On Mon, April 9, 2007 2:51 pm, Mário Gamito wrote:
> I'm making this site that was static and now has some dynamic
> features, so it's a little bit patched :)
>
> If you care to visit
> http://www.telbit.pt/2/login.php
>
> you'll notice that the word "Welcome" is already present, and only
> should be after the download.
>
> Also, the error "You didn't fill all fields, please try again." is
> being displayed on page load.
>
> This is my problem and to which I ask you for your help.
>
> How can I make the word "Welcome" appear only after the login ?
>
> My code follows my signature.
>
> Any help would be appreciated.
>
> Warm Regards
> --
> :wq! Mário Gamito
> --
>
> <p><a href="recover-password.php">Forgot your password ?</a>
>
> <?php
> if ($_GET['error']) {

It might be better to use:
if (isset($_GET['error'])) {

> // SESSION

You have to do:
session_start();
before you can use $_SESSION.

> $field1 = $_SESSION['field1'];
> $field2 = $_SESSION['field2'];

Why did you bother to get $_SESSION data if you're about to throw it
away?

> // GET
> $field1 = urldecode($_GET['field1']);
> $field2 = urldecode($_GET['field2']);

$_GET is already urldecoded before you ever see it.

This is not Perl. :-)

So unless you've got something doing an extra bogus urlencode()
before it SENDS you the GET data, you shouldn't be doing urldecode.

[But you get bonus points for trying to do this all neat and proper.]

> }
>
> $email = mysql_escape_string($_REQUEST['email']);
> $pass = mysql_escape_string($_REQUEST['pass']);

Excellent!

Some folks would claim you should use POST or GET specifically, but if
your application wants to respond equally well to either, that's okay
too, imho -- Especially in the bad old days when you couldn't style
buttons/links to look like links/buttons. :-)

> include('config.php');
> include('adodb/adodb.inc.php');

include is NOT a function, so these parens are not doing what you
think they are doing...

> // connect to MySQL
> $conn->debug=1;
> $conn = &ADONewConnection('mysql');
> $conn->PConnect($host,$user,$password,$database);

I wouldn't recommend that a beginner use PConnect, as it is just going
to mess you up...

> // get password from db
> $rsSel = "SELECT name, password FROM subscribers WHERE email =
> '$email'
> AND valid = '1'";
> $rs = $conn->Execute($rsSel);
>
> $name = $rs->fields[0];
> $password_db = $rs->fields[1];
>
> if ($pass != $password_db) {

It is customary to store the password in the DB as a one-way encrypted
hash.

For example, you could store the http://php.net/md5 of the password,
and then compare md5($password) with $password_db

The point being that your DB has something like:
4975gb87987hi2uh4rhvvyrt57ty
in it, instead of the actual password, so if somebody manages to break
into the DB or snag the data from it somehow, they STILL don't have
anybody's password.

"&field1=".urlencode($_POST['field1'])."&field2=".urlencode($_POST['field2']);
> echo "<div class=\"blocoApresentacao\">

There are some lines missing here or something...

In addition to urlencoding() the data, you should also call
htmlentities on the whole URL before you dump it to the browser.

> <p>Wrong password, please try again.</p>
> </div>";
> exit;
> }
>
> print('Welcome ' . $name);

This print() statement is not inside an if(){ } block.

It's ALWAYS going to print.

> unset ($_SESSION['error']);
>
> $conn->Close();
>
> ?>
>
>
> <!-- end .titulo -->
> </div>
> <!-- end #secContent -->
> </div>
>
> <!-- end #Content e #picContent-->
> </div>
> </div>
>
> <div id="footer">
> <p id="copyright">Copyright©2006 Telbit -
> Tecnologias de Informação, Lda.</p>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
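
An added example, not part of the thread and not the original poster's code: the login check with the reply's points applied (isset() before use, comparison against a stored one-way hash, "Welcome" only in the success branch, escaped output). It swaps in password_hash()/password_verify(), which are salted and deliberately slow, for the md5() named in the reply, and PDO bound parameters for mysql_escape_string(); the in-memory SQLite table, the sample row and the function names are assumptions for illustration.

```php
<?php
// Added example. Assumes PHP >= 5.5 with the pdo_sqlite extension.
// The table mirrors the columns of the quoted query; the row is constructed.

function open_demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscribers (name TEXT, email TEXT, password TEXT, valid INTEGER)');
    $ins = $db->prepare('INSERT INTO subscribers VALUES (?, ?, ?, 1)');
    // Only the one-way hash is stored, never the password itself.
    $hash = password_hash('s3cret-demo', PASSWORD_DEFAULT);
    $ins->execute(array('Ana <b>', 'ana@example.test', $hash));
    return $db;
}

// Returns the subscriber's name on success, null on any failure.
function check_login(PDO $db, $email, $pass) {
    if ($email === '' || $pass === '') {
        return null;
    }
    // Bound parameter instead of escaping and interpolating into the SQL string.
    $sel = $db->prepare('SELECT name, password FROM subscribers WHERE email = ? AND valid = 1');
    $sel->execute(array($email));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return $row['name'];
}

// Page fragment: empty on first load, an error or the welcome after a submit.
function render_login(PDO $db, array $post) {
    if (!isset($post['email'], $post['pass'])) {
        return '';                       // form not submitted yet: print nothing
    }
    $name = check_login($db, $post['email'], $post['pass']);
    if ($name === null) {
        return '<p>Wrong e-mail or password, please try again.</p>';
    }
    // Reached only after a successful check; the name is escaped for HTML.
    return '<p>Welcome ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = open_demo_db();
echo render_login($db, array()), "\n";
echo render_login($db, array('email' => 'ana@example.test', 'pass' => 'wrong')), "\n";
echo render_login($db, array('email' => 'ana@example.test', 'pass' => 's3cret-demo')), "\n";
```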