Topic: Basic PHP Session problem (Page 1 of 1)

 
Orion
Neurotic (0) Inmate
Newly admitted

From:
Insane since: Aug 2006

posted 08-25-2006 01:13

Hi, very n00b to php but not to ozone. I used to have an account but it was probably removed. Anyways, I was doing a basic script and was trying to get my session to work. I think I'm placing them in the wrong way. Basically here's what I have (roughly):


Login.php

code:
<?

session_start();

if (!isset($username) && !isset($password)) {
    //run the login form
}

?>





index.php

code:
<?
include ("Login.php");

echo '<a href="edit.php">Edit</a>';
?>



edit.php

code:
<?

session_start();

echo $username;

?>




In edit.php it cannot show $username, and if I instead use include("Login.php"); in place of session_start(); it will ask to login again. Am I placing the session_start(); incorrectly?

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-25-2006 02:35

Ah where are you getting $username from? You're not using globals are you?


Use this instead, it's safer and won't break if register globals is turned off.

code:
$_SESSION['username']




You should be including the login at the top of all of your scripts, and it should check to ensure that the person is logged in, otherwise they can go directly to edit.php bypassing the login.

I normally do:

code:
session_save_path('/some_dir_here');

session_start();
header("Cache-control: private");

// print session_id();
            
// Check for a logout command first              
 if(isset($_POST['userLogout']) && $_POST['userLogout'] == 1)
{
    LogoutUser();
}

// Check for the sessions vars
if(isset($_SESSION['user_login']) && isset($_SESSION['str_random']))
{
    // Verify username etc
}
else
{
    // Denied
}



Also try checking the session ID it is setting, make sure it is the same from page to page. I have had problems where it wasn't for some reason. Make sure you have a writeable directory set to store the sessions, I usually set my own place and you can go and physically see what's going on with the session files.
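The "include the login at the top of every script and deny otherwise" pattern above, written out as a guard file. This is an added example for the thread, not H][RO's or Orion's code; it assumes the login script sets $_SESSION['user_login'] and $_SESSION['str_random'] only after a successful login, and that the protected pages sit next to login.php.

```php
<?php
// auth.inc: included at the top of every protected page (index.php, edit.php, ...).
// Constructed example for this thread. Assumes the login script stores
// $_SESSION['user_login'] and $_SESSION['str_random'] only after a successful login.
session_start();
header("Cache-control: private");

// Wipe the session data, the session file and the browser's session cookie.
function logoutUser() {
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 3600, '/');
    }
    session_destroy();
}

// True only if the login script stored both markers in this session.
function isLoggedIn() {
    return isset($_SESSION['user_login']) && isset($_SESSION['str_random']);
}

// Check for a logout command first; after it, the check below denies access.
if (isset($_POST['userLogout']) && $_POST['userLogout'] == 1) {
    logoutUser();
}

if (!isLoggedIn()) {
    // Denied: send the visitor to the login form and stop here, so someone who
    // typed edit.php straight into the address bar never reaches the page body.
    header("Location: login.php");
    exit();
}

// While debugging, print this on each page: it must not change between requests.
// echo session_id();
```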

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-25-2006 10:09

I suggest not to set session_save_path. That's a server side setting that you should not have to change in your scripts.
(If it isn't in the right place on your box, change it in php.ini. Not per script, that will only lead to trouble when you're moving hosts).

Otherwise:
Use $_SESSION to access the session variables. php->register_globals might ( and should! ) be off.

Please show us how you're setting $username, ie. how you're handling the login form.
Otherwise we do have a session tutorial that might be worth a read: Basic PHP Session Tutorial

So long,

->Tyberius Prime

Orion
Obsessive-Compulsive (I) Inmate

From:
Insane since: Aug 2006

posted 08-25-2006 10:25

Oh sorry yea... let me copy it now that I'm on my laptop... oh, the thing is if I put it in the edit.php it'll ask me to login again.

login.php

code:
<?

session_start();

if(!isset($username) | !isset($password)) {
	$fail = 0;
	login($fail);
	exit();
}

$_SESSION['username'];
$_SESSION['password']; 

$result = mysql_query ("SELECT password, name, user, level FROM user WHERE username = '$username'", $connect);
$row = mysql_fetch_row($result);
$pass = $row[0];
$name = $row[1];
$user = $row[2];
$level = $row[3];

if(($password == $pass) && ($password != "")) {
    $valid_user = 1;
    $_SESSION['name'];
	$_SESSION['user'];
	$_SESSION['level'];
}
else {
    $valid_user = 0;
}

mysql_close($connect);

//User has logged in
$_SESSION[$valid_user];

if (!($valid_user))
{
	//Clear the variables
	session_unset();   
	session_destroy(); 

	$fail = 1;
	login($fail);
	
	exit();
}

function login($fail) {
?>
	<br><br><br>
	<div id="box-top" style="width:400px" align="left"><div id="box-top-in"><table border="0" cellpadding="0" cellspacing="0" height="20"><tr><td valign="middle"><font class="box-title">Login</font></td></tr></table></div></div>
	<div id="box-cont" style="width:400px">
	<? if ($fail==1) { echo 'Incorrect login username and/or password.'; } ?><br>
	<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
	USERNAME&nbsp;&nbsp;<input type="text" name="username" size="50"><br>
	PASSWORD&nbsp;&nbsp;<input type="password" name="password" size="50"><br>
	<input type="submit" value="Login">
	</form>
	<font class="cookies">Please Note: Cookies must be enabled to (1) Login to FE Core and (2) Gain access to the documents and programs inside. Check your internet settings if you don't know how to activate cookies.</font>
	</div></div>
<?
}
?>



Some of the variables and functions come from the index.php... the index.php is pretty much similar to what I have now.

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-25-2006 11:05
quote:

Tyberius Prime said:
I suggest not to set session_save_path. That's a server side setting that you should not have to change in your scripts.



It shouldn't cause any problems changing servers, if you set the session directory in or below your own web root then it should never be a problem (I believe it's less of a problem personally!)

If you set it to some random directory that you have no control over on the server, obviously that could be a problem when you move so don't do that.

Unless you are referring to some other problem I'm not aware of.



Orion: A lot of your script doesn't seem quite right, have to go out now, will take a better look later if someone doesn't get to it first.

Orion
Obsessive-Compulsive (I) Inmate

From:
Insane since: Aug 2006

posted 08-25-2006 12:05

ok thanks... please do point out programming errors


I was wondering. By using session_save_path.. do I have to set, let's say in edit.php, a way to retrieve the session?

I've played around with the order of things... doesn't make it any better I guess

code:
<?

include("../../../Core.inc");

session_start();

//If the login was done before
if (!isset($username) && !isset($password)) {
	//not logged in
	$fail = 0;
	login($fail);
	exit();

} else {
	//check authenticity
	list ($accept, $name, $user, $level) = checkLogin($username, $password, $connect);
	
	//if the login fails
	if (!($accept)) {
				
		$fail = 1;
		login($fail);
		exit();
	} else {
		//if the login succeeds then reg vars
		$_SESSION['username'];
		$_SESSION['password']; 
		
		//other information
		$_SESSION['name'];
		$_SESSION['user'];
		$_SESSION['level'];
	}
}

//Check if they are logged in
function checkLogin($username, $password, $connect) {
	$result = mysql_query ("SELECT password, name, user, level FROM user WHERE username = '$username'", $connect);
	$row = mysql_fetch_row($result);
	$pass = $row[0];
	$name = $row[1];
	$user = $row[2];
	$level = $row[3];
	
	if(($password == $pass) && ($password != "")) {
		
		$access = TRUE;
	} else {
		$access = FALSE;
	}
	
	mysql_close();
	
	return array($access, $name, $user, $level);
}

//Login Form
function login($fail) {
?>
	<br><br><br>
	<div id="box-top" style="width:400px" align="left"><div id="box-top-in"><table border="0" cellpadding="0" cellspacing="0" height="20"><tr><td valign="middle"><font class="box-title">Login</font></td></tr></table></div></div>
	<div id="box-cont" style="width:400px">
	<? if ($fail==1) { echo 'Incorrect login username and/or password.'; } ?><br>
	<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
	USERNAME&nbsp;&nbsp;<input type="text" name="username" size="50"><br>
	PASSWORD&nbsp;&nbsp;<input type="password" name="password" size="50"><br>
	<input type="submit" value="Login">
	</form>
	<font class="cookies">Please Note: Cookies must be enabled to (1) Login to FE Core and (2) Gain access to the documents and programs inside. Check your internet settings if you don't know how to activate cookies.</font>
	</div></div>
<?
}
?>



(Edited by Orion on 08-25-2006 12:06)

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-25-2006 13:12

Ok, this is a bit more rantish than I had aimed at... but there are many issues with this seemingly simple piece of code.

Here we go...

You are not even setting the username & password in the session!
How would you ever expect it to get to the second page?

You should never check on $username.
Either you're checking on $_POST['username'], coming from the form, or $_SESSION['username'] after you've set it in the session via
$_SESSION['username'] = $_POST['username']; after the auth succeeded.


Your checkLogin function will fail spectacularly when the user isn't in the database. You need to check if mysql_num_rows() > 0 or $row !== false.

Your form looks like it was written in 1999. Tables, inline styles, font tags... That's so very much last century.

You are not escaping your SQL strings. Get in the habit. Now! Otherwise, it will be terribly easy to hack your system by posting
a username of "' OR 1 = 1" (ok, that will only lead the database to return something now. But it might also have been a drop table! Or an insert statement, or other bad things). Read up on php->mysql_real_escape_string()


You should never require to pass in the mysql connection id. Your design is seriously problematic if you ever need more than one.
(I know there are exceptions when you actually need two databases. Not in your typical web app though!).


mysql_close() is not what you want. You won't be able to do any queries without reconnecting to the server (expensive) after that. You are looking for php->mysql_free_result()

$PHP_SELF and $QUERY_STRING come from $_SERVER. Use $_SERVER['PHP_SELF'], etc, or you will suffer when (not if) register_globals is turned off on a host - as it should be for security reasons if it were not for the gazillion broken scripts out there.

If you're checking for a boolean, say that. Don't say $fail == 1. That obscures your meaning. Say either if ( $fail ), or if ( $fail == true ) (which both are identical).


There was something else, but I forgot it.
Take care,

->Tyberius Prime

H][RO
Paranoid (IV) Inmate

From: Australia
Insane since: Oct 2002

posted 08-26-2006 02:44

As TP mentioned, make sure you escape your variables before using them in your query string:

Make sure you use mysql_escape_string or something on the data you are getting from post or session for that matter, before querying your database.
http://au2.php.net/manual/en/function.mysql-escape-string.php

You also need to check your magic quotes setting, do some googling on this. I always work with magic quotes off and run my post data etc. through a function which escapes it just before you use them in the SQL.

If you google for a tutorial on website login or secure login there should be plenty of php samples out there for you to work off.
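The points from Tyberius Prime's and H][RO's posts above (set $_SESSION after the auth succeeds, check for a missing row, escape right before the SQL, free the result rather than closing the link, read PHP_SELF from $_SERVER, handle magic quotes once), put together in one login.php. This is an added example, not Orion's script or anyone's code from the thread; it assumes Core.inc has already opened the mysql link and that the `user` table has the columns the posted queries use.

```php
<?php
// login.php built from the thread's advice. Constructed example; assumes the
// mysql link is already open and the `user` table matches the thread's query.
session_start();
// Undo magic_quotes_gpc if it is on, so input is escaped exactly once, by us.
function cleanInput($value) {
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}
// Returns array(name, user, level) on success, false otherwise.
function checkLogin($username, $password) {
    $safe = mysql_real_escape_string($username);   // escape right before the SQL
    $result = mysql_query("SELECT password, name, user, level FROM user WHERE username = '$safe'");
    if ($result === false || mysql_num_rows($result) == 0) {
        return false;                               // unknown user: no row to read
    }
    $row = mysql_fetch_row($result);
    mysql_free_result($result);                     // free the result, keep the link
    // The thread's schema stores the password as submitted; compare strictly.
    if ($password === '' || $row[0] !== $password) {
        return false;
    }
    return array($row[1], $row[2], $row[3]);
}
function showLoginForm($fail) {
    $self = htmlspecialchars($_SERVER['PHP_SELF']);  // not the global $PHP_SELF
    if ($fail) {
        echo '<p>Incorrect login username and/or password.</p>';
    }
    echo '<form action="' . $self . '" method="post">'
       . 'USERNAME <input type="text" name="username"><br>'
       . 'PASSWORD <input type="password" name="password"><br>'
       . '<input type="submit" value="Login"></form>';
}
if (isset($_SESSION['username'])) {
    return;                                         // logged in on an earlier request
}
$fail = false;
if (isset($_POST['username']) && isset($_POST['password'])) {
    $info = checkLogin(cleanInput($_POST['username']), cleanInput($_POST['password']));
    if ($info !== false) {
        session_regenerate_id();                    // fresh session id once authenticated
        $_SESSION['username'] = $_POST['username']; // the assignment the posted code lacks
        list($_SESSION['name'], $_SESSION['user'], $_SESSION['level']) = $info;
        return;                                     // the including page carries on
    }
    $fail = true;
}
showLoginForm($fail);
exit();
```

Because the file ends with return on success and exit() otherwise, a page that does include("login.php"); at its top only ever runs its body for a logged-in visitor.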

Orion
Obsessive-Compulsive (I) Inmate

From:
Insane since: Aug 2006

posted 08-26-2006 10:23

Wow thanks for so much information and thanks for all the help... I'm gonna try the suggestions in order first to see the results

I read up a lot on the magic_get_quote(), I just haven't implemented it yet cuz still a lil unsure how to implement it.

TP do you have any good CSS and HTML design tutorials... cuz all I've read up on are basics which I thought was just it.

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 08-26-2006 16:08
quote:

Orion said:

TP do you have any good CSS and HTML design tutorials... cuz all I've read up on are basics which I thought was just it.



One stop shop

There's also CSS Zen Garden to show you what you can do with a well formatted XHTML document. PIE is a good resource for problems between browsers and other tips and tricks.

There's really a ton of them but these are some of my favorites. As far as "design" goes... that's really up to your creativity. Something that I lack

Later,

C:\

Orion
Obsessive-Compulsive (I) Inmate

From:
Insane since: Aug 2006

posted 08-28-2006 05:26

Thanks CPrompt, those are good tuts...


I've tried using (isset($_SESSION['username'])) but weird enough... it couldn't detect it.... I tried echo $_SESSION['username'] but it doesn't echo it, but if I do $username it does...

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-28-2006 09:21

Because you are either never setting $_SESSION['username'] (using $username = 'something'; instead, which will not get it into the session),
or your session isn't started. Which I doubt.

Orion
Obsessive-Compulsive (I) Inmate

From:
Insane since: Aug 2006

posted 08-30-2006 00:43

I've used $_SESSION['username'] = $user;


Would it be the second case? Because if I add in echo $PHPSESSID... it only displays it after I've logged in and display the script again... any ideas why the session would start?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 08-30-2006 14:53

Please post all of your current code, I don't think I have the time to glassball this one.

Orion
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2006

posted 09-01-2006 10:09

Oki here it is:

code:
<?

include("../../../Core.inc");

session_start();

if (isset($HTTP_POST_VARS['username'])) {

	if (checkLogin($HTTP_POST_VARS['username'], $HTTP_POST_VARS['password'], $connect)) {
		regUser($HTTP_POST_VARS['username']);
	}
}



//If the login was done before
if (!isset($HTTP_POST_VARS['username']) && !isset($HTTP_POST_VARS['$password'])) {
	if (!isset($username) && !isset($password)) {
		//not logged in
		$fail = FALSE;
		login($fail);
	
		exit();
	} else {
		//check authenticity
		list ($accept, $name, $user, $level) = checkLogin($username, $password, $connect);
		
		//if the login fails
		if (!($accept)) {
				
		$fail = TRUE;
		login($fail);
		exit();
		}
	}

} else {
	//check authenticity
	list ($accept, $name, $user, $level) = checkLogin($HTTP_POST_VARS['username'], $HTTP_POST_VARS['password'], $connect);
	
	//if the login fails
	if (!($accept)) {
				
		$fail = TRUE;
		login($fail);
		exit();
	} else {
		//if the login succeeds then reg vars
		$_SESSION['username'];
		$_SESSION['password']; 
		
		//other information
		$_SESSION['name'];
		$_SESSION['user'];
		$_SESSION['level'];
	}
}

//Check if they are logged in
function checkLogin($username, $password, $connect) {
	$result = mysql_query ("SELECT password, name, user, level FROM user WHERE username = '$username'", $connect);
	$row = mysql_fetch_row($result);
	$pass = $row[0];
	$name = $row[1];
	$user = $row[2];
	$level = $row[3];
	
	if(($password == $pass) && ($password != "")) {
		
		$access = TRUE;
	} else {
		$access = FALSE;
	}
	
	mysql_close();
	
	return array($access, $name, $user, $level);
}

//Register the User
function regUser($user) {
	$_SESSION['username'] = $user;
}

//Login Form
function login($fail) {
?>
	<br><br><br>
	<div id="box-top" style="width:400px" align="left"><div id="box-top-in"><table border="0" cellpadding="0" cellspacing="0" height="20"><tr><td valign="middle"><font class="box-title">Login</font></td></tr></table></div></div>
	<div id="box-cont" style="width:400px">
	<? if ($fail) { echo 'Incorrect login username and/or password.'; } ?><br>
	<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>" method="POST">
	USERNAME&nbsp;&nbsp;<input type="text" name="username" size="50"><br>
	PASSWORD&nbsp;&nbsp;<input type="password" name="password" size="50"><br>
	<input type="submit" value="Login">
	</form>
	<font class="cookies">Please Note: Cookies must be enabled to (1) Login to FE Core and (2) Gain access to the documents and programs inside. Check your internet settings if you don't know how to activate cookies.</font>
	</div></div>
<?
}
?>




I still haven't changed anything extra, just tried to get the session thing working first


