[RESOLVED] Authentication Function HELP

[PlaGuE]

Well recently i took upon a task.Which needed me to make an authentication function/system for it, and well.... i thought i'd go into an old project and use that one.... but.... then i found out... that my sister had gotten onto the computer and DELETED ALL OF MY PROJECTS!!!!!!!!!!!!!!!!!!!!

sooo...here i am.lol

My problem is this.
I am trying to create an authentication system.Pretty basic explanation i know.
When your not logged in. It works fine.But...
For some reason when i use this code in my index.php page(Shown below).
To determine if the user should be able to view the page(when logged in) or not. It will show the "You do not have a high enough rank to view this page."
aswell as the content that shouldnt be able to be viewed by the user.

Here Are the files.
Config.php Not included As it's just the SQL connection.Atm.

Index.php

PHP Code:

<?php
session_start();
require("functions.php");

if(Authentication(5)){
print("Welcome");
}
?>

I remember at least this much.On how to call the function in the index.php.

this is my functions.php page

PHP Code:

<?php
include("config.php"); //Includes the connection to the database
error_reporting(E_ALL ^E_WARNING ^E_NOTICE);

// Start Authentication Functions    
    function Authentication($mRank){
        // Authentication Functrion
        if(isset($_POST['AuthLogin'])){

            $result = mysql_query("SELECT * FROM users WHERE username='".$_POST['userName']."' AND password='".$_POST['passWord']."'");
                      extract($userinfo = mysql_fetch_object($result));
                        $_SESSION['CuSeR']    =    $userinfo->username;
                        $_SESSION['CuSeR_ID']    =    $userinfo->ID;
                        $_SESSION['CuSeR_Rank']    =    $userinfo->rank;
                        $_SESSION['CuSeR_LastLogin']    =    $userinfo->lastlogin;
        
        }        
//*                
        $result = mysql_query("SELECT * FROM users WHERE username='".$_SESSION['CuSeR']."'");
        extract($userinfo = mysql_fetch_object($result));
            
            print("My Rank:".$userinfo->rank."<br />");
            print("Needed Rank:".$mRank."<br />");
            
            if($userinfo->rank >= $mRank){
                    //return true;
                    if(!$userinfo->ID){
                        //return false;
                        return loginForm();
                    }
                }else{
                    //return false;
                    return print("You do not have a high enough rank to view this page.<br />\n");
                    
                }            

    }//End Authentication Function
    
    function loginForm(){
        ?>
        <form action="index.php?module=Login" name="AuthLoginForm" method="post">
        <table width="15%" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#000000">
  <tr>
    <td colspan="2" bgcolor="#999999"><div align="center">Login</div></td>
    </tr>
  <tr>
    <td width="8%" bgcolor="#999999">Username</td>
    <td width="92%" bgcolor="#999999"><input name="userName" type="text" value="UserName" class="login_text" /></td>
  </tr>
  <tr>
    <td bgcolor="#999999">Password</td>
    <td bgcolor="#999999"><input name="passWord" type="password" value="Password" class="login_text" /></td>
  </tr>
  <tr>
    <td colspan="2" bgcolor="#999999"><div align="center">
      <input type="submit" name="AuthLogin" value="Submit" />
    </div></td>
    </tr>
</table>

        </form>
        <?        
    }
    
?>

Any Help is apperciated.
Not to put any pressure on anyone but.. i have till saturday to finish.
I had this project sprung on me without notice.T'is hard to say no. You know...

[penagate]

print always returns 1. Unless that's what you meant, it's almost certainly your source of error.

And your loginForm function doesn't return anything, yet you're returning its non-existant result.

[PlaGuE]

lol... i honestly didnt know that print returned 1...

koo.

[visualAd]

Like pena said, print will always return true. Your problem lies here:

PHP Code:

            if($userinfo->rank >= $mRank){
                    //return true;
                    if(!$userinfo->ID){
                        //return false;
                        return loginForm();
                    }
                }else{
                    //return false;
                    return print("You do not have a high enough rank to view this page.<br />\n");
                    
                } 


If the rank is okay, the function doesn't return a value. A function which doesn't return a value, returns null and null is false. Don't return the vlaues of the loginform() and print() fucntions, call them first then return on the nextl ine:

PHP Code:

            if($userinfo->rank >= $mRank){
                    //return true;
                    if(!$userinfo->ID){
                        //return false;
                        loginForm();
                        return false;
                    } else {
                        return true;
                    }
                }else{
                    //return false;
                    print("You do not have a high enough rank to view this page.<br />\n");
                    return false;
                    
                } 


Also, don't shoot yourself in the foot by turning off error reporting.

[PlaGuE]

Also, don't shoot yourself in the foot by turning off error reporting.

Im only turning off Warnings and Notices. As i dont care about those at the present time.

[visualAd]

Warnings and notices are the most important during development stages. With them off you can miss errors which could take an age to find.

[PlaGuE]

True.
But like i said.I didnt need it on at the present time.(Now i have full error reporting on.)
The only errors i ever got were "Undefined Variables ****..." because of my $_POST variables.

[penagate]

You should always have error reporting on full. If you are worried about error messages appearing in a production situation, then use an error handler function. If you know that a function call or statement can produce errors which you can safely ignore without affecting logic flow, prefix it with the @ symbol.

[knightcon]

You also have the option of using PHP's native authentication system. It sends the authentication request to the browser as a http header.

PHP Code:

if(!isset($_SERVER['PHP_AUTH_USER'])) {
        //User Is Not Logged In
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        //If User Hits Cancel Button
        print("Access Denied");
        exit;
    } else {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
    };
}; 


[visualAd]

True.
But like i said.I didnt need it on at the present time.(Now i have full error reporting on.)
The only errors i ever got were "Undefined Variables ****..." because of my $_POST variables.

If you write your code properly (i.e: use isset() before using variables which you have not yet used), you won't get any notices. The notice serves to tell you when you have used a variable without first initialising it. So when you do receive a notice it indicates that you may have spelt a variable name incorrectly. Ignoring them is NOT good coding practice at all and is sadly yet another bad habbit that PHP programmers fall into.

[visualAd]

You also have the option of using PHP's native authentication system. It sends the authentication request to the browser as a http header.

PHP Code:

if(!isset($_SERVER['PHP_AUTH_USER'])) {
        //User Is Not Logged In
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        //If User Hits Cancel Button
        print("Access Denied");
        exit;
    } else {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
    };
}; 


It is not PHP's native system, this is the HTTP authentication system. I would not recommend using it because it relies on PHP running inside the web server process as a module.

[PlaGuE]

You should always have error reporting on full. If you are worried about error messages appearing in a production situation, then use an error handler function. If you know that a function call or statement can produce errors which you can safely ignore without affecting logic flow, prefix it with the @ symbol.

I usually do that too.