Use of forms 2

[svar]

I'm new to PHP, though I know perl very well.
I am trying to learn PHP by actually building a test system. So I have apache, mysql and php
and I am building the following:
1. A login form. Somebody logs in with a user name and passwd
This is done via a mysql table LOGIN, of the form
username password ID. So if login is successful, PHP knows the logger's ID
2. After authentication, based on the ID of the user name, the rights of the logger are determined via a second table, say RIGHTS of the form
ID Rights, where rights may be 'user' or 'admin'
Based on what rights ID has, a different form appears for user and admin

Here is how I am implementing these:
<!DOCTYPE html>
<html>
<body>

<SCRIPT LANGUAGE="JavaScript">

function doLogin() {
username=document.login.username.value;
if(username=="") {
alert("Please, enter your user name and password to complete the login procedure.\nIf you are a new user, click on the 'Register here' link.");
return false;
}
return true;
}

</SCRIPT>
<?php



if(!isset($_SESSION['userid'])) {
?>
<FORM METHOD="POST" NAME="login" ACTION="login.php" onSubmit="return doLogin()">
<table border=0 class=normal cellspacing="1" cellpadding="1" align=center>

<tr><td class=title><div align="center">Welcome to my site</div></td></tr>
<tr><td class=title><div align="center"> LOGIN</div></td></tr>

<tr><td><div align="center">Username</div></td></tr>

<tr><td><div align="center">
<input CLASS="textbox" type="text" name ="username" size=15>
</div></td></tr>

<tr><td><div align="center">Password</div></td></tr>

<tr><td><div align="center">
<input CLASS="textbox" type="password" name="passwd" size=15>
</div></td></tr>

<tr>
<td align=center><br>
<input CLASS="button" type="submit" value="Submit"></td></tr>
<tr>
<td align=center><p><A class=inside HREF="registration.php"><br>
Not yet registered?<br>
Register <B>here</B>!</A><br>
<br>
<br>

And login.php reads:

<?php
include 'userlogin.php';
include 'adminlogin.php'; //Are these necessary?


$debugOn=0;

ob_start();
// $pagegroup=public;
require "header.php";

require ("db_connect.php");
$dbname="Mydatabase";
$username=$_POST['username'];
$administrator='admin@mysite.com';//the admin (I'd like it global
/* Now since in the LOGIN table the passwd is stored hashed, get the hash; if not md5 or
if salted, do appropriate transformation*/
$passwd=md5($_POST['passwd']);
// $passwd=$_POST['passwd'];
// $pass = md5($_POST['pass']);

if ($user&&$pass)
{
//connect to db
$con = mysqli_connect("localhost",$user,$passwd,$dbname) or die("Some error occurred during connection to the $dbname database " . mysqli_error($con));


if ($result = $mysqli->query("SELECT ID,user,passwd FROM LOGIN WHERE user=$user and passwd=$passwd")){
/* printf("Select returned %d rows.\n", $result->num_rows);*/
/* Now check if a simple user, or admin on ID */
$row0 = mysqli_fetch_row($result);
$id=$row0[0]; // so $id is the user ID
}else{
echo "Invalid user name and/or password";
/* free result set */
$result->close();
}


/*
$result = mysqli_query($link, "SELECT ID,Rights FROM RIGHTS WHERE ID = $id");
$row = mysqli_fetch_row($result);
/* this assumes username is unique and is part of RIGHTS database integrity to guarantee this*/
if (!$row)
{
$error = 'Error - user does not exist';
include 'error.php';
exit();
}
else{
/* authenticated. So note id and do a further query to offer menus as simple user or admin*/

$category = $row[1];

/*check for admin */
if($category=='Admin'){
<td width="30%"> <A class=lightblue HREF="adminmenu.php"> Authenticated as an admin, click on linkto proceed</A> </td>}else{
<td width="30%"> <A class=lightblue HREF="usermenu.php"> Authenticated as a user, click on linkto proceed</A> </td>}

}// else authenticated
}// if user&&pass
?>





In addition, do I understand correctly that variables are scoped, i.e. if inside a <?php ...?>
I have a variable and call another form, the form called already knows the variables, such as a database connection of the calling form?
Even so, I might like to have a truly global variable, such as a mailing address for the site admin, that should be set ONCE(e.g. in the initial form) and known to all other forms, so that for example if something goes wrong ,error trapping can notify the admin. How does one do that?

