Error handling

[dotkpay]

Hello,

Am writing a script that involves user input.

Take an example: a user fills in a wrong username or password at the page login.php, my login processor (processor.php) detects it, how is the error "WRONG USERNAME OR PASSWORD" supposed to be transferred back to login.php.

So far I have been using a session variable to transfer the error but am sure there is a better way to do this without displaying the error on processor.php itself.

 

Thanx in advance

[spiderwell]

use a header redirect and use a query string?  which will leave it visible in the url bar, not sure if thats an issue for you or not.

[dotkpay]

The problem with that method is that users will be able to play around with errors. For example if you call header with the location "login.php?error=17" and then require an error handling file such as error.php to translate $_GET['error']=17 as "WRONG USERNAME OR PASSWORD", then a curious user or hacker could intentionally enter "login.php?error=25" into the address bar to force an error.

[dcro2]

The problem with that method is that users will be able to play around with errors. For example if you call header with the location "login.php?error=17" and then require an error handling file such as error.php to translate $_GET['error']=17 as "WRONG USERNAME OR PASSWORD", then a curious user or hacker could intentionally enter "login.php?error=25" into the address bar to force an error.

Why is that a problem? It's not a real error since it's just displaying a string based on the error number.

 

Does login.php submit the username/password form to process.php?

[dotkpay]

I was actually wondering how some sites are able to display errors without adding variables to the url.

[Pikachu2000]

For a simple login, you can just submit the form to itself. Paste this into a new file, play with it and see how it works. It should give you some ideas as to how to accomplish what you're trying to do.

 

<?php
if( isset($_POST['submitted']) && $_POST['submitted'] == 'yes' ) { //check for hidden field value to indicate form has been submitted
$errors = array(); // initialize an array to hold validation errors
$_POST = array_map('trim', $_POST); // trim all $_POST array values

if( !empty($_POST['name']) ) { // validate the name field
	if( !ctype_alpha($_POST['name']) ) {
		$errors['name'][] = 'Name must be alphabetic characters only.'; // if name has non alpha chars, store error
	}
	if( strlen($_POST['name']) < 3 || strlen($_POST['name'] > 20) ) {
		$errors['name'][] = 'Name must be from 3 to 20 characters.'; // if name has too many/few chars, store error
	}
} else {
	$errors['name'][] = 'Name is a required field.'; // if name is empty, store error
}

if( !empty($_POST['number']) ) { // same validations as in name, above.
	if( !ctype_digit($_POST['number']) ) {
		$errors['number'][] = 'Number must be numeric.';
	}
	if( strlen($_POST['number']) < 5 || strlen($_POST['number']) > 10 )  {
		$error = 'Number must be from 3 to 20 digits. It is currently ' . strlen($_POST['number']) . ' digit';
		$error .= strlen($_POST['number']) == 1 ? '.' : 's.';
		$errors['number'][] = $error;
	}
} else {
	$errors['number'][] = 'Number is a required field.';
}
if( !empty($errors) ) {  // if the $errors array is not empty, display the errors to allow the user to correct them and resubmit the form
	$echo = array();
	foreach( $errors as $v ) {
		if( is_array($v) ) {
			$echo[] = implode('<br>', $v );
		} else {
			$echo[] = $v;
		}
	}
	$err_echo ="<font color=\"red\">The following errors were detected:<br>";
	$err_echo .= implode("<br>\n", $echo);
	$err_echo .= '</font>';
}
}
if( (isset($_POST['submitted']) && !empty($errors)) || !isset($_POST['submitted']) ) {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<style type="text/css" media="screen">
body {
font-family: helvetica, arial, sans-serif;
font-size: 0.85em;
line-height: 1.25em;
letter-spacing: -0.5px;
}
input {
border: 1px solid #336699;
padding: 0.1em;
margin: 5px;
color: #113366;
}
input.error {
background-color: #F2BDCA;
color: #850310;
border: 1px solid red;
}
input.good {
background-color: #D3F5D3;
border: 1px solid #156B15;
color: #156B15;
}
input.submit {
background-color: #CCCCCC;
border: 1px solid #888888;	color: #333333;
padding: 2px;
margin: 0;
font: 0.9em helvetica, arial sans-serif;
}
</style>
<title> Work In Progress</title>
</head>
<body>
<?php
echo !empty($err_echo) ? $err_echo : '';
?>
<form method="post" action="">
Name (3-20 letters):
<input type="text"
class="<?php if( isset($_POST['submitted']) ) { echo !empty($errors['name']) ? 'error' : 'good'; } ?>"
name="name"
value="<?php echo isset($_POST['name']) ? $_POST['name'] : ''; ?>">
<br>
Number (5-10 numbers):
<input type="text"
class="<?php if( isset($_POST['submitted']) ) { echo !empty($errors['number']) ? 'error' : 'good'; } ?>"
name="number" value="<?php echo isset($_POST['number']) ? $_POST['number'] : ''; ?>">
<br>
<input type="hidden" name="submitted" value="yes">
<input class="submit" type="submit" name="submit" value="
<?php echo !empty($errors) ? 'Re-Submit' : 'Submit'; ?>
">
</form>
<?php
} else {
// Form was submitted, and validated with no errors. OK to run db insert, display success message, etc.
echo "Successful submission!";
}
?>
</body>
</html>

[/code]