Here is my form that is using login.php to check if the user is registered, etc.
<form action="login.php" method="post" target="SHOW">
<ul id="login">
<li>
Username:<br />
<input type="text" name="username">
</li>
<li>
Password:<br />
<input type="password" name="password">
</li>
<li>
Submit:
<br />
<input type="submit" name="log in">
</li>
<li>
Register</li>
</ul>
</form>
<iframe id="iframe" name="SHOW" scrolling="no"></iframe>
My dilemma stems with the iframe tags I'm using to display the error messages. If the user is registered I would like to redirect him back to index.php as you can see at the end of the PHP ---> header('Location: index.php');
Problem is that iframe doesn't allow for redirecting. So, I would like to change the target from ---> target="SHOW" to target="_top" or something like that. So, the user is redirected after successfully logging in without using any JavaScript.
My failed attempt at accomplishing this --> $href->removeAttribute('target');
$href->setAttribute("target", "_top");
Here is login.php.
<?php
include 'core/init.php';
if(empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if(empty($username) || empty($password) === true){
$errors[] = 'You need to enter a username and password';
} else if (user_exists($username) === false){
$errors[] = 'We can\'t find that username. Have you registered?';
} else if (user_active($username) === false){
$errors[] = 'You haven\'t activated your account!';
} else {
$login = login($username, $password);
if($login === false){
$errors[] = 'That username/password combination is incorrect';
} else {
$_SESSION['user_id'] = $login;
$href->removeAttribute('target');
$href->setAttribute("target", "_top");
header('Location: index.php');
exit();
}
}
print_r($errors);
}
?>
Since you're POST-ing to the iframe, any action taken by the response will only be valid for the context of the iframe itself, which means that doing a regular HTTP redirection will only change the content of the iframe.
If you want to keep the iframe (which I'd advice against, and instead keep both the error handling and logging in the same controller / file that displays the form), you can redirect by using javascript in your iframe response:
<script type="text/javascript">
parent.location.href = 'http://www.bbc.co.uk/';
</script>
Not pretty, but it works.
Related
So I have a page where when user click on login button, it will open up an iframe popup with a login form. So, if the user submitted the correct username/password, it will redirect the parent page to let say Main.php. However, I wasn't able to achieve this as it keeps on redirecting it in the iframe popup. How do I achieve this? I'm fairly new to php so please clarify your answer.
Here's the code snippet that processes the login. Tell me if you need more. Thank you.
<?php
include '../Initialization.php';
if (empty ($_POST) === false) {
$username = $_POST ['username'];
$password = $_POST ['password'];
if (empty ($username) === true || empty ($password) === true) {
$errors[] = 'You need to enter a username and password!';
} else if (user_exists ($username) === false) {
$errors[] = 'We can\'t find the username you entered. Have you registered?';
} else if (user_active ($username) === false) {
$errors[] = 'You haven\'t activated your account!';
} else {
$login = login($username, $password);
if ($login === false) {
$errors[] = 'That username/password combination is incorrect!';
} else {
$_SESSION['user_id'] = $login;
header("Refresh:0; url=../../Main.php"); //Am I doing anything wrong here?
exit();
}
}
print_r ($errors);
}
?>
The link that will open up the iframe :
<a class='iframe' href="Login.php" style="text-decoration:none; color:#FFF">LET'S GO</a
The login form :
<form action = "Core/System/LoginProcess.php" method="post">
<p>
<input name="username" type="text" class="textBox" id="username2" placeholder = "Username" onblur="this.value=removeSpaces(this.value);"/>
<br />
<br />
<input name="password" type="password" class="textBox" id="password" placeholder = "Password" />
</p>
<p> </p>
<p>
<input name="Login" type="submit" class="loginButton" id="Login" value="Login" />
</p>
</form>
When you press login on my site, the script uses mysqli_real_escape_string and than process the login.
When you are for example at the homepage and you press the login button there, the site goes to this file. if everything goes well, you will be redirected to the begin page but when something goes wrong, you will stay at this page and see a form. The form contains the data you entered before your pressed login. THAT data contains a slash at the end.
I want to remove the slashes by using stripslashes so I created a function called slash to remove them but when you enter the wrong things I still see the slashes.
