Stopping Html From Being Sent

[noan]

Hi.I am working on a PHP login script, which is designed to be placed at the top of a HTML page. If the user enters an incorrect password I want the script to stop the server from sending the HTML page to the user (instead i will either insert some sort of dummy page or simply redirect them to an error page). the problem is i can't find a way of stopping the rest of the page from being sent. does anyone know of any function or something that can do this. i know i could place the whole page inside a PHP variable and ECHO it, but i'm writing this for someone else and i want to make it as simple as possible so that it can just be put in the page without any further modification to the code.thanks.

[boen_robot]

You could have

<?php//logic codeif ($error) {?><form><!--etc.--></form><?php } ?>

Where $error of course is the error condition.

[Mencarta]

Use an if else statement. Example:

$user = $_POST["user"];$pass = $_POST["pass"];if ($user == "Me" && $pass == "You") {header("Location: members.php");}else {echo "HEY BUDDY! DON'T YOU TRY GETTING ACCESS TO MY PAGE!";}

[jeffman]

The more typical plan is to have the login form and the login script contained in the same document. The form submits to itself, and PHP reads the POST variables. It checks them against the registration database.If the login passes, you set a session variable so that all other pages will know that the user is logged in. Then the script redirects to some other page. Every restricted page has a little bit of code that checks for the session variable.If the login fails, you adjust the login page somehow (an embedded message, a red X, something like that) and just reprint it.

[noan]

@mencarta - thats fine but then what stops someone from just going straight to members.php and bypassing the access control. i want to place my validation script at the top of each private page (which basically checks a session variable set by the main login page), and only allow the private page to be loaded by the browser if the user is logged in (session variables correct).@boen_robot - i'm not sure if i understand that script. i presume that <!--etc--> is where the private content goes (does it have to be inside <FORM> tags?). or would that be were the error page goes?

[defiant1970]

@mencarta - thats fine but then what stops someone from just going straight to members.php and bypassing the access control. i want to place my validation script at the top of each private page (which basically checks a session variable set by the main login page), and only allow the private page to be loaded by the browser if the user is logged in (session variables correct).@boen_robot - i'm not sure if i understand that script. i presume that <!--etc--> is where the private content goes (does it have to be inside <FORM> tags?). or would that be were the error page goes?

on the top of the members page you should have your security stating that you must have a valid session_id to see the page if not return to the login page

[jeffman]

<?php   session_start();   if (!isset($_SESSION['user']) ) {	  header ('Location: login.php');	  exit;   }?>

That's the top of every restricted document. It could be an include file, too, but really this is not a lot of code and its intention is 100% clear. The actual html comes after that.Obviously, this assumes that users have first gone through a login script and that $_SESSION['user'] was set if the login validated.

[noan]

@deirdre's dad - thanks for that. can i just confirm one thing. say i had this page:

<?php   session_start();   if (!isset($_SESSION['user']) ) {      header ('Location: login.php');      exit;   }?><html><head><title>My Page</title></head><body><p>Some private content...</p></body></html

if the user wasn't logged in, would this script stop the rest of the page (the part between the two HTML tags) from being sent, and send only the redirect header, or would it send the redirect header followed by the rest of the page as normal?

[justsomeguy]

The exit statement will stop execution, so it only sends a header.

[noan]

thanks everyone

[boen_robot]

@boen_robot - i'm not sure if i understand that script. i presume that <!--etc--> is where the private content goes (does it have to be inside <FORM> tags?). or would that be were the error page goes?

"etc." means "and others", "and so on", "more"... in other words - "the rest of your code".What the whole script tries to show is that you can stop PHP at any time by typing "?>", and resume it at a later point with "<?php". Everything you have with PHP "off" is simply being outputted "as is". If you start a condition at some point (as is the case in the sample script), and turn off PHP within the "if" body, you'll only output the HTML if the condition is true.