Infinite/Repeat Loading a Page


Renegade605

I created a page called login.php which is (obviously) for logging into the system. On this page I have a statement that checks if you've sent form data to the page, if so, it logs you in and redirects you to index.php (with header(...)). If you did not send form data, it prints the form. However, the page doesn't load, instead it just sits at whatever page you were at before you went to login.php. The tab on my browser (Flashpeak SlimBrowser) also flickers. Sometimes it does this when you first try to load the page, sometimes it does it after submitting the form. Does anyone know why this may happen? Code below:

<?php
    session_start();

    if (isset($_REQUEST['username']))
    {
        if (!file_exists("users/" . sha1($_REQUEST['username']) . ".txt")) { header("Location: login.php?error=nouser"); exit; }
        $userfile = fopen("users/" . sha1($_REQUEST['username']) . ".txt","r");
        $HASH = trim(fgets($userfile));
        $HASH2 = trim(fgets($userfile));
        fclose($userfile);

        $_SESSION['username'] = $_REQUEST['username'];
        $_SESSION['password'] = $_REQUEST['password'];

        switch ($HASH2)
        {
            case sha1("admin"):
            $_SESSION['loginname'] = "admin";
            break;

            case sha1("power"):
            $_SESSION['loginname'] = "power";
            break;

            case sha1("regular"):
            $_SESSION['loginname'] = "regular";
            break;
        }
        if (!isset($_SESSION['loginname'])) { header("Location: login.php?error=noaccess"); exit; }

        if (sha1($_SESSION['password']) == $HASH)
        {
            switch ($_SESSION['loginname'])
            {
                case 'regular':
                $_SESSION['password'] = "**********";
                break;

                case 'power':
                $_SESSION['password'] = "**********";
                break;

                case 'admin':
                $_SESSION['password'] = "**********";
                break;
            }
        }
        else { header("Location: login.php?error=badpass"); exit; }

        setcookie("username", $_REQUEST['username']);

        if ($_REQUEST['remember'])
            setcookie("password", $_REQUEST['password']);

        if ($_REQUEST['return'] == "")
            $_REQUEST['return'] = "index.php";

        header("Location: " . $_REQUEST['return']);
    }
    else
    {
        if (isset($_REQUEST['error'])) { session_destroy(); }
        if (isset($_COOKIE['password'])) { header("Location: login.php?username=" . $_COOKIE['username'] . "&password=" . $_COOKIE['password'] . "&return=" . $_REQUEST['return']); exit; }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" x-undefined>
<title>Member CP</title>
<link rel="stylesheet" type="text/css" href="../external/stylesheet.css" />
<link rel="stylesheet" type="text/css" href="cpstyles.css" />
<style type="text/css">
td      { border-width: 0px; }
table   { border-width: 0px; }
</style>
</head>
<body>
<div class="body">
<?php include("top.php"); ?>
<hr />
<div class="center">
<div class="main" style="float:none;">
<img src="../images/borders/body_top.gif" alt="BORDER" />
<?php
    if (isset($_REQUEST['error']))
    {
?>
<p style="margin-left:10%;margin-right:10%;"><span class="error">
<?php
        if ($_REQUEST['error'] == "nouser")
        {
?>
    Sorry, but we could not find a user with that username in our records. Please
    remember usernames are case-sensitive.
<?php
        }
        if ($_REQUEST['error'] == "noaccess")
        {
?>
    A fatal error that should never occur has occured within our user records;
    please advise Lieutenant General Renegade immediately!
<?php
        }
        if ($_REQUEST['error'] == "badpass")
        {
?>
    Sorry, but the password you entered did not match the one in our records.
    Please remember passwords are case-sensitive. Forgot Password?
<?php
        }
        if ($_REQUEST['error'] == "logout")
        {
?>
    You are now logged out.
<?php
        }
?>
</span></p>
<?php
    }
?>
<form method="post" action="login.php">
<input type="hidden" name="return" value="<?php echo $_REQUEST['return']; ?>" />
    <div class="center">
    <table>
        <tr>
            <td style="text-align: right;">UserName:</td>
            <td><input id="userfield" name="username" type="text" value="<?php echo $_COOKIE['username']; ?>"></td>
        </tr>
        <tr>
            <td style="text-align: right;">Password:</td>
            <td><input id="passfield" name="password" type="password"></td>
        </tr>
        <tr>
            <td style="text-align: right;"><input type="checkbox" name="remember" value="true" /> Remember Me</td>
            <td><input type="submit" value="Login"></td>
        </tr>
    </table>
    </div>
</form>
</div>
<script type="text/javascript">
document.getElementById("<?php if (isset($_COOKIE['username'])) echo "passfield"; else echo "userfield"; ?>").focus();
</script>
</div>
</div>
<?php include("../external/footer.php"); ?>
</body>
</html>
<?php
    }
?>


Every time you have a redirect, add a line before the redirect where it writes a line to the file telling which redirect it's using so that you can look at the file and at least figure out what the script is doing.

file_put_contents(dirname(__FILE__) . '/debug.txt', 'Redirecting at line ' . __LINE__ . "\n", FILE_APPEND);


So it looks like the script is getting as far as line 50 where it redirects to "login.php?error=badpass" because the password doesn't match the one on file. But upon redirecting to itself, the $_REQUEST['username'] variable is still set for some reason, so it just keeps looping through the first 50 lines of the script. I don't know why this would happen, it's not supposed to repost the username variable to itself.


You are using the POST method on the Form. Would it make a difference to use the POST Array instead of REQUEST?
No can do, because when the login is automatic due to cookies, it sends the info by GET method. (Line 56)
$_REQUEST can be used for both GET and POST but you generally should use $_GET or $_POST depending on what you use.
Really? Why is that? (In this particular case it's necessary, but in other scripts I have...)

I can't think of any type of situation in particular, but it's best, especially when dealing with user input, to avoid the unexpected if possible. If you send post-data and use $_REQUEST to get it, the input could come from an unexpected source (cookies or get-data). I know that's a very abstract objection, but it's all I have.


This is probably a case study on why you shouldn't use $_REQUEST. You're saying that it redirects when it detects a bad password (why does it redirect instead of just showing an error?), and when it redirects it finds that $_REQUEST['username'] is set, and you're wondering why. You say that you only use $_REQUEST because it could be either $_GET or $_POST. So why don't you just check $_GET and $_POST, why use $_REQUEST? Do you know what's in $_REQUEST? Because if it's getting set and neither $_GET nor $_POST is set then obviously $_REQUEST is more than just get and post. The fact that you don't know why $_REQUEST['username'] is set in the first place is one indication that you shouldn't be using $_REQUEST. Be specific in your code, only get exactly what you need. When you use things like $_REQUEST that combine information from more than one place then you're opening your script up for unexpected behavior when information gets put there and you don't know why.

if (isset($_POST['username']))
  $username = $_POST['username'];
elseif (isset($_GET['username']))
  $username = $_GET['username'];
else
  $username = '';

You can add checking a cookie if you want.

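The loop diagnosed above, reproduced as an added example (not code from the thread): build_request() emulates how PHP merges GET, POST and cookie data into $_REQUEST according to request_order/variables_order, and login_php() stands in for the control flow of the posted script. The helper names, the cookie jar and the passwords are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. build_request(), login_php() and
// follow() are hypothetical helpers; all request data below is constructed.
/** Emulates how PHP fills $_REQUEST: sources are merged in request_order (or
 *  variables_order) sequence, so a later letter overwrites an earlier one. */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $request = array_replace($request, $sources[$letter] ?? []);
    }
    return $request;
}

/** Control flow of the posted login.php: null means the form is rendered,
 *  otherwise the Location target. The password comparison is a stand-in. */
function login_php(array $input): ?string
{
    if (!isset($input['username'])) {
        return null;
    }
    $ok = ($input['password'] ?? '') === 'constructed-password';
    return $ok ? 'index.php' : 'login.php?error=badpass';
}

/** Follows Location headers like a browser: the redirect is a GET, the POST
 *  body is not replayed, and the cookie jar is sent with every request. */
function follow(array $post, array $cookie, string $order, int $maxHops = 5): string
{
    $get = [];
    for ($hops = 0; $hops < $maxHops; $hops++) {
        $target = login_php(build_request($get, $post, $cookie, $order));
        if ($target === null || $target === 'index.php') {
            return ($target ?? 'login form') . " reached after $hops redirect(s) to login.php";
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $get);
        $post = [];
    }
    return "still redirecting after $maxHops hops";
}

// Cookie left by setcookie("username", ...) on an earlier successful login.
$jar     = ['username' => 'alice'];
$badPost = ['username' => 'alice', 'password' => 'wrong'];
foreach (['GPC', 'GP'] as $order) {
    echo "$order plain visit:  ", follow([], $jar, $order), "\n";
    echo "$order bad password: ", follow($badPost, $jar, $order), "\n";
}
```

Run it with the PHP CLI. With cookies in the merge order (GPC) the script never reaches the form, while with GP, which is what reading $_GET and $_POST directly amounts to, the form is rendered.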

What do you know, using $_POST and $_GET works. Obviously $_REQUEST uses cookies or something else too.

What you're saying makes perfect sense, I only used $_REQUEST because I remember reading somewhere that it was better to use $_REQUEST instead of $_GET or $_POST. I assumed $_REQUEST took data from the post and get form methods only, I guess that was the wrong assumption to make. Anyway, thanks all, it's working now. I guess now I have to go through all my scripts and change $_REQUEST to either $_GET or $_POST.

Renegade

FWIW, this is the current function I use to get a value from either $_GET or $_POST. It checks $_POST first, then $_GET, so if a value is found in $_POST it will take precedence if the same thing is found in $_GET. It will trim the value and strip slashes if get_magic_quotes is enabled, and will also work if the value in $_POST is an array.

// Note: get_magic_quotes_gpc() was removed in PHP 8.0; this targets older PHP.
function form_var($var)
{
  $retval = '';
  if (isset($_POST[$var]))
    $retval = $_POST[$var];
  elseif (isset($_GET[$var]))
    $retval = $_GET[$var];

  if (is_array($retval))
  {
    foreach ($retval as $k => $v)
    {
      $retval[$k] = trim($v);
      // strip slashes from the trimmed value so the trim is not discarded
      if (get_magic_quotes_gpc())
        $retval[$k] = stripslashes($retval[$k]);
    }
  }
  else
  {
    $retval = trim($retval);
    if (get_magic_quotes_gpc())
      $retval = stripslashes($retval);
  }
  return $retval;
}

$username = form_var('username');


If a certain config option is set, PHP will automatically escape values in $_GET, $_POST, and $_COOKIE by adding slashes before quotes. So if magic quotes is enabled, the function will strip the slashes that PHP added. The point is so that the output of that function is the same thing regardless of how PHP is configured.


OIC. But why even have that if (gpc...) line there? If you put the stripslashes() function there regardless of the magic_quotes being set, wouldn't it have no effect on the data? Because if there are no slashes, stripslashes() does nothing, so doesn't that mean that the checking for magic_quotes is kind of pointless?


You might have slashes in the data that you want to keep, that are part of the actual data. You wouldn't want to strip slashes if PHP did not add them. Or, you only want to strip slashes if PHP added them. Trim is the only thing I do regardless of settings, in almost all circumstances I want the data coming back to be trimmed, that's the only change I make to the raw data though.


Archived

This topic is now archived and is closed to further replies.
