Switching to "$_SESSION" from "session_regis

Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Hi

I implemented a fairly simple login script to protect a members-only area of a site. It all worked fine. Then, after reading several posts here, I realised that the method I used - session_register - was now deprecated in favour of $_SESSION. So I've attempted to change the script to fit; unfortunately something's not right.

The following is the processing page which is sent the info by the form.

Code:

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
  
   $myusername=$_POST['myusername'];
   $mypassword=$_POST['mypassword'];

   $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
   $result=mysql_query($sql);

// Mysql_num_row is counting table row
   
   $count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

   if($count==1){

// Register $myusername, $mypassword and redirect

   $_SESSION['myusername'] = $username;
   $_SESSION['mypassword'] = $password;

   header("location:members/news.html");
   }
      else {
            header("location:/userlogin1.html");
            }
?>

The following is the code at the top of the news page that the members are redirected to when the preceding script completes correctly.

Code:

<?
session_start();
if (!isset($_POST['username']) && !isset($_POST['password']))
header("location: /index.html");

?>

What's happening is that when the user reaches the news page with the session_start etc on it, they're being redirected to the index page as if the session isn't being stored.

I'm not sure which bit I've messed up!

Any help gratefully accepted.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

try

Code:

<?php
error_reporting(E_ALL); ini_set('display_errors', true);
session_start();

// Connect to server and select database.
// ## no need for "$var", just $var
$mysql = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($db_name, $mysql) or die(mysql_error());

// username and password sent from signup form
// ## sql injections
$myusername=mysql_real_escape_string($_POST['myusername'], $mysql) or die(mysql_error());
$mypassword=mysql_real_escape_string($_POST['mypassword'], $mysql) or die(mysql_error());
$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword' LIMIT 1";
$result=mysql_query($sql) or die(mysql_error());
// If result matched $myusername and $mypassword, table row must be 1 row
if( 1==$mysql_num_rows($result)) {
	// Register $myusername, $mypassword and redirect
	// ## $username? You used that in mysql_connect.
	// ## There's usually no need to store the password.
	$_SESSION['myusername'] = $_POST['myusername'];
	header("Location: members/news.html");
}
else {
	header("Location: /userlogin1.html");
}
?>

Code:

<?
session_start();
if (!isset($_POST['username']) && !isset($_POST['password']))
header("location: /index.html");

?>

Why do you test _POST when the values are stored in _SESSION?
username or myusername, make your choice but stick with it.
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Hi

Thanks for the quick response!

When I add your changes I get an error saying that the index "username" is undefined.

Far as why I'm checking POST rather than SESSION? Ignorance on my part probably - trying to add bits of code to the previous script that I don't really understand! :oops:
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

volka wrote: username or myusername, make your choice but stick with it.

When you store _SESSION['myusername'] you also have to check _SESSION['myusername'], not _SESSION['username'].
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Yes, thanks - that was from the original script but I've dumped all reference to myusername in favour of straight username.

Still getting the undefined index error...
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Sorry - that was my fault - forgot to change the form :roll:

Ok now I'm getting the following error
Undefined variable: mysql_num_rows in /home/ndqircyc/public_html/checklogin.php on line 24

With this code:

Code:

<?php
error_reporting(E_ALL); ini_set('display_errors', true);
session_start();

$host="localhost"; // Host name
$username="whatever"; // Mysql username
$password="whatever"; // Mysql password
$db_name="whatever"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
// ## no need for "$var", just $var
$mysql = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($db_name, $mysql) or die(mysql_error());


// username and password sent from signup form
// ## sql injections
$username=mysql_real_escape_string($_POST['username'], $mysql) or die(mysql_error());
$password=mysql_real_escape_string($_POST['password'], $mysql) or die(mysql_error());
$sql="SELECT username FROM $tbl_name WHERE username='$username' and password='$password' LIMIT 1";
$result=mysql_query($sql) or die(mysql_error());
// If result matched $myusername and $mypassword, table row must be 1 row
if( 1==$mysql_num_rows($result)) {
        // Register $myusername, $mypassword and redirect
        // ## $username? You used that in mysql_connect.
        // ## There's usually no need to store the password.
        $_SESSION['username'] = $_POST['username'];
        header("Location: members/news.html");
}
else {
        header("Location: /userlogin1.html");
}

?>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

my typo
$mysql_num_rows($result)
remove the $
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Thank you so much volka - that sorted it!

I've replaced the code on the other page with this which seems to work fine too - just to check, does it look right to you?

Code:

<?
session_start();
  if (!isset($_SESSION['username']) && !isset($_SESSION['password']))
    header("location: /index.html");

?>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Still no need to keep the user's password

Code:

session_start();
if ( !isset($_SESSION['username']) )
{
  header("location: /index.html"); 
  die();
}
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Thanks for all your help!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It may be noted that you should also use full URLs only with header() based redirection.
Noobie
Forum Commoner
Posts: 85
Joined: Sun May 15, 2005 11:38 am

Post by Noobie »

Ok - thanks Feyd - I'll change the URLs.
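
The fixes discussed in this thread (user input kept out of the SQL text, only the username stored in the session, a guard that checks `$_SESSION`), written with current PHP APIs as an added example that is not part of the original thread or any poster's code. The `mysql_*` functions used above were removed in PHP 7.0, so PDO with bound parameters and `password_hash()`/`password_verify()` are swapped in. Assumptions: PHP 7.1+ with the pdo_sqlite extension, a hypothetical `password_hash` column, and the helper names `credentials_ok`, `handle_login` and `guard`.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the thread's "members" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// True only if the user exists and the password matches the stored hash.
function credentials_ok(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// checklogin.php logic: returns the redirect target; stores only the username.
function handle_login(PDO $db, array $post, array &$session): string
{
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    if (!credentials_ok($db, $username, $password)) {
        return '/userlogin1.html';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $session['username'] = $username; // the password is never kept in the session
    return '/members/news.html';
}

// Guard for members pages: null means access allowed, otherwise where to redirect.
function guard(array $session): ?string
{
    return isset($session['username']) ? null : '/index.html';
}

// Constructed requests (CLI demo). On a real page: call session_start(), pass $_POST and
// $_SESSION, then header('Location: ' . $target) with a full URL as feyd advises, and exit.
$session = [];
var_dump(guard($session));
var_dump(handle_login($db, ['username' => "o'neil", 'password' => 'x'], $session));
var_dump(handle_login($db, ['username' => 'alice', 'password' => 'correct horse'], $session));
var_dump(guard($session));
```

The username containing a quote is handled as ordinary data by the bound parameter, so no escaping call is needed before the query.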