I hate PHP

Discussion in 'Web Design and Development' started by tominated, Nov 16, 2007.

  1. tominated macrumors 68000

    tominated

    Joined:
    Jul 7, 2006
    Location:
    Queensland, Australia
    #1
    I am having a bit of trouble with following a tutorial at http://www.upgradetheweb.com/2007/07/31/building-your-own-myspacecom-with-phppart-i-introduction/ . It doesn't really explain where to put the code or anything, so there is the possibility that everything is completely wrong. What the problem is, is that when I log in, the page just refreshes (it sort of works, cos when I just type random letters into the box, it says that it doesn't exist). And I can't for the love of god get the edit function to work. I have the DbConnector.php and Dbvars.php working. Here is the code for the other pages:

    signup.php
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    
    	<title>untitled</title>
    	
    </head>
    
    <body>
    
    <div id="container">
    
    	<div id="header">
    		<h1>jpex</h1>
    		<h2>sign up</h2>
    	</div><!-- End Header -->
    
    	<div id="contentcontainer">
    		<div id="sidebar">
    			
    		</div><!-- End Sidebar -->
    		<div id="content">
    			
    			<?php
    			// Check if the form has been submitted
    			if(isset($_GET["submit"]))
    			{
    				if(isset($_POST["username"]) && isset($_POST["password"]))
    				{	
    					//Username or password is not blank
    					if($_POST["username"]!="" && $_POST["password"]!="")
    					{ // Everything is ok add the user to the database
    
    						// Connect to the database
    						require_once("classes/DbConnector.php");   // Include the database class
    						$db = new DbConnector();               // Create an instance of the database class
    						$db->connect();                               // Connect to the database
    						$query = "SELECT * FROM members WHERE username='".$_POST["username"]."'";
    						$result = $db->query($query);
    						$result = mysql_num_rows($result);
    
    						if($result!="0")
    							echo "Username already exists!";
    						else 
    						{ 
    							// Create a query that inserts the data from the form to the database
    							$query = "INSERT INTO members(username,password) VALUES('".$_POST["username"]."','".$_POST["password"]."')";
    
    							$result = $db->query($query);
    							echo "Signed up succesfully you can now <a href=\"login.php\">log in</a>";
    						}
    					}
    					else 
    					{
    						echo "Error: No username or password supplied, try again.";
    					}
    
    				}
    				else 
    					echo "Error: please fill in the <a href=\"signup.php\">signup form</a>";
    			}
    			?>
    			
    			<form action="signup.php?submit" method='POST'>
    				<fieldset>
    					<legend>Login Details</legend>
    					<p>Username: <input name='username' size='25' maxlength='25' /></p>			
    					<p>Password: <input name='password' size='25' maxlength='25' /></p>	
    					<p><button type='submit'>Submit</button></p>
    				</fieldset>
    			</form>
    		</div><!-- End Content -->
    	</div><!-- End Content Container -->
    
    </div><!-- End Container -->
    
    
    </body>
    </html>
    

    login.php
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    
    	<title>untitled</title>
    	
    </head>
    
    <body>
    
    <div id="container">
    
    	<div id="header">
    		<h1>jpex</h1>
    		<h2>log in</h2>
    	</div><!-- End Header -->
    
    	<div id="contentcontainer">
    		<div id="sidebar">
    			
    		</div><!-- End Sidebar -->
    		<div id="content">
    			
    			<?php
    			// login.php
    			session_start();
    			if(isset($_GET["submit"]))
    			{
    				login($_POST["username"],$_POST["password"]);
    			}
    			function login($username,$password)
    			{	
    				require_once("classes/DbConnector.php");
    				$db = new DbConnector();
    				$db->connect();
    				$query = "SELECT * FROM members WHERE username='$username' AND password='$password'";
    				$result = $db->query($query);
    				$result = mysql_num_rows($result);  // Does the row exists?
    
    				if($result!="0"){ 
    				// authenication correct lets login
    				$_SESSION["password"] = $password;;
    				$_SESSION["username"] = $username;
    				header("Location: member.php?id=$username");
    				}
    				else 
    				{
    					echo "Wrong username or password. Please try again!";
    				}
    			}
    			?>
    			
    			<form action="login.php?submit" method='POST'>
    				<fieldset>
    					<legend>Login Details</legend>
    					<p>Username: <input name='username' size='25' maxlength='25' /></p>			
    					<p>Password: <input name='password' size='25' maxlength='25' /></p>	
    					<p><button type='submit'>Login</button></p>
    				</fieldset>
    			</form>
    		</div><!-- End Content -->
    	</div><!-- End Content Container -->
    
    </div><!-- End Container -->
    
    
    </body>
    </html>
    

    member.php
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    
    	<title>untitled</title>
    	
    </head>
    
    <body>
    
    <div id="container">
    
    	<div id="header">
    		<h1>jpex</h1>
    		<h2>profile</h2>
    	</div><!-- End Header -->
    
    	<div id="contentcontainer">
    		<div id="sidebar">
    			
    		</div><!-- End Sidebar -->
    		<div id="content">
    			
    			<?php
    			// members.php
    			if(isset($_GET["id"]))
    			{
    				// Check if user exists in the database
    				$member = $_GET["id"];
    				require_once("classes/DbConnector.php");
    				$db = new DbConnector();
    				$db->connect();
    				$query = "SELECT * FROM members WHERE username='$member'";
    				$result = $db->query($query);
    				$exists = mysql_num_rows($result);  // Does the row exists?
    
    				if($exists !="0"){ // Presentation exists so display it
    					$rows = $db->fetchArray($result); // Get the profile from database
    					echo $rows["presentation"]."<br/><br/>"; 
    
    
    					//TODO: Display guestbook here
    
    				}	
    				else 
    				{
    					echo "That member does not exist";
    				}
    			}
    		?>
    		
    		<?php
    			if(isset($_GET["edit"])) // Edit profile
    			{	
    				// First lets make sure the user is logged in 	
    				if(session_is_registered("username") && session_is_registered ("password") && $_SESSION["username"] == $_GET["edit"])
    				{
    					if(isset($_GET["update"]))
    					{
    						require_once("classes/DbConnector.php");
    						$member = $_GET["edit"];
    						$db = new DbConnector();
    						$db->connect();
    						$presentation = $_POST["presentation"];
    						$query = "UPDATE members SET presentation='$presentation' WHERE username='$member'";
    						$result = $db->query($query);
    						echo "Profile updated!";		
    					}
    					else 
    					{	// Display edit box
    						require_once("classes/DbConnector.php");
    						$member = $_GET["edit"];
    						$db = new DbConnector();
    						$db->connect();
    						$query = "SELECT * FROM members WHERE username='$member'";
    						$result = $db->query($query);
    						$rows = $db->fetchArray($result);
    						echo "<b>Edit your profile</b><br/>\n
    							<form action=\"member.php?edit=".$_GET["edit"]."&update\" method='POST'>
    								<textarea name='presentation' rows='10' cols='80' align='left'>"
    								.$rows["presentation"].
    								"</textarea><br/>
    								<input type='submit' value='Update' name='submit' />
    							</form>
    						";
    
    					}
    				}
    			}
    			?>
    			
    			<form action="member.php?edit" method="get">
    				
    				<p><input type="text" name="edit" /></p>
    			</form>
    			
    		</div><!-- End Content -->
    	</div><!-- End Content Container -->
    
    </div><!-- End Container -->
    
    
    </body>
    </html>
    


    any help would be greatly appreciated.
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    I didn't have much time to look at things, but did notice one thing that could be causing problems. In your signup.php there's this line of code at the beginning of your php,
    PHP:
    if(isset($_GET["submit"]))
    But at the form later on you're using a POST method, not GET. This to me seems an issue.

    Also the statement "session_start();" from what I remember needs to be the first thing on the page, before the DOCTYPE declaration. You might want to find some examples with it to make sure I'm remembering correctly.

    If that doesn't work I'll try to find time after work tonight.
     
  3. Knox Administrator

    Knox

    Staff Member

    Joined:
    Jul 1, 2002
    Location:
    UK
    #3
    That's OK actually - you can combine $_GET and $_POST as long as you put whatever you want to be in $_GET in the <form action=""> URI.
     
  4. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #4
    Your problem is this line in your login routine.
    Code:
    header("Location: member.php?id=$username");
    You can't set a Location header in the middle of the page and expect it to work. Any headers you try to set must occur BEFORE ANY HTML or other output.

    I'd suggest you move all of this code to the top of the login.php file. Yes, even before the DOCTYPE declaration. You will have to store the error message (instead of echo) in a variable so you can display it where it was before.

    Code:
    			<?php
    			// login.php
    			session_start();
    			if(isset($_GET["submit"]))
    			{
    				login($_POST["username"],$_POST["password"]);
    			}
    			function login($username,$password)
    			{	
    				require_once("classes/DbConnector.php");
    				$db = new DbConnector();
    				$db->connect();
    				$query = "SELECT * FROM members WHERE username='$username' AND password='$password'";
    				$result = $db->query($query);
    				$result = mysql_num_rows($result);  // Does the row exists?
    
    				if($result!="0"){ 
    				// authenication correct lets login
    				$_SESSION["password"] = $password;;
    				$_SESSION["username"] = $username;
    				header("Location: member.php?id=$username");
    				}
    				else 
    				{
    					echo "Wrong username or password. Please try again!";
    				}
    			}
    			?>
    
    P.S. This login script is easily bypassed using SQL injection. I'd suggest you clean those posted form values before trying to use them in a SQL script.
     
  5. tominated thread starter macrumors 68000

    tominated

    Joined:
    Jul 7, 2006
    Location:
    Queensland, Australia
    #5
    OK, so that fixed the login problem, thanks for that:). Now I need to get the edit function to work:

    I have a form like this in the member.php file:
    Code:
    <form action="member.php?edit" method="get">
    	<p><input type="submit" name="edit" /></p>
    </form>
    but I can't get it to get the edit function working.

    ------

    That won't be a problem, since it will be hosted on my school's private server (it's for a school social network).
     
  6. MrSmith macrumors 68040

    MrSmith

    Joined:
    Nov 27, 2003
    #6
    I only know the basics, but can you embed a variable in the action URL like that? I would have used something like:

    Code:
    <form action="member.php" method="get">
    <input type="hidden" name="***" value="***">
    	<p><input type="submit" name="Edit"/></p>
    </form>
    I mean, shouldn't the bit after the '?' be in the form 'a=b' when it's sent?
     
  7. tominated thread starter macrumors 68000

    tominated

    Joined:
    Jul 7, 2006
    Location:
    Queensland, Australia
    #7
    ok, that fixed that. But it won't show the textbox or anything else when you press the button to edit. I think it is completely ignoring the ?edit=user bit at the end of the url.
     
  8. MrSmith macrumors 68040

    MrSmith

    Joined:
    Nov 27, 2003
    #8
    A wild stab in the dark: I believe you need two variables passed to member.php (namely, $_GET["edit"] and $_GET["update"]). In the form you only appear to be sending one. Maybe $update needs (re-)sending as well?
     
  9. Lixivial macrumors 6502a

    Lixivial

    Joined:
    Jan 13, 2005
    Location:
    Between cats, dogs and wanderlust.
    #9
    Will it be used in a production environment -- meaning will people rely on the integrity of the data and reliability of the application? I hope you reconsider your stance on the matter, if for no other reason than to be used as a learning experience. SQL injection is not meaningless drivel or a theoretical security weakness. It's easily understood and can be easily manipulated into doing really nasty things with your database.

    Lesson #1 on dynamic SQL is that you should never have user input placed directly in a query string. There are a good few tutorials out there on how to sanitise your input, please consider looking into them. A quick Google search and an hour or so of reading -- probably less -- will be well invested time.
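
Added example (not part of any post in this thread, and not the tutorial's code): the top of login.php reworked along the lines of posts #4 and #9, with all logic ahead of the DOCTYPE so the Location header can still be sent, the error message kept in a variable, and the query parameterised instead of built by string concatenation. It assumes PDO in place of the tutorial's DbConnector class, an in-memory SQLite table holding one constructed account, and a hypothetical password_hash column; open_demo_db and check_login are names made up for this example.

```php
<?php
// Everything in this block runs before any HTML is sent, so header() still works.

// Assumption: PDO stands in for DbConnector; the table and account are constructed.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// True only when the username exists and the password matches the stored hash.
function check_login(PDO $db, string $username, string $password): bool
{
    // The ? placeholder binds $username as data. Quotes inside it are never
    // parsed as SQL, which is what the concatenated query could not guarantee.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

session_start();
$error = '';                               // shown later, inside the page body
if (isset($_GET['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if (is_string($username) && is_string($password)
        && check_login(open_demo_db(), $username, $password)) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['username'] = $username; // the password is not kept in the session
        header('Location: member.php?id=' . urlencode($username));
        exit;                              // stop before any markup is emitted
    }
    $error = 'Wrong username or password. Please try again!';
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<!-- the login form from the original page goes here -->
</body>
</html>
```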
     
  10. tominated thread starter macrumors 68000

    tominated

    Joined:
    Jul 7, 2006
    Location:
    Queensland, Australia
    #10
    @MrSmith: The update bit is when you are in the edit mode, and press the button to update your profile.

    @Lixivial: Ok, I will have a read of those and see what I can do.

    @everybody: can anybody help me with my previous post?
     
