Redirect con PHP... ma a certe condizioni!

01-09-2009, 14.05.51

Ciao a tutti
dopo un form di login vorrei fare un redirect ad una pagina opportuna in base al tipo di privilegi che ha l'utente... il problema è che la funzione header mi restituisce un warning poichè, come regola vuole, deve essere messa in cima all'output. Il problema è che nella pagina login.php c'è dell'output, che consiste in un form per l'utente... Vi posto il codice per essere più diretto:

Codice PHP:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Login</title>
    <link href="style.css" rel="stylesheet" type="text/css" />
</head>

<body>
    <?php
        // Include configuration file
        include("conf.php");
        // If there isn't an active session...
        if ( (!isset($_SESSION["username"])) && (!isset($_SESSION["password"])) && (!isset($_SESSION["admin"])) ) {
            // Print the login form in the page
            echo('<div id="login_form">
                      <form name="login_form" action="' . $_SERVER['PHP_SELF'] . '" method="post">
                        <input type="text" name="username" style="position: absolute; top: 55px; left: 95px;" />
                        <input type="text" name="password" style="position: absolute; top: 95px; left: 95px;" />
                        <input type="submit" value="login" style="position: absolute; top: 138px; left: 193px;" />  
                      </form>
                  </div>');
            if ( (isset($_POST["username"])) && (isset($_POST["password"])) ) {
                // Connect to the database
                $connect = mysql_connect(db_host, db_username, db_password)
                    or die("Can't connect to the database... Wrong username or password");
                mysql_select_db(db_name, $connect)
                    or die("Can't connect to the database... The database doesn't exist");
                // Prevent sql_injections
                $username = stripslashes($_POST["username"]);
                $password = stripslashes($_POST["password"]);
                $username = mysql_real_escape_string($username);
                $password = mysql_real_escape_string($password);
                // Define the query for finding a user in the database
                $search_user = "SELECT username, password, admin FROM " . db_tblprefx . "user WHERE username = '" . $_POST["username"] . "' AND password = '" . md5($_POST["password"]) . "';";
                // Search the database for the user who's trying to login
                $res = mysql_query($search_user, $connect)
                    or die("Query failed (user)");
                // If user exists and the passwords match
                if (mysql_num_rows($res) == 1) {
                    // Create a record with the result
                    while ($r = mysql_fetch_assoc($res)) {
                        $_SESSION["username"] = $r["username"];
                        $_SESSION["password"] = $r["password"];
                        $_SESSION["admin"] = $r["admin"];
                    }
                    if ($_SESSION["admin"] == 1)
                        header("Location: admin/index.php");
                    else
                        header("Location: index.php");
                } else echo("Wrong username or password");
                // Close mysql connection
                mysql_close($connect);
            }
        }
    ?>
</body>
</html>

Come vedete a fondo script, se il valore admin è uguale ad 1 vorrei un redirect alla pagina di amministrazione, piuttosto che a quella di visualizzazione dei contenuti se è un utente normale. Grazie in anticipo ^___^

01-09-2009, 15.18.46

Codice PHP:


<?php

  session_start(); // se la session_start() è già presente in conf.php allora elimina questa riga



  // Include configuration file

  include("conf.php");

  

  $errormessage = '';



  // check form data

  if ( (isset($_POST["username"])) && (isset($_POST["password"])) ) {



    // Connect to the database

    $connect = mysql_connect(db_host, db_username, db_password) 

        or die("Can't connect to the database... Wrong username or password");

    mysql_select_db(db_name, $connect)

        or die("Can't connect to the database... The database doesn't exist");



    // Prevent sql_injections

    $username = stripslashes($_POST["username"]);

    $username = mysql_real_escape_string($username);



    // Define the query for finding a user in the database

    $search_user = "

       SELECT 

           username

         , password

         , admin 

       FROM " . db_tblprefx . "user 

       WHERE username = '" . $username . "' 

       AND password = '" . md5($_POST["password"]) . "';

    ";



    // Search the database for the user who's trying to login

    $res = mysql_query($search_user, $connect)

                    or die("Query failed (user)");



