Login not working (php)

Adam

Hi all,

I'm rather confused, this has never occurred before, I have a simple login script, which either pops up a javascript alert if there was an error or redirects to the relevant page otherwise. It works perfectly in FF but seems to do nothing in IE6 (and IE 7 I think). In IE the page reloads on clicking the submit button, and nothing else... Can anyone see why?? Here's the script:

[php]
<?

include('db_connect.php');

//if the login form is submitted
if (isset($_POST)) {


$sql="SELECT * FROM users_table WHERE username = \"{$_POST}\"";
$result=mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);



// makes sure they filled it in
if(!$_POST | !$_POST) {

?>

<script language="Javascript">
<!--
alert ("You did not fill in a required field.")
//-->
</script>

<?

} else {

// checks it against the database
//Gives error if user dosen't exist
if ($numrows == 0) {

?>

<script language="Javascript">
<!--
alert ("That user does not exist in our database.")
//-->
</script>

<?

} else {

//gives error if the password is wrong
if (md5($_POST) != $row) {

?>

<script language="Javascript">
<!--
alert ("Incorrect details.")
//-->
</script>

<?

} else {

session_register("user_id");
session_register("user_fname");
session_register("user_sname");
session_register("admin");

$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;

if($_SESSION == '1') {

header("Location: admin/");
die();

} else {

header("Location: client_home.php");
die();

}

}

}

}

}
[/php]


Thanks in advance!

ron_darrell

Just to make sure it isn't a problem with your browser have you tried replacing the php redirect code with javascript redirect code ??

window.location = "/admin";

window.location = "client_page.php";

Adam

Yes, I had been using javascript for both initially and thought that might have had something to do with the problem so I changed them for php headers. Both methods work in FF, neither work in IE, hence my confusion!

louie

you make few mistakes there.
first you check to is if the submit button has been pressed, then you query the database and then you look to see if the fields have any value in them (not blank).
I will do that before accessing the database.

Also this
[php]
//if(!$_POST | !$_POST) {

//should be

if(empty($_POST) || empty($_POST)) {//notice double ||
[/php]

I will avoid javascript for this or at least make use of it onsubmit='check form()', then use php to check values.

Adam

Ah yeah, the database query was initially down with the numrows check, I moved it up out of the way to try and figure out the problem here.

The single | was just a typo, but what's the fundamental difference between

[php]if(!$_POST)[/php]

and

[php]if(empty($_POST))[/php]

louie

when you query a post like this:
[php]
if(empty($_POST)) ...
[/php]

it checks the field value > ""

the long version to that is
[php]
if(isset($_POST) && $_POST != "")....
[/php]

i wouldn't use
[php]
if(!$_POST)
[/php]
cause this checks to see if is true or false.
this type has better use when you return something from a function like:
[php]
function check_field($str){
if(!empty($str)){
return true;
}else{
return false;
}
}
[/php]

Adam

Ok, the code now:

[php]
<?

include('db_connect.php');

//if the login form is submitted
if (isset($_POST)) {

// makes sure they filled it in
if(empty($_POST) || empty($_POST)) {

$error="You did not fill in a required field.";

} else {

// checks it against the database
$sql="SELECT * FROM usersWHERE username = \"{$_POST}\"";
$result=mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
//Gives error if user dosen't exist
if ($numrows == 0) {

$error="That user does not exist in our database.";

} else {

//gives error if the password is wrong
if (md5($_POST) != $row) {

$error="Incorrect details.";

} else {

session_register("user_id");
session_register("user_fname");
session_register("user_sname");
session_register("admin");

$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;

if($_SESSION == '1') {

header("Location: admin/");
die();

} else {

header("Location: user_home.php");
die();

}

}

}

}

}
[/php]

I can't for the life of me see why this won't work! It's not very different from other login scripts I would have written, which obviously all worked in IE...

louie

ok it's a bit too much there and it can be simplified but give this code a go:
[php]
<? session_start();
include('db_connect.php');
$error = "";//set variable
//if the login form is submitted
if (isset($_POST)) {
// makes sure they filled it in
if(empty($_POST) || empty($_POST)) {
$error="You did not fill in a required field.";
} else {
$un = trim($_POST);
$pwd = $_POST;
// checks it against the database
$sql="SELECT * FROM users WHERE username = '".addslashes($un)."'";
$result=mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
//Gives error if user dosen't exist
if ($numrows == 0) {
$error="That user does not exist in our database.";
} else {
//gives error if the password is wrong
if ( strtolower(md5($_POST)) != strtolower($row) ) {
$error="Incorrect details.";
} else {
/*session_register("user_id");
session_register("user_fname");
session_register("user_sname");
session_register("admin");*/
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;

if($_SESSION == '1') {
header("Location: admin/");
die();
} else {
header("Location: user_home.php");
die();
}

}

}

}

}
?>
[/php]

you can also add an echo statement as you go and see where it stops or where the code never gets executed.

