Need help with login code - session starts on 2nd attempt

moleculo
Forum Newbie
Posts: 18
Joined: Thu Nov 15, 2007 9:05 am

Post by moleculo »

Hello. I am having trouble getting this login code to work on the first attempt. This script is called login.php. When I enter a valid username and password, it posts to login.php, starts a session, and redirects back to login.php. On the first attempt, it's not recognizing the session so it goes back to the login page. On the 2nd attempt, it works fine, but it recognizes the session from the first attempt, even if I entered an invalid username and password on the 2nd attempt. I tried moving session_start(); all over the script, and still the same result... Anyone have any ideas what's missing here? Thanks.

login.php:

 
<?php
ob_start("ob_gzhandler");
session_start();
$e = $_SESSION['ship_email'];
echo "$e"; //for testing
?>
<html>
<head>
<SCRIPT language="JavaScript">
function submitform()
{
  document.myform.submit();
}
</SCRIPT>
<link rel="stylesheet" href="http://domain.com/new/css.css" type="text/css">
<!--[if IE]><style type="text/css">@import "ie.css";</style><![endif]-->
</head>
<body>
<div align="center">
<table information...>
<?php
if(isset($_SESSION['ship_email']))
{
    $e = $_SESSION['ship_email'];
    ?>
    <div class="header">
    <ul>
      <li><a href="http://domain.com/new">Home</a></li>
      <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
</table>
    <?php
    require_once('mysqladmin.php');
    $query = "SELECT * FROM cust WHERE ship_email='$e'";
    $result = mysql_query($query);
    $num = mysql_num_rows($result); 
    $row = mysql_fetch_array($result, MYSQL_NUM);
    echo "Welcome $row[4] $row[5]";
}
else if(isset($_POST['login_submit'])) //form has just been submitted
{
require_once('mysqladmin.php');
    if(empty($_POST['user']))//if email is not entered
    {
        $ship_email = FALSE;
        echo '<B><P ALIGN=RIGHT>YOU FORGOT TO ENTER YOUR EMAIL!</p></B>';
    }
    else//  email is entered, parse it
    {
        $ship_email = $_POST['user'];
    }
    if(empty($_POST['password']))//if password is not entered
    {
        $p = FALSE;
        echo '<P ALIGN=RIGHT><B>YOU FORGOT TO ENTER A PASSWORD!</B></P>';
    }
    else //password entered, parse it
    {
        $p = $_POST['password'];
    }
        if($ship_email && $p)//username and password are OK - QUERY DATABASE
    {
        $query = "SELECT * FROM cust 
        WHERE ship_email='$ship_email' AND password=PASSWORD('$p')";
        $result = @mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_NUM);
        if($row)
        {
            session_start();
            $_SESSION['ship_email'] = $row[15];
            $e = $_SESSION['ship_email'];
?>
            <table>
            <div class="header">
            <ul>
              <li><a href="http://domain.com/new">Home</a></li>
              <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
            </div>
            </table>
 
            <META HTTP-EQUIV="Refresh" CONTENT="3; 
            URL=http://www.domain.com/new/login.php">                       
            <?php
            echo "$e"; //for testing
            ob_end_flush();
        }//if($row)
        else//  username and password are not found in the database
        {
            echo '<P ALIGN=RIGHT><B>THE USERNAME-PASSWORD DO NOT MATCH OUR DATABASE!</B></P>';
        }
    }//if($ship_email && $p)
    else
    {   
        echo '<P ALIGN=RIGHT><B>PLEASE TRY AGAIN!</B></P>';
    }
    mysql_close();
}//if(isset($_POST['login_submit']))
 
else
{
    ?>
        <div class="header">
            <ul>
              <li><a href="http://domain.com/new">Home</a></li>
              <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
        </div>
        </table>
        <table>
        <tr>
        <form name="myform" action="http://domain.com/new/login.php" method="post">
        <td>Email address:</td>
        <td></td>
        <td><p class="regbox">
        <input type="Text" name="user" value="" size="70" /></td>
        </tr>
        <tr>
        <td><p class="regbox">
        <input type="password" name="password" value="" size="70" /></td>
        </tr>
        <tr>
        <td><a href="javascript: submitform()">
        <input type="hidden" name="login_submit" value="Login">Login</td>
        </tr>
<?php
}
?>
 
</div>
</body>
</html>
 
 
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Need help with login code - session starts on 2nd attempt

Post by Mordred »

What happens if you put session_start at the very beginning of the script?
Also put an error_reporting(E_ALL); above it to make sure you're catching all possible errors.

Also read up on SQL Injection, you have it all over.
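
The SQL injection point above, as an added example that is not part of the original thread or the poster's code: the same login lookup written with a bound parameter and a PHP-side password check, using PDO because the mysql_* functions in the post were removed in PHP 7. The `cust` table and `ship_email` column come from the post; the `password_hash` column, the in-memory SQLite database, the sample row and the function names are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Table and column names follow the
// thread; the password_hash column and the SQLite row are constructed.
function find_customer(PDO $db, string $email, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT ship_email, password_hash FROM cust WHERE ship_email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check the password in PHP against a salted hash instead of comparing
    // PASSWORD('$p') inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

function log_in(array $customer): void
{
    // One session_start() per request, before any output is sent.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new session ID once the user is authenticated
    $_SESSION['ship_email'] = $customer['ship_email'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cust (ship_email TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO cust VALUES (?, ?)')
   ->execute(["pat.o'neil@example.com", password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// The apostrophe would terminate the string literal in a concatenated query;
// as a bound value it is compared as plain data.
$ok  = find_customer($db, "pat.o'neil@example.com", 's3cret-demo');
$bad = find_customer($db, "pat.o'neil@example.com", 'wrong-password');
if ($ok !== null) {
    log_in($ok);
}
echo 'valid login: ', var_export($ok !== null, true), PHP_EOL;
echo 'wrong password: ', var_export($bad !== null, true), PHP_EOL;
echo 'session user: ', $_SESSION['ship_email'] ?? '(none)', PHP_EOL;
```

The same placeholder approach applies to the `SELECT * FROM cust WHERE ship_email='$e'` lookup that runs when a session already exists.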
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Need help with login code - session starts on 2nd attempt

Post by Christopher »

I notice that there is a blank line before <?php. Are headers being sent?
(#10850)
moleculo
Forum Newbie
Posts: 18
Joined: Thu Nov 15, 2007 9:05 am

Re: Need help with login code - session starts on 2nd attempt

Post by moleculo »

Mordred wrote: What happens if you put session_start at the very beginning of the script?
Also put an error_reporting(E_ALL); above it to make sure you're catching all possible errors.

Also read up on SQL Injection, you have it all over.

If I put session_start at the very beginning, and remove ob_start, I get the same exact result.

I just tried error_reporting(E_ALL); and it gave me 2 errors:

Notice: A session had already been started - ignoring session_start() on line 69

Notice: ob_end_flush() [ref.outcontrol]: failed to delete and flush buffer.
No buffer to delete or flush. on line 85

So I removed that session_start and the ob_end_flush, and I am still getting the same exact result: Login works on the 2nd attempt.

I've never heard of SQL injection. I will read up on it. Thanks for the tip.
moleculo
Forum Newbie
Posts: 18
Joined: Thu Nov 15, 2007 9:05 am

Re: Need help with login code - session starts on 2nd attempt

Post by moleculo »

arborint wrote: I notice that there is a blank line before <?php. Are headers being sent?

Sorry, no blank on the actual script. I forgot to remove the space after <code> when posting here. The headers are being sent on the 2nd attempt using <META HTTP-EQUIV="Refresh" CONTENT="1;
URL=http://www.domain.com/new/login.php">
Is this what you mean?