session problem

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
kristie380
Forum Commoner
Posts: 36
Joined: Sun Oct 09, 2005 10:51 pm

session problem

Post by kristie380 »

When I try and use my session login script, I keep getting an error around the password part. Here is the login script:

Code: Select all

<?php
if ((!$_POST['email']) || (!$_POST['password'])) {
header("Location: login.php");
exit;
}

    // authenticate. 

        if (!get_magic_quotes_gpc()) { 
                $_POST['email'] = addslashes($_POST['email']); 
        } 

        $sql = "SELECT * FROM `signup` WHERE `email` = '$_POST[email]'"; 
		$result = mysql_query($sql,$db) or die(mysql_error());
		$number= mysql_num_rows($result);
		$info = mysql_fetch_array($result);

        if ($number == 0) { 
                die('That email does not exist in our database.'); 
        }   

        // check passwords match 

        $_POST['password'] = stripslashes($_POST['password']); 
        $info['password'] = stripslashes($info['password']); 
        $_POST['password'] = md5($_POST['password']); 

        if ($_POST['password'] != $info['password']) { 
                die('Incorrect password, please try again.'); 
        } 
		

        // if we get here username and password are correct, 
        //register session variables and set last login time. 

        $date = date('m d, Y'); 

        $sql2 = "UPDATE `signup` SET `last_login` = \"$date\",  WHERE `email` = '$_POST[email]'";
		$result2 = mysql_query($sql2,$db) or die(mysql_error());


        $_POST['email'] = stripslashes($_POST['email']); 
        $_SESSION['email'] = $_POST['email']; 
        $_SESSION['password'] = $_POST['password']; 
?>
Apparently the $_POST[password] and $info[password] aren't matching up. If I take out the line above that with the md5 in it, I can go to the login screen but none of my session variables are stored. So there has to be a problem in that area. Can anyone help?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You shouldn't need to stripslashes() the data from the database unless you've doubled the slashes.

addslashes() isn't the best (it has security holes) function to use for escaping. mysql_real_escape_string() is preferred.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Try something like this and see what is getting echo'd. NOTE: This is for testing only as it exposes the passed values and database values for password!

Code: Select all

<?php
if ( !isset($_POST['email']) || !isset($_POST['password']) ) {
    header("Location: http://www.fullurihere.com/login.php");
	exit;
}

$email = $_POST['email'];
// authenticate.
if (!get_magic_quotes_gpc()) 
{
	$email = addslashes($email);
}

// Shouldn't this have a limit clause, or do you make 
//sure there are no more than email addresses like 
//this in the table somewhere else?
$sql = "SELECT * FROM `signup` WHERE `email` = '$email'";
$result = mysql_query($sql,$db) or die(mysql_error());
$number= mysql_num_rows($result);
$info = array();
while ($row = mysql_fetch_array($result))
	$info = $row;
}

if ($number == 0) {
	die('That email does not exist in our database.');
}   

// check passwords match

$password = md5($_POST['password']);
if ($password != $info['password']) {
	die('Incorrect password, please try again. DEBUGGING: What we have is ' . $info['password'] . ' and what was passed is ' . $password . '...');
}

// if we get here username and password are correct,
//register session variables and set last login time.

$date = date('m d, Y');

$sql2 = "UPDATE `signup` SET `last_login` = \"$date\",  WHERE `email` = '$email'";
$result2 = mysql_query($sql2,$db) or die(mysql_error());
$_SESSION['email'] = $email;

// NOTICE THIS CHANGES THE SESSION'D PASSWORD TO A HASH INSTEAD OF PLAIN TEXT?
$_SESSION['password'] = $password;
?>
Post Reply