Passing session var's

Posted: Sat Sep 02, 2006 6:46 am
by abhorsen
I have been tinkering now for over a week, so out of desperation I am posting it here too. The guys over at PHP Freaks have had a look for me and mentioned trying session arrays, as they might be the answer, but thought maybe someone here could spot the error in my code. Thanks in advance.

http://www.phpfreaks.com/forums/index.p ... #msg426467

Posted: Sat Sep 02, 2006 7:54 am
by feyd
We generally prefer that people post their actual problems and not links to other sites where we'd have to go and read up on your problem. Maybe you think that's a bit lazy, but you're coming to us for help.

Posted: Sat Sep 02, 2006 12:10 pm
by abhorsen
feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Well, I posted the link so that ideas that were already discussed were not discussed again, but hey, one huge post of code coming up.

Basically I have it so that it should be passing "username" across, but for some reason the username never makes it, but if I swap username with first_name it will pass that no problem.

test user 

user: test
pass: c9rtn77r

Login.php

Code: Select all

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Conver to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	include 'login_form.html';
	exit();
}

// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('username');
		$_SESSION['username'] = $username;
		session_register('email_address');
		$_SESSION['email_address'] = $email_address;
		session_register('special_user');
		$_SESSION['user_level'] = $user_level;
		
		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		header("Location: login_success.php");
	}
} else {
	echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
	Please try again!<br />";
	include 'login_form.html';
}
?>

login_success.php

Code: Select all

<?
session_start();

echo "Welcome ". $_SESSION['username']." You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
	echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
	echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}

echo "<br /><a href=add.php>add</a>";
echo "<br /><a href=logout.php>Logout</a>";

?>

Posted: Sun Sep 03, 2006 7:32 am
by bmcewan
Firstly, when using the header() function an absolute URI is advisable, and I would also lose the calls to session_register().

Code: Select all

header("Location: http://www.example.com/yourpage.php");

The rest of your code, in theory, should work. But I would probably try a couple of things to trace the root of the issue.

Somewhere along the line the $username variable is being overwritten. Try rewriting this section

Code: Select all

while($row = mysql_fetch_array($sql)){ 
        foreach( $row AS $key => $val ){
                $$key = stripslashes( $val );
        }
                // Register some session variables!
                session_register('username');
                $_SESSION['username'] = $username;
                session_register('email_address');
                $_SESSION['email_address'] = $email_address;
                session_register('special_user');
                $_SESSION['user_level'] = $user_level;
               
                mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
               
                header("Location: login_success.php");
        }

like this

Code: Select all

while($row = mysql_fetch_array($sql)){ 
                // Register some session variables!
                // removed calls to session_register
                $_SESSION['username'] = $username; // use the entered username, we know it's fine as it checked out with mysql
                $_SESSION['email_address'] = $row['email_address']; 
                $_SESSION['user_level'] = $row['user_level']; 
               
                mysql_query("UPDATE users SET last_login=now() WHERE userid='".$row['userid']."'");
               
                header("Location: login_success.php"); //  edit this to have an absolute uri
        }

If you are still having issues then, for peace of mind, you can try testing the contents of the session var by doing the following:

Code: Select all

//              header("Location: login_success.php");
                print_r($_SESSION);

Posted: Sun Sep 03, 2006 8:43 am
by volka
Never mix _SESSION and session_register.
With register_globals on, using $_SESSION['username'] and $username can cause unwanted effects.
The script is vulnerable to SQL injections, http://en.wikipedia.org/wiki/SQL_Injection
I suppose username is unique in your table `users`. There's no need for a while-loop if you want to pull 0 or 1 record.
Why do you extract all those variables to the global variable scope?

untested:

Code: Select all

<?php
require 'db.php';
session_start();

if( !isset($_POST['username'], $_POST['password']) ) {
	require 'login_form.html';
	exit();
}

$query = "SELECT
		userid, username, email_address, user_level
	FROM
		users
	WHERE
		username='" . mysql_real_escape_string($_POST['username']) . "'
		AND password='" . md5($_POST['password']) . "'
		AND activated=1";

$sql = mysql_query($query); // for debugging purposes:  $sql=mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($sql, MYSQL_ASSOC);
if ( $row ) {
	foreach( array('userid', 'username', 'email_address', 'user_level') as $idx) {
		$_SESSION[$idx] = $row[$idx];
	}
	$query = 'UPDATE
			users
		SET
			last_login=now()
		WHERE
			userid=' . $row['userid']; // user is numeric?
	mysql_query($query);
	header('Location: login_success.php');
}
else {
	echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
		Please try again!<br />";
	include 'login_form.html';
}
?>
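
The points raised in the post above (input kept out of the SQL text, a single-row fetch, and a fixed list of columns copied into the session instead of extracting every column into variables), as an added example that is not part of the original thread. It swaps in PDO prepared statements for mysql_real_escape_string() and password_hash()/password_verify() for md5(); the in-memory SQLite table, the sample user and the `$session` array standing in for `$_SESSION` are constructed for illustration.

```php
<?php
// Added example: constructed schema and data, not the poster's real db.php.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    userid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,
    email_address TEXT, user_level INTEGER, activated INTEGER)');
$ins = $pdo->prepare('INSERT INTO users
    (username, password, email_address, user_level, activated) VALUES (?, ?, ?, ?, 1)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'alice@example.test', 0]);

/**
 * Returns true and fills $session on success. $session stands in for
 * $_SESSION so the example runs from the command line.
 */
function login(PDO $pdo, string $username, string $password, array &$session): bool
{
    // Placeholders keep the submitted value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT userid, username, password, email_address, user_level
                           FROM users WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // 0 or 1 row, so no loop is needed

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Copy a fixed list of columns. Nothing is extracted into local variables,
    // so a column name can never overwrite $username or $password.
    foreach (['userid', 'username', 'email_address', 'user_level'] as $key) {
        $session[$key] = $row[$key];
    }
    return true;
}

$session = [];
var_dump(login($pdo, 'alice', 'correct horse', $session)); // valid credentials
print_r($session);

$session = [];
// A quote-bearing username is compared as a literal string and matches no row.
var_dump(login($pdo, "alice' OR '1'='1", 'x', $session));
print_r($session);
```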

Posted: Sun Sep 03, 2006 12:30 pm
by abhorsen
Guys, I cannot thank you enough for taking the time to have a look at this for me.

Sadly neither code snippet worked. I tried adding in print_r($_SESSION); to both bits of code, and for some reason the username is still being lost.

Welcome You have made it to the members area!

Code: Select all

Your user level is 0 which enables you access to the following areas:
- Forums
- Chat Room
Array ( [first_name] => wesley [last_name] => jones [email_address] => *snip*  [special_user] => [user_level] => 0 )
add
Logout

Posted: Sun Sep 03, 2006 2:40 pm
by volka
abhorsen wrote: Welcome You have made it to the members area!

Code: Select all

Your user level is 0 which enables you access to the following areas:
- Forums
- Chat Room
Array ( [first_name] => wesley [last_name] => jones [email_address] => *snip*  [special_user] => [user_level] => 0 )
add
Logout

That's probably from login_success.php. Can you show us the code of that script?

Posted: Mon Sep 04, 2006 1:15 pm
by abhorsen
Yep, that is the login success. Is there somewhere on login.php you want me to paste that print code?

Code: Select all

<?
session_start();

echo "Welcome ". $_SESSION['username']." You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
	echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
	echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
//              header("Location: login_success.php");
                print_r($_SESSION);
echo "<br /><a href=add.php>add</a>";
echo "<br /><a href=logout.php>Logout</a>";

?>

Posted: Tue Sep 05, 2006 4:37 pm
by abhorsen
One thing I have just thought of is that on login_success.php, when printing out the session, the following are displayed.

Output to screen:
Array ( [first_name] => wesley [last_name] => jones [email_address] => *snip* [special_user] => [user_level] => 0 )

The vars put into the array: 'userid', 'username', 'email_address', 'user_level'

Even though the code does not put the outputted vars into the session, so is there something else that it could be? But I do not see how, seeing as the session is only created in one place.