
If...else statement is not returning what I want it to.

I have the following if...else statement, but I can't seem to figure out why it is not working.  Do you mind taking a look and seeing what I am missing?  Right now I am not getting any errors nor am I getting my friendly error message.
<?php
	session_start;
	
	include("includes/db.php");
	include("includes/constants.php");
	
	if($_POST['image-click']) {
		$username = $_POST['username'];
		$password = md5($_POST['password']);
		
		$findUser = "SELECT username, password
			FROM login
			WHERE password = '" . $password . "'";
		$user = mysql_query($findUser) or die("The error is: " . mysql_error());
		
		if(mysql_num_rows($user) > 0) {
			$_SESSION['username'] = $username;
			header("location:/admin/index.php");
			exit();
		} else {
			$result = "The information you typed in does not match the records in the database.  Please try again.";
		}
	}
?>

0
pingeyeg
Asked:
3 Solutions
 
hieloCommented:
try this:
<?php
      session_start();
      
      include("includes/db.php");
      include("includes/constants.php");
      
      if( isset($_POST['image-click']) && !empty($_POST['image-click'])) {
            $username = $_POST['username'];
            $password = md5($_POST['password']);
            
            $findUser = "SELECT username, password
                  FROM login
                  WHERE password = '" . $password . "'";
            $user = mysql_query($findUser) or die("The error is: " . mysql_error());
            
            if(mysql_num_rows($user) > 0) {
                  $_SESSION['username'] = $username;
                  header("location:/admin/index.php");
                  exit();
            } else {
                  $result = "The information you typed in does not match the records in the database.  Please try again.";
            }
      }
      else
      {
            echo "No image-click submitted";
      }
?>

0
 
darron_chapmanCommented:
session_start;  should be

session_start();

0
 
Roger BaklundCommented:
Line 2, session_start; should be session_start();

Line 21, you are not outputting the message. Add this:

echo $result;
0
 
Roger BaklundCommented:
Line 18 is also wrong, you should include the full URL:

header("Location: http://yourdomain/admin/index.php");
0
 
Roger BaklundCommented:
The user lookup query is weak, what if multiple users have the same password?
$findUser = "SELECT username, password
                  FROM login
                  WHERE username='$username' AND password = '$password'";

0
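Added example, not part of any post in this thread: the username-keyed lookup that the reply above asks for, written with a bound parameter instead of string interpolation and with the MD5 comparison swapped for PHP's `password_hash()`/`password_verify()`. The `login` table and its two columns come from the posted query; the in-memory SQLite database, the `demo` account and the function names are constructed for illustration and assume PHP 7.1+ with `pdo_sqlite`.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP 7.1+ with pdo_sqlite; table and column names from the posted query.

/** Return true only if $username exists and $password matches its stored hash. */
function check_login(PDO $db, string $username, string $password): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);

    // The username is bound as a parameter, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Unknown user: still run one verification so both paths cost about the same.
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $ok && $hash !== false;
}

/** What the login page would do after a successful check (web SAPI only, not called below). */
function start_admin_session(string $username): void
{
    session_start();
    session_regenerate_id(true);          // fresh session id at the privilege change
    $_SESSION['username'] = $username;
    header('Location: /admin/index.php'); // space after the colon, as the thread notes
    exit();
}

// Constructed sample data in an in-memory database (stands in for includes/db.php).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO login VALUES (?, ?)')
   ->execute(['demo', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

$attempts = [
    ['demo', 's3cret-demo'],   // correct pair
    ['demo', 'wrong'],         // wrong password
    ["o'neil", 'whatever'],    // an apostrophe would alter the concatenated query text
    ['', ''],                  // empty form submission
];
foreach ($attempts as [$user, $pass]) {
    $verdict = check_login($db, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-10s => %s\n", var_export($user, true), $verdict);
}
```

Run from the command line, only the first attempt is accepted; in the posted queries the same apostrophe would end the quoted string early, because `$username` is pasted into the SQL as-is.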
 
pingeyegAuthor Commented:
Well this is just plain weird.  I have added the parens to session_start();.  I have added the full URL to the header.  I have added the output if the submit button was not clicked, but I am still not getting sent to the admin home page.
0
 
pingeyegAuthor Commented:
cxr, I can understand where you are coming from, but since this is a test CMS for customers to check out on their own, I only require one username and password for everyone.
0
 
darron_chapmanCommented:
Can you post your login page code?
0
 
pingeyegAuthor Commented:
<?php
      session_start();
      
      include("includes/db.php");
      include("includes/constants.php");
      
      if($_POST['image-click']) {
            $username = $_POST['username'];
            $password = md5($_POST['password']);
            
            $findUser = "SELECT username, password
                  FROM login
                  WHERE password = '" . $password . "' and username = '" . $username . "'";
            $user = mysql_query($findUser) or die("The error is: " . mysql_error());
            
            if(mysql_num_rows($user) > 0) {
                  $_SESSION['username'] = $username;
                  header("Location:http://cms.goodboyweb.com/admin/index.php");
                  exit();
            } else {
                  $result = "The information you typed in does not match the records in the database.  Please try again.";
            }
      } else {
            echo "No image click was submitted";
      }
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
      <title></title>
      <link type="text/css" href="/admin/style/cmsadmin.css" rel="stylesheet">
</head>
<body>
      <div class="wrapper">
            <div class="header">
                  
            </div>
            <div class="admin-top">
                  <img src="/admin/images/admin-top.png">
            </div>
            <div class="admin-middle">
                  <div class="login-position">
                        <div class="login">
                              <div class="login-title">
                                    <?= CMS_LOGIN ?>
                              </div>
                              <div class="login-instructions">
                                    <?= CMS_INSTRUCTIONS ?>
                                          <p><a href="/">Back to home page</a></p>
                              </div>
                              <div class="login-area">
                                    <form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
                                          <table cellpadding="5">
                                                <tr><td>
                                                      Username:
                                                </td><td>
                                                      <input class="login-input" type="text" name="username">
                                                </td></tr>
                                                <tr><td>
                                                      Password:
                                                </td><td>
                                                      <input class="login-input" type="password" name="password">
                                                </td></tr>
                                                <tr><td colspan="2" align="center">
                                                      <button class="button"><img src="/admin/images/enter-btn.png"></button>
                                                      <input type="hidden" name="image-click" value="1">
                                                </td></tr>
                                          </table>
                                    </form>
                              </div>
                              <?php
                                    if(isset($_POST['image-click'])) {
                                          echo "<div class=error>$result</div>";
                                    } elseif(!isset($_POST['image-click'])) {
                                          echo "";
                                    }
                              ?>
                        </div>
                  </div>
            </div>
            <div class="admin-bot">
                  <img src="/admin/images/admin-bot.png">
            </div>
      </div>
</body>
</html>
0
 
hieloCommented:
header("Location: /admin/index.php");

space after the colon. Also add:
echo $result;

in the else clause.
0
 
hieloCommented:
change:
<button class="button"><img src="/admin/images/enter-btn.png"></button>
 
to:
<input type="image" src="/admin/images/enter-btn.png" />

0
 
pingeyegAuthor Commented:
hielo, in your second to last remark, I'm not really following you on that one.  What do you mean by place the $result after the colon?
0
 
darron_chapmanCommented:
Do you have error reporting turned off?  I think there is something else going on. Also, you don't actually need

else {
            echo "No image click was submitted";
      }

(only for testing purposes)
0
 
pingeyegAuthor Commented:
darron_chapman, I realize that.  And yes, error reporting is turned on.
0
 
Roger BaklundCommented:
In the header() function call, there must be a space after "Location:" and before your URL. Full URL is recommended, though relative URL (starting with /admin) will work in most cases.

You are not outputting the error message:

            } else {
                  $result = "The information you typed in does not match the records in the database.  Please try again.";
            }
 
# change this to:
 
            } else {
                  $result = "The information you typed in does not match the records in the database.  Please try again.";
                  echo $result;
            }

0
 
hieloCommented:

<?php
      session_start();
      
      include("includes/db.php");
      include("includes/constants.php");
      
      if( isset($_POST['image-click']) && !empty($_POST['image-click']) ){
            $username = $_POST['username'];
            $password = md5($_POST['password']);
            
            $findUser = "SELECT username, password
                  FROM login
                  WHERE password = '" . $password . "' and username = '" . $username . "'";
            $user = mysql_query($findUser) or die("The error is: " . mysql_error());
            
            if(mysql_num_rows($user) > 0) {
                  $_SESSION['username'] = $username;
                  header("Location: http://cms.goodboyweb.com/admin/index.php");
                  exit();
            } else {
                  $result = "The information you typed in does not match the records in the database.  Please try again.";
                  echo $result;
            }
      } else {
            echo "No image click was submitted";
      }
?>
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
      <title></title>
      <link type="text/css" href="/admin/style/cmsadmin.css" rel="stylesheet">
</head>
<body>
      <div class="wrapper">
            <div class="header">
                  
            </div>
            <div class="admin-top">
                  <img src="/admin/images/admin-top.png">
            </div>
            <div class="admin-middle">
                  <div class="login-position">
                        <div class="login">
                              <div class="login-title">
                                    <?= CMS_LOGIN ?>
                              </div>
                              <div class="login-instructions">
                                    <?= CMS_INSTRUCTIONS ?>
                                          <p><a href="/">Back to home page</a></p>
                              </div>
                              <div class="login-area">
                                    <form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
                                          <table cellpadding="5">
                                                <tr><td>
                                                      Username:
                                                </td><td>
                                                      <input class="login-input" type="text" name="username">
                                                </td></tr>
                                                <tr><td>
                                                      Password:
                                                </td><td>
                                                      <input class="login-input" type="password" name="password">
                                                </td></tr>
                                                <tr><td colspan="2" align="center">
                                                      <input type="image" src="/admin/images/enter-btn.png" />
                                                      <input type="hidden" name="image-click" value="1">
                                                </td></tr>
                                          </table>
                                    </form>
                              </div>
                              <?php
                                    if(isset($_POST['image-click'])) {
                                          echo "<div class=error>$result</div>";
                                    } elseif(!isset($_POST['image-click'])) {
                                          echo "";
                                    }
                              ?>
                        </div>
                  </div>
            </div>
            <div class="admin-bot">
                  <img src="/admin/images/admin-bot.png">
            </div>
      </div>
</body>
</html>

0
 
darron_chapmanCommented:
the asker is outputting the error message here:

if(isset($_POST['image-click'])) {
   echo "<div class=error>$result</div>";
}

there is no need to echo $result right after setting it....
0
 
pingeyegAuthor Commented:
hielo, as of right now when I click on the submit button, I am still getting the error friendly message "No image click was submitted".  I'm no longer getting my other error friendly message stating their information was incorrect.
0
 
Roger BaklundCommented:
This seems to be one file containing both the html form and the php code. There should be no echo statements before the DOCTYPE. Remove "echo $result;" from line 22, and also the echo in line 25.
0
 
pingeyegAuthor Commented:
darron_chapman, the reason I am doing that is to display the error message "Your information was entered incorrectly" if the submit button was clicked and the information was incorrect.
0
 
pingeyegAuthor Commented:
cxr, those echo statements were only for testing purposes.
0
 
Roger BaklundCommented:
When I test your login page now, WITHOUT entering username or password, I get message "The information you typed in does not match the records in the database. Please try again." in a red box below the login box. It is also shown at the top of the page. You do not need those test echo statements anymore.
0
 
hieloCommented:
Try renaming your hidden field. Instead of:
name="image-click"

try:
name="imageClick"

you will need to also change all your
$_POST['image-click'] to $_POST['imageClick']
0
 
pingeyegAuthor Commented:
I just don't see why this is so difficult.  It is a simple login page.  I've done these several times before.  WTF!
0
 
pingeyegAuthor Commented:
cxr, I have taken those extra ones out.
0
 
pingeyegAuthor Commented:
What appears to be happening is the username and password are correct, but the header is not doing its job.
0
 
hieloCommented:
>> but the header is not doing its job.
I suspect that when the page is redirected to admin/index.php, then admin/index.php incorrectly redirects back to the login page, making it seem as though the login page is the one with the problem. Examine admin/index.php
0
 
pingeyegAuthor Commented:
This is the only thing that would make that possible, but it appears to be correct.  I took out the absolute URL only for anonymity's sake.
session_start();
 
if(!isset($_SESSION['username'])) {
	header("Location:/admin/login.php");
    exit();
}
 
if(!isset($_SESSION['session_count'])) {
	$_SESSION['session_count']=0;
    $_SESSION['session_start']=time();
} else {
    ++$_SESSION['session_count'];
} 
 
$session_timeout = 10000;
 
if(time() - $_SESSION['session_start'] > $session_timeout) {
	header("Location:/admin/logout.php");
    exit();
}
 
$_SESSION['session_start'] = time();

0
 
pingeyegAuthor Commented:
Apparently I did have something to do with the index.php page.  I removed everything off of it and just placed some text and it went through just fine.  Thanks for everyone's help.  I will be awarding the ones who gave the correct answer.
0
