Re: authentication issue...

On Fri, May 28, 2010 at 7:43 PM, Jason Pruim <lists@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hey Everyone,
>
> So I'm sitting here on a Friday night trying to figure out how in the world
> I'm going to fix an issue that should probably be simple to me but is
> escaping me at the moment....
>
> Take this authentication function:
>
> <?PHP
>
>  function authentication($authUser, $authPass, $cfgtableAuth){
>
>        // Keep in mind, PASSWORD has meaning in MySQL
>        // Do your string sanitizing here
>        // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>        $authUser = mysql_real_escape_string($_POST['txtUser']);
>        $authPass = mysql_real_escape_string($_POST['txtPass']);
>        $md5pass = md5($authPass);
>
>            $loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE
> userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
>
>            $loginResult = mysql_query($loginQuery) or die("Wrong data
> supplied or database error"  .mysql_error());
>            $row1 = mysql_fetch_assoc($loginResult);
>                if($row1['access'] == "5000000"){
>                    foreach (array_keys($_SESSION) as $key)
>                        unset($_SESSION[$key]);
>
>                        die('account disabled');
>                }
>
>                if(is_array($row1)){
>
>                    $_SESSION['userInfo'] = array( "userLogin" =>
> $row1['userName'], "loggedin" => TRUE, "userName" => $row1['userName'],
> "userPermission" => $row1['userPermission']);
>
>                    error_log("User has logged in: ". $row1['userLogin']);
>
>                }else{
>                        //$_SESSION['userInfo'] =array("loggedin" => FALSE);
>                        die('authentication failed');
>
>                }
>                return TRUE;
>
>        }
>
> ?>
>
> Here is how I am displaying the login form:
>
> <?PHP
> session_start();
>
> $link = dbconnect($server, $username, $password, $database);
>
> $page = $_GET['page'];
>
> echo <<<CSS
>    <body>
>    <div class="contentwrapper">
>
> CSS;
> include("nav.php");
>
> if ($_SESSION['userInfo']['loggedin'] == TRUE) {
>
> MAIN PAGE DISPLAY HERE
>
> }else{
>
>        //Display login info
> echo <<<FORM
>    <div class="dark">
>        <form method="post">
>                <p>
>                        You must login to proceed!<BR />
>                        User Name: <input type="text" size="20"
> name="txtUser"><BR />
>                        Password: <input type="password" size="20"
> name="txtPass"><BR />
>                        <input type="submit" value="Login"><BR />
>                </p>
>        </form>
> </div>
> FORM;
>
> if(isset($_POST['txtUser'])) {
> $authUser = $_POST['txtUser'];
> $authPass = $_POST['txtPass'];
> $auth = authentication($authUser, $authPass, $cfgtableAuth);
>
> }
>
> }
>
> ?>
>
> Now... the authentication actually works, and it logs me in properly, but I
> have to click the login button twice.... Ideally I should just do it once,
> so I'm wondering if anyone can spot my grievous misstep here?
>

it looks to me like you need to move the authentication() call

if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}

above the check to see if the user has logged in, right after the

include("nav.php");

line.  right now, when the user submits the form, your code is first finding
that the user isn't logged in, spitting out the 'please log in' portion of
the html, then logging them in, so you're actually already logged in when the
form shows itself the second time!

-nathan
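
The reordering described in the reply above, as an added example that is not part of the original thread: the credential check runs before the logged-in test, so a single submit decides which view is rendered. It swaps the post's md5() and mysql_real_escape_string() for password_hash()/password_verify() and PDO bound parameters; the table name `auth`, the helper names `authenticate()` and `handleRequest()`, and the in-memory SQLite row are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The `auth` table and its one row
// are constructed; SQLite in memory stands in for the poster's MySQL table.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Bound parameter instead of concatenating input into the query string.
    $stmt = $db->prepare(
        'SELECT userLogin, userName, userPass, userPermission, access
           FROM auth WHERE userLogin = :u LIMIT 1'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user, wrong password and disabled account all fail the same way.
    if ($row === false || !password_verify($pass, $row['userPass'])
        || (string)$row['access'] === '5000000') {
        return null;
    }
    return ['userLogin' => $row['userLogin'], 'loggedin' => true,
            'userName' => $row['userName'],
            'userPermission' => $row['userPermission']];
}

// Returns the view to render. Authentication happens BEFORE the logged-in
// check, which is the fix for the "click login twice" symptom.
function handleRequest(PDO $db, array $post, array &$session): string
{
    if (is_string($post['txtUser'] ?? null) && is_string($post['txtPass'] ?? null)) {
        $info = authenticate($db, $post['txtUser'], $post['txtPass']);
        if ($info !== null) {
            // On a real page: pass $_SESSION and call session_regenerate_id(true) here.
            $session['userInfo'] = $info;
        } else {
            unset($session['userInfo']);
        }
    }
    return !empty($session['userInfo']['loggedin']) ? 'main' : 'login';
}

// Constructed demo data and requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (userLogin TEXT, userName TEXT, userPass TEXT,
           userPermission TEXT, access TEXT)');
$db->prepare('INSERT INTO auth VALUES (?, ?, ?, ?, ?)')->execute(
    ['jdoe', 'J. Doe', password_hash('correct horse', PASSWORD_DEFAULT), 'user', '1']);

$session = [];
echo handleRequest($db, ['txtUser' => 'jdoe', 'txtPass' => 'wrong'], $session), "\n";
echo handleRequest($db, ['txtUser' => 'jdoe', 'txtPass' => 'correct horse'], $session), "\n";
echo handleRequest($db, [], $session), "\n"; // later request, session already set
```

Run from the CLI with the pdo_sqlite extension enabled, the three requests render `login`, `main`, `main`: the successful submit shows the main page on the same request instead of the form a second time.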
