Am I doing something wrong here..?

[Dr Livingston]

As always, script for GLOBALs being OFF; No buts about it really; you are a developer and yes, you have a responsibility for developing secure scripts

[mak-uk]

Hi

I started development after the introduction of PHP 4.2. I have had a look at Kevin's article that he suggested (4.2 and after) but now I am totally confused as I have the previous example and the new example baffling me all over the place.

Any suggestison? Sorry for being thick..

Thanks.

Mak

[Sarah]

Mak

Don't worry you are not being thick, I rewrote the 'kev' script before he wrote his new article. The sad thing is I don't have a copy here at the moment - can you wait until monday? I basically re wrote kev script to work with php globals off etc, dead easy (although I will admit it took a while!!)

can you do anything else until then? or maybe flick register globals on in the php.ini to test and get the rest looking good and then I will pop back in Monday am with some help?

I would revamp the one you posted - BUT its friday night I am 1/2 way down a bottle of wine - and honestly can not really be bothered - is that ok? (us advisors are human after all )

Cool?

Thanks
Sarah

[sweatje]

IIRC, a very quick hack is

PHP Code:

$GLOBALS += $_GET; 


at the top of the script. But it really should be recoded to handle it correctly. If you look at the article I mentioned earlier, you can pass an array to my getpost_ifset() function and register all the variables at once.

HTH

[Kevin Yank]

Hmm I think this thread has gone on long enough. I'm going to update the article to work with register_globals off...

[mak-uk]

Hi

Sarah.. that's wonderful, thanks.. I can wait 'til Monday..in the meantime I have plenty to be getting on with! I hope you enjoyed your Friday night!! I don't drink but I enjoyed staying in and watching an old favourite which got me motivated for the gym tomorrow - Rocky 2!

sweatje.. thanks for your help, will look at that in the meantime.

Kevin.. thanks for your reply once again, I look forward to the updated article. Let me know when you have it done?

Thanks all.

Mak

[Kevin Yank]

The article has now been updated, along with the downloadable code archive. Enjoy! :-)

[mak-uk]

Hi

I am trying out the newly updated article now.

When I run 'signup.php' I get the following error msg:

Warning: mail() [function.mail]: SMTP server response: 503 No recipient(s). in d:\inetpub\wwwroot\session_test\signup.php on line 130
User registration successful!
Your userid and password have been emailed to someaddresshere@somedomain.whatever, the email address you just provided in your registration form. To log in, click here to return to the login page, and enter your new personal userid and password.

I think this is referring to the following line(s):

PHP Code:

mail($newemail,"Your Password for Your Website", 
        $message, "From:Your Name <you@example.com>"); 


In my 'php.ini' I have:

[mail function]
; For Win32 only.
SMTP = localhost ; for Win32 only
; For Win32 only.
sendmail_from = me@localhost.com ; for Win32 only

Oh, and I am running Win XP which has the SMTP server enabled with all the default settings.

Any ideas?

Thanks.

Mak

[Dr Livingston]

Obviously since your using your local machine and you normally wouldn't have an email server, you'll get this message ? Upload the scripts etc to your web space and try again using a known valid email address instead. If not, then download an email server of your own and configure it Try www.mailenabled.com although at the moment the website has .htaccess so try again later to see if they're finished uploading their updates ? Note: it is not easy (I know from experience) to configure your own email server so you may as well use your ISP to access the mail() function, or sign up to an ISP with email access...

[Dr Livingston]

Btw - do you have dial up or broadband access ? If you've got broadband I'll upload and email you the app I have ? It's about 6MB...

[Kevin Yank]

Actually, the problem was a typo in the article. The code in question has now been updated:

PHP Code:

    mail($_POST['newemail'],"Your Password for Your Website",
         $message, "From:Your Name <you@example.com>"); 


The downloadable code archive had the correct code in it, but the article needed updating.

[Sarah]

Mak - I also was watching Rocky 2 old fav of mine

Kev - thats great getting that article updated as I know loads of people use it

So Mak let us know how you are getting on now?

