Ben Nash Posted October 9, 2013 (edited)

I have a functions.php file containing a login() function that has code in it for a basic login system. What I want to ask is what would I put in the action='' on the HTML form to use that function?

EDIT: Could I just put the action as index.php then do:

```php
if (isset($_POST['login'])) {
    login();
}
```

Edited October 9, 2013 by Ben Nash
HauntedDawg Posted October 9, 2013

Yes, but not entirely.

```php
if (array_key_exists('login', $_POST) && $_POST['login'] != '') {
    login();
}
```

Since GET data is globally defined, and can be used within a function, there's no need to pass parameters to the function, or declare any variables within the function. Also, make sure your function makes proper use of type checking. Hope this answers your question.
Ben Nash Posted October 9, 2013 (Author)

Here is my login function. Is it looking good?

```php
function login() {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = ("SELECT username, password from people WHERE {$username} = username AND {$password} = password ");
    $result = mysql_query($query);
    if (mysql_num_rows($result) < 1) {
        echo "Doesn't exist";
    }
} else {
    $_SESSION['valid'] = 1;
    $_SESSION['username'];
    echo $_SESSION['username'];
}
}
```

echo $_SESSION['username']; will be on the page where the user has logged in....
a_bertrand Posted October 9, 2013

*cough* perfect for the hackers.... Check what SQL injection is. That has been explained enough times even here.
Ben Nash Posted October 9, 2013 (Author)

I know it's not secure but does the code look right?
a_bertrand Posted October 9, 2013

Look right for what? Does it work? You can tell yourself by trying it. Is it secure? No. Is it well written? No.
advocaite Posted October 9, 2013

OK, a few things to note here. I use PDO, so a lot of my trouble with injection is not as much of an issue as with older code like this:

```php
function login() {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = ("SELECT username, password from people WHERE {$username} = username AND {$password} = password ");
    $result = mysql_query($query);
    if (mysql_num_rows($result) < 1) {
        echo "Doesn't exist";
    }
} else {
    $_SESSION['valid'] = 1;
    $_SESSION['username'];
    echo $_SESSION['username'];
}
}
```

OK, first error:

```php
} else {
    $_SESSION['valid'] = 1;
    $_SESSION['username'];
    echo $_SESSION['username'];
}
```

No function ever ends with an else; it just won't work. A better way you could do it is like this:

```php
// here we will sanitise any POST or GET inputs from script kiddies
foreach ($_POST as $key => $value) {
    if (is_array($value)) {
        $value = array_map("mysql_real_escape_string", $value);
        $value = array_map("strip_tags", $value);
    } else {
        $value = mysql_real_escape_string($value);
        $value = strip_tags($value);
    }
    $_POST[$key] = $value;
}
foreach ($_GET as $key => $value) {
    if (is_array($value)) {
        $value = array_map("mysql_real_escape_string", $value);
        $value = array_map("strip_tags", $value);
    } else {
        $value = mysql_real_escape_string($value);
        $value = strip_tags($value);
    }
    $_GET[$key] = $value;
}

// now let's do a nice login function for you
function login($username, $password) {
    // use the values passed in as parameters instead of reading $_POST again
    $password = md5($password); // you should also md5 the password to keep it secure, or use sha; even better, add your own salt to it...
    // the values must be quoted in the SQL string or the query is a syntax error
    $query = ("SELECT username, password FROM people WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1");
    $result = mysql_query($query);
    if (mysql_num_rows($result) > 0) {
        $array = mysql_fetch_array($result);
        $_SESSION['username'] = $array['username'];
        return true;
    } else {
        return false;
    }
}

// now this will work a lot better for you; below I'll show an example of how to use the function, say inside a login.php script
if (!login($_POST['username'], $_POST['password'])) {
    echo "Invalid details, you sure you're a member?";
} else {
    // do whatever you like for a logged in member
}
```

I hope this helps explain some things for you. Also note the part where I sanitised values needs to be before any POST data is used, so if you had a main include or file you include on all pages, then that's where I would have it. As long as you use POST and GET vars after that, it should be fine. There is more to protect from, like XSS attacks, JS exploiting and more; hackers find ways to do many things, but Google how to fix these and you will get answers..
Lucifer.iix Posted November 18, 2013

"Look right for what? Does it work? You can tell yourself by trying it. Is it secure? No. Is it well written? No."

Looks like spaghetti code to me....

```php
function Login() {          // <- I don't need a THING...
    echo $Name;             // <- Almost nothing.....
    echo $SomethingElse;    // <- Oops, forgot about that one...
}
```

If your login function needs a `username` and `password`, why not give them to it? Like:

```php
function Login($INeedAName, $INeedAPassword, mysqli $INeedADB, $MoreStuffINeed, .....) {
    return true/false;
}
```

Then you can, for example, test your code. Like:

```php
Assert.IsFalse(Login("I Don't Exist", "1,2,3,4,5", $Link, ....))
```

Also: why does LOGIN mean PRINT a string to the USER? Isn't that something else.... Isn't it just better to check the username and password and give back a boolean or throw an exception? Then in production you can always do:

```php
Login(mysql_real_escape_string($_POST['username']), mysql_real_escape_string($_POST['password']))
```

So login doesn't care about the $_POST array and the page that does the login doesn't care about FIELD names in a database somewhere.

Maybe a good read: http://en.wikipedia.org/wiki/Design_Patterns

Rule number 1: "Program to an 'interface', not an 'implementation'." (Gang of Four 1995:18)

Your login function is an implementation of almost everything, and your interface Login(....) is empty! So your API says: Login() <- Nothing needed, just pray it works correctly.

Happy Hacking: Roger.

PS: Don't be mad; in 10 years you will thank me for this. (When you work in a professional software company where they re-use their code and write tests.)
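The login function the two replies above argue for (parameters in, boolean out, no $_POST or echo inside), written as an added example rather than code from anyone in the thread. It uses PDO prepared statements instead of string-built SQL plus mysql_real_escape_string, and password_hash()/password_verify() instead of md5(); it assumes the pdo_sqlite extension so it runs against an in-memory database, and the user "alice" is a constructed sample.

```php
<?php
// Added example, not the thread's code: login() with bound parameters and a salted hash.
// Assumes the pdo_sqlite extension; the "people" table is the one named in the thread.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE people (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Store a salted, slow hash; never the plaintext or a bare md5()/sha1().
    $ins = $db->prepare('INSERT INTO people (username, password) VALUES (:u, :p)');
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Takes what it needs as parameters and returns a boolean: it knows nothing about
// $_POST, $_SESSION or HTML output, so it can be called from a unit test with fake input.
function login(PDO $db, string $username, string $password): bool {
    // The placeholder keeps the input out of the SQL text, so no escaping or
    // strip_tags() is needed and a quote character in a name is just data.
    $sel = $db->prepare('SELECT password FROM people WHERE username = :u LIMIT 1');
    $sel->execute([':u' => $username]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same answer as a wrong password
    }
    return password_verify($password, $row['password']);
}

// Only the page that handles the form touches $_POST and the session.
function handleLoginRequest(PDO $db, array $post): bool {
    if (!isset($post['username'], $post['password'])) {
        return false;
    }
    if (!login($db, (string) $post['username'], (string) $post['password'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['username'] = (string) $post['username'];
    return true;
}

$db = setupDb();
var_dump(login($db, 'alice', 'correct horse'));  // correct password
var_dump(login($db, 'alice', 'wrong'));          // wrong password
var_dump(login($db, "o'brien", 'x'));            // apostrophe in the name needs no escaping
var_dump(handleLoginRequest($db, ['username' => 'alice', 'password' => 'correct horse']));
```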