Following this tutorial to create a safe login system, I came to this problem.
In Part 7 of 8: Create HTML Pages, section 1 Create the login form (index.php), it uses:
<form action="includes/process_login.php" method="post" name="login_form">
Although earlier in the tutorial it states (Part 3 of 8, section 1, first paragraph):
In a production environment you'll probably want to locate this file and all your other include files, outside of the web server's document root. If you do that, and we strongly suggest that you do, you will need to alter your include or require statements as necessary, so that the application can find the include files.
So my includes folder is not inside /var/www/html/mysite/ or /var/www/html/, but in /var/www/, and my form became:
<form action="../../includes/process_login.php" method="post" name="login_form">
(which works for the PHP includes). But this one doesn't work; I get this error:
http://localhost/includes/process_login.php The requested URL /includes/process_login.php was not found on this server.
Why is it acting as if my includes was inside /var/www/html/? I checked all my /var/www/ folders using
grep -rnw . -e 'process_login.php'
and this is the only occurrence of that string (with the ../../). What am I missing?
I found a workaround by including a file that just includes another, being the first in a public folder and the second in a hidden folder.
The form:
<form action="process_login.php" method="post" name="login_form">
First file (public_folder/mysite/process_login.php):
<?php
include '../../includes/process_login.php';
Second file (../../includes/process_login.php):
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $pwd = $_POST['p']; // The hashed password.
    if (login($email, $pwd, $conn) == true) {
        // Login success
        header('Location: ../coisas/protected_page.php');
    } else {
        // Login failed
        header('Location: ../coisas/index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
Anyway, I still want to understand why this is needed.
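Added example, not part of the original post: a small Node.js model of the two path resolutions involved, showing why the same `../../includes/process_login.php` string works in a PHP `include` but produces the 404 above when used as a form action. It assumes the form page is served as `http://localhost/mysite/index.php`, that the document root is `/var/www/html`, and that no Alias or rewrite rules are in play; the function names are made up for this illustration.

```javascript
// Assumptions (not stated in the post): the form page is served as
// http://localhost/mysite/index.php and the DocumentRoot is /var/www/html.
const DOCROOT = '/var/www/html';
const PAGE_URL = 'http://localhost/mysite/index.php';
const SCRIPT_DIR = '/var/www/html/mysite'; // directory of the PHP script doing the include

// Collapse "." and ".." in an absolute POSIX path; ".." at the root stays at the root.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// PHP include: a "../" path is resolved on the server's filesystem,
// so it can climb above the document root.
function resolveInclude(scriptDir, rel) {
  return normalize(scriptDir + '/' + rel);
}

// Form action: the browser resolves it as a URL against the page URL, where
// ".." cannot climb above "/". The server then maps that path under DOCROOT.
function resolveFormAction(pageUrl, action, docroot) {
  const url = new URL(action, pageUrl);
  return { requested: url.href, mappedTo: normalize(docroot + url.pathname) };
}

// A file can be requested over HTTP only if it lies under the document root.
function isWebReachable(fsPath, docroot) {
  return normalize(fsPath).startsWith(docroot + '/');
}

const rel = '../../includes/process_login.php';
const included = resolveInclude(SCRIPT_DIR, rel);
const posted = resolveFormAction(PAGE_URL, rel, DOCROOT);
const wrapper = resolveFormAction(PAGE_URL, 'process_login.php', DOCROOT);

console.log('include resolves to :', included, 'web-reachable:', isWebReachable(included, DOCROOT));
console.log('form action requests:', posted.requested, '->', posted.mappedTo);
console.log('wrapper action      :', wrapper.requested, '->', wrapper.mappedTo);
```

The include lands on `/var/www/includes/process_login.php`, which no URL can reach, while the form action is clamped to `/includes/process_login.php` under the document root, where no such file exists. That unreachability is what the tutorial's advice is for, so a thin public wrapper that includes the private file is the expected arrangement.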