I have a checklogin script (using PDO).
When I log in to
<?php
session_start();
include("db/configPDO.php");
if (isset($_POST['email'], $_POST['password']))
{
    $referrer = $_SERVER['HTTP_REFERER']; // absent when the browser sends no Referer header
    $Email = $_POST['email'];
    $Password = $_POST['password'];
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $sql = "SELECT `id`,`type_id`,`name` FROM `members` WHERE `email` = :email AND `password` = :password AND `display` = 1";
        $STM = $dbh->prepare($sql);
        $STM->bindParam(":email", $Email);
        $STM->bindParam(":password", $Password);
        $STM->execute();
        $count = $STM->rowCount();
        $row = $STM->fetch();
        $STM->debugDumpParams(); // writes the statement dump to the response body
        if (($count == 1) && ($row['type_id'] == 0))
        {
            // admin user
            $_SESSION['type'] = $row['type_id'];
            $_SESSION['email'] = $Email;
            $_SESSION['name'] = $row['name'];
            $_SESSION['id'] = $row['id'];
            header("location: admin/");
            exit();
        }
        else if (($count == 1) && ($row['type_id'] == 1))
        {
            // non-admin user: send back to the page they came from
            $_SESSION['type'] = $row['type_id'];
            $_SESSION['email'] = $Email;
            $_SESSION['name'] = $row['name'];
            $_SESSION['id'] = $row['id'];
            if ("http://localhost/masterasp/reviews.php" === $referrer) {
                header("location: reviews.php");
                exit();
            } else if ("http://localhost/masterasp/providers.php" === $referrer) {
                header("location: providers.php");
                exit();
            }
        }
        else
        {
            header("location: index.php");
            exit();
        }
    } catch (PDOException $e) {
        // Only use line below during testing your query
        echo "Database error: " . $e->getMessage();
    }
    //var_dump($count);
    //var_dump($row);
    $dbh = null;
}
?>
using good credentials, all I get is no redirection, just
SQL: [111] SELECT `id`,`type_id`,`name` FROM `members` WHERE `email` = :email AND `password` = :password AND `display` = 1 Params: 2 Key: Name: [6] :email paramno=-1 name=[6] ":email" is_param=1 param_type=2 Key: Name: [9] :password paramno=-1 name=[9] ":password" is_param=1 param_type=2
What does that even mean?
lukeurtnowski:
$STM->debugDumpParams();
I’m guessing what you got came from here. Keep in mind that header commands only work if there is NO output before that point. Dumping variables would be output.
But, if I comment that out, nothing happens (I don’t get redirected).
If I look at the source of the blank page, I get 2 blank lines.
Where are they coming from?
So, it’s time to go back to basics.
if (($count == 1) && ($row['type_id'] == 0))
{
    echo "Admin IF";
    $_SESSION['type'] = $row['type_id'];
    $_SESSION['email'] = $Email;
    $_SESSION['name'] = $row['name'];
    $_SESSION['id'] = $row['id'];
    header("location: admin/");
    exit();
}
else if (($count == 1) && ($row['type_id'] == 1))
{
    echo "Non-Admin IF";
    $_SESSION['type'] = $row['type_id'];
    $_SESSION['email'] = $Email;
    $_SESSION['name'] = $row['name'];
    $_SESSION['id'] = $row['id'];
    if ("http://localhost/masterasp/reviews.php" === $referrer) {
        echo "Reviews IF";
        header("location: reviews.php");
        exit();
    } else if ("http://localhost/masterasp/providers.php" === $referrer) {
        echo "Providers IF";
        header("location: providers.php");
        exit();
    }
    echo "Garbage Zone";
}
else
{
    echo "OuterElse";
    header("location: index.php");
    exit();
}
Where does your code go? Time to find out which path is getting filtered to. (My money’s on the garbage zone)
this is the result
Non-Admin IFGarbage Zone
Ding ding ding. A winrar is me.
So it went into the Non-Admin IF, and then did NOT match either of your clauses. I pointed out in your previous thread that you have no ELSE on the end of that if block.
You might want to echo "Referrer: ".$referrer."moo" to see what Referrer contains (remember when you were cautioned never to rely on HTTP_REFERRER?).
Oh, thanks for the help, you were right. I got confused and didn’t include the case where the user tried to log in from elsewhere.
Nesting IFs can do that to the best of us.
My browser sends NO HTTP_REFERER
But if I wanted to, I could change the value sent to anything I wanted it to be.
Not that you should never use it, just never rely on it.
So I need to set a session variable, that’s the better way?
I set the session variable on each of those pages?
Well, IMO the better way is either:
1: not separate the login processing from the page it’s entered on.
2: pass the return page as a form variable. (Note: Unless said page name is ultrasensitive… which… it doesn’t seem to be in your case.)
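As an added example (not code from the thread), here is a checklogin.php written the way option 2 above suggests: the destination comes from a hidden form field instead of HTTP_REFERER, the page name is checked against a fixed list before it reaches header(), and the non-admin branch always ends in a redirect, so the "came from elsewhere" case the original code fell through is covered. It also replaces the thread's `password = :password` comparison in SQL with password_verify() against a stored hash. Two assumptions that are not on the page: the `members` table has a `password_hash` column holding a password_hash() value, and the login form carries a hidden field named `return_to`. `$dbh` is taken from db/configPDO.php as in the original.

```php
<?php
// Added example, not the thread's code. Assumes `members.password_hash`
// (a password_hash() value) and a hidden form field `return_to`; neither
// exists in the original script.
session_start();
include("db/configPDO.php"); // assumed to define $dbh, as in the original

// Only these page names may be used as a post-login destination. A raw value
// from the form (or from HTTP_REFERER) must never reach header() unchecked,
// because the client controls both.
const ALLOWED_RETURN_PAGES = ['reviews.php', 'providers.php'];

function resolve_return_page(?string $requested): string
{
    return in_array($requested, ALLOWED_RETURN_PAGES, true) ? $requested : 'index.php';
}

if (!isset($_POST['email'], $_POST['password'])) {
    header("Location: index.php");
    exit();
}

$email    = $_POST['email'];
$password = $_POST['password'];
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

try {
    // Fetch the stored hash; the submitted password never goes to the database.
    $sql = "SELECT `id`, `type_id`, `name`, `password_hash` FROM `members`
            WHERE `email` = :email AND `display` = 1";
    $stm = $dbh->prepare($sql);
    $stm->bindParam(":email", $email);
    $stm->execute();
    $row = $stm->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such user" and "wrong password", so the
    // response does not reveal which one happened.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        header("Location: index.php");
        exit();
    }

    // Successful login: issue a fresh session id so a pre-login id is not reused.
    session_regenerate_id(true);
    $_SESSION['type']  = $row['type_id'];
    $_SESSION['email'] = $email;
    $_SESSION['name']  = $row['name'];
    $_SESSION['id']    = $row['id'];

    if ((int) $row['type_id'] === 0) {
        header("Location: admin/");
    } else {
        // Every non-admin login ends here, including a form submitted from a
        // page that is not in the list (it falls back to index.php).
        header("Location: " . resolve_return_page($_POST['return_to'] ?? null));
    }
    exit();
} catch (PDOException $e) {
    // Keep the detail server-side; echoing it would also be output before header().
    error_log("Login database error: " . $e->getMessage());
    header("Location: index.php");
    exit();
}
```

The matching form needs only one extra line, for example `<input type="hidden" name="return_to" value="reviews.php">` on reviews.php. Because resolve_return_page() only ever returns one of the listed names or index.php, a tampered `return_to` cannot turn the script into an open redirect, and because every branch ends with exit() after a header() call there is no path that falls out of the if block with nothing sent.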