Hi all,

I am trying to create a small login system, but so far I suck at it.

I have a form in one page.
It contains only: EMAIL, PASSWORD.

I want to do this:
When the form has been submitted to the processing page, I am trying to check, if the email and password has been filled out.
IF they havent, or just one of them havent, I want to store an error message in a session, to use to display an error back on the form page.
So I want to return false/redirect to the form again, and display the error message stored in the session, into the form field.

I know I am doing it wrong, so please be kind :-)

This is my processing page:

<?php
session_start();
require_once ("../mysql/connection.php");

$email = '';
$password = '';

// validate email
if(filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)){
$email = mysqli_real_escape_string($connection, $_POST['email']);
echo '<p>Valid email.</p>'; // Used for testing
} else{
    if(empty($_POST['email'])){
    $_SESSION['email'] = '<p>Not valid email.</p>';
  }
}
// validate password
if(!empty($_POST['password'])){
$password = mysqli_real_escape_string($connection, $_POST['password']);	
echo 'You entered a password'; // Used for testing
} else {
     if(empty($_POST['password'])){
     $_SESSION['password'] = '<p>Enter a password.</p>';	
   }
}

// If no mistakes, look for user and pass in DB
$query = "SELECT email, pass FROM users WHERE
email='$email' AND pass='$password'";
$result = mysqli_query($connection, $query);	

// if ONE match is found - store username in session
if(mysqli_num_rows($result) == 1){
$row = mysqli_fetch_array($result, MYSQLI_NUM);	
$_SESSION['username'] = $row['username'];
if($row['type'] == 'admin')$_SESSION['user_name'] = true;
header("location:login_form.inc.php");
}  // END mysql_num_rows IF-ELSE Statement

This is my form page:

<form action="login.inc.php" method="post" name="login_form" accept-charset="utf-8">
<p>
<label for="email"><strong>Email Addresse:</strong></label>
<br />
<!-- Below, I want to display the error, stored in the $_SESSION['email'], but only if it has a value, an actualn error occured -->
<input type="text" name="email" id="email" value="<?php if(!empty($_SESSION['email']))echo $_SESSION['email']; ?>"/>
<br />
<label for="password"><strong>Password:</strong></label>
<br />
<input type="password" name="password" id="password" value="<?php if(!empty($_SESSION['password']))echo $_SESSION['email']; ?>"/>
<a href="glemt_password.php" align="right">Forgot Password?</a><br />
<input type="submit" value="&nbsp;Login&nbsp;&rarr;&nbsp;">    
</p>
</form>

This is really not working....The processing code doesnt even execute.

I thought I could use a header location:blah blah..And the use the session data, in the form.
Isnt that idea in general ok?
I am trying to avoid ajax so far, just to get to know php and sessions better.

Can it be done thinking this way?

Jan

What does the code returns ? Is any errors or what ? Echo the value pass via form first and ensure that the data are correct. Need more clear detail.

Thanks for looking at the post!

I did another way, but I would be happy to get comments on this approach.

Is it good/secure, or bad or is it just fine?
I processed the form on the same page, by tjecking in the top of the page if teh request has been a $_POST, and then I included the processing file, like this:

Form page: (The variables used for validation, is made in processing script.)

<?php
// Include form processing script IF there has been made a submit request on 
// the page 
if($_SERVER['REQUEST_METHOD']=='POST'){
	include("login.inc.php");	
}
?>
<!DOCTYPE HTML>
<form action="login_form.inc.php" method="post" name="login_form" accept-charset="utf-8">
<p>
<label for="email"><strong>Email Addresse:</strong></label>
<br />
<input type="text" name="email" id="email" /> 
<?php if(isset($_POST['submit'])&&(!empty($email_field_blank))) 
echo $email_field_blank;
if(isset($_POST['submit'])&&(!empty($email_field_not_valid))) 
echo $email_field_not_valid;
?>
<br />
<label for="password"><strong>Password:</strong></label>
<br />
<input type="password" name="password" id="password" />
<?php if(isset($_POST['submit'])&&(!empty($password_field_blank))) 
echo $password_field_blank; ?>
<br />
<?php
if(isset($_POST['submit']) && ($count!=1)){
// Meaning no rows in DB matched email AND Password
if(filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) if(!empty($_POST['password'])){ 
echo 'Email and Password doesnt match, try again!<br/>';
    }
}
?>
<input type="submit" name="submit" value="&nbsp;Login&nbsp;&rarr;&nbsp;">
<a href="glemt_password.php">Forgot Password?</a>    
</p>
</form>
</div>

In the form processing script, included in the top, IF there has been made a $_POST request, looks like this:

require_once ("../mysql/connection.php");
$email ='';
$password ='';

if(isset($_POST['submit'])){
// Form validation of email

if(empty($_POST['email'])){
$email_field_blank = 'Email is empty';	
} else{
if(!filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)){
$email_field_not_valid = 'Entered Email was not valid, try again!';
	}
}
// Form validation of password
if(empty($_POST['password'])){
$password_field_blank = 'Password skal udfyldes';
	}
}

// Tjeck values from DB, and redirect to Index if there is a match
$email= $_POST['email'];
$password=$_POST['password'];

// Protect against mysql injection
$email = stripslashes($email);
$password = stripslashes($password);
$email = mysqli_real_escape_string($connection, $email);
$password = mysqli_real_escape_string($connection, $password);

$sql="SELECT email, username FROM users WHERE email='$email' and pass='$password'";
$result=mysqli_query($connection, $sql);

// Mysql_num_row counting the rows
$count=mysqli_num_rows($result);
// IF $result matched $email, $password, table row must be 1 row

if($count==1){
// Register $email, $password and redirect to file "../index.php"
session_register("email");
session_register("password"); 
session_register("username"); 
header("location:../index.php");
}

Next question, How do I create a session, so that I can include it on the pages I want to protect,

I have written: session_register blah blah..

Is that how it is done?

Any comments on this approach will be appreciated, as I havent made a login, and validated much before.

Thanks.

Update:

In line 18 on the processing script:

Do I need to return false; to do it correct, and the script doesnt contibue after the validation?

I haveent done this, and it is not submitting (It is working anyways)!?

If i write return false; it still works..

Anyone knows if that should be included or not, to make the code "better"?

What is the difference of 'login.inc.php' and 'login_form.inc.php'? Aren't they same ? If they are have the same functions, you don't need to include the 'login.inc.php'. The login will be process in 'login_form.inc.php' when the form was submitted even if you included 'login.inc.php' on the top because your form points 'login_form.inc.php'.

In line 18 on the processing script:
Do I need to return false; to do it correct, and the script doesnt contibue after the validation?
I haveent done this, and it is not submitting (It is working anyways)!?
If i write return false; it still works..

You shouldn't use 'empty()' for string. See more detail here.

Next question, How do I create a session, so that I can include it on the pages I want to protect

You must write 'session_start()' on the very top of the file before processing any PHP scripts. Put 'session_start()' in the file where you want to create and use.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.