    // If user exists and the passwords match

    if (mysql_num_rows($res) == 1) {



      // Create a record with the result

      while ($r = mysql_fetch_assoc($res)) {

        $_SESSION["username"] = $r["username"];

        $_SESSION["password"] = $r["password"];

        $_SESSION["admin"] = $r["admin"];

      }

      if ($_SESSION["admin"] == 1)

        header("Location: admin/index.php");

      else

        header("Location: index.php");

    } else $errormessage = "Wrong username or password";

    

    // Close mysql connection

    mysql_close($connect);

  }

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <title>Login</title>

    <link href="style.css" rel="stylesheet" type="text/css" />

</head>



<body>

<?php

    // Print the login form in the page

    echo('<div id="login_form">

                     <form name="login_form" action="' . $_SERVER['PHP_SELF'] . '" method="post">

                        <input type="text" name="username" style="position: absolute; top: 55px; left: 95px;" />

                        <input type="text" name="password" style="position: absolute; top: 95px; left: 95px;" />

                        <input type="submit" value="login" style="position: absolute; top: 138px; left: 193px;" />  

                      </form>

              </div>

              $errormessage');

?>

</body>

</html>

01-09-2009, 15.23.33

Originalmente inviato da tonnaer

Codice PHP:


<?php
  session_start(); // se la session_start() è già presente in conf.php allora elimina questa riga

  // Include configuration file
  include("conf.php");
  
  $errormessage = '';

  // check form data
  if ( (isset($_POST["username"])) && (isset($_POST["password"])) ) {

    // Connect to the database
    $connect = mysql_connect(db_host, db_username, db_password) 
        or die("Can't connect to the database... Wrong username or password");
    mysql_select_db(db_name, $connect)
        or die("Can't connect to the database... The database doesn't exist");

    // Prevent sql_injections
    $username = stripslashes($_POST["username"]);
    $username = mysql_real_escape_string($username);

    // Define the query for finding a user in the database
    $search_user = "
       SELECT 
           username
         , password
         , admin 
       FROM " . db_tblprefx . "user 
       WHERE username = '" . $username . "' 
       AND password = '" . md5($_POST["password"]) . "';
    ";

    // Search the database for the user who's trying to login
    $res = mysql_query($search_user, $connect)
                    or die("Query failed (user)");

    // If user exists and the passwords match
    if (mysql_num_rows($res) == 1) {

      // Create a record with the result
      while ($r = mysql_fetch_assoc($res)) {
        $_SESSION["username"] = $r["username"];
        $_SESSION["password"] = $r["password"];
        $_SESSION["admin"] = $r["admin"];
      }
      if ($_SESSION["admin"] == 1)
        header("Location: admin/index.php");
      else
        header("Location: index.php");
    } else $errormessage = "Wrong username or password";
    
    // Close mysql connection
    mysql_close($connect);
  }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Login</title>
    <link href="style.css" rel="stylesheet" type="text/css" />
</head>

<body>
<?php
    // Print the login form in the page
    echo('<div id="login_form">
                     <form name="login_form" action="' . $_SERVER['PHP_SELF'] . '" method="post">
                        <input type="text" name="username" style="position: absolute; top: 55px; left: 95px;" />
                        <input type="text" name="password" style="position: absolute; top: 95px; left: 95px;" />
                        <input type="submit" value="login" style="position: absolute; top: 138px; left: 193px;" />  
                      </form>
              </div>
              $errormessage');
?>
</body>
</html>

Grazie mille tonnaer ^___^
Permetti una domanda? Per la parte delle SQL Injection, come mai mi suggerisci di controllare soltanto il campo username? Grazie ancora per la tua consulenza

01-09-2009, 15.31.11

Perché la password, prima di usarla nella query, la passi nella funzione md5. Quindi non servono controlli anti-sql-injection.
Ovviamente, se al momento della registrazione di un utente usi strip_slashes e mysql_real_escape_string anche sulla password, qua devi fare la stessa cosa. Altrimenti potrebbe succedere che la password non va più bene. Ma dal punto di vista della sicurezza è superfluo.

Discussione: Redirect con PHP... ma a certe condizioni!

LinkBack

Strumenti discussione

Display

Redirect con PHP... ma a certe condizioni!

Regole di scrittura