[mak-uk]

Hi

Yeah I love all of the Rocky series. Most people think that it's all about boxing but it isn't much really.. at least not the first three! I have the anthology on DVD.. pretty great! Damn, I wish I could play the new Rocky... (dreamland)

Anyway, I have gotten Kevin's great tutorial working. If you recall, my sign-up script goes along the following lines:

PHP Code:

<?php 
 if(!isset($_POST['is_submitted'])) { 
// Start drop down box queries
.. etc
// End drop down box queries
?>
 <! ------------------- START FORM  ------------------- >
 <FORM TYPE="SUBMIT" NAME="is_submitted" ACTION="<?php echo($_SERVER['PHP_SELF']); ?>" METHOD="POST">
   <input type=hidden name="is_submitted" value="yes"> 
</FORM>
 <! ------------------- END FORM  ------------------- >      
<?php
 }
else {
  # FORM has been sent so need to look at values
  $Forename   = (string) $_POST['Forename'];
  $Surname   = (string) $_POST['Surname'];
   ... etc
 
  // Create error array variable
  $ErrorArray = array();
 
  // Check each input from user - start form validation
  .. etc
  // End form validation
 
if(empty($ErrorArray)) {
   echo"<h1>You are registered!</h1>";
 
// generate and execute query
  $query = "INSERT INTO Members SET
   mForename  =  '".$_POST['Forename']."',
   mSurname  =  '".$_POST['Surname']."',
  ... etc
 
$result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());
  $memberID = mysql_insert_id();
 
$query2 = "INSERT INTO Lookup SET
     relMemberID = '".$_POST['memberID']."',
     relReligionID = '".$_POST['religion_id']."',
     ... etc
 
$result2 = mysql_query($query2) or die ("Error in query 2: $query2. " . mysql_error());
 
// Email the login details to the person. 
   ... etc
// End Email code
 
}
  else {
   // Found one or more errors
              $nerrors = count($ErrorArray);
              echo ('You have '.$nerrors.' errors.<br>');
              foreach($ErrorArray as $error) {
                  echo('You have this error: '.$error.' Please correct it.<br>');
          }
 
# now display your FORM here again using
 # same HTML etc - FORM variables and all
 
 // Start drop down box queries
    ... etc
 // End drop down box queries
if(empty($ErrorArray["Forename"])) {
  $ok_Forename = $_POST["Forename"];
 } 
... etc
 
?>
<! -- FORM with previously submitted values -- >
 <FORM TYPE="SUBMIT" NAME="is_submitted" ACTION="<?php echo($_SERVER['PHP_SELF']); ?>" METHOD="POST">
  <input type=hidden name="is_submitted" value="yes"> 
</FORM>
      
 <! ------------------- END FORM  ------------------- >
<?php   
   
  }
}
?>

Now what I was wondering is:

1. Firstly, is this sufficient for a sign-up script?
2. When the user enters ALL valid data, they are e-mailed their login details. Should I then make it that they are automatically logged in.. OR.. divert them to the index page to login?

Okay.. once I get this stuff a bit clearer, I will ask a bit more about sessions.

Thanks.

Mak

[Sarah]

Mak,

Yes that is sufficient,

I generally send the login link in the email that you will send them. 'click here to login' type thing, then they are prompted for their details - and voila!

session themselves are pretty simple, anything that you would like stored as a session do this to store it:

PHP Code:

$_SESSION['something_to_store']=$something_to_store 


and then if you ever need to use that value instead of having

PHP Code:

$something_to_store 


use

PHP Code:

$_SESSION['something_to_store'] 


instead.

That simple.

Off Topic:

me being a huge sly fan I pretty much have all his moves including rocky and rambo

[Kevin Yank]

You should definitely not automatically log them in! As is explained in the article, forcing them to log in using the password you sent them by e-mail guarantees that the e-mail address is valid.

[Dr Livingston]

But Rambo 3 and 4 were seriously crap The Rocky Films are no that bad though; missed the film the other night though

[mak-uk]

Hi

On a side note.. I love Sly movies too.. am a big fan in-fact!! Rocky is just the best! Love the films (mainly 1-3) and the soundtrack .
I didn't know they made a Rambo 4? Agreed, Rambo 2 and 3 were not as good as First Blood.. that is a classic! However, Rambo 3 did have a good storyline in terms of showing the suffering of the Afghan people and then Rambo comes in to help with their uprise against the Russians. Ironic that Mr Bin-Laden was part of this 'uprising' that the US helped and later turned on! ![img]images/smilies/eek.gif[/img] [img]images/smilies/mad.gif[/img]

Okay, so for the sign-up script as I have it, I don't really need sessions then do I?

So once the user is signed up, they are diverted (or provided with a link as well as e-mail) to the login page (i.e. the main page of the site).

Now, for the main page of the site, apart from all the usual paraphernalia, I should provide them with a log-in section. Here, I need to iron out a query..

I have made it so that the user has a unique 'username'. Hence, should they log in with their username, or, should they log in with their e-mail? (Hence, implying, only one registration per e-mail?).

What do you think?

Thanks.