//the slash function is placed in a previous loaded file
function slash($username, $password){
$password = stripslashes($password);
$username = stripslashes($username);
return $username;
return $password;
}
if(empty($_POST === false)){
$username = $_POST['username'];
$password = $_POST['password'];
//check if the fields are empty
if (empty($username) || empty($password)){
$errors[] = 'You need to enter a username and password';
//check if the username exists
}else if(user_exists($username) === false){
$errors[] = 'We can\'t find that username';
slash($username, $password);
//check if the username is active
}else if(user_active($username) === false){
$errors[] = 'You haven\'t activated your account';
slash($username, $password);
//if none of the previous checks are false, log in
}else{
$login = login($username, $password);
//if username or password is incorrect, display error
if($login === false){
$errors[] = 'That username or password combination is incorrect';
slash($username, $password);
//if everthing is fine, log in
}else{
//set the user session
$_SESSION['user_id'] = $login;
//redirect user to home
header('Location: index.php');
exit();
}
}
}
?>
<html>
<head>
<link rel="stylesheet" href="css/error_login.css"/>
</head>
<body>
<?php
include 'templates/menu/menu.php';
?>
<div class="error_login">
<h3>Login</h3>
<form action="login.php" method="POST">
<div id="login">
username:<br>
<input type="text" name="username" value=<?php echo $username; ?>/><br><br>
password:<br>
<input type="password" name="password" value=<?php echo $password; ?>/><br><br>
<input type="submit" value="Log In"/><br><br>
Register
<ul>
<?php
error_output($errors);
?>
</ul>
</div>
</form>
</div>
<?php
include 'templates/footer/footer.php';
?>
</body>
</html>
edit
input:
username: test
password:
The input is invalid like your see because there is no password so the site will reshow a form with the userinput + an added slash
output:
username: test/
password: ●
In your HTML:
<input type="text" name="username" value=<?php echo $username; ?>/>
You missed the double-quotes to the value attribute:
<input type="text" name="username" value="<?php echo $username; ?>"/>
This is the same for password.
How can I hold the half entered details that a user when attempting to create a user for my webpage?
If, for example, the user only fills out the 'USERNAME' field, I want the error to flag, redirecting them back to the register page, but I want the fields that they previously entered to remain filled.
Any ideas please? :(
The Register Page
<!DOCTYPE html>
<html>
<head>
<title>The Classic - Vintage Cinema Reviews</title>
<link href="CSS.css" rel="stylesheet" type="text/css">
<link rel="shortcut icon" href="favicon.ico">
<meta name="description" content="A unique, ground-breaking website for all things relating to classical cinema. The Classic revolutionises the way that we see classic cinema, and provides the movie goer with an opportunity to find all the reviews they need!">
<meta name="author" content="Stefan Batterbee">
<meta charset="UTF-8">
</head>
<body>
<div id="page">
<header> <?php
session_start();
if(isset($_SESSION['Logged_In']))
{
header('Location: index.php');
}
else
{
echo '<br>';
echo 'You are not logged in!<br>';
echo 'Click here to log in,<br>';
echo 'or register below.';
}
?>
</header>
<nav>
<ul id="navigation">
<li>H O M E </li>
<li>F I L M R E V I E W S </li>
<li>A R T I C L E S</li>
<li>A B O U T U S</li>
</ul>
</nav>
<div id="breadcrumbs">
<a class="link" href="index.php">Home</a> > Register
</div>
<div id="main">
<centre>
<?php
if( isset($_SESSION['ERROR_MESSAGE']) && is_array($_SESSION['ERROR_MESSAGE']) && count($_SESSION['ERROR_MESSAGE']) >0 ) {
echo '<h3 style="color:#F00;">';
foreach($_SESSION['ERROR_MESSAGE'] as $msg) {
echo $msg;
}
echo '</h3><br>';
unset($_SESSION['ERROR_MESSAGE']);
}
?>
<br>
<center><h1>Welcome to The Classic!</h1><br>
<h3>You can create an account below to become an exclusive member of our website.<br>
Just simply fill our your details below, and we will create your account!<br>
<p>If you already have an account, please go to the log in page.</p></h3></center><br><br>
</centre>
<div id="loginbox">
<form method="post" action="regprocess.php">
<h3>Username:</h3>
<input type="text" name="username" value=""/><br>
<h3>Password:</h3>
<input type="password" name="password" /><br>
<h3>Confirm Password:</h3>
<input type="password" name="password2" /><br>
<h3>First Name:</h3>
<input type="text" name="fname" value=""/><br>
<h3>Surname:</h3>
<input type="text" name="lname" value=""/><br><br>
<input type="submit" name="submit" value="Create your account!" /><br><br>
Already a user? Log in <a class="link" href="register.php">HERE</a><br>
</form>
</div><br><br>
</div>
<footer>
<p class="textleft">Created by Stefan Batterbee (2013)</p>
<p class="textright">Click <a class="link" href="https://www.facebook.com/the.classic.cinema.reviews">HERE</a> to access our Facebook page.</p>
