 Posted by Darko on 11/09/07 21:48 
On Nov 9, 9:13 pm, Ezechiele <esechi...@wolfland.it> wrote: 
> > I wander where's Steve to kick your ass for such flagrant formatting. I 
> > give up. 
> 
> <?php 
> session_start(); 
> error_reporting(E_ALL); 
> if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME']))); 
> $_SERVER['DOCUMENT_ROOT']=BASE_PATH; 
> include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php"); 
> if (!isset($_SESSION['Login']))   $_SESSION['Login']=false; 
> //echo "SESSION[Login]:".$_SESSION['Login']; 
> $IdUser=session_id(); 
> $data=date('Y-m-d'); 
> if (!isset($HTTP_COOKIE_VARS["TeachingOnLine"])) setcookie("TeachingOnLine",$IdUser,time()+60*60*24*365); 
> else 
>         $IdUser=$HTTP_COOKIE_VARS["TeachingOnLine"]; 
> // Open the data tables 
> //mysql_select_db($dbname); 
> $username=$_POST["username"]; 
> if (strlen($username)<=3) 
> { 
>         session_write_close(); 
>         if (isset($_SERVER['HTTP_REFERER'])) 
>                 $url=$_SERVER['HTTP_REFERER']; 
>         else 
>                 $url='http://'.$_SERVER['HTTP_HOST']."/index.php"; 
>         header("Location: $url"); 
>         exit; // stop here, otherwise the login query below still runs 
> } 
> 
> $username=mysql_escape_string($username); 
> $password=$_POST["password"]; 
> $password=mysql_escape_string($password); 
> $tabella="utenti"; 
> // Look up the UserName / UserPassword pair in the Utenti table 
> $query="Select IdUser, Username, UserPassword from $tabella where ('$password'=UserPassword) and  ('$username'=Username)"; 
> $result=mysql_query($query) or die(mysql_error()); 
> // Read IdUser 
> $record=mysql_fetch_array($result); 
> //$UserId=$record["IdUser"]; 
> //$Username=$record["Username"]; 
> //echo "UserId=".$UserId; 
> //echo "   Username=".$Username; 
> // If a user with this username and password exists, allow the login 
> if (mysql_affected_rows()==1) 
> { 
>         $_SESSION['Login']=True; 
>         //echo "SESSION[Login]:".$_SESSION['Login']; 
>         $_POST['Login']=False; 
>         ////echo '<input type="hidden" name="Login" value='.$_SESSION['Login'].">"; 
>         $UserId=$record['IdUser']; 
>         $Username=$record["Username"]; 
>         //echo "UserId=".$UserId; 
>         $permessi="permessiutente"; 
>         $query_permessi="Select IdUtente, TipoPermesso from $permessi where (IdUtente='$UserId')"; 
>         $risultato=mysql_query($query_permessi) or die (mysql_error()); 
>         if (mysql_affected_rows()>0) 
>         { 
>                 $record=mysql_fetch_array($risultato); 
>                 $permit=$record["TipoPermesso"]; 
>                 //echo "Permesso ".$permit; 
>                 if (!isset($_SESSION["TipoPermesso"])) 
>                         $_SESSION["TipoPermesso"]=$permit; 
>                 ////echo '<input type="hidden" name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">"; 
>                 //echo "Tipo Permesso :". $_SESSION['TipoPermesso']; 
>         } 
>         $url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/index.php"; 
>         //echo  "Referer: ".$url; 
>         //echo "Login:".$_SESSION['Login']; 
>         session_write_close(); 
>         header("Location: $url"); 
>         exit; 
> } 
> else // Send the user to the registration page 
> { 
>         $_SESSION['Login']=False; 
>         //echo "SESSION[Login]:".$_SESSION['Login']; 
>         $_POST['Login']=False; 
>         $url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/script/RegistraUtente.php"; 
>         session_write_close(); 
>         header("Location: $url"); 
>         exit; 
> } 
> 
> ?> 
> 
> I hope now it is ok :-( 
> 
> --http://www.itp-news.com 
 
I'm not sure, but I also think redirection is the problem. When you visit a page that sets session values, the page automatically transmits the session id in cookies. However, if you redirect the user in the header, I don't think the browser will bother to read and place the cookies locally, but will automatically cancel everything and go to the given address. So, you should try sending <meta> redirection directives instead of this, or use Javascript, whatever.

As for the rest of the code, consider the following advice:
* Use $_COOKIE and $_SERVER instead of $HTTP_COOKIE_VARS and $HTTP_SERVER_VARS, respectively; $_COOKIE and $_SERVER are superglobal, while using HTTP_COOKIE_VARS and HTTP_SERVER_VARS requires calling global() on them. Also, unless you're using PHP 4.1.0 or older, $_COOKIE and $_SERVER are recommended by the manual, for they are newer.
* While debugging, error_reporting( E_STRICT ) is recommended, since E_ALL doesn't imply E_STRICT, which might help.
* Check mysql_query() for errors differently. Don't use die(), since the users will be left with a blank page.
* Use mysql_real_escape_string instead of mysql_escape_string. Look up the manual for explanation and confirmation that it's recommended.
* Don't just redirect the user to the previous page; it doesn't have to mean they have bad intentions if they don't fill the data in right. If you just take them back to the previous page, they will be confused. Use error reports instead.
* mysql_affected_rows doesn't count the number of SELECT-ed rows. It serves the purpose of counting how many rows were affected by the last INSERT, UPDATE, REPLACE or DELETE query.
* Don't "calculate" base path, index page, etc. Use some form of Config class or .ini files to define these values.
 
Regards, 
 
Darko
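The following is an added example, not code from either poster: the same login flow rewritten along the lines of the advice above (superglobals, an .ini config instead of computed paths, error reports instead of a bounce to the referer, no die() on database failure, a row count taken from the fetched result rather than mysql_affected_rows()). It assumes the `utenti` (IdUser, Username, UserPassword) and `permessiutente` (IdUtente, TipoPermesso) tables from the posted script, a hypothetical `config.ini` whose layout is shown in a comment, the mysqli extension, and PHP 5.5 or newer. Two things go beyond the thread: mysqli prepared statements are used in place of mysql_real_escape_string() (binding a value as a parameter is what escaping approximates), and UserPassword is assumed to hold a password_hash() value rather than the plaintext the original query compares.

```php
<?php
// Added example (not the thread's code). Assumed: config.ini beside this file,
// tables `utenti` (IdUser, Username, UserPassword) and `permessiutente`
// (IdUtente, TipoPermesso) as in the posted script, mysqli, PHP >= 5.5.
error_reporting(E_ALL | E_STRICT);
session_start();

// 1. Configuration from an .ini file instead of "calculating" paths and hosts.
//    Assumed layout of config.ini:
//      [site]
//      index_url    = "http://example.invalid/index.php"
//      register_url = "http://example.invalid/script/RegistraUtente.php"
//      [db]
//      host = "localhost"  user = "app"  pass = "secret"  name = "teaching"
$config = parse_ini_file(__DIR__ . '/config.ini', true);
if ($config === false) {
    http_response_code(500);
    exit('Configuration file missing or unreadable.');
}

// 2. Superglobals ($_POST, $_COOKIE, $_SERVER) rather than $HTTP_*_VARS.
$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// 3. Report input errors to the user instead of redirecting to the referer.
$errors = array();
if (strlen($username) <= 3) {
    $errors[] = 'Username must be longer than 3 characters.';
}
if ($password === '') {
    $errors[] = 'Password is required.';
}
if ($errors) {
    header('Content-Type: text/html; charset=utf-8');
    echo '<ul>';
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    echo '</ul>';
    exit;
}

// 4. Check database calls for errors without die(): log the detail for the
//    operator, show the user a generic message instead of a blank page.
$db = @new mysqli($config['db']['host'], $config['db']['user'],
                  $config['db']['pass'], $config['db']['name']);
if ($db->connect_errno) {
    error_log('DB connect failed: ' . $db->connect_error);
    http_response_code(503);
    exit('Login is temporarily unavailable.');
}

// 5. Prepared statement: the username is bound as data, never spliced into
//    SQL, and the password is not part of the query at all. Assumed: the
//    UserPassword column stores a password_hash() value.
$stmt = $db->prepare('SELECT IdUser, Username, UserPassword FROM utenti WHERE Username = ?');
if ($stmt === false) {
    error_log('prepare failed: ' . $db->error);
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($idUser, $dbUsername, $hash);
$found = $stmt->fetch();   // "did we get a row" comes from fetch(), not mysql_affected_rows()
$stmt->close();

if (!$found || !password_verify($password, $hash)) {
    // Same outcome for "unknown user" and "wrong password", as in the original.
    $_SESSION['Login'] = false;
    session_write_close();
    header('Location: ' . $config['site']['register_url']);
    exit;
}

// Successful login: fresh session id before storing privileged state.
session_regenerate_id(true);
$_SESSION['Login']  = true;
$_SESSION['UserId'] = $idUser;

// Permission lookup, again as a prepared statement (IdUtente assumed integer).
$stmt = $db->prepare('SELECT TipoPermesso FROM permessiutente WHERE IdUtente = ?');
if ($stmt !== false) {
    $stmt->bind_param('i', $idUser);
    $stmt->execute();
    $stmt->bind_result($permit);
    if ($stmt->fetch()) {
        $_SESSION['TipoPermesso'] = $permit;
    }
    $stmt->close();
}

session_write_close();
header('Location: ' . $config['site']['index_url']);
exit;
```

Each header('Location: ...') is followed by exit so that nothing after the redirect keeps executing, and the failure branches log the real database error while returning only a generic message to the browser.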