Mak [img]images/smilies/smile.gif[/img]

[Dr Livingston]

Umm... Generally though the email address is their username, no ? And this field (email) is UNIQUE. Helps if you provide a password as well... Remember to use SESSIONs in all your pages you want a user to have access to once they've signed in/logged in/whatever though...

[mak-uk]

Hi

Well I am starting the main page and log-in screen. I am trying it out with a table with three sections, thus:

------------------------------------
Members | New Users | Quick Search
------------------------------------

PHP Code:

<table width="640" border="0" cellpadding="0">
              <tr align="center" valign="bottom"> 
                <td colspan="2">&nbsp;</td>
                <td>&nbsp;</td>
                <td colspan="2">&nbsp;</td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2">Members</td>
                <td width="203">New Users</td>
                <td colspan="2">Quick Search</td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2">&nbsp;</td>
                <td>&nbsp;</td>
                <td colspan="2">&nbsp;</td>
              </tr>
              <tr align="center" valign="middle"> 
                <td width="74" height="22" align="right">E-Mail</td>
                <td width="131"> <INPUT TYPE="text" class="forminput" NAME="EMail" size="20" maxlength="35" /></td>
                <td>- Free membership!</td>
                <td width="86" align="left">Looking for a</td>
                <td width="134" align="left"> <select name="gender" class="formselect">
                    <option selected>Female</option>
                    <option>Male</option>
                  </select></td>
              </tr>
              <tr align="center" valign="middle"> 
                <td align="right">Password</td>
                <td> <INPUT TYPE="text" class="forminput" NAME="Password" size="20" maxlength="35" /></td>
                <td>- Free searching!</td>
                <td align="left">who is </td>
                <td align="left"> <select name="age" class="formselect">
                    <option value="" selected>Select</option>
                    <option value="">Any</option>
                    <option value="18 - 25">18 - 25</option>
                    <option value="26 - 30">26 - 30</option>
                    <option value="31 - 35">31 - 35</option>
                    <option value="36 - 45">36 - 45</option>
                    <option value="46 - 50">46 - 50</option>
                    <option value="51 - 99">Above 50</option>
                  </select></td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2"> <input type="submit" name="SubmitLogin" value="Log In"></td>
                <td>&nbsp;</td>
                <td align="left">and a</td>
                <td align="left"> <select name="religion" class="formselect">
                    <option selected value="">Select</option>
                    <option value="">Any</option>
                    <option>Muslim</option>
                    <option>Hindu</option>
                    <option>Sikh</option>
                  </select></td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2">Forgot your password?</td>
                <td>Join HERE!</td>
                <td colspan="2"> <input type="submit" name="QSearch" value="Search"> 
                </td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2">&nbsp;</td>
                <td>&nbsp;</td>
                <td align="left">Profile ID</td>
                <td> <input type="text" class="forminput" name="profileid" value="Enter ID" size="20" maxlength="20"></td>
              </tr>
              <tr align="center" valign="middle"> 
                <td colspan="2">Not a member yet?</td>
                <td height="24">&nbsp;</td>
                <td colspan="2">Advanced Search</td>
              </tr>
            </table> 


Now, members log-in with a email and password.. so, I need a form there.

New users just click to join.. nothing there.

Quick Search involves selecting a few drop down boxes OR typing in a profile ID to search by. Hence, I need a form for the profile ID field.. right?

Now, when I try to enter the appropriate form tags, it messes up my layout.

Can anyone help please?

Thanks.

Mak

[mak-uk]

Hi

I think I have done it..

What I have done is have a form for:

1. The user to log-in.
2. Quick search.
3. Profile ID search.

Anyway, trying out sessions what I have is:

PHP Code:

