
Validate user before starting a session

Posted: Fri Dec 11, 2009 1:38 pm
by st89
I have the following code stored as "validate.php" (It is passed two $_POST variables from a basic log-in form: $_POST['name'] and $_POST['password']):

Code:

session_start();
mysql_connect('localhost', 'user', 'password');
mysql_select_db('mydatabase');
$query = mysql_query("SELECT * FROM user");
$user = mysql_fetch_array($query);
 
// Check if $_POST['name'] exists in the `user` table:
if ($user['name'] == $_POST['name']) {
  // If it does, select that row:
  $query = mysql_query('SELECT * FROM user WHERE name='.$_POST['name']); 
 
  // ... and add it to an array:
  $user = mysql_fetch_array($query);
 
  // Now check if the password matches:
  if ($user['password'] == $_POST['password']) {
    // If it does, forward to correct page with session data:
    $_SESSION['name'] = $_POST['name'];
    $_SESSION['password'] = $_POST['password'];
    header('Location: http://localhost.localdomain/home.php');
  }
  // If the password doesn't match, return to login form to try again:
  else {
    header('Location: http://localhost.localdomain/index.php');
  }
}
// If the name doesn't exist in `user` table, return to login form to try again:
else {
  header('Location: http://localhost.localdomain/index.php');
}
Home.php is here:

Code:

<?php
// Require the class file
require('classes.php');
 
// Instantiate the required objects
$load_xml = new DomDocument;
$load_xsl = new DomDocument;
$xslt = new XsltProcessor();
$xml = new xml();
$xsl = new xsl();
 
// Modify XSL
$xsl->__set('content', 'Name = '.$_SESSION['name'].'. Password = '.$_SESSION['password']);
 
// Transform to HTML
$load_xml->loadXML($xml->output());
$load_xsl->loadXML($xsl->output());
$xslt->importStylesheet($load_xsl);
echo $xslt->transformToXML($load_xml);
When I use the log-in form with a correct name and password combination I get:

Code:

Notice: Undefined variable: _SESSION in /var/www/html/home.php on line 13
 
Notice: Undefined variable: _SESSION in /var/www/html/home.php on line 13
...in my web browser. I know home.php isn't at fault because it works fine when $xsl->__set('content') is something non-superglobal.

validate.php is doing something right because it is forwarding me to home.php (rather than back to index.php where the login form resides). I'd be grateful if someone could point out where I've gone wrong.

Thanks in advance for any help/tips/pointers :D

Re: Validate user before starting a session

Posted: Fri Dec 11, 2009 1:50 pm
by AbraCadaver
Maybe put a session_start() in home.php?

Re: Validate user before starting a session

Posted: Fri Dec 11, 2009 4:26 pm
by flying_circus
I think AbraCadaver solved your error messages, but really, you need to bone up a little bit on SQL Injection. Mordred (A poster on this site) has put together a great article here: http://www.webappsec.org/projects/articles/091007.shtml. I think you will find this very helpful.
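
Putting both replies together, here is what the validate.php / home.php pair looks like once session_start() is on every page that reads $_SESSION and the query no longer splices $_POST['name'] into the SQL string. This is an added example, not the original poster's code or anything from the linked article; it assumes a `user` table with columns `name` and `password_hash` (written by password_hash()), PDO with the MySQL driver, and the same redirect targets as the original post. The function names (db, authenticate, redirect, handle_login, require_login) are illustrative.

```php
<?php
// Added example, not code from the original poster: a hardened version of the
// validate.php / home.php pair from this thread. Assumptions: a `user` table with
// columns `name` and `password_hash` (the hash written by password_hash()), PDO with
// the MySQL driver, and the same redirect targets as the original post.

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4', 'user', 'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepared statements
    );
}

// Returns the canonical user name on success, null on any failure.
function authenticate(PDO $pdo, string $name, string $password): ?string
{
    // Parameterised query: the submitted name is bound as data, so it can never
    // change the SQL text the way 'SELECT * FROM user WHERE name='.$_POST['name'] can.
    $stmt = $pdo->prepare('SELECT name, password_hash FROM user WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the stored hash in constant time; the
    // plaintext password is never stored and never compared with ==.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // unknown user and wrong password fail identically
    }
    return $row['name'];
}

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;   // header() does not stop the script; without exit the rest still runs
}

// ---- validate.php: receives the login form POST ----------------------------
function handle_login(): void
{
    session_start();   // needed before touching $_SESSION
    $name = authenticate(db(), $_POST['name'] ?? '', $_POST['password'] ?? '');
    if ($name === null) {
        redirect('http://localhost.localdomain/index.php');
    }
    session_regenerate_id(true);   // fresh session id after login (session fixation defence)
    $_SESSION['name'] = $name;     // store identity only, never the password
    redirect('http://localhost.localdomain/home.php');
}

// ---- home.php: first lines of any page that relies on the session ----------
function require_login(): string
{
    session_start();   // AbraCadaver's fix: without this $_SESSION is undefined here
    if (empty($_SESSION['name'])) {
        redirect('http://localhost.localdomain/index.php');
    }
    // Escape before placing the value in generated markup (the XSL content string).
    return htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8');
}

// Creating a row once, e.g. from a registration script (not shown in the thread):
// db()->prepare('INSERT INTO user (name, password_hash) VALUES (:n, :h)')
//     ->execute([':n' => $name, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
```

validate.php would call handle_login() and nothing else; home.php would start with `$name = require_login();` and pass $name to $xsl->__set('content', ...) in place of the session values. Note that the hardened version also drops the original code's first query, which fetched one arbitrary row from `user` and compared its name to $_POST['name'], so login only worked for whichever user happened to come back first.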

Re: Validate user before starting a session

Posted: Thu Dec 17, 2009 2:35 am
by st89
flying_circus wrote:I think AbraCadaver solved your error messages, but really, you need to bone up a little bit on SQL Injection. Mordred (A poster on this site) has put together a great article here: http://www.webappsec.org/projects/articles/091007.shtml. I think you will find this very helpful.
Thanks, that's a great article. There's nothing I won't be using from it.