I have this code that logs in a user (if the username/password is found in a database). The code worked, until I added a hyperlink on the button... (I think this is because the button 'moves' you (redirects you) before it does the code before -check if username/password match database.) Is there any way to fix this? -get it to work with hyperlink? The code below may be completely wrong now...

    <form id="form1" name="form1" method="post" action="http://mountgame.com/zombie/main.php">
      <label></label>
      <label>
        <input name="textbox" type="text" id="textbox" value="" size="15" />
      </label>
      <input name="password" type="password" id="password" size="15" />
      <input type="submit" name="Submit" id="Submit" value="Submit" />
    </form>
    <?php
    }
    if (isset($_POST['Submit'])) {
        $loggeduser = $_POST['textbox'];
        $loggedpass = $_POST['password'];
        $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
        $numrows = mysql_num_rows($result);
        if ($numrows == 0) {
            echo "Invalid username or password, please re-enter...";
        }
    }

Any working variation is good. Thanks a lot, James

Where is the hyperlink that you mean? Just for your information, it would be better if you wrote your code like this:

    if (isset($_POST['Submit'])) {
        $loggeduser = (!empty($_POST['textbox'])) ? strip_tags(trim($_POST['textbox'])) : null;
        $loggedpass = (!empty($_POST['password'])) ? strip_tags(trim($_POST['password'])) : null;
        if (!empty($loggeduser) && !empty($loggedpass)) {
            $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
            $numrows = mysql_num_rows($result);
            if ($numrows == 0) {
                echo "Invalid username or password, please re-enter...";
            } else {
                echo "VALID username and password...";
            }
        } else {
            echo "Please enter your username and password!";
        }
    }

I mean the hyperlink (button) -the action="http://mountgame.com/zombie/main.php", it redirects you before doing the code =/ Is there a way to fix this?

    <form id="form1" name="form1" method="post" action="http://mountgame.com/zombie/main.php">
      <input name="textbox" type="text" id="textbox" value="" size="15" />
      <input name="password" type="password" id="password" size="15" />
      <input type="submit" name="Submit" id="Submit" value="Submit" />
    </form>
    <?php
    }
    if (isset($_POST['Submit'])) {
        $loggeduser = $_POST['textbox'];
        $loggedpass = $_POST['password'];
        $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
        $numrows = mysql_num_rows($result);
        if ($numrows == 0) {
            echo "Invalid username or password, please re-enter...";
        }
    }
    ?>

First of all SANITIZE YOUR VALUES THAT YOU WILL WORK WITH DATABASES!! You have a classic SQL injection and you will be hacked... To sanitize the values, use the mysql_real_escape_string() function. Try this code:

    <form id="form1" name="form1" method="post" action="http://mountgame.com/zombie/main.php">
      <input name="textbox" type="text" id="textbox" value="" size="15" />
      <input name="password" type="password" id="password" size="15" />
      <input name="do_insert" type="hidden" value="TRUE" />
      <input type="submit" name="Submit" id="Submit" value="Submit" />
    </form>
    <?php
    }
    if (!empty($_POST['do_insert'])) {
        // Escape both values before they are placed inside the quoted SQL strings
        $loggeduser = mysql_real_escape_string($_POST['textbox']);
        $loggedpass = mysql_real_escape_string($_POST['password']);
        $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
        $numrows = mysql_num_rows($result);
        if ($numrows == 0) {
            echo "Invalid username or password, please re-enter...";
        }
    }
    ?>

OK, I have no idea what that does, but still the code does not work after =/ -the PHP code after clicking the form button. Can anyone fix this?
What do you mean when you say "doesn't work"? What appears after you click the submit button?
No, it's a login form on index.php, I want it to redirect you onto main.php, so can you fix it? Or if you know a better way? -like keep it on the same page but make the textbox/button go invisible...
    <form id="form1" name="form1" method="post" action="index.php">
      <input name="textbox" type="text" id="textbox" value="" size="15" />
      <input name="password" type="password" id="password" size="15" />
      <input name="do_insert" type="hidden" value="TRUE" />
      <input type="submit" name="Submit" id="Submit" value="Submit" />
    </form>
    <?php
    }
    if (!empty($_POST['do_insert'])) {
        $loggeduser = mysql_real_escape_string($_POST['textbox']);
        $loggedpass = mysql_real_escape_string($_POST['password']);
        $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
        $numrows = mysql_num_rows($result);
        if ($numrows == 0) {
            echo "Invalid username or password, please re-enter...";
        } else {
            session_start();
            $row = mysql_fetch_array($result);
            // Array keys use the same case as the column names in the query
            $_SESSION['username'] = $row['Username'];
            $_SESSION['password'] = $row['Password'];
            header("location: main.php");
        }
    }
    ?>

I haven't tested it, but I think it should work... Attention, this is not a good idea for a login system!!!! You must verify on EVERY page if the $_session['username'] and $_session['password'] are correct. And another thing is that it is not a good idea to save the password not crypted in the database. To encrypt the password, use the sha1() function.

Then you should not put main.php as the form action. Validate the form in index.php first and redirect users to main.php when it's done. Like the post above.
Maybe you should not put main.php as the form action. Validate the form in index.php first and redirect users to main.php when it's done.
Ah thanks, OK, I never knew a redirection worked -or never knew there was such a thing. And yeah, this is a basic login. I'll encrypt data and verify _SESSION user/pass on each page when I finish the rest of the site.
Hmmm, appears not to be working...

    Warning: Cannot modify header information - headers already sent by (output started at /home/mountgam/public_html/zombie/index.php:9) in /home/mountgam/public_html/zombie/index.php on line 34

=/ Any fixes?

    Warning: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively in Unknown on line 0

=/ So I'm not using the ob_start(); Any fixes for header ("location: example.php") after an HTML bit/form?

OK, I haven't read all the thread but it was really easy to spot what you did wrong, I doubt anyone that didn't tell you it earlier don't know shit about PHP. This code:

    <?php
    }
    if (!empty($_POST['do_insert'])) {
        $loggeduser = mysql_real_escape_string($_POST['textbox']);
        $loggedpass = mysql_real_escape_string($_POST['password']);
        $result = mysql_query("SELECT * FROM `Zombie` WHERE `Username` = '$loggeduser' AND `Password` = '$loggedpass'");
        $numrows = mysql_num_rows($result);
        if ($numrows == 0) {
            echo "Invalid username or password, please re-enter...";
        }
    }
    ?>

Should be on this page: http://mountgame.com/zombie/main.php That's all.
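
The "headers already sent" warning and the SQL injection raised in this thread have one structural fix, shown here as an added example that is not part of any post: handle the login before the first byte of HTML, so session_start() and header() can still send headers. It swaps the thread's mysql_* calls and sha1() for PDO prepared statements and password_hash()/password_verify(); the in-memory SQLite table, its PasswordHash column, the sample account and the function names are constructed for the demo.

```php
<?php
// index.php (added example): all login logic runs before any HTML output.

// Assumption: an in-memory SQLite table with one constructed account stands
// in for the thread's MySQL `Zombie` table so the example runs offline.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Zombie (Username TEXT PRIMARY KEY, PasswordHash TEXT)');
    $db->prepare('INSERT INTO Zombie VALUES (?, ?)')
       ->execute(['james', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the stored username on success, null on any failure.
function check_login(PDO $db, $user, $pass): ?string {
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;                       // missing fields or array-valued input
    }
    // The placeholder keeps user input out of the SQL text, so quotes in the
    // username cannot change the query.
    $stmt = $db->prepare('SELECT Username, PasswordHash FROM Zombie WHERE Username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['PasswordHash'])) {
        return null;
    }
    return $row['Username'];
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = check_login(demo_db(), $_POST['textbox'] ?? null, $_POST['password'] ?? null);
    if ($user !== null) {
        session_start();                   // sends a cookie header: needs no prior output
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['username'] = $user;     // keep the identity, not the password
        header('Location: main.php');
        exit;                              // stop here so the form is not rendered
    }
    $error = 'Invalid username or password, please re-enter...';
}
?>
<form id="form1" name="form1" method="post" action="index.php">
  <?= htmlspecialchars($error) ?>
  <input name="textbox" type="text" id="textbox" size="15" />
  <input name="password" type="password" id="password" size="15" />
  <input type="submit" name="Submit" id="Submit" value="Submit" />
</form>
```

main.php would call session_start() at its very top and send the visitor back to index.php when $_SESSION['username'] is not set.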