I'm toying around with these variables, created a login form,
http://shores-rentals.com/login.php
Upon successful login (checks a users mysql table) I'm trying to set a few session variables
<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
$user = $_POST['username'];
$pass = $_POST['password'];
$sql = "select * from users where username = '".$user."' && password = '".$pass."' limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);
if(mysql_num_rows($result)!=1){
header("location:login_fail.php");
} else {
$_SESSION['logged'] = '1';
$_SESSION['user'] = $user;
$_SESSION['email'] = $info['email'];
if($info['isAdmin']==1) {
header("location:admin");
} else {
header("location:login_success.php");
}
}
mysql_close($db_connect);
?>
After I login it takes me to the admin section, I look in the top where I have a
echo '<pre>';
var_dump($_SESSION);
echo '</pre>';
and all I see is,
array(1) {
["user"]=>
string(5) "Admin"
}
Where are the other session variables?
force
October 21, 2013, 9:11pm
2
While this won’t resolve your specific issue, you should be aware that the mysql_* functions have been deprecated and you should be using mysqli (http://php.net/manual/en/book.mysqli.php) or PDO (http://php.net/manual/en/book.pdo.php) instead.
You should also be escaping and validating your POST variables before using them. As-is, your script is vulnerable to SQL injections.
As for your specific issue, comment out the header redirects and add a var_dump($_SESSION) at the end of the script. Are your session variables still missing?
Yes, they are, here's the script,
<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."' limit 1";
$result = mysqli_query($sql);
$info = mysqli_fetch_assoc($result);
if(mysqli_num_rows($result)!=1){
//header("location:login_fail.php");
} else {
$_SESSION['logged'] = '1';
$_SESSION['user'] = $user;
$_SESSION['id'] = $info['id'];
$_SESSION['email'] = $info['email'];
if($info['isAdmin']==1) {
//header("location:admin");
} else {
//header("location:login_success.php");
}
}
mysqli_close($db_connect);
var_dump($_SESSION);
?>
the form that calls the script,
http://shores-rentals.com/login.php
here's the function,
<?php
function mysql_prep( $value ) {
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
if( $new_enough_php ) { // PHP v4.3.0 or higher
// undo any magic quote effects so mysql_real_escape_string can do the work
if( $magic_quotes_active ) { $value = stripslashes( $value ); }
$value = mysql_real_escape_string( $value );
} else { // before PHP v4.3.0
// if magic quotes aren't already on then add slashes manually
if( !$magic_quotes_active ) { $value = addslashes( $value ); }
// if magic quotes are active, then the slashes already exist
}
return $value;
}
?>
Call session_write_close() before the redirect.
Think I found something, if I get rid of the mysqli thing
<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."' limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);
if(mysql_num_rows($result)!=1){
//header("location:login_fail.php");
} else {
$_SESSION['logged'] = '1';
$_SESSION['user'] = $user;
$_SESSION['id'] = $info['id'];
$_SESSION['email'] = $info['email'];
if($info['isAdmin']==1) {
//header("location:admin");
} else {
//header("location:login_success.php");
}
}
mysql_close($db_connect);
var_dump($_SESSION);
?>
The script produces the session variables
array(4) { ["logged"]=> string(1) "1" ["user"]=> string(1) "1" ["id"]=> string(1) "2" ["email"]=> string(20) "lukemaxpro@excte.com" }
But when I add the i thing at the end of mysql in mysql_query() , the script shows no session variables.
I'm running PHP 5.2, is this ok?
force
October 22, 2013, 6:53pm
7
lukeurtnowski:
Think I found something, if I get rid of the mysqli thing
The script produces the session variables
But when I add the i thing at the end of mysql in mysql_query() , the script shows no session variables.
I'm running PHP 5.2, is this ok?
Sorry, I didn’t catch that you changed that.
mysqli_* and PDO are not drop-in replacements for mysql_*. You will need to read the documentation on using it that I linked to in my previous post.
Regardless of what version of PHP you are running, you should start migrating your code over to mysqli or PDO since mysql_* will be removed from future versions of PHP.
Here’s a guide on getting started with PDO: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
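The replies above point out the SQL injection risk and recommend PDO. As an added example (not code from any poster in this thread), here is the credential check written with a PDO prepared statement and a hashed password. The `password_hash` column, the function names, the sample row and the in-memory SQLite DSN are assumptions made so the block runs offline, and `password_hash()`/`password_verify()` need PHP 5.5 or later.

```php
<?php
// Added example, not code from the thread. Assumed schema: users(id, username,
// email, isAdmin, password_hash); the thread's table has a `password` column instead.

function authenticate(PDO $pdo, $username, $password) {
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT id, username, email, isAdmin, password_hash
           FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a stored hash instead of matching plaintext inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Call after session_start() and before any output has been sent.
function completeLogin(array $user) {
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['logged'] = '1';
    $_SESSION['user']   = $user['username'];   // value from the DB row, not from POST
    $_SESSION['id']     = $user['id'];
    $_SESSION['email']  = $user['email'];
    session_write_close();                 // flush session data before redirecting
    header('Location: ' . ($user['isAdmin'] == 1 ? 'admin' : 'login_success.php'));
    exit;                                  // stop executing after the redirect header
}

// Constructed demo data in an in-memory SQLite database so the block runs offline;
// on a MySQL server only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
            isAdmin INTEGER, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, email, isAdmin, password_hash)
                      VALUES (?, ?, ?, ?)');
$ins->execute(array('Admin', 'admin@example.test', 1,
                    password_hash('correct horse', PASSWORD_DEFAULT)));

var_dump(authenticate($pdo, 'Admin', 'correct horse') !== null);  // valid credentials
var_dump(authenticate($pdo, 'Admin', 'wrong password'));          // bad password
var_dump(authenticate($pdo, "Admin' -- ", 'anything'));           // quote stays data
```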
thanks for the link!
I thought session variables can easily be transferred to other php pages. Once I use the form to login
http://shores-rentals.com/login.php
I'm redirected to login_success.php
Here's the script where the redirection happens
<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."' limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);
if(mysql_num_rows($result)!=1){
header("location:login_fail.php");
} else {
$_SESSION['logged'] = '1';
$_SESSION['user'] = $user;
$_SESSION['id'] = $info['id'];
$_SESSION['email'] = $info['email'];
if($info['isAdmin']==1) {
header("location:admin");
} else {
header("location:login_success.php");
}
}
mysql_close($db_connect);
//var_dump($_SESSION);
?>
So I gather the 4 session variables are set
but here's login_success.php
<?php
session_start();
var_dump($_SESSION);
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="/css/style.css">
</head>
<body>
<div id="background">
<div id="outer-wrapper">
<div id="inner-wrapper">
<header>
<?php include 'inc/header.php'; ?>
</header>
<div id="content">
<div id="success">
<h2>Welcome <?=$_SESSION['user']?></h2>
<p align="center">Thank you for Logging in. You may now <a href="rentals/add_a_rental.php">add a rental</a><br><br>
<?php
$success = array('success.jpg','success1.jpg','success2.jpg','success3.jpg','success4.jpg','success5.jpg','success6.jpg','success7.jpg');
echo "<img src=\"images/".$success[array_rand($success)]."\" class=\"result\" />";
?>
</p>
</div>
</div><!--END CONTENT-->
<footer>
<?php include 'inc/footer.html'; ?>
</footer>
</div><!--END INNER-WRAPPER-->
</div><!--END OUTER-WRAPPER-->
</div><!--END BACKGROUND-->
</body>
</html>
why aren’t the variables being transferred?
great article, I'm going to make the move to the PDO thing.
QMonkey
October 22, 2013, 10:27pm
10
Do you want to try it? I’ve seen this before.
yes, I put it before the code
<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."' limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);
if(mysql_num_rows($result)!=1){
header("location:login_fail.php");
} else {
$_SESSION['logged'] = '1';
$_SESSION['user'] = $user;
$_SESSION['id'] = $info['id'];
$_SESSION['email'] = $info['email'];
if($info['isAdmin']==1) {
header("location:admin");
} else {
session_write_close();
header("location:login_success.php");
}
}
mysql_close($db_connect);
//var_dump($_SESSION);
?>
But I get redirected, but the var_dump thing shows an empty array
k, think something may be wrong with my server or something
Attached 2 screenshots, the first is after I submit the authentication form, which shows the 4 session variables, then I click on the link to see if they are available (this is all I have on it)
<?php
session_start();
echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
?>
It shows an empty array, shouldn’t there be four?
Drummin
October 23, 2013, 1:49am
13
And how about with using this line instead?
<h2>Welcome <?php echo "{$_SESSION['user']}"; ?></h2>
No, that doesn’t work, all I get is <h2>welcome</h2>
the idiots at my server never set up the session save path, so it's all set up now, it's in the php.ini file, just did a php_info();
force
October 23, 2013, 1:42pm
16
lukeurtnowski:
the idiots at my server never set up the session save path, so it's all set up now, it's in the php.ini file, just did a php_info();
Wow, that never even occurred to me. Glad you found the issue. I was wondering what the issue might be since I didn’t see any obvious problems in your code.
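The root cause in this thread was the server's session save path. An added diagnostic for that failure mode (not code from the thread), assuming the default `files` session handler: it checks that the configured directory exists and is writable, then writes a session and reads it back the way a second page would. The function names are hypothetical.

```php
<?php
// Added diagnostic, not code from the thread. Run it before any output is sent.
error_reporting(E_ALL);
ini_set('display_errors', '1');    // session storage failures surface as warnings

function sessionStorageProblems() {
    $problems = array();
    if (ini_get('session.save_handler') !== 'files') {
        return $problems;          // save_path is only a directory for the files handler
    }
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', ini_get('session.save_path'));
    $dir = trim(end($parts));
    if ($dir === '') {
        $dir = sys_get_temp_dir(); // the files handler uses the temp dir when unset
    }
    if (!is_dir($dir)) {
        $problems[] = "session.save_path '$dir' does not exist";
    } elseif (!is_writable($dir)) {
        $problems[] = "session.save_path '$dir' is not writable by the PHP user";
    }
    return $problems;
}

function sessionRoundTrips() {
    session_start();
    $_SESSION['probe'] = 'ok';
    $id = session_id();
    session_write_close();         // flush to storage, as at the end of a request
    $_SESSION = array();
    session_id($id);
    session_start();               // read back, as the next page would
    $ok = isset($_SESSION['probe']) && $_SESSION['probe'] === 'ok';
    session_destroy();             // remove the probe session
    return $ok;
}

$problems  = sessionStorageProblems();
$roundTrip = sessionRoundTrips();
foreach ($problems as $p) {
    echo "PROBLEM: $p\n";
}
echo $roundTrip ? "session data survives a write and re-read\n"
                : "session data was lost between write and re-read\n";
```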