0

I currently have a html login page which has two textfields for e-mail address and password. The HTML contains a form and a button which triggers some javascript to check the data input is valid. If the data is valid, then the data is posted to a php application.

This php application gives a response dependent on whether the login details were valid/invalid.

Here is my php:

if(isset($_POST['username']) && isset($_POST['password'])){
    //connect to database
    $dbh = connect();   
    $user = mysql_real_escape_string($_POST['username']);
    $usertype = mysql_real_escape_string($_POST['usertype']);
    $pass = md5($_POST['password']);
    $query = "";
    if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $user)) {
      if($usertype == "SupportStaff"){      
        $query = "SELECT staffId, fName, lName, gender, email FROM SupportStaff WHERE email = '$user' AND password = '$pass'";
      }else{       
        $date = $_POST['currdate'];     
        $query = "SELECT athleteId, fName, lName, gender, email FROM Athletes WHERE email = '$user' AND password = '$pass'";
      } 

      //make query
      $result = mysql_query( $query ) or die ("didn't query");

      //see if there's an EXACT match
      $num = mysql_num_rows( $result );
      if ($num == 1){
        $row = mysql_fetch_assoc($result);
        if($usertype == "Athlete"){     
          $user = str_replace("@","at",$user);
          $user = str_replace(".","dot",$user);
          $user .= "Entries";
          $query = mysql_query("SELECT * FROM $user WHERE date = '$date'");
          $exists = false;
          if(mysql_num_rows( $query ) == 1){
        $exists = "true"; //to see if questionnaire is complete
          }else{
        $exists = "false";
          }
          $row['complete'] = $exists;               
        }
        echo json_encode($row);
      } else {
        echo ($user." ");
        echo ($pass);
        echo ("&result=invalid");
      }
    }else{
      mysql_close($dbh);
      echo ("&result=false"); //invalid e-mail address
    }
    mysql_close($dbh);
}
?>

If it echos &result=false OR &result=invalid then I would like the user to be served up with the login page again displaying an error message or something similar, if it is successful (echo json_encode($row)) then it should take to home.html (i.e. the homepage)...What is the best way to achieve this?

Improve this question
2
  • See PHP Login Script, read the code & understand how its done. Good luck! Commented Aug 15, 2011 at 11:10
  • I submitted my answer before you'd updated your question with the code, but my suggestion is still one possible solution. If you write your code effectively, you can prevent your PHP files becoming too large / unruly by writing functions (or full OO code) instead of purely procedural code. Commented Aug 15, 2011 at 11:16

3 Answers 3

Reset to default
1

Is there any good reason why you need a separate php file for your login code? Assuming your login form is on a page called login.php, you could have all your login code in that same file; your form should then have

<form name="input" action="login.php" method="post">

You can test whether any data has yet been submitted by using

if(count($_POST) > 0)
{
    //if data has been submitted, then test whether it's correct, and if it is, show relevant content

    //If validation fails, show form
    display_form();
} else
{
   display_form();
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

yes, I would like to provide a webservice which interfaces the database as this is best practise. It seems like a 'cleaner' solution to seperate the HTML from the php...
0

Either use Ajax or redirect server side after doing the desired processing.

If you go for the Ajax route (which would be sensible if you are already doing client side scripting), you may want to take a look at jQuery's Ajax functionality. Specifically, post will probably meet your requirements.

I'm sure you know, but I should emphasise that client side validation alone is not sufficient to secure your site. Client side validation should be viewed as a way of improving the user experience, not as a form of security. People could easily bypass any client side validation by making requests to the server manually.

Improve this answer

Comments

0

There's a couple of options:

  • You could do it completely in javascript using an AJAX call to the server. Then your javascript would update the content of the page depending on if the login was successful or not. This can be quite tricky, so if you're not very familiar with javascript and AJAX calls, I wouldn't reccomend this.
  • You could add a little code to the php-page that instantly redirects to whichever page you want to show.
  • You can change the php page so it immediatly shows what you want to be shown (for example, include the login page again if the data was invalid).
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.