<?php // index.php 
session_start();
include_once './inc/db.inc';
$uid = isset($_POST['EMail']) ? $_POST['EMail'] : $_SESSION['EMail']; 
$pwd = isset($_POST['Password']) ? $_POST['Password'] : $_SESSION['Password'];
if(!isset($EMail)) { 
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>some title</title>
..
<table width="640" height="238" border="0" cellpadding="0">
              <tr>
                <td width="200" height="234" align="left" valign="top"> 
                <FORM METHOD="POST" NAME="Login" AUTOCOMPLETE="off" action="<?=$_SERVER['PHP_SELF']?>">
  <table width="200" height="122" border="0" cellpadding="0">
                    <tr>
                      <tr>
                <td valign="middle" align="right" class="mediumblack">Email&nbsp;</td>
  <td width="65%" class="forminput"><INPUT TYPE="text" class="forminput" NAME="EMail" size="20" maxlength="35" /></td>
  </tr>
  <tr>
                <td valign="middle" align="right" class="mediumblack">Password&nbsp;</td>
                <td class="forminput"><INPUT TYPE="password" class="forminput" NAME="Password" size="20" maxlength="20" /></td>
  </tr>
  <tr>
  <td><br></td>
  <td align="center">
  <input type="checkbox" name="autologin" value="Y">Automatic login<br>
                        &nbsp;<a href="#">What is this?</a></td>
  </tr>
  <tr>
  <td><br></td>
                <td valign="bottom" align="center" height="18"> 
                        <input type="image" src="img/go.gif" border="0">
                      </td>
  </tr>
              <tr align="center"> 
                      <td height="18" colspan="2" valign="bottom"><a href="#" title="Forgot Password">Forgot 
                        your password?</a></td>
  </tr>
              <tr align="center"> 
                      <td height="18" colspan="2" valign="bottom"><a href="join.php" title="Join Here">Not 
                        a Member yet?</a></td>
                    </tr>
                  </table></FORM></td>
                <td width="200" align="left" valign="top"> <table width="200" border="0" cellpadding="0">
                    <tr valign="top"> 
                      <td colspan="2" align="center"><font class="largeblackbold">Join 
                        here to create your profile!</font></td>
                    </tr>
                    <tr> 
                      <td><img src="imgs/spacer.gif" width="40" height="1" border="0"></td>
                      <td valign="top" class="mediumblack"><img src="imgs/spacer.gif" width="142" height="8" border="0"><br>
                        FREE <a href="#" title="Membership">Membership</a><br>
                        FREE <a href="#" title="Photoprofile">Photoprofile</a><br>
                        FREE <a href="#" title="Search">Searches</a><br>
                      </td>
                    </tr>
                    <tr> 
                      <td align="center" colspan="2" class="mediumblack"><div align="justify">blah blah blah</div></td>
                    </tr>
                    <tr> 
                      <td align="center" colspan="2"><a href="join.php" title="Join Now">Join 
                        Now >></a></td>
                    </tr>
                    <tr> 
                      <td height="18" colspan="2" align="left" valign="top">&nbsp;</td>
                    </tr>
                  </table></td>
                <td width="200" align="left" valign="top"> 
                  <FORM METHOD="POST" NAME="QSearch" action="<?=$_SERVER['PHP_SELF']?>">
      <table width="240" border="0" cellpadding="0">
                    <tr> 
                      <td width="95" align="right" valign="top">Looking for a&nbsp;</td>
                      <td colspan="2" align="left" valign="top"><select name="gender" class="formselect" style="width:70;">
                          <option selected>Female</option>
                          <option>Male</option>
                        </select></td>
                    </tr>
                    <tr> 
                      <td align="right" valign="top">between&nbsp;</td>
                      <td colspan="2" align="left" valign="top"><select name="age" class="formselect" style="width:70;">
                          <option value="">Select</option>
                          <option value="">Any</option>
                          <option value="18 - 25" selected="selected">18 - 25</option>
                          <option value="26 - 30">26 - 30</option>
                          <option value="31 - 35">31 - 35</option>
                          <option value="36 - 45">36 - 45</option>
                          <option value="46 - 50">46 - 50</option>
                          <option value="51 - 99">Above 50</option>
                        </select></td>
                    </tr>
                    <tr> 
                      <td align="right" valign="top">of religion&nbsp;</td>
                      <td width="78" align="left" valign="top"><select name="religion" class="formselect" style="width:70;">
                          <option selected value="">Select</option>
                          <option value="">Any</option>
                          <option>religion 1</option>
                          <option>religion 2</option>
                          <option>religion 3</option>
                        </select></td>
                      <td width="49" align="center" valign="bottom"> <input name="image" type="image" src="img/go.gif" border="0"> 
                      </td>
                    </tr>
                    <tr> 
                      <td align="right" valign="top">&nbsp;</td>
                      <td colspan="2" align="left" valign="top">&nbsp;</td>
                    </tr>
                  </table></FORM>
  <FORM METHOD="POST" NAME="ProfileSearch" action="<?=$_SERVER['PHP_SELF']?>">
                  <table width="240" border="0" cellpadding="0">
                    <tr><td align="right" valign="top">Profile ID&nbsp;</td>
                      <td width="78" align="left" valign="top"><input type="text" name="ProfileID" class="forminput" size="13" /></td>
                      <td width="49" align="center" valign="bottom"> 
                        <input name="image2" type="image" src="img/go.gif" border="0" />
                      </td>
                    
                      
                    </tr>
</table></FORM>

The problem is, when I press the first 'Go' to allow the user to log-in or be denied access.. nothing actually happens.

Any ideas?

Thanks.

