
tominated

macrumors 68000
Original poster
Jul 7, 2006
1,723
0
Queensland, Australia
I am having a bit of trouble with following a tutorial at http://www.upgradetheweb.com/2007/07/31/building-your-own-myspacecom-with-phppart-i-introduction/ . It doesn't really explain where to put the code or anything, so there is the possibility that everything is completely wrong. What the problem is, is that when I log in, the page just refreshes (it sort of works, cos when I just type random letters into the box, it says that it doesn't exist). And I can't for the love of god get the edit function to work. I have the DbConnector.php and Dbvars.php working. Here is the code for the other pages:

signup.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

	<title>untitled</title>
	
</head>

<body>

<div id="container">

	<div id="header">
		<h1>jpex</h1>
		<h2>sign up</h2>
	</div><!-- End Header -->

	<div id="contentcontainer">
		<div id="sidebar">
			
		</div><!-- End Sidebar -->
		<div id="content">
			
			<?php
			// Check if the form has been submitted
			if(isset($_GET["submit"]))
			{
				if(isset($_POST["username"]) && isset($_POST["password"]))
				{	
					//Username or password is not blank
					if($_POST["username"]!="" && $_POST["password"]!="")
					{ // Everything is ok add the user to the database

						// Connect to the database
						require_once("classes/DbConnector.php");   // Include the database class
						$db = new DbConnector();               // Create an instance of the database class
						$db->connect();                               // Connect to the database
						$query = "SELECT * FROM members WHERE username='".$_POST["username"]."'";
						$result = $db->query($query);
						$result = mysql_num_rows($result);

						if($result!="0")
							echo "Username already exists!";
						else 
						{ 
							// Create a query that inserts the data from the form to the database
							$query = "INSERT INTO members(username,password) VALUES('".$_POST["username"]."','".$_POST["password"]."')";

							$result = $db->query($query);
							echo "Signed up succesfully you can now <a href=\"login.php\">log in</a>";
						}
					}
					else 
					{
						echo "Error: No username or password supplied, try again.";
					}

				}
				else 
					echo "Error: please fill in the <a href=\"signup.php\">signup form</a>";
			}
			?>
			
			<form action="signup.php?submit" method='POST'>
				<fieldset>
					<legend>Login Details</legend>
					<p>Username: <input name='username' size='25' maxlength='25' /></p>			
					<p>Password: <input name='password' size='25' maxlength='25' /></p>	
					<p><button type='submit'>Submit</button></p>
				</fieldset>
			</form>
		</div><!-- End Content -->
	</div><!-- End Content Container -->

</div><!-- End Container -->


</body>
</html>


login.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

	<title>untitled</title>
	
</head>

<body>

<div id="container">

	<div id="header">
		<h1>jpex</h1>
		<h2>log in</h2>
	</div><!-- End Header -->

	<div id="contentcontainer">
		<div id="sidebar">
			
		</div><!-- End Sidebar -->
		<div id="content">
			
			<?php
			// login.php
			session_start();
			if(isset($_GET["submit"]))
			{
				login($_POST["username"],$_POST["password"]);
			}
			function login($username,$password)
			{	
				require_once("classes/DbConnector.php");
				$db = new DbConnector();
				$db->connect();
				$query = "SELECT * FROM members WHERE username='$username' AND password='$password'";
				$result = $db->query($query);
				$result = mysql_num_rows($result);  // Does the row exists?

				if($result!="0"){ 
				// authenication correct lets login
				$_SESSION["password"] = $password;;
				$_SESSION["username"] = $username;
				header("Location: member.php?id=$username");
				}
				else 
				{
					echo "Wrong username or password. Please try again!";
				}
			}
			?>
			
			<form action="login.php?submit" method='POST'>
				<fieldset>
					<legend>Login Details</legend>
					<p>Username: <input name='username' size='25' maxlength='25' /></p>			
					<p>Password: <input name='password' size='25' maxlength='25' /></p>	
					<p><button type='submit'>Login</button></p>
				</fieldset>
			</form>
		</div><!-- End Content -->
	</div><!-- End Content Container -->

</div><!-- End Container -->


</body>
</html>


member.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>

	<title>untitled</title>
	
</head>

<body>

<div id="container">

	<div id="header">
		<h1>jpex</h1>
		<h2>profile</h2>
	</div><!-- End Header -->

	<div id="contentcontainer">
		<div id="sidebar">
			
		</div><!-- End Sidebar -->
		<div id="content">
			
			<?php
			// members.php
			if(isset($_GET["id"]))
			{
				// Check if user exists in the database
				$member = $_GET["id"];
				require_once("classes/DbConnector.php");
				$db = new DbConnector();
				$db->connect();
				$query = "SELECT * FROM members WHERE username='$member'";
				$result = $db->query($query);
				$exists = mysql_num_rows($result);  // Does the row exists?

				if($exists !="0"){ // Presentation exists so display it
					$rows = $db->fetchArray($result); // Get the profile from database
					echo $rows["presentation"]."<br/><br/>"; 


					//TODO: Display guestbook here

				}	
				else 
				{
					echo "That member does not exist";
				}
			}
		?>
		
		<?php
			if(isset($_GET["edit"])) // Edit profile
			{	
				// First lets make sure the user is logged in 	
				if(session_is_registered("username") && session_is_registered ("password") && $_SESSION["username"] == $_GET["edit"])
				{
					if(isset($_GET["update"]))
					{
						require_once("classes/DbConnector.php");
						$member = $_GET["edit"];
						$db = new DbConnector();
						$db->connect();
						$presentation = $_POST["presentation"];
						$query = "UPDATE members SET presentation='$presentation' WHERE username='$member'";
						$result = $db->query($query);
						echo "Profile updated!";		
					}
					else 
					{	// Display edit box
						require_once("classes/DbConnector.php");
						$member = $_GET["edit"];
						$db = new DbConnector();
						$db->connect();
						$query = "SELECT * FROM members WHERE username='$member'";
						$result = $db->query($query);
						$rows = $db->fetchArray($result);
						echo "<b>Edit your profile</b><br/>\n
							<form action=\"member.php?edit=".$_GET["edit"]."&update\" method='POST'>
								<textarea name='presentation' rows='10' cols='80' align='left'>"
								.$rows["presentation"].
								"</textarea><br/>
								<input type='submit' value='Update' name='submit' />
							</form>
						";

					}
				}
			}
			?>
			
			<form action="member.php?edit" method="get">
				
				<p><input type="text" name="edit" /></p>
			</form>
			
		</div><!-- End Content -->
	</div><!-- End Content Container -->

</div><!-- End Container -->


</body>
</html>



any help would be greatly appreciated.
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
I didn't have much time to look at things, but did notice one thing that could be causing problems. In your signup.php there's this line of code at the beginning of your php,
PHP:
if(isset($_GET["submit"]))
But at the form later on you're using a POST method, not GET. This to me seems an issue.

Also the statement "session_start();" from what I remember needs to be the first thing on the page, before the DOCTYPE declaration. You might want to find some examples with it to make sure I'm remembering correctly.

If that doesn't work I'll try to find time after work tonight.
 

Knox

Administrator
Staff member
Jul 1, 2002
1,267
1
UK
I didn't have much time to look at things, but did notice one thing that could be causing problems. In your signup.php there's this line of code at the beginning of your php,
PHP:
if(isset($_GET["submit"]))
But at the form later on you're using a POST method, not GET. This to me seems an issue.

That's OK actually - you can combine $_GET and $_POST as long as you put whatever you want to be in $_GET in the <form action=""> URI.
 

jeremy.king

macrumors 603
Jul 23, 2002
5,479
1
Holly Springs, NC
Your problem is this line in your login routine.
Code:
header("Location: member.php?id=$username");

You can't set a Location header in the middle of the page and expect it to work. Any headers you try to set must occur BEFORE ANY HTML or other output.

I'd suggest you move all of this code to the top of the login.php file. Yes, even before the DOCTYPE declaration. You will have to store the error message (instead of echo) in a variable so you can display it where it was before.

Code:
			<?php
			// login.php
			session_start();
			if(isset($_GET["submit"]))
			{
				login($_POST["username"],$_POST["password"]);
			}
			function login($username,$password)
			{	
				require_once("classes/DbConnector.php");
				$db = new DbConnector();
				$db->connect();
				$query = "SELECT * FROM members WHERE username='$username' AND password='$password'";
				$result = $db->query($query);
				$result = mysql_num_rows($result);  // Does the row exists?

				if($result!="0"){ 
				// authenication correct lets login
				$_SESSION["password"] = $password;;
				$_SESSION["username"] = $username;
				header("Location: member.php?id=$username");
				}
				else 
				{
					echo "Wrong username or password. Please try again!";
				}
			}
			?>

P.S. This login script is easily bypassed using SQL injection. I'd consider you clean those posted form values before trying to use them in a SQL script.
 

tominated

macrumors 68000
Original poster
Jul 7, 2006
1,723
0
Queensland, Australia
OK, so that fixed the login problem, thanks for that:). Now I need to get the edit function to work:

I have a form like this in the member.php file:
Code:
<form action="member.php?edit" method="get">
	<p><input type="submit" name="edit" /></p>
</form>

but I can't get it to get the edit function working.

------

P.S. This login script is easily bypassed using SQL injection. I'd consider you clean those posted form values before trying to use them in a SQL script.

That won't be a problem, since it will be hosted on my school's private server (it's for a school social network).
 

MrSmith

macrumors 68040
Nov 27, 2003
3,046
14
OK, so that fixed the login problem, thanks for that:). Now I need to get the edit function to work:

I have a form like this in the member.php file:
Code:
<form action="member.php?edit" method="get">
	<p><input type="submit" name="edit" /></p>
</form>

but I can't get it to get the edit function working.

I only know the basics, but can you embed a variable in the action URL like that? I would have used something like:

Code:
<form action="member.php" method="get">
<input type="hidden" name="***" value="***">
	<p><input type="submit" name="Edit"/></p>
</form>

I mean, shouldn't the bit after the '?' be in the form 'a=b' when it's sent?
 

tominated

macrumors 68000
Original poster
Jul 7, 2006
1,723
0
Queensland, Australia
I only know the basics, but can you embed a variable in the action URL like that? I would have used something like:

Code:
<form action="member.php" method="get">
<input type="hidden" name="***" value="***">
	<p><input type="submit" name="Edit"/></p>
</form>

I mean, shouldn't the bit after the '?' be in the form 'a=b' when it's sent?

ok, that fixed that. But it won't show the textbox or anything else when you press the button to edit. I think it is completely ignoring the ?edit=user bit at the end of the url.
 

MrSmith

macrumors 68040
Nov 27, 2003
3,046
14
ok, that fixed that. But it won't show the textbox or anything else when you press the button to edit. I think it is completely ignoring the ?edit=user bit at the end of the url.

A wild stab in the dark: I believe you need two variables passed to member.php (namely, $_GET["edit"] and $_GET["update"]). In the form you only appear to be sending one. Maybe $update needs (re-)sending as well?
 

Lixivial

macrumors 6502a
That won't be a problem, since it will be hosted on my school's private server (it's for a school social network).

Will it be used in a production environment -- meaning will people rely on the integrity of the data and reliability of the application? I hope you reconsider your stance on the matter, if for no other reason than to be used as a learning experience. SQL injection is not meaningless drivel or a theoretical security weakness. It's easily understood and can be easily manipulated into doing really nasty things with your database.

Lesson #1 on dynamic SQL is that you should never have user input placed directly in a query string. There are a good few tutorials out there on how to sanitise your input, please consider looking into them. A quick Google search and an hour or so of reading -- probably less -- will be well invested time.
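
Added example, not part of any post in this thread and not the tutorial's code: a login check that follows both pieces of advice given above, doing the work before any HTML is sent and keeping user input out of the query string. It assumes PDO with the SQLite driver for a self-contained demo database and a hypothetical `password_hash` column in place of the plaintext `password` column; the `members` table, the error message and the `member.php?id=` target come from the thread.

```php
<?php
// Added example: parameterised login check, run before any page output.
// Assumptions: PDO + SQLite in memory, and a password_hash column
// (the thread's table stores the password as plain text).
declare(strict_types=1);

function make_demo_db(): PDO
{
    // Constructed sample data; the username deliberately contains a quote.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY,
               password_hash TEXT, presentation TEXT)');
    $ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
    $ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT), 'hello']);
    return $db;
}

// Returns the redirect target on success, or null when the login fails.
function attempt_login(PDO $db, string $username, string $password): ?string
{
    // The placeholder sends $username as data, so quotes in it cannot
    // change the structure of the SQL statement.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return null;
    }
    return 'member.php?id=' . rawurlencode($username);
}

// This part sits above the DOCTYPE in a real page, so headers can still be set.
$db = make_demo_db();
$error = '';
$target = attempt_login($db, "o'brien", 'correct horse');
if ($target === null) {
    // Kept in a variable and printed later inside the page body.
    $error = 'Wrong username or password. Please try again!';
}
// In the real page: header('Location: ' . $target); exit;
var_dump($target);
var_dump(attempt_login($db, "o'brien", 'wrong password'));
var_dump(attempt_login($db, "no'such'user", 'anything'));
```

When `$error` or a stored `presentation` value is later echoed into the page, pass it through `htmlspecialchars()` so stored text is displayed rather than interpreted as markup.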
 

tominated

macrumors 68000
Original poster
Jul 7, 2006
1,723
0
Queensland, Australia
@MrSmith: The update bit is when you are in the edit mode, and press the button to update your profile.

@Lixivial: Ok, I will have a read of those and see what I can do.

@everybody: can anybody help me with my previous post?
 