Getting Multiple Post Values

[PCHomepage]

Being so spoiled by an IDE that did all this for me, I have forgotten how to do the most basic of things. I am trying to relearn when I once knew so I know this is probably a dumb question but how can I retrieve values from a form? That is, I know how to do it but for some reason I seem to be able to get only one at a time when two are required (it's a simple non-database login form).

In HTML the form, I tried echoing the variables but nothing appears UNLESS I first echo them elsewhere. It makes no sense to me.

	$username = $_POST['UserName'];
	$password = $_POST['PWName'];

echo "Session User Name Value: " . $_SESSION['UserName'] . "<br>";
echo "User Name Variable: " . $username . "<br>";
echo "Password Variable: " . $password;

Somehow these echoes show the variable values AND they show in the form where the same code is located. Without these the two variables are empty. The above will allow the login process to work but, because it also gives header errors, the login does not redirect. What am I missing to get both POST values?

The entire the code is here in case it helps:

<?php

$SiteURL = "/";
$LoginName = "admin";
$PWord = "admin";

$username = $_POST['UserName'];
$password = $_POST['PWName'];

// These diagnostic echoes allow login to complete
//echo "Session User Name Value: " . $_SESSION['UserName'] . "<br>";
//echo "User Name Variable: " . $username . "<br>";
//echo "Password Variable: " . $password;

if ($_POST['Cancel'] == "Cancel") {
	header("Location: " . $SiteURL);
} elseif ($_GET['Logout'] == 1) {
	$_SESSION['UserName'] = "";
	header("Location: " . $SiteURL);
} elseif ($username == $LoginName && $password == $PWord)  {
	$_SESSION['UserName'] = $username;
	header("Location: index.php");
	echo "Login Test Passed"; // for diagnostic purposes
} elseif (($username && $username != $LoginName) || ($password && $password != $PWord))  {
	$InstMessage = "Login failed. The Login or Password was incorrect.";
} elseif ($username == "" || $password == "") {
	$InstMessage = "You must enter your Login and Password to proceed.";
}
?>

The form is basic too:

<form action="login.php" method="POST" enctype="application/x-[URL unfurl="true"]www-form-urlencoded"[/URL] name="Login">

Login: <input name="UserName" type="text" size="10" maxlength="10" onmousedown='this.value=""'><br />

Password: <input name="PWName" type="password" size="10" maxlength="10" onmousedown='this.value=""'><br />

<input name="Login" type="submit" value="Login"> <input name="Cancel" type="submit" value="Cancel">

</form>

Thanks in advance for any help!

 

[PCHomepage]

I came up with a little function that seems to allow the form input which I verified be echoing the values to the screen. Oddly, as soon as I added the function to the conditional it stopped showing the values so it is not logging in.

So the code is now:

<?php
$SiteURL = "/";
$LoginName = "admin";
$PWord = "admin";

function FormValue($parameter_name) {
    $parameter_value = "";
    if (isset($_POST[$parameter_name]))
        $parameter_value = $_POST[$parameter_name];
    else if (isset($_GET[$parameter_name]))
        $parameter_value = $_GET[$parameter_name];
    return $parameter_value;
}

if (FormValue("Cancel") == "Cancel") {
	$InstMessage = "Cancel received."; // For diagnostics only
	header("Location: " . $SiteURL);
} elseif (FormValue("Logout") == 1) {
	$_SESSION = array();
    	session_destroy();
    	setcookie (session_name(), '', time()-300, '/', '', 0);
	$InstMessage = "Logout received."; // For diagnostics only
	header("Location: " . $SiteURL);
} elseif (FormValue("UserName") == $LoginName && FormValue("PWName") == $PWord)  {
	$_SESSION['UserName'] = FormValue("UserName");
	header("Location: index.php");
	echo "Login Test Passed"; // For diagnostics only
} elseif ((FormValue("UserName") && FormValue("UserName") != $LoginName) || (FormValue("PWName") && FormValue("PWName") != $PWord))  {
	$InstMessage = "Login failed. The Login or Password was incorrect.";
} elseif (!FormValue("UserName") || !FormValue("PWName")) {
	$InstMessage = "You must enter your Login and Password to proceed.";
} else {
	$InstMessage = "Unknown problem. Please see the site administrator."; // For diagnostics only
}
?>

Then the form is below showing the echoes above it. The session value is empty so it's not clear to me that the session is being properly set even though there is a PHPSESSID Cookie being set:

<?
echo "Session User Name Value: " . $_SESSION['UserName'] . "<br>";
echo "User Name POST Input: " . FormValue("UserName") . "<br>";
echo "Password POST Input: " . FormValue("PWName");

if ($InstMessage) {
      echo $InstMessage;
}
?>

<form action="login.php" method="POST" enctype="application/x-[URL unfurl="true"]www-form-urlencoded"[/URL] name="Login">
Login: <input name="UserName" type="text" size="10" maxlength="10" onmousedown='this.value=""'><br />
Password: <input name="PWName" type="password" size="10" maxlength="10" onmousedown='this.value=""'><br />
<input name="Login" type="submit" value="Login"> <input name="Cancel" type="submit" value="Cancel">
</form>

Any ideas? I'm running out of them myself!

 

[DonQuichote]

The redirect header will never work if there is even one character output before it. This may be a space or newline before the <?php tag.
Off course, echoing before a redirect will simply not work.

Furthermore, check the greediness of operators. You may have done well with &&, but "and" is certainly more greedy than a comparison operator.

You could check the magic quotes settings in your FormValue function. If your real password contains a quote, a slash will "magically" be added.

What are the warnings you get? If the redirection fails, PHP should issue a warning. You switch warnings off on a live web server (because they are too useful for hackers and not for your visitors), but on your development PC they should be ON.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[PCHomepage]

It's not a redirect issue as that is working just fine as long as I turn off any echo statements above it. They are there now simply as a diagnostic.

The problem is that the form values are not getting through. It seems to be behaving oddly in that the login and password get passed individually if I leave the other blank but not both together! It never gets to the section in the conditional to do the actual logging in. If I put echo statements in the code above the conditional, then both get passed but of course that won't work. I need another pair of eyes to review the conditional to see if I have missed something - it's probably something obvious.

This login will always be used by only one person and even then only rarely so I am not too concerned with overhead. However, did I leave an "AND" in there somewhere? This is a port from a VBScript but I thought I converted all of them to &&.

 

[PCHomepage]

I'm feeling a little foolish in that it appears that the problem was on the editing page, not in the login page! It was stuck in a redirect loop of sorts so that the editing page was redirecting back to the login page so it appeared to be doing nothing. That does explain the peculiar behavior.

I discovered it by manually setting the session values to force it to log in. Then I got an error that there was a redirect loop, an error I have never seen before (Firefox) but which was very helpful. Sorry to have wasted everyone's time and I appreciate the help that I did receive.