</footer>
</div>
</body>
</html>
The Processing Script
<?php
session_start();
include"config.php";
$error_message = array();
$error = false;
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
if($username == '') {
$error_message[] = 'Please enter a username.';
$error = true;
}
if($password == '') {
$error_message[] = 'Please enter a password.';
$error = true;
}
if($password2 == '') {
$error_message[] = 'Please enter a confirmation of your password.';
$error = true;
}
if($fname == '') {
$error_message[] = 'Please enter a first name.';
$error = true;
}
if($lname == '') {
$error_message[] = 'Please enter a last name.';
$error = true;
}
if ($password != $password2)
{
$error_message[] = 'Your passwords did not match, please try again!';
$error = true;
}
if ($username && $password && $password2 && $fname && $lname != '' and $password == $password2) {
$insert = 'INSERT INTO USER(USERNAME, PASSWORD, FIRST_NAME, SURNAME) VALUES("'.$username.'","'.$password.'","'.$fname.'","'.$lname.'")';
}
mysql_query($insert);
header('location: log_in.php');
if($error) {
$_SESSION['ERROR_MESSAGE'] = $error_message;
session_write_close();
header("location: register.php");
exit();
}
?>
In each value spot of each input, echo the posted value of that input.
<h3>Username:</h3>
<input type="text" name="username"
value="<?php if(isset($_POST['username'])) echo $_POST['username']; ?>"/><br>
You check for isset first to see if it is in the post, and if it is, put it back into the input.
EDIT:
I forgot to add that you should do the processing on the same page, rather than doing a redirect. That is what allows the post values to stick around so you can refill them into the form. It will also make it no longer necessary to put your error message into a SESSION variable.
EDIT 2:
As was commented, you can also fill the post into the session. The reason I don't do this is that, if a) the session were hijacked, or b) it's a public computer and someone else sits down at it, the person's registration data would show up again on the registration form. If you choose to set the post values into the session, I strongly suggest that, at the end of printing out the form, you unset all the registration session values. They will be lost on a page refresh, but it's more secure for the user. It's a good idea to do this for your error message also, unless you want that error message to be stuck on the page forever. E.g.:
//after the </form> tag
unset($_SESSION['ERROR_MESSAGE']);
unset($_SESSION['username']);
// ... and so forth for the rest
As per your request:
Using sessions could work better if you're planning on using your code in two seperate pages.
You would first assign your session name to your POST name:
$_SESSION['username'] = $_POST['username'];
then using it inside your input element:
<input type="text" name="username" value="<?php if(isset($_SESSION['username'])) echo $_SESSION['username']; ?>"/>
That's what I use myself. It's another option.
However, using ob_start() is usually required when using sessions, by placing it on top of session_start(); yet required since you are using header(). Not using ob_start(); will result in an headers already sent error message.
For example:
<?php
ob_start();
session_start();
// ...
Footnotes: session_start(); must reside inside all files using the same session(s).
I am using this code to create a secure log in page in PHP. I got it from http://girlswhogeek.com/tutorials/2006/creating-a-secure-php-login-page.
<?php
$username = "user";
$password = "pass";
$randomword = "bibblebobblechocolatemousse";
if (isset($_COOKIE['MyLoginPage'])) {
if ($_COOKIE['MyLoginPage'] == md5($password.$randomword)) {
?>
CONTENT HERE
<?php
exit;
} else {
echo "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
exit;
}
}
if (isset($_GET['p']) && $_GET['p'] == "login") {
if ($_POST['name'] != $username) {
echo "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
exit;
} else if ($_POST['pass'] != $password) {
echo "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
exit;
} else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
setcookie('MyLoginPage', md5($_POST['pass'].$randomword));
header("Location: $_SERVER[PHP_SELF]");
} else {
echo "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
<fieldset>
<label>
<input type="text" name="name" id="name" /> Name
</label>
<br />
<label>
<input type="password" name="pass" id="pass" /> Password
</label>
<br />
<input type="submit" id="submit" value="Login" />
</fieldset>
</form>
It works really well, however, when there is a mistake in the log in information, it switched to a blank page and echos out a message saying the log in information is wrong. I was wondering if there were a way to have it echo to a div on the page with the inputs. I tried putting the relevant echo messages inside a div but it didn't work. I must admit that I don't even know why it's going to a blank page.
