
Form Handler If Condition


chibineku


In my login form handler, I want to be able to sign people in with either their username or password, and their email address. First thing I want to check is that at least one of the first two is set, and that the password is set. I thought I'd use this as my condition:
if (((!isset($_POST["username"])) xor (!isset($_POST["email"]))) && (!isset($_POST["password"]))) {
But it doesn't seem to like it... I get a blank page. The rest of the code is:

<?php
include_once("db_include.php5");
doDB();
//check for required fields from the form
if (((!isset($_POST["username"])) xor (!isset($_POST["email"]))) && (!isset($_POST["password"]))) {
    header("Location: loginform.php5");
} else if ($_POST["username"] && $_POST["password"]) {
    //create and issue the query
    $sql = "SELECT id FROM aromaMaster WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
    $sql_res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
    //get the number of rows in the result set; should be 1 if a match
    if (mysqli_num_rows($sql_res) == 1) {
        //if authorized, get the userid
        while ($info = mysqli_fetch_array($sql_res)) {
            $userid = $info["id"];
        }
        //set session variables
        $_SESSION["userid"] = $userid;
        //redirect to main page
        header("Location: loginredirect.php5");
    } else if ($_POST["email"] && $_POST["password"]) {
        //create and issue the query
        $sql = "SELECT id FROM aromaMaster WHERE email='".$_POST["email"]."' AND password=PASSWORD('".$_POST["password"]."')";
        $sql_res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
        //get the number of rows in the result set; should be 1 if a match
        if (mysqli_num_rows($sql_res) == 1) {
            //if authorized, get the values of f_name, l_name
            while ($info = mysqli_fetch_array($sql_res)) {
                $userid = $info["id"];
            }
            //set session variables
            $_SESSION["userid"] = $userid;
            //redirect to main page
            header("Location: loginredirect.php5");
        }
    } else {
        //redirect back to login form
        header("Location: loginform.php5");
    }
    mysqli_close($mysqli);
}
?>

It was working fine until I added this extra condition and copied the login query so that it would fire if the email address and password are set. I've tried a variety of different things, but can't seem to get the right condition.


Why xor? Do you want it to be an error if they fill out both? You're using isset to check values. If they submitted the form, isset is always going to return true and the xor is always going to be false. Use empty instead of isset, you don't want to check if it's set (it is), you want to check if it's empty. Look up the difference between isset and empty. You should never see a blank page in development. Enable error messages, use error logging if you want to. It doesn't do you any good if the server doesn't display an error when it happens. If you want to redirect if both the username and email are blank, or if they have a blank password, how about just this:
if ((empty($_POST['username']) && empty($_POST['email'])) || empty($_POST['password']))


I know, I know, I just got to the empty/isset thing before you mentioned it. The condition you wrote works if all fields are filled in, and if the username and password are, but not the email and password. I'm sure that's just an error in the query. I don't know why I get blank pages - I will set error reporting to E_ALL - however you do that. I have it set to that on my local development server but I'm testing this on a remote webhost.


There might not even be an error, that script doesn't actually have any output. It redirects in a few places, but it doesn't output anything. It would be good just to add some output statements so it can tell you what it's doing, once it's working you can remove those and have it redirect again.


True, although surely the redirect is enough? Btw I tried adding error_reporting(E_ALL); and it still gave me a blank page. Cheeky.


Okay, well this thread did improve the script, since I have a better condition and use empty() and now free my mysqli results, AND it highlighted the need to make sure that the user has registered an e-mail address... I'm an idiot. Thanks again, JSG! Btw, you are right, and I started adding echos throughout the script and found where it broke. Half the time such simple error checking strategies appear obvious to me, half the time... well, I'm an idiot.


How about this: what happens if the first if statement fails, but the username is empty? Where does the execution go? What about if the first if statement fails, username and password are not empty, the first query doesn't find any results, the email and password are not empty, and the second query doesn't find any results? In both situations you end up with no redirect, and no output. You've got the idea though.


Egads! It's a nightmare!


I know, I checked all my braces and they have been fixed. As for empty input fields, I run a script on keyup that matches each input field against a regexp. The only dubious fields are address fields because they can legitimately contain spaces. But if I also use empty() to verify my forms, that will catch fields consisting of only spaces, right? As far as checking that people don't have duplicate records, do you think it's enough to try a select from query using the info from the registration form and if the number of affected rows is == 1 then the user is already registered? I


A string of spaces is not considered empty. You can use trim though to remove leading and trailing spaces around a string. Select queries don't have affected rows, but you can use mysql_num_rows or you can use a count query.

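The three checks discussed in this thread, compared on constructed form submissions, as an added example that is not part of any post. The helper names `field` and `missing_credentials` are assumptions made for the illustration.

```php
<?php
// Added example with constructed inputs; not code from the thread.

// Return the field as a trimmed string; missing or non-string values become "".
function field(array $post, string $name): string {
    $value = $post[$name] ?? "";
    return is_string($value) ? trim($value) : "";
}

// True when the form lacks (username or email) or lacks a password.
function missing_credentials(array $post): bool {
    $hasLogin = field($post, "username") !== "" || field($post, "email") !== "";
    // Passwords are not trimmed: leading or trailing spaces may be intentional.
    $password = $post["password"] ?? "";
    $hasPassword = is_string($password) && $password !== "";
    return !$hasLogin || !$hasPassword;
}

$samples = [ // constructed form submissions
    "all blank"        => ["username" => "",    "email" => "", "password" => ""],
    "spaces only"      => ["username" => "   ", "email" => "", "password" => "pw"],
    "username is '0'"  => ["username" => "0",   "email" => "", "password" => "pw"],
    "email + password" => ["username" => "", "email" => "a@example.com", "password" => "pw"],
];

foreach ($samples as $label => $post) {
    // The original condition: every submitted field is set, so this never fires.
    $issetCheck = (!isset($post["username"]) xor !isset($post["email"])) && !isset($post["password"]);
    // The condition suggested in the reply.
    $emptyCheck = (empty($post["username"]) && empty($post["email"])) || empty($post["password"]);
    printf("%-18s isset-style=%-5s empty()=%-5s trimmed=%s\n",
        $label,
        var_export($issetCheck, true),
        var_export($emptyCheck, true),
        var_export(missing_credentials($post), true));
}
```

Each column prints whether that check would send the user back to the form. `empty("0")` is true in PHP, so the `empty()` condition rejects a username of `0`, while a whitespace-only username passes it; the trim-then-compare check handles both.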

Select queries don't have affected rows, but you can use mysql_num_rows or you can use a count query.
That's what I meant :-p I will trim the strings, then, that sounds like the easiest solution. Trim them, check if they're empty, and if they pass both of those, and have been stripped of illegal characters by my input script and mysqli_real_escape_string and htmlspecialchars, that ought to make user input pretty safe, right? Right?
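One way to write the handler so that user input never becomes part of the SQL text and every path ends in exactly one redirect, as an added example (not the poster's code). It assumes a hypothetical `pw_hash` column holding `password_hash()` output in place of the thread's MySQL `PASSWORD()` call, and that `doDB()` sets `$mysqli` as in the original script; `find_user_id` and `login_target` are illustrative names.

```php
<?php
// Added example, not the poster's code. Assumed: a `pw_hash` column that stores
// password_hash() output, and $mysqli created by the thread's doDB().
// Look the account up by username OR email; return its id, or null on failure.
function find_user_id(mysqli $db, string $login, string $password): ?int {
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare(
        "SELECT id, pw_hash FROM aromaMaster WHERE username = ? OR email = ? LIMIT 2"
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("ss", $login, $login);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $hash);
    // Exactly one matching row is required; two means the login is ambiguous.
    $found = $stmt->num_rows === 1 && $stmt->fetch();
    $stmt->close();
    return ($found && password_verify($password, (string)$hash)) ? (int)$id : null;
}

// Every path returns a redirect target, so the caller redirects exactly once.
function login_target(mysqli $db, array $post): string {
    $login = $post["username"] ?? "";
    if (!is_string($login) || trim($login) === "") {
        $login = $post["email"] ?? "";
    }
    $password = $post["password"] ?? "";
    if (!is_string($login) || !is_string($password)
        || trim($login) === "" || $password === "") {
        return "loginform.php5";
    }
    $userid = find_user_id($db, trim($login), $password);
    if ($userid === null) {
        return "loginform.php5";
    }
    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION["userid"] = $userid;
    return "loginredirect.php5";
}

session_start();
include_once("db_include.php5");
doDB();
$target = login_target($mysqli, $_POST);
mysqli_close($mysqli);
header("Location: " . $target);
exit;
```

With bound parameters, `mysqli_real_escape_string` is not needed for these values. `htmlspecialchars` belongs at the point where a value is written into HTML output, not before it is stored or queried.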

Wheee! *spins on chair with glee*


nm


Archived

This topic is now archived and is closed to further replies.
