Switching to "$_SESSION" from "session_regis

Posted: Sun Mar 11, 2007 5:24 am
by Noobie
Hi

I implemented a fairly simple login script to protect a members-only area of a site. It all worked fine. Then, after reading several posts here, I realised that the method I used - session_register - was now deprecated in favour of $_SESSION. So I've attempted to change the script to fit; unfortunately, something's not right.

The following is the processing page which is sent the info by the form.

Code:

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// mysql_num_rows counts the matching table rows
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect
    $_SESSION['myusername'] = $username;
    $_SESSION['mypassword'] = $password;

    header("location:members/news.html");
}
else {
    header("location:/userlogin1.html");
}
?>
The following is the code at the top of the news page that the members are redirected to when the preceding script completes correctly.

Code:

<?php
session_start();
if (!isset($_POST['username']) && !isset($_POST['password']))
    header("location: /index.html");
?>
What's happening is that when the user reaches the news page with the session_start etc on it, they're being redirected to the index page as if the session isn't being stored.

I'm not sure which bit I've messed up!

Any help gratefully accepted.

Posted: Sun Mar 11, 2007 5:42 am
by volka
try

Code:

<?php
error_reporting(E_ALL); ini_set('display_errors', true);
session_start();

// Connect to server and select database.
// ## no need for "$var", just $var
$mysql = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($db_name, $mysql) or die(mysql_error());

// username and password sent from signup form
// ## sql injections
$myusername=mysql_real_escape_string($_POST['myusername'], $mysql) or die(mysql_error());
$mypassword=mysql_real_escape_string($_POST['mypassword'], $mysql) or die(mysql_error());
$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword' LIMIT 1";
$result=mysql_query($sql) or die(mysql_error());
// If result matched $myusername and $mypassword, table row must be 1 row
if( 1==$mysql_num_rows($result)) {
	// Register $myusername, $mypassword and redirect
	// ## $username? You used that in mysql_connect.
	// ## There's usually no need to store the password.
	$_SESSION['myusername'] = $_POST['myusername'];
	header("Location: members/news.html");
}
else {
	header("Location: /userlogin1.html");
}
?>

Code:

<?php
session_start();
if (!isset($_POST['username']) && !isset($_POST['password']))
    header("location: /index.html");
?>
Why do you test _POST when the values are stored in _SESSION?
username or myusername, make your choice but stick with it.

Posted: Sun Mar 11, 2007 6:06 am
by Noobie
Hi

Thanks for the quick response!

When I add your changes I get an error saying that the index "username" is undefined.

As far as why I'm checking POST rather than SESSION? Ignorance on my part probably - trying to add bits of code to the previous script that I don't really understand! :oops:

Posted: Sun Mar 11, 2007 6:17 am
by volka
volka wrote: username or myusername, make your choice but stick with it.
When you store _SESSION['myusername'] you also have to check _SESSION['myusername'] not _SESSION['username']

Posted: Sun Mar 11, 2007 6:21 am
by Noobie
Yes, thanks - that was from the original script but I've dumped all reference to myusername in favour of straight username.

Still getting the undefined index error...

Posted: Sun Mar 11, 2007 6:28 am
by Noobie
Sorry - that was my fault - forgot to change the form :roll:

Ok now I'm getting the following error
Undefined variable: mysql_num_rows in /home/ndqircyc/public_html/checklogin.php on line 24

With this code:

Code:

<?php
error_reporting(E_ALL); ini_set('display_errors', true);
session_start();

$host="localhost"; // Host name
$username="whatever"; // Mysql username
$password="whatever"; // Mysql password
$db_name="whatever"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
// ## no need for "$var", just $var
$mysql = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($db_name, $mysql) or die(mysql_error());

// username and password sent from signup form
// ## sql injections
$username=mysql_real_escape_string($_POST['username'], $mysql) or die(mysql_error());
$password=mysql_real_escape_string($_POST['password'], $mysql) or die(mysql_error());
$sql="SELECT username FROM $tbl_name WHERE username='$username' and password='$password' LIMIT 1";
$result=mysql_query($sql) or die(mysql_error());
// If result matched $myusername and $mypassword, table row must be 1 row
if( 1==$mysql_num_rows($result)) {
        // Register $myusername, $mypassword and redirect
        // ## $username? You used that in mysql_connect.
        // ## There's usually no need to store the password.
        $_SESSION['username'] = $_POST['username'];
        header("Location: members/news.html");
}
else {
        header("Location: /userlogin1.html");
}
?>

Posted: Sun Mar 11, 2007 6:30 am
by volka
my typo
$mysql_num_rows($result)
remove the $

Posted: Sun Mar 11, 2007 6:35 am
by Noobie
Thank you so much volka - that sorted it!

I've replaced the code on the other page with this which seems to work fine too - just to check, does it look right to you?

Code:

<?php
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['password']))
    header("location: /index.html");
?>

Posted: Sun Mar 11, 2007 8:40 am
by volka
Still no need to keep the user's password

Code:

<?php
session_start();
if ( !isset($_SESSION['username']) )
{
  header("location: /index.html");
  die();
}

Posted: Sun Mar 11, 2007 8:59 am
by Noobie
Thanks for all your help!

Posted: Sun Mar 11, 2007 9:03 am
by feyd
It may be noted that you should also use full URLs only with header()-based redirection.

Posted: Sun Mar 11, 2007 11:11 am
by Noobie
Ok - thanks Feyd - I'll change the URLs.
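The points raised in this thread pulled together into one current-PHP version, as an added example that is not code from any of the posts above: session_start() before touching $_SESSION, the session check done against $_SESSION rather than $_POST, only the username kept in the session (never the password), exit after the redirect header, and a full URL in the Location header as feyd notes. It goes beyond the thread in two respects: the removed mysql_* functions and mysql_real_escape_string() are replaced by a mysqli prepared statement, and the plaintext password column is replaced by a password_hash() column checked with password_verify(). The base URL, database credentials, the `members` table with a `password_hash` column, and the file name news.php (a .php page rather than the thread's news.html) are all assumptions.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ with mysqlnd
// (needed for get_result()) and this schema, created separately:
//   CREATE TABLE members (username VARCHAR(64) PRIMARY KEY,
//                         password_hash VARCHAR(255) NOT NULL);
// Rows are inserted with password_hash($plaintext, PASSWORD_DEFAULT).
declare(strict_types=1);

const BASE_URL = 'https://example.com';   // assumed site; full URL for Location headers

function db_connect(): mysqli
{
    // Report mysqli errors as exceptions instead of returning false silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed credentials
}

/**
 * True if $username exists and $password matches its stored hash.
 * The username is bound as a parameter, so user input never becomes
 * part of the SQL text; the password is never sent to the database at all.
 */
function check_credentials(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false;          // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

function redirect(string $path): void
{
    header('Location: ' . BASE_URL . $path);
    exit;   // a Location header alone does not stop the rest of the page running
}

// checklogin.php: the login form posts here.
function handle_login(): void
{
    session_start();
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || $password === ''
        || !check_credentials(db_connect(), $username, $password)) {
        redirect('/userlogin1.html');
    }

    // New session id on login so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;   // identity only; no need to keep the password
    redirect('/members/news.php');
}

// Top of every members-only page (e.g. members/news.php).
function require_login(): void
{
    session_start();
    if (!isset($_SESSION['username'])) {
        redirect('/index.html');
    }
}
```

checklogin.php would `require` this file and call `handle_login()`; each protected page calls `require_login()` before producing any output, since header() cannot be sent once output has started.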