Also, is this the best way to do it or is there a way to make it more secure?
Thanks for any rendered assistance.
Benny.
There are 2 issues:
The exit in your code stop the execution of the page so after 'echo-ing' your message, the page stops
If you want to display in a div, set the message in a variable and display it in the div code
Here is an example of your code, re-worked a bit (you might want to adjust):
<?php
$message = NULL;
if (isset($_COOKIE['MyLoginPage'])) {
if ($_COOKIE['MyLoginPage'] == md5($password . $randomword)) {
?>
CONTENT HERE
<?php
exit;
} else {
$message = "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
}
}
if (isset($_GET['p']) && $_GET['p'] == "login") {
if ($_POST['name'] != $username) {
$message = "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
} else if ($_POST['pass'] != $password) {
$message = "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
} else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
setcookie('MyLoginPage', md5($_POST['pass'] . $randomword));
header("Location: $_SERVER[PHP_SELF]");
} else {
$message = "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
<fieldset>
<label><input type="text" name="name" id="name" /> Name</label>
<br />
<label><input type="password" name="pass" id="pass" /> Password</label>
<br />
<input type="submit" id="submit" value="Login" />
</fieldset>
<?php
if (isset($message)) {
echo "<div>" . $message . "</div>";
}
?>
</form>
Are you putting your entire content, including the <html> tags where it says CONTENT HERE?
The only thing that should go there is the secure content, not the whole page. Your boilerplate html, <html><head><title>title</title></head><body> ... </body></html> should go around the whole block of code you posted. The contents of CONTENT HERE only display with a successful login, so anything that isn't secure shouldn't be shown there.
Here's an alternative implementation of a PHP page locker I wrote a long time ago, that may make this more clear.</shameless plug>
You're echoing the result of the login if it fails, but not displaying a page with it. If you want to display the login failed page within your sites design already, I'd recommend sending them back to the login page with the error message. For example:
header("Location: http://website.com/loginpage.php?failed=1");
and then in the login page's code:
if ($_GET['failed'] == '1') echo "Failed to login. Please try again.";
This way if the login fails, they will be sent back to the login page with the error message.
Here's my problem:
I have two forms on the same page.
The first form works fine.
But whenever I click the submit button on the second form, I get two notices.
The first says "undefined index: email" which is referring to "$email = $_POST["email"];" in my coding.
The second says "undefined index: password" which is referring to "$password = $_POST["password"];" in my coding.
I do not want my 2nd form to be affected by all the "if statements" I created for the first form. And I'm going to be creating more "if statements" for the 2nd form soon.
For example, when I hit the submit button on the second form, it's echoing "You need to enter an email and password" which is an error I only wanted applied to the first form.
So MY QUESTION IS: How can I get the forms to only be affected by a specific group of "if statements"? Like in css coding you apply ids, but what would i do to the forms or "if statements" so the "if statements" only affect specific forms?
Here's the coding:
<form action="login.php" method="post">
<ul id="login">
//login information
<li id="loginn">
<input type="submit" value="Log in">
</li>
</ul>
</form>
<form action="" method="post">
<ul id="register">
//register info list items
<li>
<input type="submit" value="Sign up">
</li>
</ul>
</form>
<?php
if (empty($_POST) === false) {
$email = $_POST["email"];
$password = $_POST["password"];
if (empty($email) === true || empty($password) === true) {
$errors[] = "You need to enter an email and password.";
} else if (user_exists($email) === false) {
$errors[] = "The email you entered is not in our records. Have you registered?";
} else if (user_active($email) === false) {
$errors[] = "Go to your email, open the email we sent you,and activate your account.";
} else {$login = login($email, $password);
if ($login === false) {
$errors[] = "That email/password combination is incorrect.";
} else {
$_SESSION['users_id'] = $login;
header('Location: homepage.php');
exit();
}
}
}
if (empty($errors) === false) {
?>
<?php
echo output_errors($errors);
}
?>
You could add a <hidden> form field with the form's name:
<input type="hidden" name="formname" value="form1">
Then, in the PHP, use that to discern the forms:
if ($_POST['formname'] == "form1") {
// ifs for first form
}
(Note there is no error checking whatsoever in this code!)