0

Hi I am new to php and I am doing a simple login form in php. the user enters the userid and password. On button click I redirect it to a php page. There i use a simple select query and retrieve number of rows with that userid and password. Now if rows are returned, then its valid and I am redirecting him from there to other pages. If its not, I want to pass a values back to same login page (preferably a boolean value) and use it to enable a label saying invalid credentials.

code in validation php page:

<?php
$user = $_GET['txtUserName'];
$password = $_GET['txtPassword'];
$link = mysql_connect("localhost",username,password);
mysql_select_db(dbname, $link);
$result = mysql_query("SELECT * FROM user_table WHERE user_name='$user' and          password='$password'", $link);
$num_rows = mysql_num_rows($result);
if($num_rows!=0)
{
redirection to other pages  
}
else
{
//code here to pass back to login form
}
?>

I am very much new to php. Trying simple forms.

SomeUser
  • 390
  • 6
  • 22
  • SO is not made for this kind of questions, but why don't you google some simple tutorials for this? I did. Also, just a piece of advice, DO NOT PASS data like password in the URL. Use POST instead of GET. – Craftein Mar 16 '14 at 07:15
  • I tried. But I couldnt get. Anyways thanks for ur reply. will try few more. – SomeUser Mar 16 '14 at 07:18

5 Answers5

2
  1. DON'T use GET method to submit a form with sensitive data like password.
  2. instead of submitting the form to another page, submit it to the same page. Put PHP code on top of the page.
  3. Initialize variable say $user = $_POST['txtUserName']. Now let's assume your input box is, <input type ='text' name = 'txtUserName'>, put value='<?PHP echo $user?> attribute in the input box and it will show the value.

Finally, read some tutorial. There are bunch of them out there on internet :-) Wish you very best of luck with PHP :-)

This demo might give you more idea:

<?PHP

    $username = "";
    $password = "";
    $error    = "";

    if($_SERVER['REQUEST_METHOD'] == "POST") {
        $username = $_POST['txtUserName'];
        $password = $_POST['txtPassword'];

        if(/*everything OK*/) {
            // sign the user in
            // redirect to some other page of your choice or not
        } else {
            $error = "Please try again";
        }
    }    
?>

<html>
... html goes here

<?PHP
    if(strlen($error) ) {
        echo $error;
    }
?>
<form action = "" method = "POST">
<input type  = 'text'     name = 'txtUserName' value='<?PHP echo $username?>' />
<input type  = 'password' name = 'txtPassword' />
<input type  = 'submit'  value = 'Sign In' />
</form>
?>
... rest of the html

Fallen
  • 4,256
  • 1
  • 24
  • 43
  • I seem to have got an idea. So when we submit to same page, its kinda post back and we can change the state of boolean variable ? – SomeUser Mar 16 '14 at 07:20
  • be careful of sql injection as well... dont pass the variable directly into your SQL select. look here for examples/documentation: http://us3.php.net/mysql_real_escape_string – John Ruddell Mar 16 '14 at 07:23
  • Thanks @JohnRuddell, I'll sure keep that in mind. And does my comment make sense ? Is it a way to achieve what I want ? – SomeUser Mar 16 '14 at 07:25
  • well sorta... I think you can do that.. not a php expert in any way.. If it was me I would just check the credentials, if true direct to a new page, if false just stay on the same page and post a message that says incorrect credentials – John Ruddell Mar 16 '14 at 07:29
0

First thing, you shouldn't pass a username and password value through the GET method. You should use POST, as it doesn't pass through the URL.

As for redirecting to the previous page and sending info, I'm no expert on that. But from what I've read, you should either use a session, or use javascript.

EDIT: Looking at another answer that was posted, you could use header(Location:""") to pass values through the url(i.e header(Location:"someurl.com/somefile.php?var=data") and use the get method on your registration page to check for those variables. If they're present, then you could display the labels informing the user of invalid credentials.

KruSuPhy
  • 33
  • 7
0

if($num_rows!=0) { header("location:other-page.php"); } else { header("location:old-page.php"); }

Also use sessions...if username and password does not match,make that sessions to 1 and redirect to old page..There take that value ..Compare if it is set.Then display invalid crediantials

codelover
  • 217
  • 1
  • 10
0

The straight answer is: 

if($num_rows != 0)
   header("Location: http://myhost/myauthorizedpage.html");
else
   header("Location: http://myhost/loginpage.html");

Although this is a pretty lame security solution. Anyone can just type http://myhost.com/myauthorizedpage.html in their browsers and will be bypassing your login page.

A more reliable solution would include sessions management (http://www.sitepoint.com/php-sessions/) and protecting all the important pages with something like:

if(!isset($_SESSION["user"]))
    header('HTTP/1.0 403 Forbidden');
rodix
  • 340
  • 3
  • 13
0

Advices

  1. Dont use GET method for password because GET is displayed in the URL. Here is the link for tutorial What is the difference between POST and GET?
  2. Dont use you are new to php so therefore it is the right right time to upgrade to mysqli and PDO in PHP. mysql() function will be soon depreciated from PHP5. Mysqli tutorials.
  3. Your code is vulnerable to SQL injection. Tutorials for SQL injection
  4. Your Code shows that you haven't gone through the general tutorials properly. Reference to the tutorial and if you face problem in your code, then post a question here.

Redirection can be simply done by header() function . header() tutorial

Community
  • 1
  • 1
CyberBoy
  • 740
  • 1
  • 4
  • 30