Archived

This topic is now archived and is closed to further replies.

ironfroggy

PHP Page Forbidden

Recommended Posts

I''m doing some renovating on my site, and right now I''m working on a login script. Its in PHP. The login page loads fine. it displays a username and password box and a submit button if !$login ($login is the name of the submit form object). so this works ok. i enter the name and password, hit login and it POSTs the data to the same script, which should then log me in (mm, cookies). Problem is, then it says the page is forbidden. So, its only forbidden when I''m posting data. I''m not sure how to fix this. Are you? (http://www.ironfroggy.com/) (http://www.ironfroggy.com/pinch)

Share this post


Link to post
Share on other sites
Have you checked the docs on http://www.php.net ?

Also, if you could post some source code, that would help greatly.

"Doomed to crumble, unless we grow, and strengthen our communication" - Maynard James Keenan, Tool

Edited by - daerid on February 18, 2002 1:45:58 PM

Share this post


Link to post
Share on other sites
this code takes the POSTed data and logs in the user
    if ($login) {
$sqlresult = mysql_query("SELECT Username,Password FROM User");
while ($row = mysql_fetch_array($sqlresult)) {
$userdata[$row["Username"]] = $row["Password"];
}
if ($userdata[$Username] = $Password) {
// set cookie

/* I CANT REVEAL THIS CODE, BUT IT SHOULDNT AFFECT ANYTHING THE WAY
THIS CODE IS FAILING. IT SIMPLY LOGS THE USER INTO THE SYSTEM
AND LOADS THE ADMIN PAGE */

}
}


this is a portion of the php script for displaying the login page, this works.

  
else {
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<form ACTION="login.php" METHOD="POST">
Username: <input TYPE="text" name="Username" SIZE="20"><br>
Password: <input TYPE="password" name="Password" SIZE="20"><br>
<input TYPE="submit" name="login" value="Submit">
</form>
</body>
</html>
<?php
}
?>


(http://www.ironfroggy.com/)
(http://www.ironfroggy.com/pinch)

[Edit: Hate scrolling so far right.]

Edited by - Oluseyi on February 18, 2002 4:20:17 PM

Share this post


Link to post
Share on other sites
I don''t use PHP so forgive any stupid mistakes.

I''m guessing $row returns a row from the table, userdata[item] returns the item sent from a form and $row["item"] returns a field item from the row. I also assume that the while loop will break and leave row (as an index) as is when username=username.

  
if ($login) {
$sqlresult = mysql_query("SELECT Username,Password FROM User");
while ($row = mysql_fetch_array($sqlresult)) {
$userdata[$Username] = $row["Username"]; }

if ($userdata[$Password] = $row["Password"]) {
// set cookie

/* I CANT REVEAL THIS CODE, BUT IT SHOULDNT AFFECT ANYTHING THE
WAY THIS CODE IS FAILING. IT SIMPLY LOGS THE USER INTO THE
SYSTEM AND LOADS THE ADMIN PAGE */
} }


assuming this finds a matching user name and then breaks the loop:
  
$userdata[$Username] = $row["Username"];


then this is checking password

  
if ($userdata[$Password] = $row["Password"])


In ASP I''d search through each record as its returned and break when username = loginname then test password=password. I''d also only allow unique loginnames.


Hope this helps.

,Jay

Share this post


Link to post
Share on other sites
$row is temporary object holding a username and password. $row is set for each row in the table, and then the $userdata is a hash-table of the form $userdata[$username] = $password. the while is exited when all the rows in the table are used.

Then, assuming that $userdata[$Username] = $Password ($Username and $Password are the values from the form), the user is logged into the system. but, none of this matters. my web server says that login.php (this file) is unaccessable to me. yet, it lets me use it when $login does not exist (that is, when i havent logged in yet). but when i hit the button and the page loads, POSTing the login data, i cant access the php file at all!

(http://www.ironfroggy.com/)
(http://www.ironfroggy.com/pinch)

Share this post


Link to post
Share on other sites
Check the case and try changing the method to 'get', no "". You might want to try giving the form an ID or a Name like "login".

    
<form ACTION="login.php" METHOD="POST">




,Jay

Edited by - Jason Zelos on February 18, 2002 5:59:30 PM

Share this post


Link to post
Share on other sites
using GET would put a password bluntly into the address. i dont want something like that. plus, i try to stay to XHTML conformities as much as i can. quotes are required for attribute valyes in XML.

(http://www.ironfroggy.com/)
(http://www.ironfroggy.com/pinch)

Share this post


Link to post
Share on other sites
i dont want to use GET. I know that works, but id rather fix a problem than run away from it.

After setting the cookie, it includes another file (admin.php) which displays a simple with links to different site management tools im working on.

(http://www.ironfroggy.com/)
(http://www.ironfroggy.com/pinch)

Share this post


Link to post
Share on other sites