Trouble getting sessions to transfer to login page
Posted: Thu Feb 10, 2005 5:06 pm
by squatchimo
I've spent all day on this problem and would appreciate any help.
Before the customer is allowed into checkout area, I would like checkout.php to verify that they are logged in. If not, it redirects them to login.php.
Here is my login verification page:
Code:
<?php
session_start();
header("Cache-control: private");/* IE6 fix */
include('../blank/common.php');
$user = $_POST['username'];
$pass = $_POST['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if($login > 0){
$_SESSION[username] = $user;
$_SESSION[password] = $pass;
header("Location: http://www.blank.com/blank/checkout.php");
exit();
}else{
echo "That username does not exist!<br>";
include 'login.php';
}
?>
Here is the checkout page:
Code:
<?php
session_start();
header("Cache-control: private");/* IE6 fix */
include('../blank/common.php');
$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if ($login == 0){
header("Location: http://www.blank.com/blank/login.php");
exit();
}else{
***REST OF CODE***
As of now, when I log in with a valid username and password, it still sends me to the login page. Thanks for looking!
Posted: Thu Feb 10, 2005 5:11 pm
by timvw
the usual...
1-) kick in error control
ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);
2-) ask mysql if there are errors....
mysql_error()
3-) use mysql_real_escape_string....
Posted: Thu Feb 10, 2005 5:26 pm
by squatchimo
Thanks for the reply Tim. Which page are you telling me to add this to? I'm not understanding #3 as well.
Thanks.
Posted: Thu Feb 10, 2005 5:29 pm
by timvw
i would add them to all your pages
fe: i nowhere see you perform a mysql_connect....
#3 is about cleaning your data, to avoid sql injection. more can be read at
http://www.php.net/mysql_real_escape_string
Posted: Thu Feb 10, 2005 5:41 pm
by RobertGonzalez
On your login page:
Code:
<?php
session_start();
header("Cache-control: private");/* IE6 fix */
include('../blank/common.php');
$user = $_POST['username'];
$pass = $_POST['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if($login > 0){
$_SESSION[username] = $user;
$_SESSION[password] = $pass;
header("Location: http://www.blank.com/blank/checkout.php");
exit();
}else{
echo "That username does not exist!<br>";
include 'login.php';
}
?>
Do you notice that your $_SESSION vars array keys are not quoted? That might be causing some problems.
You might also want to add in some string validation on your password. If you are not encrypting it, you should clean it up by trimming blank spaces, removing quote signs, equal signs, etc. You might also want to look into MD5() or SHA1() encryption to add a bit of security to your code.
Posted: Thu Feb 10, 2005 5:54 pm
by feyd
^^ encryption

hash
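As an added example (not code from any poster in this thread): the login check with the two fixes raised above, input kept out of the SQL text and a password hash in place of the plain password. It swaps the thread's mysql_* calls for PDO prepared statements and PHP's password_hash()/password_verify(); the users/uname/pword names follow the original query, while the in-memory SQLite database, the sample accounts and the user_id session key are assumptions.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// thread's query; the SQLite database and the accounts are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pword TEXT)');

// Registration side: store a salted hash, never the password itself.
$add = $db->prepare('INSERT INTO users (uname, pword) VALUES (?, ?)');
$add->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$add->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

// Returns the user's id when the credentials match, otherwise null.
function verify_login(PDO $db, string $user, string $pass): ?int
{
    // The ? placeholder sends $user as data, so a quote in it cannot
    // change the query the way it can inside "... uname='$user' ...".
    $st = $db->prepare('SELECT id, pword FROM users WHERE uname = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pword'])) {
        return null;
    }
    return (int) $row['id'];
}

// Login page: keep only the user id in the session, not the password.
function log_in(int $id): void
{
    session_regenerate_id(true);   // new session id after authentication
    $_SESSION['user_id'] = $id;    // 'user_id' is a hypothetical key
}

// Checkout page: no second database query with stored credentials.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

session_start();
$before = is_logged_in();
$bad = verify_login($db, 'alice', 'wrong');            // wrong password
$id = verify_login($db, "o'brien", 'battery staple');  // quote in the name
if ($id !== null) {
    log_in($id);
}
var_dump($before, $bad, is_logged_in());
```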

Posted: Thu Feb 10, 2005 10:29 pm
by squatchimo
Thanks for all of the comments. I plan on using md5 for the password once I get this session problem sorted out. Also, I am using mysql_error() after each DB connection. What else do I need to use?
I modified the session verbiage slightly in the login validation page and added session_write_close() per php.net documentation.
Code:
$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
session_write_close();
header("Location: http://www.carenstevens.com/gallery/checkout.php");
Now when this directs me to the checkout page, I get the following error:
"Warning: session_write_close(): write failed: Disk quota exceeded (122) in /home3/www/blank/blank/validate_login.php on line 14
Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in /home3/www/blank/blank/validate_login.php on line 14
Warning: Cannot modify header information - headers already sent by (output started at /home3/www/blank/blank/validate_login.php:14) in /home3/www/blank/blank/validate_login.php on line 15"
I noticed a post from feyd in a prior thread where he suggested if you can't modify the path in php.ini, you should store the session info in the database. I do store the session id in my database, but how do I have the checkout page check for this for validation?
Hopefully I'm making sense. Thanks again for the help everyone!
Posted: Thu Feb 10, 2005 11:14 pm
by feyd
you're wanting to switch to database sessions now, is that it?
viewtopic.php?t=23781
Posted: Thu Feb 10, 2005 11:40 pm
by squatchimo
Thanks for the reply feyd. I actually saw that link in another post here. Now what book(s) do I need to go and buy and read to be able to understand that? Because that's waaay over my head. I spent about 30 minutes studying that post earlier today (because I've been working on this problem ALL day and your post seemed like it would be the answer) but after investing half an hour, I came away confused.
It seems like this should have been a relatively simple thing to accomplish, but since my php.ini file is apparently set wrong (and I can't change it) my only option is to store the session info in the database and I am now lost.
I guess I'll just have to make the customer log in each time they want to access the shopping cart checkout. Maybe you know of a tutorial that may help? I'm really frustrated and ready to give up right about now.
Posted: Thu Feb 10, 2005 11:50 pm
by feyd
invest some time into playing with session_set_save_handler() where you create functions that the session subsystem calls.. that's the major part. The next step is to play with the data packing (as it's in a specific format), and then once you can read the session data, you can then insert it into a database, and retrieve it back out.
Posted: Fri Feb 11, 2005 12:00 am
by squatchimo
Thanks feyd..again. I bookmarked that section in php.net and will tackle it when I have some more time.
Posted: Fri Feb 11, 2005 6:37 pm
by RobertGonzalez
Can't you just use session_start() at the beginning of the sessioned app, add vars to the session using $_SESSION[$var] = $value, then when the session is over, kill all the session vars by running $_SESSION through a foreach loop and unset($_SESSION[$var]) for each iteration? I have a fairly sizable application that I wrote using this technique and it seems to work pretty good.