Need help with login code - session starts on 2nd attempt

Posted: Sun Jan 27, 2008 9:15 am
by moleculo
Hello. I am having trouble getting this login code to work on the first attempt. This script is called login.php. When I enter a valid username and password, it posts to login.php, starts a session, and redirects back to login.php. On the first attempt, it's not recognizing the session so it goes back to the login page. On the 2nd attempt, it works fine, but it recognizes the session from the first attempt, even if I entered an invalid username and password on the 2nd attempt. I tried moving session_start(); all over the script, and still the same result... Anyone have any ideas what's missing here? Thanks.

login.php:

<?php
ob_start("ob_gzhandler");
session_start();
$e = $_SESSION['ship_email'];
echo "$e"; //for testing
?>
<html>
<head>
<SCRIPT language="JavaScript">
function submitform()
{
  document.myform.submit();
}
</SCRIPT>
<link rel="stylesheet" href="http://domain.com/new/css.css" type="text/css">
<!--[if IE]><style type="text/css">@import "ie.css";</style><![endif]-->
</head>
<body>
<div align="center">
<table information...>
<?php
if(isset($_SESSION['ship_email']))
{
    $e = $_SESSION['ship_email'];
    ?>
    <div class="header">
    <ul>
      <li><a href="http://domain.com/new">Home</a></li>
      <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
</table>
    <?php
    require_once('mysqladmin.php');
    $query = "SELECT * FROM cust WHERE ship_email='$e'";
    $result = mysql_query($query);
    $num = mysql_num_rows($result); 
    $row = mysql_fetch_array($result, MYSQL_NUM);
    echo "Welcome $row[4] $row[5]";
}
else if(isset($_POST['login_submit'])) //form has just been submitted
{
require_once('mysqladmin.php');
    if(empty($_POST['user']))//if email is not entered
    {
        $ship_email = FALSE;
        echo '<B><P ALIGN=RIGHT>YOU FORGOT TO ENTER YOUR EMAIL!</p></B>';
    }
    else//  email is entered, parse it
    {
        $ship_email = $_POST['user'];
    }
    if(empty($_POST['password']))//if password is not entered
    {
        $p = FALSE;
        echo '<P ALIGN=RIGHT><B>YOU FORGOT TO ENTER A PASSWORD!</B></P>';
    }
    else //password entered, parse it
    {
        $p = $_POST['password'];
    }
        if($ship_email && $p)//username and password are OK - QUERY DATABASE
    {
        $query = "SELECT * FROM cust 
        WHERE ship_email='$ship_email' AND password=PASSWORD('$p')";
        $result = @mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_NUM);
        if($row)
        {
            session_start();
            $_SESSION['ship_email'] = $row[15];
            $e = $_SESSION['ship_email'];
?>
            <table>
            <div class="header">
            <ul>
              <li><a href="http://domain.com/new">Home</a></li>
              <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
            </div>
            </table>
 
            <META HTTP-EQUIV="Refresh" CONTENT="3; 
            URL=http://www.domain.com/new/login.php">                       
            <?php
            echo "$e"; //for testing
            ob_end_flush();
        }//if($row)
        else//  username and password are not found in the database
        {
            echo '<P ALIGN=RIGHT><B>THE USERNAME-PASSWORD DO NOT MATCH OUR DATABASE!</B></P>';
        }
    }//if($ship_email && $p)
    else
    {   
        echo '<P ALIGN=RIGHT><B>PLEASE TRY AGAIN!</B></P>';
    }
    mysql_close();
}//if(isset($_POST['login_submit']))
 
else
{
    ?>
        <div class="header">
            <ul>
              <li><a href="http://domain.com/new">Home</a></li>
              <li><a href="http://domain.com/new/index.php?page=products">Products</a></li>
        </div>
        </table>
        <table>
        <tr>
        <form name="myform" action="http://domain.com/new/login.php" method="post">
        <td>Email address:</td>
        <td></td>
        <td><p class="regbox">
        <input type="Text" name="user" value="" size="70" /></td>
        </tr>
        <tr>
        <td><p class="regbox">
        <input type="password" name="password" value="" size="70" /></td>
        </tr>
        <tr>
        <td><a href="javascript: submitform()">
        <input type="hidden" name="login_submit" value="Login">Login</td>
        </tr>
<?php
}
?>
 
</div>
</body>
</html>
 
 

Re: Need help with login code - session starts on 2nd attempt

Posted: Sun Jan 27, 2008 12:14 pm
by Mordred
What happens if you put session_start at the very beginning of the script?
Also put an error_reporting(E_ALL); above it to make sure you're catching all possible errors.

Also read up on SQL Injection, you have it all over.
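
Added example, not part of the thread or of any poster's code: the query pattern from login.php beside a parameterized version, run against an in-memory SQLite table through PDO. The table contents, the helper names (digest, login_concat, login_prepared) and the sample inputs are constructed for illustration, and a SHA-256 digest stands in for MySQL's PASSWORD().

```php
<?php
// Added example. Constructed data: an in-memory SQLite table standing in for `cust`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cust (ship_email TEXT, password TEXT)");

// Stand-in for MySQL's PASSWORD() so both variants compare the same stored value.
// New code should store password_hash() output and check it with password_verify().
function digest(string $p): string
{
    return hash('sha256', $p);
}

$db->prepare("INSERT INTO cust VALUES (?, ?)")
   ->execute(['alice@example.com', digest('correct horse')]);

// Pattern from login.php: the posted value is interpolated into the SQL text.
function login_concat(PDO $db, string $email, string $password): bool
{
    $d = digest($password);
    $sql = "SELECT ship_email FROM cust WHERE ship_email='$email' AND password='$d'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the SQL text is fixed and the values are bound as parameters.
function login_prepared(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare("SELECT ship_email FROM cust WHERE ship_email = ? AND password = ?");
    $stmt->execute([$email, digest($password)]);
    return $stmt->fetch() !== false;
}

// Constructed inputs: a correct login, a wrong password, and an email value whose
// quote closes the string literal so the rest of the value is parsed as SQL.
$cases = [
    ['alice@example.com', 'correct horse'],
    ['alice@example.com', 'wrong'],
    ["alice@example.com' --", 'wrong'],
];
foreach ($cases as [$email, $password]) {
    printf("%-24s concat=%s prepared=%s\n", $email,
        var_export(login_concat($db, $email, $password), true),
        var_export(login_prepared($db, $email, $password), true));
}
```

In the third case login_concat accepts the wrong password because the password clause is commented out of the query, while login_prepared treats the whole value as an email address and rejects it.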

Re: Need help with login code - session starts on 2nd attempt

Posted: Sun Jan 27, 2008 12:31 pm
by Christopher
I notice that there is a blank line before <?php. Are headers being sent?

Re: Need help with login code - session starts on 2nd attempt

Posted: Sun Jan 27, 2008 12:39 pm
by moleculo
Mordred wrote: What happens if you put session_start at the very beginning of the script?
Also put an error_reporting(E_ALL); above it to make sure you're catching all possible errors.

Also read up on SQL Injection, you have it all over.
If I put session_start at the very beginning, and remove ob_start, I get the same exact result.

I just tried error_reporting(E_ALL); and it gave me 2 errors:

Notice: A session had already been started - ignoring session_start() on line 69

Notice: ob_end_flush() [ref.outcontrol]: failed to delete and flush buffer.
No buffer to delete or flush. on line 85

So I removed that session_start and the ob_end_flush, and I am still getting the same exact result: Login works on the 2nd attempt.

I've never heard of SQL injection. I will read up on it. Thanks for the tip.

Re: Need help with login code - session starts on 2nd attempt

Posted: Sun Jan 27, 2008 12:43 pm
by moleculo
arborint wrote: I notice that there is a blank line before <?php. Are headers being sent?
Sorry, no blank on the actual script. I forgot to remove the space after <code> when posting here. The headers are being sent on the 2nd attempt using <META HTTP-EQUIV="Refresh" CONTENT="1;
URL=http://www.domain.com/new/login.php">
Is this what you mean?