I'm trying to make a simple login page to grant access to my form pages. I don't want anything fancy, just a simple name and password match to grant access. What I have grants access no matter what is typed in, and I don't understand why.

Any help would be appreciated. Here's the code:

Hendo

<html>
<head>
<link rel="stylesheet" type="text/css" href="fh.css" />
</head>
<body>
<form action='forms.php' method='post'>
Username: <input type='text' name='user'><BR>
Password: <input type='password' name='pass'><BR>
<input type='submit' value='Login'>
</form>

<?php 
$user="";
$pass="";

// this variable is anything you enter in the uname and password fields
$user=$_POST['user'];
$pass=$_POST['pass'];

// authenticate
if (($user=="Enter") && ($pass=="12345")) echo "Access Granted";
else echo "Access Denied";
?>
<input type="submit" value="Login" name="login">
</form>

<?php
if(isset($_POST['login'])){
  $user=addslashes($_POST['user']);
  $pass=addslashes($_POST['pass']);

   if ($user=="Enter" && $pass=="12345"){
      echo "Access Granted";
   }else{
      echo "Access Denied";
   }
}
?>

That *should* work I think. However, I would encourage you to use a DB-based login system.

<html>
<head>
<link rel="stylesheet" type="text/css" href="fh.css" />
</head>
<body>

<?php 

if (isset($_POST['user']) && isset($_POST['pass'])) {

$user="";
$pass="";

// this variable is anything you enter in the uname and password fields
$user=$_POST['user'];
$pass=$_POST['pass'];

// authenticate
if (($user=="Enter") && ($pass=="12345")) echo "Access Granted";
else die("Access Denied");

}
?>

<form action='forms.php' method='post'>
Username: <input type='text' name='user'><BR>
Password: <input type='password' name='pass'><BR>
<input type='submit' value='Login'>
</form>

maybe?

No, I still get the same problem. Doesn't matter if I put in a username and password or if I don't, it still advances to the forms page

Hendo

Nope. Same thing. I don't even have to enter anything and it still advances to the forms page.

You need to save it in a session.

eg:

<html>
<head>
<link rel="stylesheet" type="text/css" href="fh.css" />
</head>
<body>
 
<?php 

session_start();
 
if(isset($_POST['login'])){
  $user = $_POST['user'];
  $pass = $_POST['pass'];
 
   if ($user == "Enter" && $pass == "12345"){
      echo "Access Granted";
      $_SESSION["remember"] = "yay";
   }else{
      echo "Access Denied";
   }
}
?>
 
<form action='forms.php' method='post'>
Username: <input type='text' name='user'><BR>
Password: <input type='password' name='pass'><BR>
<input type='submit' value='Login' name='login'>
</form>

Then put this at the top of all your restricted pages:

<?php 
session_start();
if (empty($_SESSION["remember"]) || $_SESSION["remember"] != "yay"){
header("HTTP/1.0 404 Not Found");
session_destroy();
exit;
}
?>

Okay, this is close. I'm getting a session error though:

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/html/lin.php:13) in /home/html/lin.php on line 18"

Line 18 is the <?php session_start(); line.

edited: Nope...it still lets everything through...even with the session start errors.

I assumed that the code you posted was the forms.php page. My apologies.

Sorry man. Did I not post it correctly? The code that I posted was what I have for the login page. The forms page is just an html menu page to the individual forms. Do you need that posted?

I don't understand why you have the $_POST variables in the page along with the form when you're posting the form to a different page (forms.php).

Page with the form:

<form action='data_page.php' method='post'>
Username: <input type='text' name='user'><BR>
Password: <input type='password' name='pass'><BR>
<input type='submit' value='Login' name='login'>
</form>

Page that accepts the form data:

<?php
// Runs only when the submit button named 'login' was posted
if(isset($_POST['login'])){
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    if ($user == "Enter" && $pass == "12345"){
        echo "Access Granted";
    }else{
        echo "Access Denied";
    }
}
?>

You don't need to use a SESSION unless you are using multiple "member only" pages (correct me if I'm wrong please). In general though, using SESSIONS is a good idea for obvious security reasons.

Yikes! Then obviously, I'm doing something seriously wrong. Ok...let's attack this from a different angle then. Let's say there are two web pages. Page 1 is nothing but a simple login page. We enter a username and password. A correct username and password allows access to page two, and an incorrect username and password redirects to an error page. Page two is nothing but an html link page.

If I don't have to use the $_POST, then should I just be able to use a standard if statement with pre-defined variables?

I'm sorry for all the confusion. I really do appreciate the assistance.

hendo

OK, let's boil it down:

You can have a login.php file (just the form) as an include file, so that any url within your site will display it if a user is not logged in. Alternatively, all pages should redirect via header() to the login.php page if nobody is logged in.

If somebody links to the login page but they are already logged in, you can have them redirected to the main page (index.php?).

Hope that makes sense.

The form in the login.php file should be sent to a separate formhandler.php file - it's never a good idea to send a form to itself - it causes all sorts of problems with page refreshes and back buttons.

The formhandler.php file should check the data and compare it against set values or DB details. The result of which will be 'success' or 'fail'. Here you use the $_POST and $_POST variables to check.

On success, the user should be redirected to the main page (index.php). Else, the user gets redirected to the login.php page with a querystring like login.php?attempt=fail . You display an error message if $_GET is set.

That's a simplistic login. You said that you just want a simple one, so for me, that's the bare bones. If I were to build a more robust system, I'd definitely use a DB, sanitization of input data and possibly the use of session data to repopulate the form on fail.

Make sense?
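
The flow outlined in the post above, as an added example that is not part of the original thread: formhandler.php checks the POST and redirects, and every restricted page calls a guard before it sends any output. `check_login()`, `require_login()` and the `logged_in` session key are hypothetical names; the credentials are the thread's sample values, hashed at run time for the demo.

```php
<?php
// Added example. login.php, formhandler.php and index.php follow the post above;
// check_login(), require_login() and 'logged_in' are hypothetical names.
// Demo only: the thread's sample credentials, hashed at run time. In a real
// deployment store the output of password_hash() and never the password itself.
const DEMO_USER = 'Enter';
$demoHash = password_hash('12345', PASSWORD_DEFAULT);

// Decide where a login POST should be redirected. No output, no headers.
function check_login(array $post, string $user, string $hash): string
{
    $u = $post['user'] ?? '';
    $p = $post['pass'] ?? '';
    if (!is_string($u) || !is_string($p)) {   // user[]=x arrives as an array
        return 'login.php?attempt=fail';
    }
    // Run both checks so a wrong username is not rejected faster than a wrong password.
    $okUser = hash_equals($user, $u);
    $okPass = password_verify($p, $hash);
    return ($okUser && $okPass) ? 'index.php' : 'login.php?attempt=fail';
}

// First line of every restricted page: send visitors without a session to the form.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // must run before any HTML is sent
    }
    if (empty($_SESSION['logged_in'])) {
        header('Location: login.php');
        exit;                         // without this the page body is still sent
    }
}

if (PHP_SAPI === 'cli') {             // command-line run with constructed sample input
    var_dump(check_login(['user' => 'Enter', 'pass' => '12345'], DEMO_USER, $demoHash));
    var_dump(check_login(['user' => 'Enter', 'pass' => 'wrong'], DEMO_USER, $demoHash));
    exit;
}
// formhandler.php body: nothing is echoed before the redirect.
session_start();
$target = check_login($_POST, DEMO_USER, $demoHash);
if ($target === 'index.php') {
    session_regenerate_id(true);      // new session id once the user is authenticated
    $_SESSION['logged_in'] = true;
}
header('Location: ' . $target);
exit;
```

Calling `require_login()` as the first statement of forms.php is what stops the page from loading for anyone who has not posted valid credentials. `session_start()` has to run before any HTML is emitted, which is the cause of the "headers already sent" warning quoted earlier in the thread.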

Then obviously, I'm doing something seriously wrong. Ok...let's attack this from a different angle then.

Have you tried copying and pasting the code already given, seeing if it works, and then walking through it to see how it works?
