MakeWebGames

Question


Ben Nash

I have a functions.php file containing a login() function that has code in it for a basic login system.

What I want to ask is what would I put in the action='' on the html form to use that function?

EDIT:

Could I just put the action as index.php then do:

 

if (isset($_POST['login'])) {
    login();
}

Edited by Ben Nash

Yes, but not entirely.

 

if (array_key_exists('login', $_POST) && $_POST['login'] != '') {
    login();
}

 

Since get data is globally defined, and can be used within a function, there's no need to pass parameters to the function, or declare any variables within the function.

Also, make sure your function makes proper use of type checking.

Hope this answers your question.


Here is my login function. Is it looking good?

 

function login() {

$username = $_POST['username'];
$password = $_POST['password'];

 $query = ("SELECT username, password from people WHERE {$username} = username AND {$password} = password ");
 $result = mysql_query($query);

   if(mysql_num_rows($result) < 1) {
       echo"Doesn't exist";
}

} else {

$_SESSION['valid'] = 1;
   $_SESSION['username'];

echo $_SESSION['username'];

}

}

 

echo $_SESSION['username']; will be on the page where the user has logged in....


OK, a few things to note here. I use PDO, so a lot of my trouble with injection is not as much of an issue as with older code like this:

 

   function login() {

$username = $_POST['username'];
$password = $_POST['password'];

 $query = ("SELECT username, password from people WHERE {$username} = username AND {$password} = password ");
 $result = mysql_query($query);

   if(mysql_num_rows($result) < 1) {
       echo"Doesn't exist";
   }

} else {

   $_SESSION['valid'] = 1;
   $_SESSION['username'];

   echo $_SESSION['username'];

   }

}

 

OK, first error:

 

} else {

   $_SESSION['valid'] = 1;
   $_SESSION['username'];

   echo $_SESSION['username'];

   }

No function ever ends with an else; it just won't work.

A better way you could do it is like this:

 

// here we will sanitise any POST or GET inputs from script kiddies
// (mysql_real_escape_string() needs an open mysql_connect() link before this runs)
foreach ($_POST as $key => $value) {
    if (is_array($value)) {
        $value = array_map("mysql_real_escape_string", $value);
        $value = array_map("strip_tags", $value);
    } else {
        $value = mysql_real_escape_string($value);
        $value = strip_tags($value);
    }
    $_POST[$key] = $value;
}

foreach ($_GET as $key => $value) {
    if (is_array($value)) {
        $value = array_map("mysql_real_escape_string", $value);
        $value = array_map("strip_tags", $value);
    } else {
        $value = mysql_real_escape_string($value);
        $value = strip_tags($value);
    }
    $_GET[$key] = $value;
}

// now let's do a nice login function for you
function login($username, $password) {
    // use the parameters that were passed in instead of reading $_POST again here
    // you should also md5 the password to keep it secure, or use sha; even better, add your own salt to it...
    // (md5 is unsalted and fast; password_hash()/password_verify() are the modern PHP replacement)
    $password = md5($password);

    // string values must be inside quotes in the SQL, otherwise the query is invalid
    // and the escaping done above does nothing
    $query = "SELECT username, password FROM people WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1";
    $result = mysql_query($query);

    if (mysql_num_rows($result) > 0) {
        $array = mysql_fetch_array($result);
        $_SESSION['username'] = $array['username'];   // needs session_start() earlier in the request
        return true;
    } else {
        return false;
    }
}

// now this will work a lot better for you. Below I'll show an example of how to use the function, say inside a login.php script

if (!login($_POST['username'], $_POST['password'])) {
    echo "Invalid details, you sure you're a member.";
} else {
    // do whatever you like for a logged in member
}

 

I hope this helps explain some things for you.

Also note the part where I sanitised values needs to be before any POST data is used, so if you had a main include or file you include on all pages, then that's where I would have it. As long as you use POST and GET vars after that, it should be fine.

There is more to protect from, like XSS attacks, JS exploiting and more; hackers find ways to do many things, but Google how to fix these and you will get answers.


  • 1 month later...
Look right for what? Does it work? You can tell yourself by trying it. Is it secure? No. Is it well written? No.

Looks like spaghetti code to me....

Function Login() {            <- I don't need a THING...
    echo $Name;               <- Almost nothing.....
    echo $SomethingElse;      <- Oops, forgot about that one...
}

 

If your login function needs a `username` and `password`, why not give them to it?

Like:

Function Login($INeedAName, $INeedAPassword, mysqli $INeedADB, $MoreStuffINeed, .....) {
    return true/false;
}

Then you can, for example, test your code:

Like: Assert.IsFalse(Login("I Don't Exist", "1,2,3,4,5", $Link, ....))

Also: why does LOGIN mean PRINT a string to the USER? Isn't that something else....

Isn't it just better to check the username and password and give back a boolean or throw an exception?

Then in production you can always make:

Login(mysql_real_escape_string($_POST['username']), mysql_real_escape_string($_POST['password']))

So login doesn't care about the $_POST array or the page that does the login. It doesn't care about FIELD names in a database somewhere.

 

Maybe a good read: http://en.wikipedia.org/wiki/Design_Patterns

Rule number 1: "Program to an 'interface', not an 'implementation'." (Gang of Four 1995:18)

Your login function is an implementation of almost everything, and your interface Login(....) is empty!

So your API says: Login() <- Nothing needed, just pray it works correctly.

 

Happy Hacking: Roger.

PS: Don't be mad; in 10 years you will thank me for this. (When you work in a professional software company where they re-use their code and write tests.)

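As an added example (not code from this thread or from MakeWebGames): a login() written the way Roger describes, using the PDO prepared statements the earlier reply mentions, with a self-test of the kind Roger's Assert.IsFalse line suggests. The people(username, password_hash) schema, the SQLite self-test data and the form field names are assumptions.

```php
<?php
declare(strict_types=1);
// login() gets everything it needs as parameters and returns a boolean, so it can be
// unit-tested without a web request and never touches $_POST or echo. Assumed schema
// (not the thread's): people(username, password_hash), password_hash from password_hash().
function login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the value travels separately from the SQL text, so nothing
    // needs escaping and the username cannot change the meaning of the query.
    $stmt = $db->prepare('SELECT password_hash FROM people WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                   // unknown user: same answer as a wrong password
    }
    // Salted, slow hash checked in constant time instead of md5 compared inside SQL.
    return password_verify($password, $row['password_hash']);
}

// Self-test against an in-memory SQLite database (constructed data, no MySQL needed).
function selfTest(): void
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE people (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO people (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'ben', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    assert(login($db, 'ben', 'correct horse') === true);
    assert(login($db, 'ben', 'wrong') === false);
    assert(login($db, "I Don't Exist", '1,2,3,4,5') === false);   // Roger's test case
    assert(login($db, "o'brien", 'x') === false);                  // quotes are just data
}

// Glue for login.php (form posts username, password, login; session_start() already
// called). This is the only place that knows about $_POST.
function handleLoginRequest(PDO $db): void
{
    if (!isset($_POST['login'], $_POST['username'], $_POST['password'])) {
        return;
    }
    if (login($db, (string) $_POST['username'], (string) $_POST['password'])) {
        session_regenerate_id(true);    // fresh session id once the user is authenticated
        $_SESSION['valid'] = 1;
        $_SESSION['username'] = (string) $_POST['username'];
    } else {
        echo 'Invalid details';         // one message for unknown user and wrong password alike
    }
}

selfTest();
```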