louie

there is a version that will help you debug your code:
[php]
<? session_start();//this needs to be at the top of your page - add // if you already have it
include('db_connect.php');
$error = "";//set variable
//if the login form is submitted
if (isset($_POST)) {
echo "we have presed the submit button<br />";
// makes sure they filled it in
if(empty($_POST) || empty($_POST)) {
$error="You did not fill in a required field.";
echo "$error <br />";
} else {
$un = trim($_POST);
$pwd = $_POST;
// checks it against the database
$sql="SELECT * FROM users WHERE username = '".addslashes($un)."'";
$result=mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
//Gives error if user dosen't exist
if ($numrows == 0) {
$error="That user does not exist in our database.";
echo "$error <br />";
} else {
//gives error if the password is wrong
if ( strtolower(md5($_POST)) != strtolower($row) ) {
$error="Incorrect details.";
echo "$error <br />";
} else {
/*session_register("user_id");
session_register("user_fname");
session_register("user_sname");
session_register("admin");*/
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
echo "we have set the sessions <br />";

if($_SESSION == '1') {
//header("Location: admin/");
echo "we are redirecting to admin area <br />";
die();
} else {
//header("Location: user_home.php");
echo "we are redirecting to user area <br />";
die();
}

}

}

}

}
if($error != ""){
echo $error;
$error = ""; //reset to blank
}
?>
[/php]

declansnowden

Also just to make sure that you check that the inputted username/passwords are both alphanumerical. You could inject an SQL command through the URL with the current code and mess things up!

Adam

Thanks for the time and effort louie, but unfortunately we have the exact same results! I can't understand it... In IE it's as if I'm just hitting refresh!

@declansnowden

I was aware of SQL injection, thanks for the heads up though. Just wish I could figure this out before I beef it up!

Adam

Ok, even this won't work in IE:

[php]
if (isset($_POST)) {
echo "we have presed the submit button<br />";
}
[/php]

Perhaps there is something odd to do with the includes, though I'm pretty sure I've implemented this similarly before...

As it stands, the login form is in a file called sidebar.php, I like to break up a site so that content which remains the same on each page only exists once. So index.php looks like this:

[php]
<?
include('db_connect.php'); //includes session_start() and db connection, nothing more
$error = "";//set variable
//if the login form is submitted
if (isset($_POST)) {
echo "we have presed the submit button<br />";
// makes sure they filled it in
if(empty($_POST) || empty($_POST)) {
$error="You did not fill in a required field.";
echo "$error <br />";
} else {
$un = trim($_POST);
$pwd = $_POST;
// checks it against the database
$sql="SELECT * FROM users WHERE username = '".addslashes($un)."'";
$result=mysql_query($sql) or die(mysql_error());
$numrows = mysql_num_rows($result);
$row = mysql_fetch_array($result);
//Gives error if user dosen't exist
if ($numrows == 0) {
$error="That user does not exist in our database.";
echo "$error <br />";
} else {
//gives error if the password is wrong
if ( strtolower(md5($_POST)) != strtolower($row) ) {
$error="Incorrect details.";
echo "$error <br />";
} else {
/*session_register("user_id");
session_register("user_fname");
session_register("user_sname");
session_register("admin");*/
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
$_SESSION = $row;
echo "we have set the sessions <br />";

if($_SESSION == '1') {
//header("Location: admin/");
echo "we are redirecting to admin area <br />";
die();
} else {
//header("Location: user_home.php");
echo "we are redirecting to user area <br />";
die();
}

}

}

}

}
if($error != ""){
echo $error;
$error = ""; //reset to blank
}

$title = 'Home';

include('header.php');
include('sidebar.php');

?>

/* THE HTML OF THE BODY IS HERE */

<?

include('footer.php');

?>
[/php]

As I said, the login form is contained in sidebar.php and it's action is index.php. Now I could simply remove the login processing script to a seperate file but would it make a difference?

EDIT: Ok, answered my own question, it didn't make a difference. I've ported the login processing script to a file named login.php, still no change. In IE the form is submitting to login.php but nothing is happening.

Further debugging has shown that IE seems to have a problem with the following check:

[php]if(isset($_POST)) {[/php]

which is new to me... Thoughts?

louie

ok few things you can do to get it sorted.
1. make sure the form method=post
2. add a hidden field to the form

<input type='hidden' name='try_login' id='try_login' value='1' />

3. change your code that looks for submit button to
[php]
//if(isset($_POST)) {
if(isset($_POST) && $_POST == '1') {
......................
[/php]
4. make sure all your form element has a name and an id name='input' id='input' and the value is the same in both.

This should work no matter if is on the left, on the login.php page or....

Let me know.

Adam

It seems to just be the $_POST value that isn't detected in IE. The hidden input example worked, with a simple echo in the code block to show that, but...

Ok it seems it's a problem with my submit button! I was using an image, here's the code:

[php]<input type="image" src="<? echo $prefix; ?>images/login_submit.gif" name="submit" id="submit" value="Login">[/php]

I just tried using a regular submit button and it worked in IE. So what's so wrong with my submit button??

louie

change the form method to get and see what's coming up in the address bar

you will get some sort of x= and y=
check for submit=....

Adam

hmmm, in ff we get:

login.php?try_login=1&username=&password=&submit.x=28&submit.y=20&submit=Login

and in ie we get:

login.php?try_login=1&username=&password=&submit.x=19&submit.y=14

louie

the difference in browsers.
You'll be better off looking for the hidden field as it is a standard input or change "submit" to "submit.x"

Adam

Yeah, I suppose so...

Thanks for the help anyway!

louie

you welcome. If you would have given the facts from the start, it would have been solved long ago.

Nietzschean

also in debugging stuff like this the fastest way in php to see what's going on is just have a phpinfo() in the target page and look at what the variables were that were passed into it....