I would always argue that the best way of validating forms server-side is to split the script in two.
logon_display.php - A template that displays the form.
logon_input.php - The script that receives the input, validates it and verifies the logon credentials.
Doing it like this will enable you to keep the form and the script that actually logs the user on as separate entities.
logon_display.php may look something like this:
PHP Code:
<?php
session_start();
/* the messages and values are undefined on the first display, so default them
   instead of silencing notices */
$formMessage = isset($_SESSION['formMessage']) ? $_SESSION['formMessage'] : '';
$username = isset($_SESSION['username']) ? $_SESSION['username'] : array();
$password = isset($_SESSION['password']) ? $_SESSION['password'] : array();
$username += array('msg' => '', 'value' => '');
$password += array('msg' => '');
?>
<html>
<head>
<title>Logon</title>
</head>
<body>
<p>Enter your login details below:</p>
<form action="logon_input.php" method="post">
    <div><?php echo(htmlspecialchars($formMessage)) ?></div>
    <div>
        <p><?php echo(htmlspecialchars($username['msg'])) ?></p>
        <label for="username">Username:</label>
        <!-- the value is user-supplied, so it is HTML-escaped before being
             echoed back into the page -->
        <input type="text" id="username" name="username"
               value="<?php echo(htmlspecialchars($username['value'])) ?>" />
    </div>
    <div>
        <p><?php echo(htmlspecialchars($password['msg'])) ?></p>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" />
    </div>
    <div><input type="submit" /></div>
</form>
</body>
</html>
Your logon_input.php will process the form and validate it. If validation and authentication succeed, a session variable called authenticated is set to true and the user is redirected to the next page. If it fails, the appropriate messages are set and added to the session and the user is redirected back to the logon page.
PHP Code:
<?php
session_start();
$_SESSION = array(); // clear any old session data
/* check a username is present (trim the value, not the comparison result) */
if ((! isset($_POST['username'])) || trim($_POST['username']) == '') {
    $_SESSION['formMessage'] = 'Error Processing Request';
    $_SESSION['username']['msg'] = 'Username Cannot be Left Blank';
    header('Location: logon_display.php');
    exit;
}
/* check a password is present */
if ((! isset($_POST['password'])) || trim($_POST['password']) == '') {
    $_SESSION['formMessage'] = 'Error Processing Request';
    $_SESSION['password']['msg'] = 'Password Cannot be Left Blank';
    header('Location: logon_display.php');
    exit;
}
$username = $_POST['username'];
$password = $_POST['password'];
if (authenticate($username, $password)) {
    /* valid username and password */
    $_SESSION['authenticated'] = true;
    header('Location: next_page.php');
    exit; // stop here so nothing below runs after the redirect header
} else {
    $_SESSION['formMessage'] = 'Invalid Username or Password';
    /* this key must match the one logon_display.php reads back */
    $_SESSION['username']['value'] = $username;
    header('Location: logon_display.php');
    exit;
}
/* this function will authenticate the user, perhaps via a database
   or a file. In this case I just put the username and password in an
   array */
function authenticate($username, $password)
{
    $users = array('user1' => 'password1',
                   'user2' => 'password2');
    /* it is crucial that you uncomment these lines if you are inserting
       these values into a query to prevent SQL injection. These are for
       MySQL, so you may have to modify them appropriately for other
       databases. */
    // $username = mysql_escape_string($username);
    // $password = mysql_escape_string($password);
    /* strict comparison: == would compare numeric-looking strings as numbers */
    return array_key_exists($username, $users) && ($users[$username] === $password);
}
?>
Notice how the session is used, once logged on, to store a variable to indicate the user has logged on. You should check this exists on every page that requires authentication, and to log the user out you simply set this variable to false.
next_page.php contains an include to a small script called auth.php that checks for authentication. To enable authentication for a specified page, simply put this line at the top of the script:
PHP Code:
require 'auth.php';
auth.php
PHP Code:
<?php
session_start();
/* empty() covers both an unset flag and one explicitly set to false */
if (empty($_SESSION['authenticated'])) {
    header('Location: logon_display.php');
    exit;
}
?>
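The authenticate() function above keeps its credentials in a plaintext array and its comment says a real system would use a database. The block below is an added example, not the original poster's code, showing what that database-backed version of the same decision looks like when written defensively: a prepared statement instead of string escaping, password_verify() against stored password_hash() output instead of a plaintext comparison, the same cost paid for unknown and known users, and a session id regenerated at logon. The table and column names (`users`, `username`, `password_hash`), the in-memory SQLite database and the two sample accounts are all constructed for the example.

```php
<?php
// Added example, not the original post's code. Assumptions: PDO with the
// SQLite driver is available, and the schema/columns below are invented.

function buildSampleDb()
{
    // Constructed sample data: an in-memory database with two accounts whose
    // passwords are stored as password_hash() output, never as plaintext.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    foreach (array('user1' => 'password1', 'user2' => 'password2') as $u => $p) {
        $insert->execute(array(':u' => $u, ':h' => password_hash($p, PASSWORD_DEFAULT)));
    }
    return $db;
}

function authenticate(PDO $db, $username, $password)
{
    // A request such as username[]=x arrives as an array; refuse anything
    // that is not a plain string before it reaches the query or the hash check.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }

    // The username is bound as a parameter, so it is data to the database and
    // never part of the SQL text; no escaping helper is needed.
    $select = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $select->execute(array(':u' => $username));
    $row = $select->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist so that an
    // unknown username is not answered measurably faster than a wrong
    // password. The dummy is computed once per process.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    }
    $storedHash = ($row !== false) ? $row['password_hash'] : $dummyHash;
    $verified = password_verify($password, $storedHash);

    return ($row !== false) && $verified;
}

function logUserIn($username)
{
    // To be called from the web flow after session_start(): a fresh session id
    // on the change from anonymous to authenticated prevents a session id fixed
    // before logon from being reused afterwards. The flag matches what
    // auth.php checks.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $username;
}

// Stand-alone run (from the command line): exercise the decision with a valid
// pair, a wrong password, an unknown user and a malformed username.
$db = buildSampleDb();
foreach (array(
    array('user1', 'password1'),
    array('user1', 'wrong'),
    array('nobody', 'password1'),
    array(array('x'), 'password1'),
) as $attempt) {
    list($u, $p) = $attempt;
    $label = is_string($u) ? $u : '(array)';
    echo $label, ' / ', $p, ' => ', authenticate($db, $u, $p) ? 'accepted' : 'rejected', "\n";
}
```

In the post's flow, logon_input.php would call authenticate($db, $username, $password) where it currently calls authenticate($username, $password), and logUserIn($username) where it currently sets $_SESSION['authenticated'] directly; the redirect and exit that follow stay the same.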