Wednesday, October 26, 2011

Check Login Details against the Database

After rewriting my business rules in JavaScript, the time now really had come to create the live database interface. So I busily changed the file extension back to .php and added back the include() statement, and started adding PHP code to the JavaScript function called by the button click event, and paused when I needed to pass a javascript variable to PHP. I had a feeling that what I was doing would not work, and a quick Google search confirmed that it would not.

The whole point of converting my business rules to JavaScript was to keep the field input checking local. But as PHP scripts run on the server, you need to call something on the server, and pass any variables to that.

It was a bit frustrating because neither of the login page examples I'd found on the web used any business rules at all; they just called a PHP script from the form submit button, one on the same page, one on another.

As a first pass I tried AJAX.

I had sidestepped the issue in my business rules test page with the line:

alert ("Well Done. Your username and password were correctly entered.");

I now replaced this with:

if (window.XMLHttpRequest) //format and create request variable according to browser type
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
} //end of current option
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
} // end of old option
xmlhttp.onreadystatechange=function()
{ // this code displays response text
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("untencell1").innerHTML=xmlhttp.responseText;
}
} //the code below calls the php script on the server
xmlhttp.open("POST","logincheck.php?id="+subname+"&pw="+subpass,true);
xmlhttp.send();

I also added one more division to receive a message back from the PHP script:

<div id=untencell1></div>

This cell was placed under the button but within the form division. The PHP script was:

<?php
include('newinfo.php');// collect database variables.
$id = $_GET['id']; // collect passed variable 1
$pw = $_GET['pw']; // collect passed variable 2
// To protect MySQL injection
$id = stripslashes($id);
$pw = stripslashes($pw);
// $id = mysql_real_escape_string($id);
// $pw = mysql_real_escape_string($pw);

// Connect to server and select databse.
$con = mysql_connect( $dbhost, $dbuser, $dbpass );
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($dbname, $con);
$query = "SELECT Softid, PartPass FROM $table1 WHERE Softid = '$id' and PartPass = '$pw'";
$result = mysql_query($query) or die(mysql_error() . $query );
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
if($count==1){
echo"<p>Hooray you are logged in</p>";
} else {
echo"<p>Oh Dear! Something went wrong. Query: <br/>$query </p>";
}
mysql_close($con);
?>

A couple of things still need fixing. First the user is not taken anywhere useful after logging in successfully. That is because there is currently nowhere to go. The second is that the diagnostic display of the query on login failure needs removing, after everything is definitely working.

After a successful login, the page currently looks as shown below:

No comments: