Re: php code [message #177421 is a reply to message #177415] Tue, 27 March 2012 08:37
Erwin Moller
On 3/26/2012 5:05 PM, shaurya077 wrote:
> hi frds .....

Hi shaurya,

> i'm working on a small assignment based on php
> in this assignment i just created a login page (username and password
> required)
> but it is working all right
> but after login there i created a welcome page but in which welcome
> page php scripts didn't showing the name of user

OK, clear enough.

First tip: Make sure you have error reporting set to the right values.
If you are using a session variable that isn't set, you want an
error/notice/warning, not an empty string!

How do you set error reporting to a sensible value?
While you are developing, I suggest you want to see ALL.

http://nl.php.net/manual/en/function.error-reporting.php

Also look at "display errors". Make sure it is on.
http://nl.php.net/manual/en/errorfunc.configuration.php#ini.display-errors
You can set "display errors" to "1".
Use ini_set() or .htaccess with php_value (if on Apache), or whatever,
to set it to "1".
The easiest is probably to use ini_set() in your script.

Once you go live and actually expect people using it, you change
"display errors" to "0".

If you have appropriate error reporting, and you use an uninitialized
variable (eg $_SESSION["mycat"]), you will get a descriptive notice:
exactly what you need during development!


>
> like "hi! shaurya"
>
> my php code is for login check:
>
> <?php
>
> include("config.php");

What happens in config.php?
Are you sure it can be included BEFORE session_start()?

>
> session_start();
>
> if($_SERVER["REQUEST_METHOD"]=="POST")
> {
> $myusername=addslashes($_POST['user_name']);
> $mypassword=addslashes($_POST['pass_word']);

This is a bit cumbersomely formulated, I think.
Easier/clearer/better is:

if (isset($_POST['user_name']) && isset($_POST['pass_word'])){
    $myusername=addslashes($_POST['user_name']);
    $mypassword=addslashes($_POST['pass_word']);
}

(addslashes is bad, but I'll come back to that later.)

In your code you only test for REQUEST_METHOD being POST, but that
doesn't mean that $_POST['user_name'] and $_POST['pass_word'] were sent.

It is better to test if the variables you expect are ALL set.

About addslashes: One rule: Never use that function. Period. :-)
It is good you think about avoiding SQL injection, but you need better,
specialized functions to escape the (possibly dangerous) content of
$_POST['user_name'] and $_POST['pass_word'].
addslashes simply doesn't do it right: it only safeguards you against 4
characters:
'
"
\
NUL

You need a better function.
In your case (mysql) follow Michael's advice and look into
mysql_real_escape_string().
Remember that you need a different escape function for each database.

>
>
> $sql="select id from userinformation WHERE username='$myusername' and
> password='$mypassword' ";

Like Denis said: It is not very nice of you to store people's passwords
in plaintext in the database.
If some funny people crack your system they have access to all those
passwords. Use a hash with a salt.
"Hashing and salt" is all very technical, so look it up when you have
time to study it.
What you do (storing passwords in plain text) is fine during testing,
but very bad when you build anything serious.


>
> $result=mysql_query($sql);
>
> $row=mysql_fetch_array($result);
>
> $active=$row['active'];
>
> $count=mysql_num_rows($result);
>
> if($count==1)
> {
> session_register("myusername");

Remove that line session_register() and NEVER use session_register again.
Put it on the same heap as addslashes and never look at it again.


> $_SESSION['login_user']=$myusername;

This is OK.


>
> header("location:welcome.php");

Add an exit here.
PHP runs on with your script after the header, unlike VB/ASP.
So:
header("location:welcome.php");
exit;

If you don't do that, you risk that something else gets executed (if you
have more code under the if/else block).


> }
> else
> {
> $error="name and password is invalid";
>
> echo $error;
>
>
> }
> }
>
>
> ?>
>
> this scripts is used to check the data filled by user and after that
> this welcome page comes (code):

So the following code is from welcome.php, right?

>
> <?
>
> //screen after verification
>
> include('lock.php');
>
> echo $login_session;
>

You want to use the session again on this page, so you must first start
it again.
Add:

session_start();

And then echo what you want FROM THE SESSION.

echo $_SESSION['login_user'];

> ?>
>
>
> reply plz....

I hope that helped.

Regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
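
An added example, not part of Erwin Moller's post or the original poster's code: one way to combine the advice in this reply (test that every field is set, keep user input out of the SQL text, store a salted hash, exit after the redirect) in current PHP. It swaps in PDO prepared statements and password_hash()/password_verify() for the mysql_* escaping route discussed in the thread, since the mysql_* extension was removed in PHP 7; the in-memory SQLite database, the password_hash column, the check_login() function and the sample user are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Development settings from the post: report everything and display it.
// Set display_errors to '0' once the site is live.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Hypothetical helper: returns the user id on success, null on any failure.
function check_login(PDO $db, array $post): ?int
{
    // Test that every expected field was sent, not just that the method is POST.
    if (!isset($post['user_name'], $post['pass_word'])
        || !is_string($post['user_name']) || !is_string($post['pass_word'])) {
        return null;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM userinformation WHERE username = ?');
    $stmt->execute([$post['user_name']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against the salted hash made by password_hash().
    if ($row === false || !password_verify($post['pass_word'], $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinformation (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO userinformation (username, password_hash) VALUES (?, ?)')
   ->execute(['shaurya', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Command-line run: valid login, unknown name containing a quote, missing field.
    var_dump(check_login($db, ['user_name' => 'shaurya', 'pass_word' => 'constructed-sample-pw']));
    var_dump(check_login($db, ['user_name' => "o'brien", 'pass_word' => 'x']));
    var_dump(check_login($db, ['user_name' => 'shaurya']));
} elseif (check_login($db, $_POST) !== null) {
    session_start();
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['login_user'] = $_POST['user_name'];
    header('Location: welcome.php');
    exit;                          // stop here; PHP would otherwise keep running
} else {
    echo 'name and password is invalid';
}
```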