
session problem and I checked my code is okay

Posted: Sat Dec 23, 2006 9:48 am
by ms_dos10
I have a problem with sessions; can anyone help me fix it?
I am working with the package called XAMPP for Windows Version 1.4.16.
Everything is good until I face this problem with the session. When I'm trying to log in from admincp.php to student_list.php, it redirects to the same page, admincp.php. I wrote the code so that this happens when the user writes the user name and password wrong.
If someone has solved or faced a problem like this, tell me what I can do, because it's very important for me to know; I don't want to get it like that again.
Maybe the problem is with my php.ini or some setting of PHP. Ask me and I'll check and tell you what values I have. Here are my two pages, admincp.php and student_list.php.

Code:

<?php
ob_start();
session_start();
if(isset($_POST['submit']))
{
       $name = $_POST['user'];
       $pws  = $_POST['pws'];

       $sql ="SELECT * FROM tbl_student WHERE name ='".$name."'and pws='".$pws."'";
       include("includes/config.php");
       $result = mysql_query($sql);
       if(mysql_num_rows($result) == 1)
       {
                $_SESSION['sessref'];
                header("location:student_list.php");
                exit();
       }
       else
       {
               session_destroy();
               header("loaction:admincp.php");
               exit();
       }
}
ob_end_flush();
?>
<html>
<head>
<link href = "includes/admin.css" type = "text/css" rel = "stylesheet">
<title>Admin Panel</title>
</head>
<body valign="top">
<br>
<br>
<table width="600" align="center" border="1">
<form name="frm" method="post" action="">
<tr>
    <th colspan="2" align="center">Admin Panel</th>
</tr>
<tr>
    <th colspan="2" align="center">Admin Panel Student For Project</th>
</tr>

<tr>
     <td align="right">Admin Name:</td>
     <td align="left"><input type="text" name="user" value=""/></td>
</tr>
<tr>
     <td align = right>Admin Password:</td>
     <td align="left"><input type="password" name="pws" value=""/></td>
</tr>
<tr>
     <td align="right"><input type="submit" name="submit" value="Login" onclick="return checkdata()"/></td>
     <td align="left"><input type="reset" name="reset" value="Clear"/></td>
</tr>
</form>
</table>
<table width="600" align="center" border="0">
<tr>
       <td align="left"><a href="add_student.php">Registration</a></td>
</tr>
</table>
</body>
</html>
student_list.php

Code:

<?php
session_start();
if(!isset($_SESSION['sessref']))
{
        session_destroy();
        header("location:admincp.php");
        exit();
}
if(isset($_GET['msg']))
{
         $msg = $_GET['msg'];
         echo"<br><br>";
        echo "<center><font color=\"red\" size=3>".$msg."</font></center>";
}
?>
<html>
<head>
<link href = "includes/admin.css" type = "text/css" rel = "stylesheet">
<title>Student List</title>
</head>
<body valign = top>
<table width = 600 align = center border = 1>
<tr>
    <th colspan = 6 align = center>List of Student</th>
</tr>
<tr>
   <td align = center>S.No.</td>
   <td align = center>Student Name</td>
   <td align = center>S.Image</td>
   <td align = center>S.E-mail</td>
   <td align = center>Action</td>
</tr>
<?php
include("includes/config.php");
$result = mysql_query("select * from tbl_student");

if(mysql_num_rows($result)== 0)
{
        echo "<td colspan=\"6\" align=\"center\"><font size=\"3\">"."*** No Data In My DataBase ***"."</font></td>\n";
}

$i = 1;
while($row = mysql_fetch_row($result))
{
             echo "<tr>\n";
             echo "<td align = center>".$i++."</td>\n";
             echo "<td align = center>".$row[1]."</td>\n";
             echo "<td align = center><img src=".$row[3]." width = 150 height = 80></td>\n";
             echo "<td align = center>".$row[4]."</td>\n";
             echo "<td align = center>\n";
             echo "<a href = check_pin_code.php?id=".$row[0].">Edit</a>   \n";
             echo "<a href = check_pin_del.php?id=".$row[0].">Delete</a>\n";
             echo "</tr>\n";

}
?>
</table>
</body>
</html>

Posted: Sat Dec 23, 2006 10:40 am
by volka
$_SESSION['sessref'];
That doesn't do much. You might want to assign a value to that element, e.g. the username.
Also take a look at http://en.wikipedia.org/wiki/SQL_injection
try

Code:

ob_start();
session_start();
if( isset($_POST['user'], $_POST['pws']) ) {
	require 'includes/config.php';
	
	$name = mysql_real_escape_string($_POST['user']);
	$pws  = mysql_real_escape_string($_POST['pws']);
	
	$sql ="SELECT * FROM tbl_student WHERE name ='".$name."'and pws='".$pws."'";
	$result = mysql_query($sql) or die(mysql_error());
	if(mysql_num_rows($result) == 1)
	{
		$_SESSION['sessref'] = $_POST['user'];
		header("location:student_list.php");
	}
	else
	{
		$_SESSION = array();
		session_destroy();
		header("Location: admincp.php");
	}
	exit();
}
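
The following is an added example, not code from the thread, to show concretely what volka's SQL injection link is about. It wraps the thread's own query string in a function so the effect of a crafted user name can be seen without a database, then shows the escaped form (mysql_real_escape_string, here as its mysqli equivalent) and a prepared statement that avoids the problem altogether. The table name tbl_student and the columns name and pws are the thread's; the sample inputs, the assumed row named "admin", and the XAMPP connection defaults (root, empty password, database "student") are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Shows why string concatenation in
// the login query is dangerous and what the safer alternatives look like.

// The thread's query, unchanged apart from being wrapped in a function.
function build_login_query($name, $pws)
{
    return "SELECT * FROM tbl_student WHERE name ='" . $name . "' and pws='" . $pws . "'";
}

// Same query with the values escaped (volka's mysql_real_escape_string
// suggestion). Escaping needs a live connection, so a mysqli link is passed in.
function build_login_query_escaped(mysqli $db, $name, $pws)
{
    return build_login_query($db->real_escape_string($name), $db->real_escape_string($pws));
}

// Preferred form: a prepared statement. The values never become part of the
// SQL text, so nothing in them can change the WHERE clause. Returns true when
// exactly one row matches, like the thread's mysql_num_rows($result) == 1.
// Note: like the thread's code this still compares a plaintext pws column.
function login_prepared(mysqli $db, $name, $pws)
{
    $stmt = $db->prepare('SELECT name FROM tbl_student WHERE name = ? AND pws = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $pws);
    $stmt->execute();
    $stmt->store_result();
    $ok = ($stmt->num_rows === 1);
    $stmt->close();
    return $ok;
}

// 1. Normal input (constructed): the SQL reads as intended.
echo build_login_query('ali', 'secret'), "\n";

// 2. Crafted user name "admin' -- " (note the trailing space). In MySQL "-- "
//    starts a comment, so the closing quote and the whole pws comparison are
//    commented out. If a row named admin exists (assumed here), exactly one
//    row comes back, mysql_num_rows() == 1, and the login succeeds without
//    any password.
echo build_login_query("admin' -- ", 'anything'), "\n";

// 3. With a real database (assumed XAMPP defaults) the escaped query keeps the
//    quote inside the string literal, and the prepared statement finds no row.
mysqli_report(MYSQLI_REPORT_OFF);
$db = @new mysqli('localhost', 'root', '', 'student');
if ($db->connect_error) {
    echo "No database connection; skipping the live check.\n";
} else {
    echo build_login_query_escaped($db, "admin' -- ", 'anything'), "\n";
    var_dump(login_prepared($db, "admin' -- ", 'anything'));
    $db->close();
}
```

Run from the command line with `php`, the first echo prints the query with `name ='ali' and pws='secret'`; the second prints `name ='admin' -- ' and pws='anything'`, where everything after `-- ` is a comment to MySQL. With a database present, the escaped variant prints `name ='admin\' -- ' ...` (the quote stays inside the literal) and the prepared version returns `bool(false)` for the same input.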

Posted: Sat Dec 23, 2006 11:15 am
by timvw
Please have a look at viewtopic.php?t=61184; it is a very similar script, and we've annotated it with possible things the developer should be aware of.

(Your problem is probably solved by calling session_write_close before you call header ('Location'...)

Posted: Sat Dec 23, 2006 1:09 pm
by ms_dos10
Do you mean like this, timvw? And thanks to volka.

Code:

<?php
ob_start();
session_start();
if(isset($_POST['submit']))
{
       $name = $_POST['user'];
       $pws  = $_POST['pws'];

       $sql ="SELECT * FROM tbl_student WHERE name ='".$name."'and pws='".$pws."'";
       include("includes/config.php");
       $result = mysql_query($sql);
       if(mysql_num_rows($result) == 1)
       {
                $_SESSION['sessref'] = $name;
                session_register("sessref");
                header("location:student_list.php");
                exit();
       }
       else
       {
               session_write_close();
               session_destroy();
               header("loaction:admincp.php");
               exit();
       }
}
ob_end_flush();
?>
<html>
<head>
<link href = "includes/admin.css" type = "text/css" rel = "stylesheet">
<title>Admin Panel</title>
</head>
<body valign="top">
<br>
<br>
<table width="600" align="center" border="1">
<form name="frm" method="post" action="">
<tr>
    <th colspan="2" align="center">Admin Panel</th>
</tr>
<tr>
    <th colspan="2" align="center">Admin Panel Student For Project</th>
</tr>

<tr>
     <td align="right">Admin Name:</td>
     <td align="left"><input type="text" name="user" value=""/></td>
</tr>
<tr>
     <td align = right>Admin Password:</td>
     <td align="left"><input type="password" name="pws" value=""/></td>
</tr>
<tr>
     <td align="right"><input type="submit" name="submit" value="Login" onclick="return checkdata()"/></td>
     <td align="left"><input type="reset" name="reset" value="Clear"/></td>
</tr>
</form>
</table>
<table width="600" align="center" border="0">
<tr>
       <td align="left"><a href="add_student.php">Registration</a></td>
</tr>
</table>
</body>
</html>

Posted: Sat Dec 23, 2006 1:17 pm
by volka
session_register() is deprecated, never mix it with $_SESSION.
mysql_real_escape_string is important, please read the wikipedia article about sql injections.

Code:

ob_start();
session_start();
if(isset($_POST['submit']))
{
	require 'includes/config.php';
	$name = mysql_real_escape_string($_POST['user']);
	$pws  = mysql_real_escape_string($_POST['pws']);
	
	$sql ="SELECT * FROM tbl_student WHERE name ='".$name."'and pws='".$pws."'";
	
	$result = mysql_query($sql);
	if(mysql_num_rows($result) == 1)
	{
		$_SESSION['sessref'] = $_POST['user'];
		session_write_close();
		header("Location: student_list.php"); // should be an absolute URI like http://xy.z/student_list.php
		exit();
	}
	else
	{
		$_SESSION = array();
		session_destroy();
		header("Location: admincp.php"); // should be an absolute URI like http://xy.z/admincp.php
		exit();
	}
}
ob_end_flush();

Posted: Sat Dec 23, 2006 2:09 pm
by ms_dos10
Now I am on localhost; how can I write the absolute URI?
When I go to the real site I'll change it. Is that what you mean?

Code:

$_SESSION['sessref'] = $_POST['user'];
I have to use the name variable because it is cleared of any wrong data after using mysql_real_escape_string(), the same as here:

Code:

$_SESSION['sessref'] = $name;

Posted: Sat Dec 23, 2006 2:26 pm
by ms_dos10
And thanks to everyone who helped me.
I have a question: when I'm going to kill the session, do I have to write it like this every time?

Code:

$_SESSION = array();
session_destroy();
And why do we assign an array to the session? It is already an array. I have one idea: every superglobal variable is an array, but here we assign an array to it; why, what is the reason?

And when I need to print that value from the session, how can I do that?

When I want to check whether this session is available or not, is it OK like this?

Code:

session_start();
if(!isset($_SESSION['sessref']))
{
        session_destroy();
        header("location:admincp.php");
        exit();
}

Posted: Sun Dec 24, 2006 7:37 am
by volka
ms_dos10 wrote:

Code:

$_SESSION['sessref'] = $_POST['user'];
I have to use the name variable because it is cleared of any wrong data after using mysql_real_escape_string(), the same as here:

Code:

$_SESSION['sessref'] = $name;
But $_SESSION doesn't care about those characters that are escaped by mysql_real_escape_string. I believe it clouds the view for real problems when data is encoded, escaped or otherwise needlessly transformed at the "wrong" places without good reason.

Code:

// assigning a new,empty array to $_SESSION
$_SESSION = array();
// => !isset($_SESSION['sessref'])
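
Pulling together what timvw and volka describe in this thread (session_write_close() before the redirect, an absolute Location URI, emptying $_SESSION before session_destroy(), and testing $_SESSION['sessref'] on the next page), here is an added example that is not code from the thread. It assumes the pages are served from http://localhost under XAMPP (the BASE_URL constant is an assumption to change for the real host) and adds one thing nobody in the thread mentions, session_regenerate_id() at login, which is labelled as such in the code.

```php
<?php
// Added example, not code from the thread: the session operations discussed
// above collected into functions that admincp.php and student_list.php can
// share through include(). BASE_URL is an assumption for the absolute
// Location URI volka mentions; set it to the real host before deploying.
define('BASE_URL', 'http://localhost');

session_start();

// Write the session data to disk before sending Location (timvw's point),
// so the very next request already sees what was stored, then stop.
function redirect_to($page)
{
    session_write_close();
    header('Location: ' . BASE_URL . '/' . $page);
    exit();
}

// Called only after the user name and password have been verified.
// session_regenerate_id() is an addition the thread does not mention: it gives
// the logged-in user a fresh session id, so an id that existed before login
// (for example one handed to the victim by someone else) is no longer valid.
function login_user($username)
{
    session_regenerate_id(true);
    $_SESSION['sessref'] = $username;
    redirect_to('student_list.php');
}

// ms_dos10 asked why $_SESSION = array() is needed: session_destroy() removes
// the stored session data, but the values already loaded into $_SESSION stay
// in memory for the rest of this request unless the array is emptied too.
// Removing the session cookie as well follows the session_destroy() example
// in the PHP manual.
function logout_user()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    redirect_to('admincp.php');
}

// Put this at the top of every page that needs a logged-in admin; it replaces
// the isset() check at the top of student_list.php.
function require_login()
{
    if (!isset($_SESSION['sessref']) || $_SESSION['sessref'] === '') {
        logout_user();
    }
    return $_SESSION['sessref'];
}

// Printing the stored name (volka's answer below), escaped because it is
// written into HTML and originally came from a form field.
function print_current_user()
{
    echo '<div>', htmlspecialchars($_SESSION['sessref'], ENT_QUOTES, 'UTF-8'), "</div>\n";
}

// Usage (assumed file layout):
//   admincp.php:       if ($loginOk) { login_user($name); } else { logout_user(); }
//   student_list.php:  $who = require_login(); print_current_user();
```

Note that the value stored in the session is the raw user name, not the escaped $name, which matches volka's remark that escaping belongs at the place where the data is used (the SQL query or the HTML output), not where it is stored.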

Posted: Sun Dec 24, 2006 9:23 am
by ms_dos10
Thanks for everything, God bless you. I still need this answer: how can I print the value I assigned to the session? I mean the syntax to print the user value. That's all I need.
Thanks again.

Posted: Sun Dec 24, 2006 9:26 am
by volka
You can print it like any other value. There's (almost) nothing special about $_SESSION, it's an array, use it as such.
e.g.

Code:

echo '<div>', htmlentities($_SESSION['sessref']), "</div>\n";
// or without html-thingelings
echo $_SESSION['sessref'];

Posted: Sun Dec 24, 2006 9:34 am
by ms_dos10

Code:

echo "Thanx for everything god bless u ";