Page 1 of 1

Need urgent help - Session username wrong!

Posted: Sun Jan 31, 2010 1:58 pm
by synical21
Hello Guru's for the secound time today :(

Ever since my site was created I kept the users username is a session, this was never utilized until today when i tried to use it. To my shock when I echo'd the username session i got the wrong username! 8O I tested it on another user and the same problem happened although it is not a different username depending on the user it is the same one username which must be in every users session. Why is the same username in everyones username session when it should be their own username? That is my question as i have tried to fix it but i can not see the problem. Let me show you how the session is created.

Login.php

Code: Select all

 
include 'dbc.php';
 
// use filter where $data where post used.
foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
}
 
if ($_POST['doLogin']=='Login')
{
$user_email = mysql_real_escape_string($_POST['usr_email']);
$md5pass = hash('sha256',$data['pwd']);
 
 
if (strpos($user_email,'@') === false) {
    $user_cond = "user_name='$user_email'";
} else {
      $user_cond = "user_email='$user_email'";
    
}
 
 
$sql = "SELECT `id`,`full_name`,`approved`,`user_name`,`user_money`,`jobs_completed`,`jobs_failed`,`user_earning`,`banned` FROM users WHERE 
           $user_cond
            AND `pwd` = '$md5pass' AND `banned` = '0'
            "; 
 
 
            
$result = mysql_query($sql) or die (mysql_error()); 
$num = mysql_num_rows($result);
  // Match row found with more than 1 results  - the user is authenticated. 
    if ( $num > 0 ) { 
    
    list($id,$full_name,$approved,$user_name,$user_money,$jobs_completed,$jobs_failed,$user_earning) = mysql_fetch_row($result);
    
    if(!$approved) {
    $msg = "Account not activated. Please check your email for activation code";
    header("Location: login.php?msg=$msg");
     exit();
     }
 
     // this sets session and logs user in 
       session_start(); 
       // this sets variables in the session 
        $_SESSION['user_id']= $id;  
        $_SESSION['user_realname'] = $full_name;
        $_SESSION['user_name'] = $user_name;
        $_SESSION['user_money'] = $user_money;
        $_SESSION['jobs_completed'] = $jobs_completed;
        $_SESSION['jobs_failed'] = $jobs_failed;
        $_SESSION['user_earning'] = $user_earning;
        
        //set a cookie witout expiry until 60 days
        
       if(isset($_POST['remember'])){
                  setcookie("user_id", $_SESSION['user_id'], time()+60*60*24*60, "/");
                  setcookie("user_name", $_SESSION['user_name'], time()+60*60*24*60, "/");
                   }
        
        session_write_close();  
        header("Location: http://url/user.php");
        }
        else
        {
    
        $msg = urlencode("Invalid Login. Please try again with correct username and password. ");
        header("Location: login.php?msg=$msg");
    }
    
}
 
As you can see their is an included file which could be the problem so ill show you it aswell.
dbc.php

Code: Select all

 
function page_protect() {
    
session_start();
 
//check for cookies && isset($_COOKIE['user_name'])
 
if(isset($_COOKIE['user_id'])&& isset($_COOKIE['user_name'])){
      $_SESSION['user_id'] = $_COOKIE['user_id'];
      $_SESSION['user_name'] = $_COOKIE['user_name'];
      $_SESSION['user_earning'];
      $_SESSION['jobs_failed'];
      $_SESSION['jobs_completed'];
      $_SESSION['user_money'];
      $_SESSION['user_realname'];
   }
 
session_write_close();
 
if (!isset($_SESSION['user_id']))
{
    
header("Location: login.php");
}
/*******************END********************************/
}
 
 
function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));
    
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    
    $data = mysql_real_escape_string($data);
    
    return $data;
}
 
 
 
function EncodeURL($url)
{
$new = strtolower(ereg_replace(' ','_',$url));
return($new);
}
 
function DecodeURL($url)
{
$new = ucwords(ereg_replace('_',' ',$url));
return($new);
}
 
function ChopStr($str, $len) 
{
    if (strlen($str) < $len)
        return $str;
 
    $str = substr($str,0,$len);
    if ($spc_pos = strrpos($str," "))
            $str = substr($str,0,$spc_pos);
 
    return $str . "...";
}   
 
function isEmail($email){
  return preg_match('/^\S+@[\w\d.-]{2,}\.[\w]{2,6}$/iU', $email) ? TRUE : FALSE;
}
 
function isUserID($username)
{
    if (preg_match('/^[a-z\d_]{5,20}$/i', $username)) {
        return true;
    } else {
        return false;
    }
 }  
 
function isURL($url) 
{
    if (preg_match('/^(http|https|ftp):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i', $url)) {
        return true;
    } else {
        return false;
    }
} 
 
function checkPwd($x,$y) 
{
if(empty($x) || empty($y) ) { return false; }
if (strlen($x) < 4 || strlen($y) < 4) { return false; }
 
if (strcmp($x,$y) != 0) {
 return false;
 } 
return true;
}
 
The dbc page is a page used to protect every page of my site from users not logged in. It contains mainly functions which i use through out the site but there is also some session data which could be the problem. Im pretty sure its one of these two pages causing my problem but i dont see the problem. I really hope you can :banghead:

Re: Need urgent help - Session username wrong!

Posted: Sun Jan 31, 2010 2:02 pm
by infolock
If I were you, i'd check a number of things.

#1, issue the exact query that you are using to obtain the information you wanting to store in a mysql console. View the results and make sure you aren't getting more than 1 record.

#2, make sure that you don't have multiple usernames for the same email address

#3, echo out your results in a controlled environment and check the data you are returning.


Sounds to me like you have duplicate data and one is over-riding the next. Since you're looking for "one" user, you shouldn't be doing a loop of your results. You should only be using one record to use as the user's information. I think you'll see the issue quick enough.

Re: Need urgent help - Session username wrong!

Posted: Sun Jan 31, 2010 2:30 pm
by synical21
I have done them three, i see no problems. There can not be duplicate data as the registration does not allow duplicate usernames or emails but i did the SQL check anyway and it returns one record. Any other ideas.

Whats weird is every other session is working fine and unique to that user when i echo'd it all out :? Just not the username

EDIT: i echo'd out the sessions, when i echo'd the values going into the sessions it was the correct username

EDIT: Finally i see a light at the end of the tunnel, i tested the session variable on other pages and it came up with the correct username.... so its just the page where users go straight after login where the session variable is wrong. At least i know the page now

EDIT: If i echo the session near the end of the body it will be wrong if i echo it near the start its correct..

I cant find a real fix, i just set the variable in the head $username = "$_SESSION[user_name]"; then i can use it on the rest of the page correctly.

Re: Need urgent help - Session username wrong!

Posted: Sun Jan 31, 2010 4:07 pm
by infolock
Nice debugging! Try issuing an echo of the session along with the line number throughout the page. Do this until you find the exact spot where the session is getting changed. If you can't figure it out, show us where in the code the session is changing and maybe we can figure it out further from there.