Getting login denied to appear in a set place

         

Jamier101

11:45 am on Oct 3, 2010 (gmt 0)

10+ Year Member



I have a login script on my main page. Everything is working fine, although at present when I get a false login it displays the error in the top left of the page. I would like it to display in the row below the submit button, although I can't seem to work out how I'd do this because the code would then be outside the PHP tags... any ideas?

index.php

<?php

$host="localhost"; // Host name
$username="root"; // Mysql username
$password="password"; // Mysql password
$db_name="test"; // Database name
$tbl_name="users"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

session_start();

$userid = $_POST['userid'];
$password = $_POST['password'];
$submitted = $_POST['submitted'];

if ($userid && $password){
/////////////////////////////////////////////////////////////////////////
$query = sprintf("SELECT * FROM users WHERE username='$userid' and password='$password'");
$result = @mysql_query($query);
$rowAccount = @mysql_fetch_array($result);
/////////////////////////////////////////////////////////////////////////
}

if ($rowAccount){

$_SESSION['id'] = $rowAccount['username'];

header("location:welcome.php");
exit;

}elseif($submitted){

echo "You dont exist in the system so your not getting in";
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>

<body>
<table width="80%" border="0" align="center">
<tr>
<td colspan="4">Welcome to the website</td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td width="20%"><strong>Menu</strong></td>
<td colspan="2" rowspan="6" valign="top" width="60%">
<h2>Are you looking to rent Orlando Villas or Disney Villas for your next Florida Holiday/Vacation? You are!</h2>
<p>
Our experienced Orlando villa owners are here to help you with a straight forward uncomplicated booking process. All our Orlando villas and Disney area villas are individually owned by people just like you.</p>
<p>
They came :they saw and they bought so that you could enjoy Florida just as they had done before. You can rest assured that no owners registered with use intermediaries or agents:you deal only with the owner of your chosen property. All our villa owners are carefully selected to advertise on our site: this is why we do not advertise hundreds of villas. We select the best Orlando villa owners and reject the rest thereby ensuring only quality villas are offered.</p>
</p>
</td>
<td width="220" rowspan="4">
<form id="form1" name="form1" method="post" action="<?php $_SERVER['PHP_SELP'];?>">
<table width="20%" border="1">
<tr>
<td>User ID</td>
<td><input type="text" name="userid" id="userid" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="password" id="password" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><label>
<input name="submitted" type="hidden" id="submitted" value="1" />
<input type="submit" name="button" id="button" value="Submit" />
</label></td>
</tr>
</table>
</form> </td>
</tr>
<tr>
<td>Search for a villa</td>
</tr>
<tr>
<td>Advertise a villa</td>
</tr>
<tr>
<td>About us</td>
</tr>
<tr>
<td>Contact</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="4">Footer</td>
</tr>
</table>
</body>
</html>

enigma1

1:39 pm on Oct 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can open and close PHP tags anywhere, so you could do:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
</head>
<body>
<table width="80%" border="0" align="center">
<?php
if( $logged ) {
?>
<tr>
<td colspan="4">Welcome to the website</td>
</tr>
........................
<?php
} else {
?>
<tr>
<td colspan="4">Please login first</td>
</tr>
<?php
}
?>
</table>
</body>
</html>

Matthew1980

5:48 pm on Oct 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there,

Whether this is important or not, not sure, but I think that when you instantiate a database connection handle, it would be prudent to refer to it on the next mysql_ function call, then at least subsequent mysql_ function calls can 'inherit' the last known connection...

// Connect to server and select database.
$conn =mysql_connect($host, $username, $password)or die("Connection Error:".mysql_error());
mysql_select_db($db_name, $conn)or die("Database Selection Error:".mysql_error());

At least this way, you know you are passing a handle from the mysql_connect function directly into the next mysql_ function.

And also, try not to do this:-

$result = @mysql_query($query);//<--Remove the @ symbol
$rowAccount = @mysql_fetch_array($result);//<--Remove the @ symbol

This is just not a good idea; surely you want to know about anything that could be potentially erroneous with your hard work. That said though, there are a couple of exceptions to this; even PHP themselves suggest that with some XML functions you need to use the error suppressor so that your script runs - bit dodgy IMO but there ya go!

Lastly, I would URGE you to sanitise ANY data that is user submitted before it gets ANYWHERE near your database; a stray semi-colon and the word DROP are very dangerous commands when mixed together and put into your inputs or textareas and sent without being sanitised first.

$userid = strip_tags(mysql_real_escape_string(trim($_POST['userid'])));
$password = strip_tags(mysql_real_escape_string(trim($_POST['password'])));
$submitted = strip_tags(mysql_real_escape_string(trim($_POST['submitted'])));


Just noticed this too:-

<form id="form1" name="form1" method="post" action="<?php $_SERVER['PHP_SELP'];?>">

If the form is posting to itself, either leave the attribute blank: action="" or put the name of the file in there that is running the application, as $_SERVER['PHP_SELF']; has security issues..

Cheers,
MRb

penders

11:56 am on Oct 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Having taken on board the good advice of enigma1 and Matthew1980 above, you could do something like the following to achieve your goal:

Initialise an error message variable:
$errmsg = ''; 
$userid = $_POST['userid'];


Assign your error to $errmsg rather than echo'ing it directly:
} elseif($submitted) { 
$errmsg = "You dont exist in the system so your not getting in";
}


Then echo your $errmsg variable anywhere in the page you wish to:
<tr> 
<td>&nbsp;</td>
<td><label>
<input name="submitted" type="hidden" id="submitted" value="1" />
<input type="submit" name="button" id="button" value="Submit" />
</label></td>
</tr>
<tr><td>&nbsp;</td><td><?php echo $errmsg; ?></td></tr>
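Added example, not part of any post in this thread: the sanitising advice and the $errmsg approach above, combined using a prepared statement in place of string-built SQL and escaping the message on output. It assumes PDO with an in-memory SQLite database standing in for the MySQL server, a hypothetical `check_login()` helper and `pwhash` column, and a constructed sample user.

```php
<?php
// Added example. Constructed data; in-memory SQLite stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['jamie', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns [username or null, message for the row under the button].
function check_login(PDO $db, array $post): array
{
    if (empty($post['submitted'])) {
        return [null, ''];                       // page loaded without a form post
    }
    $userid   = is_string($post['userid'] ?? null) ? trim($post['userid']) : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    if ($userid === '' || $password === '') {
        return [null, 'Please enter your user name and password.'];
    }
    // The placeholder keeps the value out of the SQL text, so quotes and
    // semicolons in $userid are compared as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT username, pwhash FROM users WHERE username = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['pwhash'])) {
        return [$row['username'], ''];
    }
    return [null, 'Login denied.'];
}

// Constructed form posts: one valid, one carrying a quote, a semicolon and DROP.
$attempts = [
    ['submitted' => '1', 'userid' => 'jamie', 'password' => 'correct horse'],
    ['submitted' => '1', 'userid' => "jamie'; DROP TABLE users; --", 'password' => 'x'],
];
foreach ($attempts as $post) {
    [$user, $errmsg] = check_login($db, $post);
    if ($user !== null) {
        echo "session id would be set to: $user\n";
        continue;
    }
    // Escape on output; this row goes directly below the submit button row.
    echo '<tr><td>&nbsp;</td><td>' . htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
}
echo 'rows in users: ' . $db->query('SELECT COUNT(*) FROM users')->fetchColumn() . "\n";
```

Storing a `password_hash()` value and checking it with `password_verify()` also means the password never appears in the query at all.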

rocknbil

5:34 pm on Oct 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Or even, no empty cells allowed, multiple error handling included. :-)

session_start();
//
$host="localhost"; // Host name
$username="root"; // Mysql username
// Do not use root as your MySQL user in a live production environment
$password="password"; // Mysql password
$db_name="test"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$errmsg=check_data($tbl_name);

// the rest of your output . . . .

if ($errmsg) { $errmsg = '<tr><td>&nbsp;</td><td><ul id="error-list">' . $errmsg . '</ul></td></tr>'; }

Then just put $errmsg wherever you need it. Use style sheets to style the ul any way you like, no dots in the list, whatever.


function check_data($tbl) {
    $errors=null;
    // Note you need to check for POST first, otherwise you
    // may get "undefined index: userid" ... etc. errors
    if (! isset($_POST['submitted']) or (isset($_POST['submitted']) and empty($_POST['submitted']))) {
        $errors .="<li>Please use the form to log in.</li>";
    }
    // If submitted is not present, no need to continue.
    if ($errors) { return $errors; }
    if (! isset($_POST['userid']) or (isset($_POST['userid']) and empty($_POST['userid']))) {
        $errors .="<li>Please enter your user name.</li>";
    }
    if (! isset($_POST['password']) or (isset($_POST['password']) and empty($_POST['password']))) {
        $errors .="<li>Please enter your password.</li>";
    }
    // If u and p not present, no need to continue.
    if ($errors) { return $errors; }
    // Otherwise, OK to set. Escape user input before it is placed in the query.
    $userid = mysql_real_escape_string($_POST['userid']);
    $password = mysql_real_escape_string($_POST['password']);
    // Pass the values as sprintf arguments so a % in the input is not read as a format specifier.
    $query = sprintf("SELECT * FROM $tbl WHERE username='%s' and password='%s'", $userid, $password);
    // return is a statement, so it cannot be used after "or"; test the result instead.
    $result = mysql_query($query);
    if (! $result) { return "could not check database for user."; }
    if ($rowAccount = mysql_fetch_array($result)) { $_SESSION['id'] = $rowAccount['username']; }
    // Errors should be null.
    return $errors;
}