
what would kill session variables?

Posted: Mon Jun 05, 2006 1:19 pm
by mblinch
OK, I have session variables set up so that when a user logs in, they stay logged in.

However, as soon as I reach this page, it just will not work.

Any ideas on why this particular page would kill session variables?

PS: I'm not very good at PHP; a lot of this was cut-and-paste work.

Code:

<?php include("auth.php"); ?>
<?php include("header.php"); ?>
<body>
<table width="602" border="0" align="center">
  <tr>
    <td width="193"><a href="main.php"><img src="images/rtr.gif" alt="Reuters Logo"  border="0" /></a></td>
   <td width="393"><?php include("menu.php"); ?></td>
  </tr>
  <tr>
    <td valign="top"><?php include ("username.php"); ?></td>
    <td valign="top">
	<?php
require('db_connect.php');	// database connect script.
?>
<title>Register an Account</title>
<body>
<?php include ("auth_admin.php") ?>
<?php

if (isset($_POST['submit'])) { // if form has been submitted
	/* check they filled in what they supposed to, 
	passwords matched, username
	isn't already taken, etc. */

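	// empty() also covers fields missing from the POST; || is the logical (short-circuit) OR
	if (empty($_POST['uname']) || empty($_POST['passwd']) || empty($_POST['passwd_again']) || empty($_POST['email'])) {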
		die('You did not fill in a required field.');
	}

	// check if username exists in database.

	if (!get_magic_quotes_gpc()) {
		$_POST['uname'] = addslashes($_POST['uname']);
	}



	$name_check = $db_object->query("SELECT rtrusername FROM users WHERE rtrusername = '".$_POST['uname']."'");

	if (DB::isError($name_check)) {
		die($name_check->getMessage());
	}

	$name_checkk = $name_check->numRows();

	if ($name_checkk != 0) {
		die('Sorry, the username: <strong>'.$_POST['uname'].'</strong> is already taken, please pick another one.');
	}

	// check passwords match

	if ($_POST['passwd'] != $_POST['passwd_again']) {
		die('Passwords did not match.');
	}

	// check e-mail format

	// the dot before the domain suffix must be escaped, otherwise it matches any character
	if (!preg_match("/.*@.*\..*/", $_POST['email']) || preg_match("/(<|>)/", $_POST['email'])) {
		die('Invalid e-mail address.');
	}

	// no HTML tags in username, website, location, password

	$_POST['uname'] = strip_tags($_POST['uname']);
	$_POST['passwd'] = strip_tags($_POST['passwd']);




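	// check show_email data
	// strict string match: on PHP versions before 8 a loose != lets any
	// non-numeric string through, and this value goes into the INSERT unescaped

	if (!in_array($_POST['show_email'], array('0', '1'), true)) {
		die('Nope');
	}

	// permissions is also inserted unescaped, so only accept the form's values

	if (!in_array($_POST['permissions'], array('1', '2', '3'), true)) {
		die('Nope');
	}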

	/* the rest of the information is optional, the only thing we need to 
	check is if they submitted a website, 
	and if so, check the format is ok. */


	// now we can add them to the database.
	// encrypt password

	$_POST['passwd'] = md5($_POST['passwd']);

	if (!get_magic_quotes_gpc()) {
		$_POST['passwd'] = addslashes($_POST['passwd']);
		$_POST['email'] = addslashes($_POST['email']);

	}



	$regdate = date('m d, Y');

	$insert = "Insert INTO users (
			rtrusername, 
			rtrpassword, 
			permissions,
			regdate, 
			email, 
			show_email, 
			last_login) 
			VALUES (
			'".$_POST['uname']."', 
			'".$_POST['passwd']."', 
			'".$_POST['permissions']."', 
			'$regdate', 
			'".$_POST['email']."', 
			'".$_POST['show_email']."', 
			'Never')"; 


	$add_member = $db_object->query($insert);

	if (DB::isError($add_member)) {
		die($add_member->getMessage());
	}

	$db_object->disconnect();
	
	if ($permissions == 2) {
		$path = "d:/pixstore/{$uname}";
		mkdir($path);}
	
	if ($permissions == 3) {
		$path = "d:/pixstore/{$uname}";
		mkdir($path);} // was mkdir("$dirname"), but $dirname is never set
	
?>
<span class="boldtextbig">Registered</span>


<br />
The user 
<?php  echo $_POST['uname'];?> 
has been added to the database <?php if ($permissions == 2) { echo "and a folder named {$uname}  has been created in PixStore";} if ($permissions == 3) { echo "and a folder named {$uname}  has been created in PixStore";}?>. <br />
<br />
<a href="admin_register.php">Add another user</a><?php

} else {	// if form hasn't been submitted

?>
<span class="boldtextbig">Register A New User</span>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table align="center" border="0" cellspacing="0" cellpadding="3" width="100%">
<tr><td>Username*:</td><td>
<input type="text" name="uname" maxlength="40">
</td></tr>
<tr><td>Password*:</td><td>
<input type="password" name="passwd" maxlength="50">
</td></tr>
<tr><td>Confirm Password*:</td><td>
<input type="password" name="passwd_again" maxlength="50">
</td></tr>
<tr>
  <td>Permissions*:</td>
  <td><select name="permissions">
  <option value="1" selected="selected">Limited Access</option>
  <option value="2">Stringer Access</option>
  <option value="3">Admin Access</option>
  </select></td>
</tr>
<tr><td>E-Mail*:</td><td>
<input type="text" name="email" maxlength="100">
</td></tr>

<tr><td>Show E-Mail?</td><td>
<select name="show_email">
<option value="1" selected="selected">Yes</option>
<option value="0">No</option></select>
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Sign Up">
</td></tr>
</table>
</form>

<?php

}

?>	</td> 
  </tr>
  <tr>
    <td>&nbsp;</td>
   <td>&nbsp;</td>
  </tr>
</table>
</body>
</html>

Posted: Mon Jun 05, 2006 1:27 pm
by PrObLeM
It looks like you don't have session_start() on that page ( http://www.php.net/session_start )

Posted: Mon Jun 05, 2006 1:41 pm
by mblinch
I actually do... in auth.php (which is included at the top of the original code I posted)

Code:

<?php

//require the PEAR::DB classes.

require_once 'DB.php';


$db_engine = 'mysql';
$db_user = '**t';
$db_pass = '**';
$db_host = 'localhost';
$db_name = 'users';

$datasource = $db_engine.'://'.
			  $db_user.':'.
			  $db_pass.'@'.
		 	  $db_host.'/'.
	  		  $db_name;


$db_object = DB::connect($datasource, TRUE);

/* assign database object in $db_object, 

if the connection fails $db_object will contain

the error message. */

// If $db_object contains an error:

// error and exit.

if(DB::isError($db_object)) {
	die($db_object->getMessage());
}

$db_object->setFetchMode(DB_FETCHMODE_ASSOC);

// we write this later on, ignore for now.


session_start();
/* check login script, included in db_connect.php. */
if (!isset($_SESSION['rtrusername']) || !isset($_SESSION['rtrpassword'])) {
	$logged_in = 0;
	return;
} else {
// remember, $_SESSION['rtrpassword'] will be encrypted.
if(!get_magic_quotes_gpc()) {
		$_SESSION['rtrusername'] = addslashes($_SESSION['rtrusername']);
	}
// addslashes to session rtrusername before using in a query.
	$pass = $db_object->query("SELECT rtrpassword FROM users WHERE rtrusername = '".$_SESSION['rtrusername']."'");

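	if(DB::isError($pass) || $pass->numRows() != 1) {
		$logged_in = 0;
		unset($_SESSION['rtrusername']);
		unset($_SESSION['rtrpassword']);
		// kill incorrect session variables.
		// stop here: there is no row to fetch, and falling through would
		// compare two empty strings below and set $logged_in = 1
		return;
	}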

	$db_pass = $pass->fetchRow();

	// now we have encrypted pass from DB in 
	//$db_pass['rtrpassword'], stripslashes() just incase:

	$db_pass['rtrpassword'] = stripslashes($db_pass['rtrpassword']);
	$_SESSION['rtrpassword'] = stripslashes($_SESSION['rtrpassword']);



	//compare:



	// strict comparison: == treats md5 strings that look like numbers (e.g. "0e...") as equal
	if($_SESSION['rtrpassword'] === $db_pass['rtrpassword']) { 
		// valid rtrpassword for rtrusername
		$logged_in = 1; // they have correct info
					// in session variables.
	} else {
		$logged_in = 0;
		unset($_SESSION['rtrusername']);
		unset($_SESSION['rtrpassword']);
		// kill incorrect session variables.
	}
}


// clean up
unset($db_pass['rtrpassword']);

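// only touch the value if it survived the checks above; otherwise this
// would re-create the session variable that was just unset
if (isset($_SESSION['rtrusername'])) {
	$_SESSION['rtrusername'] = stripslashes($_SESSION['rtrusername']);
}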

if ($logged_in == 1) {
	
} else {
	
echo "you are not logged in";

}

?>

Posted: Mon Jun 05, 2006 1:55 pm
by RobertGonzalez
Quick suggestion... when posting PHP code, wrap the code in tags so it appears like PHP code.

[quote="mblinch"]OK, I have session variables set up so that when a user logs in, they stay logged in.

However, as soon as I reach this page, it just will not work.

Any ideas on why this particular page would kill session variables?

PS: I'm not very good at PHP; a lot of this was cut-and-paste work.[/quote]

When you say "not work" and "kill session variables" what exactly do you mean?

Posted: Mon Jun 05, 2006 1:59 pm
by mblinch
Thanks for the quick response!

What I mean is that as soon as the user gets to that page (posted at the top), it will no longer recognize any session variables. It's as if they have disappeared into thin air. I use the second post of mine to authenticate users visiting every page on the website I'm building.

Funny thing is that it works on every page but the one in my first post.

Thanks for any help in advance!

Posted: Mon Jun 05, 2006 2:18 pm
by mblinch
Hey guys..

It was my bonehead mistake..

The page lists a bunch of users in the database.. and I used the same variable name to list them as the session variable for someone who is logged in..

Thanks for your time anyways.

Posted: Mon Jun 05, 2006 2:26 pm
by Christopher
mblinch wrote: it was my bonehead mistake..
We were just talking about the "my bonehead mistake" bug in another thread ... I have that bug all the time too ... ;)

Glad you found your problem, sometimes just asking allows you to find the answer.