  1. #1
    Join Date
    Aug 2003
    Location
    Colorado
    Posts
    10

    Unanswered: help with forms and variables

    OK guys, I am a programmer but this is my first foray into PHP. I have a friend who already had a site written in PHP. The hosting company needed to move servers, so the thought was we should be able to recreate the database and, pow, it would work. Not so; I think it was written in an older version of PHP. That aside, I managed to work through many variable problems, but this one has got me stumped. I'm not sure why it was written this way, and it seems the page calls itself. No matter, I can never get the login to be acknowledged; it just repaints the login screen as if it never tests for valid login, password information. I changed the form from a POST to a GET and I know the variables are being assigned correctly, but it just never seems to get to the if's to prove it. Any help would be greatly appreciated as this is holding up the site.
    Here is the code. It is called admin.php, and you'll notice that is the same name used in the form. Thanks in advance for any help; I'm losing hair over this one.

    <?

    //Let's make a database connection, eh?
    $Host = 'localhost';
    $User = 'username';
    $Password = 'password';
    $DBName = 'database';

    $Link = mysql_connect ($Host, $User, $Password);
    //connected
    function Verify($name, $password){
    if ($name=='admin' && $password=='wordpass'){
    setcookie("loggedin", "true");
    //include("header.php");
    global $loggedin;
    $loggedin="true";
    }
    }

    Verify($name, $password);
    if ($loggedin=='true') {
    include("header.php");
    print("<H1>Administrative Pages</H1>");
    print("here");
    ?>
    <!--Begin logged-in material-->
    <H2>Horses</H2>
    <TABLE BORDER=1 CELLSPACING=5>
    <?
    $Query = "SELECT * FROM horse;";
    $Result = mysql_db_query($DBName, $Query, $Link);
    while ($Row = mysql_fetch_array($Result)) {
    print("<TR>\n<TD>$Row[Name]</TD>\n<TD><DIV CLASS=\"caption\"><A HREF=\"edithorse.php?horse=$Row[HorseID]\">Edit Horse</A></DIV></TD>
    <TD><DIV CLASS=\"caption\"><A HREF=\"removehorse.php?horse=$Row[HorseID]\">Remove Horse</A></DIV></TD></TR>");
    }
    ?>
    </TABLE>
    <A HREF="addhorse.php"><DIV CLASS="caption">Add New Horse</DIV></A>
    <H2>Saddles</H2>
    <TABLE BORDER = 1 CELLSPACING=5>
    <?
    $Query = "SELECT * FROM saddle";
    $Result = mysql_db_query($DBName, $Query, $Link);
    while ($Row = mysql_fetch_array($Result)) {
    print("<TR>\n<TD>$Row[Color] by $Row[Brand]</TD>\n<TD><DIV CLASS=\"caption\"><A HREF=\"editsaddle.php?saddleID=$Row[saddleID]\">Edit Saddle</A></DIV></TD>
    <TD><DIV CLASS=\"caption\"><A HREF=\"removesaddle.php?saddleID=$Row[saddleID]\">Remove Saddle</A></DIV></TD></TR>");
    }
    ?>
    </TABLE>
    <A HREF="addsaddle.php"><DIV CLASS="caption">Add New Saddle</DIV></A>

    <?
    }else{ //corresponds to if statement on appx. line 11
    include("header.php");
    print("<H1>Administrative Pages</H1>\n<P>");
    if($submitted){
    print("<FONT COLOR='#FF0000'>Login Failed</FONT>&nbsp;-- ");
    }
    ?>
    Please login.</P>
    <FORM ACTION="admin.php" METHOD="GET">
    <TABLE>
    <TR>
    <TD>User:</TD>
    <TD><INPUT TYPE="TEXT" NAME="name"></TD>
    </TR>
    <TR>
    <TD>Password:</TD>
    <TD><INPUT TYPE="PASSWORD" NAME="password"></TD>
    </TR>
    <TR>
    <TD COLSPAN=2><CENTER><INPUT TYPE="SUBMIT" VALUE="Log In"></CENTER></TD>
    </TR>
    </TABLE>
    <INPUT TYPE="HIDDEN" NAME="submitted" VALUE="true">
    </FORM>
    <?
    }
    include("footer.php");
    mysql_close($Link);
    ?>

  2. #2
    Join Date
    Aug 2003
    Posts
    32
    Are globals turned off? I would assume that $name and $password will always be null because POSTing and GETting isn't creating global variables for you. Do you need:

    PHP Code:
    $name = $HTTP_GET_VARS["name"];
    $password = $HTTP_GET_VARS["password"];
    before calling Verify?

  3. #3
    Join Date
    Aug 2003
    Location
    Colorado
    Posts
    10

    thanks will try it tonight

    I did read a bit on this last night after posting but need to research some more. I will try tonight and hopefully it will cure one of many problems. I am assuming the difference in versions might be the culprit as it has already shown to be a problem.
    Do I just add this at the top of the script?

    Thanks so much for taking the time to respond. Again, I am a programmer, but PHP is a new language and learning the details is always the problem.

    Terri

  4. #4
    Join Date
    Oct 2003
    Posts
    706


    Here's what is probably the problem...

    Let's say that you are interacting with a PHP-generated web page that has built a form on your browser screen. You've filled it out and pressed the submit-button. You notice, also, that at the URL-entry area on your browser screen the URL looks like: www.foobar.com?foo=bar&sun=moon

    When you submit the data to the web-page, two complete sets of "variables" are supplied by your browser, interpreted by PHP, and made available to your script. They are:
    • The POST variables, which are the fields you entered on the form and their values; and...
    • The GET variables, which are two: "foo" has the value "bar", and "sun" has the value "moon." (See the underlined text in the URL fragment above.)

    Now, originally, PHP shipped with the option REGISTER_GLOBALS = ON which means that it will "helpfully" create a global variable for every POST variable and for every GET variable. "Convenient, yes, but in these days and times, prohibitively risky." Why? Because a Nasty Person could set the value of any variable within that script, simply by adding it to the HTML stream! By guessing the names of variables you might use, like is_admin, said Nasty Person could be very Nass-ss-sty indeed. Simply by altering the web-page request string, the user might break your site security wide open, viz: www.foobar.com?foo=bar&sun=moon&is_admin=1

    Consequently, the REGISTER_GLOBALS option now defaults to OFF. You should leave it that way. Now, to access the GET or POST variables, you must obtain them specifically from the PHP "super-global" arrays, $_GET and $_POST (or $_REQUEST).
    ChimneySweep(R): fast, automatic
    table repair at a click of the
    mouse! http://www.sundialservices.com
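
An added example (not code from the thread) of the point made in post #4, applied to the `$loggedin` flag in admin.php: `legacy_is_logged_in()` emulates REGISTER_GLOBALS = ON with `extract()`, while `verify_login()` reads only the named fields and initialises the flag itself. The function names, the constants and the request arrays are constructed for illustration.

```php
<?php
// Added example: constructed request data, not a real HTTP request.
// ADMIN_USER / ADMIN_HASH are hypothetical; the hash would normally come from config.
const ADMIN_USER = 'admin';
define('ADMIN_HASH', password_hash('wordpass', PASSWORD_DEFAULT));

// Emulates register_globals = On: every request key becomes a variable
// in the scope that later makes the authorization decision.
function legacy_is_logged_in(array $request): bool
{
    extract($request);                 // what register_globals did implicitly
    if (isset($name, $password) && $name === 'admin' && $password === 'wordpass') {
        $loggedin = 'true';
    }
    // $loggedin is never initialised here, so a request key of that name survives.
    return isset($loggedin) && $loggedin == 'true';
}

// Hardened: read only the named fields, initialise the flag, compare safely.
function verify_login(array $post): bool
{
    $loggedin = false;                 // explicit default, cannot be preset by the client
    $name     = isset($post['name']) && is_string($post['name']) ? $post['name'] : '';
    $password = isset($post['password']) && is_string($post['password']) ? $post['password'] : '';
    if (hash_equals(ADMIN_USER, $name) && password_verify($password, ADMIN_HASH)) {
        $loggedin = true;
    }
    return $loggedin;
}

// Constructed request arrays standing in for $_GET / $_POST.
$cases = [
    'valid credentials' => ['name' => 'admin', 'password' => 'wordpass'],
    'wrong password'    => ['name' => 'admin', 'password' => 'guess'],
    'injected flag'     => ['loggedin' => 'true'],
];
foreach ($cases as $label => $request) {
    printf("%-18s legacy=%-5s hardened=%s\n", $label,
        var_export(legacy_is_logged_in($request), true),
        var_export(verify_login($request), true));
}
```

On a real page the result of `verify_login($_POST)` would be kept in `$_SESSION` rather than in a `loggedin` cookie, because a cookie value is supplied by the client just like a GET or POST field.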

  5. #5
    Join Date
    Aug 2003
    Location
    Colorado
    Posts
    10

    I &_GET it!!!

    Thanks a bunch, got that page up and running; now on to the next.
    Nothing like learning a new language from the inside out.

    I'm sure I'll be back for more.

    Thanks again
    Terri
