Finishing Off Error Messages

Hi,

I have a login page to which I have added a number of error messages. However, there is one set which I just can't get to work. The set at the bottom of the post appears when the button is pressed; however, they do not compare what is being entered against what is in the database.

I'm trying to check if the email address is in the database, if the password matches, and if the character 'Y' is in the "accountconfirmed" column.

Can anyone advise how I can finish these error messages off, or why they are displayed as soon as the page is viewed?



    <?php
    if ($_SESSION['userLoggedIn'])
        session_start();

    $_SESSION['userLoggedIn'] = 0;
    $_SESSION['userEmail'] = '';
    $_SESSION['userID'] = '';
    $_SESSION['userfirstname'] = '';
    $_SESSION['usersurname'] = '';

    // Reset errors and success messages
    $errors = array();
    $success = array();

    if (($password) == ($row['password'])) {
        $errors['incorrectpassword'] = "Your password is incorrect.";
    }

    if ($email != ($row['email']))
        $errors['incorrectpassword'] = 'Your passwords did not match.';

    // Login attempt
    if (isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true')
    {
        $loginEmail = filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL);
        $loginPassword = trim($_POST['password']);

        $accounty = ('y');

        if (count($errors) === 0)
        {
            $loginPassword = md5($loginPassword);
            $query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = "' . $loginPassword . '" AND accountconfirmed = "' . $accounty . '" LIMIT 1';
            $result = mysql_query($query);
            if (!$result)
            {
                die('Invalid query: ' . mysql_error());
            }

            if (mysql_num_rows($result) === 1)
            {
                $row = mysql_fetch_assoc($result);
                $_SESSION['userLoggedIn'] = 1;
                $_SESSION['userEmail'] = $loginEmail;
                $_SESSION['userID'] = $row['id'];
                $_SESSION['userfirstname'] = $row['firstname'];
                $_SESSION['usersurname'] = $row['surname'];

                header('Location: /index1.php');
                exit;
            } else {
                $errors['login'] = 'No user was found with the details provided.1.';
            }
        }
    }
    /*
      The rest of your login page code
    */

    // Reset errors and success messages
    $errors = array();
    $success = array();

    // Login attempt
    if (isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true') {
        $loginEmail = trim($_POST['email']);
        $loginPassword = trim($_POST['password']);
    }

    if (!isset($loginEmail) || empty($loginEmail)) {
        $errors['loginEmail'] = "Please enter your email.";
    }

    if (!isset($loginPassword) || empty($loginPassword)) {
        $errors['loginPassword'] = "Please enter your password.";
    }

    $accounty = ('Y');

    if (($email) != ($row['email'])) {
        $errors['incorrectemail'] = "Your email is incorrect.";
    }

    if (($accounty) != ($row['accountconfirmed'])) {
        $errors['confirmedaccount'] = "Your account has not yet been confirmed. Please request a confirmation email.";
    }

    if (($password) != ($row['password'])) {
        $errors['incorrectpassword'] = "Your password is incorrect.";
    }
    ?>

    <?php if (!empty($errors['incorrectemail'])) print '<div class="invalid">' . $errors['incorrectemail'] . '</div>'; ?>
    <?php if (!empty($errors['confirmedaccount'])) print '<div class="invalid">' . $errors['confirmedaccount'] . '</div>'; ?>
    <?php if (!empty($errors['incorrectpassword'])) print '<div class="invalid">' . $errors['incorrectpassword'] . '</div>'; ?>

Not an answer to your question, but something I don’t quite understand:


    if ($_SESSION['userLoggedIn'])
        session_start();
    $_SESSION['userLoggedIn'] = 0;

$_SESSION['userLoggedIn'] will never be set at that moment, because first you have to call session_start(). Do that always, without a condition.

And then immediately after, you set $_SESSION['userLoggedIn'] to 0. Why? Does someone who is already logged in have to log in again every time?

Hi,

This is the login page, so I am not creating or continuing a session. Do I need to be doing this?

session_start() is somewhat misnamed. It essentially does this (in pseudocode):

    function session_start() {
        if (isset($_COOKIE['PHPSESSID'])) {                      // If the browser sent a session ID, a session already exists
            set_session_timeout($now + $sessionTimeoutLength);   // Extend the session until the new timeout.
        } else {
            create_new_session($sessionTimeoutLength);           // Create a new session.
        }
    }

You can put things in the $_SESSION array, but that array will be lost between page loads, because you haven't defined a session to be started.

Consider it this way: what the lines that guido has pointed out say is equivalent to:
If the user has bought an apple, sell him an apple. If not, he can't buy an apple.

You will never sell a user an apple, because they can never get to the point at which you will sell them an apple.

The general rule of thumb is: if you're going to be using sessions anywhere on your site, you should be 'starting' a session for every user, logged in or not, on every page.
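For reference, here is an added example that is not the original poster's code and not from any of the replies. It shows one way to do the three checks asked for in the opening post (email exists, password matches, accountconfirmed is 'Y') and, as explained in the post above, it calls session_start() unconditionally before anything reads or writes $_SESSION. It keeps the thread's table and column names (users, email, password, accountconfirmed, firstname, surname) but swaps the mysql_* calls for PDO prepared statements and md5() for password_hash()/password_verify(). The in-memory SQLite database, the two sample accounts and the helper names makeDb() and loginUser() are constructed for this example so it runs offline with `php login_example.php`.

```php
<?php
// Added example, not the thread's own code. Assumes PDO with the sqlite driver.
// Table/column names follow the forum post; the data and helpers are constructed.

// 1. Start the session first, with no condition. $_SESSION is empty until
//    session_start() has run, so "if ($_SESSION['userLoggedIn']) session_start();"
//    can never be true on a fresh request.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Constructed in-memory database standing in for the poster's MySQL "users" table.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT,
        accountconfirmed TEXT, firstname TEXT, surname TEXT)');
    $ins = $db->prepare('INSERT INTO users (email, password, accountconfirmed, firstname, surname)
                         VALUES (?, ?, ?, ?, ?)');
    // Sample accounts (constructed). Passwords are stored with password_hash(), not md5().
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 'Y', 'Alice', 'Smith']);
    $ins->execute(['bob@example.com',   password_hash('battery staple', PASSWORD_DEFAULT), 'N', 'Bob',   'Jones']);
    return $db;
}

// Returns ['ok' => true, 'user' => row] or ['ok' => false, 'error' => message].
// Unknown email and wrong password share one message so the form does not tell an
// attacker which half was wrong; "not confirmed" is only reported after the password
// has been verified, so it cannot be used to enumerate registered addresses.
function loginUser(PDO $db, string $email, string $password): array
{
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || $password === '') {
        return ['ok' => false, 'error' => 'Please enter your email and password.'];
    }

    // Prepared statement: the email is bound as a parameter, never concatenated into SQL.
    $stmt = $db->prepare('SELECT * FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the row is missing,
    // so the unknown-email and wrong-password paths take similar time.
    $hash     = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $verified = password_verify($password, $hash);
    if ($row === false || !$verified) {
        return ['ok' => false, 'error' => 'No user was found with the details provided.'];
    }
    if ($row['accountconfirmed'] !== 'Y') {
        return ['ok' => false, 'error' => 'Your account has not yet been confirmed. Please request a confirmation email.'];
    }
    return ['ok' => true, 'user' => $row];
}

$db     = makeDb();
$errors = [];

// 2. Error messages are only ever set inside the POST branch, so nothing is shown
//    when the page is merely viewed.
if (isset($_POST['loginSubmit']) && $_POST['loginSubmit'] === 'true') {
    $result = loginUser($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($result['ok']) {
        session_regenerate_id(true);               // fresh session ID on login
        $_SESSION['userLoggedIn']  = 1;
        $_SESSION['userID']        = $result['user']['id'];
        $_SESSION['userEmail']     = $result['user']['email'];
        $_SESSION['userfirstname'] = $result['user']['firstname'];
        $_SESSION['usersurname']   = $result['user']['surname'];
        header('Location: /index1.php');
        exit;
    }
    $errors['login'] = $result['error'];
}

foreach ($errors as $msg) {
    // Escape on output so a message can never inject HTML into the page.
    echo '<div class="invalid">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</div>' . PHP_EOL;
}

// Command-line self-check of the outcomes, using the constructed accounts above.
if (PHP_SAPI === 'cli') {
    assert(loginUser($db, 'alice@example.com', 'correct horse')['ok'] === true);
    assert(loginUser($db, 'alice@example.com', 'wrong')['error'] === 'No user was found with the details provided.');
    assert(loginUser($db, 'nobody@example.com', 'x')['error'] === 'No user was found with the details provided.');
    assert(loginUser($db, 'bob@example.com', 'battery staple')['error'] === 'Your account has not yet been confirmed. Please request a confirmation email.');
    echo "all checks passed\n";
}
```

The structural point is the order of operations: session_start() at the top, database lookup only inside the POST branch, and $row only ever read after the query has returned a row. The three separate "email is incorrect" / "password is incorrect" messages from the original page are deliberately collapsed into one, because telling the user which field was wrong also tells anyone else which email addresses exist.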

Hi,

I have this in the connection code on each page.

    ob_start(); session_start();

When I log in, the pages that I want people to be logged in on remain logged in. I'm not totally sure what the issue is?

Does this affect the error messages?