 

[jpadie]

first, please always put code within [ignore]

[/ignore] tags. it makes it far easier to read.

do I understand correctly that variables are scoped, i.e. if inside a <?php ...?>

yes. all variables have either a superglobal ($_POST/$_GET etc), a global or a local scope. A superglobal is available in all scopes automatically. variables with a global scope are available outside of functions and class methods. They can be made available to a function or class method via the global keyword. eg.

<?php 
echo '<pre>';
$globalVar = "foo";
echo $globalVar . "\n";
bar(); //
foobar();
function bar(){
  echo $globalVar . "\n";
}
function foobar(){
  global $globalVar; //bring globalvar into scope
  echo $globalVar . "\n";
}

I have a variable and call another form, the form called already knows the variables, such as a database connection of the calling form?

variables don't exist in a 'form'. a form is simply a construct of a browser and is nothing to do with php. php sees a form simply as text that is output to a browser.

a browser submits a form to the webserver which, in turn, passes the form values to php. typically in $_POST or $_GET superglobal.

this distinction between php code and the controls that you see in a browser is vital to understanding how webservers and scripting language work and how best to structure your code. Remember that web-servers are stateless.

if ($result = $mysqli->query("SELECT ID,user,passwd FROM LOGIN WHERE user=$user and passwd=$passwd")){
/* printf("Select returned %d rows.\n", $result->num_rows);*/

remember that you must always escape and enquote variables used in mysql

[COLOR=#EF2929]$user = mysqli_real_escape_string($user);
$passwd = mysqli_real_escape_string($passwd);[/color]
if($result = $mysqli->query("SELECT ID,user,passwd FROM LOGIN WHERE user=[COLOR=#EF2929]'$user'[/color] and passwd=[COLOR=#EF2929]'$passwd'[/color]")){

if(!isset($_SESSION['userid'])) {

this won't ever work unless you first instantiate the session.

if(session_id() == '') session_start();

 

[vacunita]

include 'userlogin.php';
include 'adminlogin.php'; //Are these necessary?

No way to know. What's in them?. Only you know if the code inside is necessary.

As jpadie points out there are no forms in PHP. An HTML form to PHP is just a bunch of text it can ignore. Including a PHP file into another one brings the code in the included file into the same scope as the file doing the inclusion. That is all variables defined prior to inclusion of the PHP script file will be available to it within their respective scopes.

PHP runs on the server, before any HTML is even output to the browser. There is no real direct interaction between the HTML and PHP other than the PHP can output HTML or structure the resulting HTML in the ways you specify. Also the browser sees no PHP code. Only HTML is delivered to the browser, which is why when you try to view the source code of a PHP page, you only see HTML.

Even so, I might like to have a truly global variable, such as a mailing address for the site admin, that should be set ONCE(e.g. in the initial form) and known to all other forms, so that for example if something goes wrong ,error trapping can notify the admin.

You can define any constant values if you will at the beginning of your base script and they will be available to any scripts included by the base script by defining constants

http://www.php.net/constants

define (ADMIN_EMAIL,"admin@emailserver.com");

Then should you ever need to use that constant, you can call it directly like:

echo "The admin email is: " . ADMIN_EMAIL;

Constants cannot change. Once defined they will remain so for the execution of the script.













----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

 

[jpadie]

just to add to what Phil says a constant is available as if it were a superglobal. i.e. it is available in all scopes.

the big difference between a superglobal (or a global variable) and a constant is that a variable can be changed by the code and a constant (as its names suggests) cannot be changed by a script once it has been defined.

But bear in mind that the life of a script is not indefinite. every time it is instantiated (i.e. every web page) the variables are created, the constants defined etc anew. so you can change the constants between the script instances; but not during.

 

[svar]

Thanks to all. Looks like there are lots of bugs with that code, so I am going about it one by one...