mds1256 Posted September 4, 2010 Share Posted September 4, 2010 Hi I want to hide the login box's of my webpage once you login. I have thought of two ways of doing it but which one would you say is better practice? 1. use a PHP if statement to echo 'Display: none on css' - when viewing source code it still shows the form but not displayed on page itself 2. use a PHP if statement around the whole <form></form> so it physically doesnt write the html if already logged in? Or if anyone has a better way it would be appreciated if you would share it? Thanks in advance Quote Link to comment Share on other sites More sharing options...
PaulRyan Posted September 4, 2010 Share Posted September 4, 2010 I recommend the second method in all honesty. The first method leaves the form viewable, and open to be abused by a intermediate coder, who could make a script to post the form still. If the form is not there at all they can do that. Just my opinion, but hey who listens to me? Paul. Quote Link to comment Share on other sites More sharing options...
freeloader Posted September 4, 2010 Share Posted September 4, 2010 The second way would be better coding practice. It reduces the html output, makes your page smaller and easier to load. Quote Link to comment Share on other sites More sharing options...
ignace Posted September 5, 2010 Share Posted September 5, 2010 The first method leaves the form viewable, and open to be abused by a intermediate coder, who could make a script to post the form still. If the form is not there at all they can do that. Who would stop me from making a script that would post the exact same variables to his login script using a directory attack? The #2 method is better because some people may have CSS set to off and the form would display to them. That's the only reason as to why #2 is better, not for stopping hackers. You'll have to write custom code to prevent people from submitting a form remotely, like: <?php session_start(); if(!isset($_SESSION)) { $_SESSION['form_token'] = uniqid(true); } if(sizeof($_POST)) { if($_POST['token'] !== $_SESSION['form_token']) { exit('form denied'); } else { if(empty($_POST['username']) || empty($_POST['password'])) { $errors[] = 'username and password are empty'; } else if (..) { } if(sizeof($errors)) { $_SESSION['form_token'] = uniqid(true); // errors detected, generate a new token for next form submission } else { .. } } } $token = $_SESSION['form_token']; ?> <form action="#" method="POST"> <input type="hidden" name="token" value="<?php print $token; ?>"> </form> Quote Link to comment Share on other sites More sharing options...
mds1256 Posted September 12, 2010 Author Share Posted September 12, 2010 Thanks for the replies Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.