Mak

[Dr Livingston]

Umm... First I'd change the start to something that actually checks to see if a session has previously been set it's self; and not through $_POST as you've done, ie:

PHP Code:

if(!isset($_SESSION['Email'])) {
$_SESSION['Email'] = '';
}
. 


And then set this session to hold the email once the FORM has been submitted; although in your case you've used an IMG - does the script work before you used an IMG ? If not then remove the IMG with a normal SUBMIT button, which leads me to this to check for FORM submission;

PHP Code:

.
.
# place after session script I have above
if(!isset($_POST['SUBMITFORM'])) {
?>
<!-- display FORM here -->
<?php
}
else {
$_SESSION['Email'] = (string) $_POST['Email'];
}
.
# rest of script

Now, remember to have the session part on every page where you need the Email ? As to how and why your FORM isn't being submitted as is (ie using IMG) I don't know since I never use IMGs anyway for FORM submission... although I suspect from what I've read you need to give an x and y co-ord or x/y variable ? Not too sure there;

Anyway, remove the IMG with a normal SUBMIT button and see how it goes ? Hope this'll help...

[mak-uk]

Hi

Okay, I take it then that I do not need to store their password in their session?

I have done as you said and that seems to work in that it tells me when I press 'Login' if access is denied.

However, at the bottom of the page, regardless, it prints the 'Access Denied' part from the following code:

PHP Code:

<?php
..
</html>
}
else { 
$_SESSION['Email'] = (string) $_POST['Email']; 
} 

dbConnect("pa" ); 
$sql = "SELECT * FROM members WHERE 
mEmail = '$EMail' AND mPassword = PASSWORD('$Password')"; 
$result = mysql_query($sql); 
if (!$result) { 
error('A database error occurred while checking your '. 
'login details.\\nIfhis error persists, please '. 
'contact [email=you@example.com.']you@example.com.'[/email]); 
}
if (mysql_num_rows($result) == 0) { 
unset($_SESSION['EMail']); 
?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"[url=http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd]http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd[/url]"> 
<html xmlns="[url=http://www.w3.org/1999/xhtml]http://www.w3.org/1999/xhtml[/url]"> 
<head> 
<title> Access Denied </title> 
<meta http-equiv="Content-Type" 
content="text/html; charset=iso-8859-1" /> 
</head> 
<body> 
<h1> Access Denied </h1> 
<p>Your user ID or password is incorrect, or you are not a 
registered user on this site. To try logging in again, click 
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant 
access, click <a href="join.php">here</a>.</p> 
</body> 
</html> 
<?php 
exit; 
}
?>

Any ideas?

Thanks.

Mak [img]images/smilies/smile.gif[/img]

[Dr Livingston]

Going to get some sleep now; although I store password, username and ID to sessions,... look at your script later ? To suggest that your getting the Access Denied though could be the condition ? Maybe a brace out of place somewhere... ? ZZzzz... Yawn

[mak-uk]

Hi

I'm still not sure where I am going wrong. What I have is as follows:

PHP Code:

?php // index.php 
session_start();
include_once './inc/db.inc';

$uid = isset($_POST['EMail']) ? $_POST['EMail'] : $_SESSION['EMail']; 
$pwd = isset($_POST['Password']) ? $_POST['Password'] : $_SESSION['Password'];

if(!isset($_SESSION['EMail'])) { 
$_SESSION['EMail'] = ''; 
} 

if(!isset($_POST['SUBMITFORM'])) { 
?> 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>...

</html>
<?php
}
else { 
$_SESSION['EMail'] = (string) $_POST['EMail']; 
$_SESSION['Password'] = (string) $_POST['Password']; 
} 

dbConnect("pa"); 
$sql = "SELECT * FROM members WHERE 
       mEmail = '$EMail' AND mPassword = PASSWORD('$Password')"; 
$result = mysql_query($sql); 
if (!$result) { 
 error('A database error occurred while checking your '. 
       'login details.\\nIfhis error persists, please '. 
       'contact [email]you@example.com[/email].'); 
}

if (mysql_num_rows($result) == 0) { 
 unset($_SESSION['EMail']); 
 ?> 
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml"> 
 <head> 
 <title> Access Denied </title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
 </head> 
 <body> 
 <h1> Access Denied </h1> 
 <p>Your user ID or password is incorrect, or you are not a 
    registered user on this site. To try logging in again, click 
    <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant 
    access, click <a href="join.php">here</a>.</p> 
 </body> 
 </html> 
 <?php 
 exit; 
}
?>

Any ideas?

Thanks.

Mak

[mak-uk]

Help..anyone..please?