php function help

[SN1P3R_85]

hi, I am trying to make a function that will check a users status when viewing certain pages, to make sure they're logged on. If a user exists, then the variable $user will be true. So i made this function:

 

<?php

function user_valid()

{

if (!$user)

{

header('Location:http://www.mysite.com/access_denied.php');

}

}

?>

 

Then i made a test file to see if my function would work, and it didn't. I logged myself on, and then ran this code, and it said that I wasn't logged on, even though i was. here is the code:

 

<?php

include( '../user.inc' );          //contains my function, and is also where i declare $user.

 

user_valid();

 

echo "you're logged in!";

 

?>

 

It keeps saying im not logged on, even though i am. Can php functions be used like this?

[jonsjava]

you need to set a session variable.  If you want help with that, just ask.

[SN1P3R_85]

hmm, why start a session variable? I'm just curious. If i do this it works:

 

<?php

include('../user.inc');

if ($user)

{

include( 'forum_menu.inc' );

}

else

{

header('Location:http://www.mysite.com/access_denied.php');

}

?>

 

its just when i put it in a function to try make it easier, it wont' work.

[jonsjava]

you are asking if a variable exists. if it exists, then consider them logged in.  You need to make sure they are truly logged in. Logout, then try it. I bet it will say that you are logged in.

[SN1P3R_85]

it says im logged out no matter what. If i do it while im logged out, it tries to make me log in, if i do it logged in, it tries to make me log in again. If i take the contents of the function and put it in place of the function, it works.

[jonsjava]

example of using session variables:

login.php

<?php
session_start();
$_SESSION['user_name'] = "me";
$_SESSION['is_valid'] = true;
$_SESSION['user_level'] = "admin";
header("location:main.php");
?>

logout.php

<?php
session_start();
session_unset();
session_destroy();
header("location:main.php");
exit();
?>

main.php

<?php
session_start();
if (isset($_SESSION['is_valid']) && $_SESSION['is_valid'] == true){
print "<a href='logout.php'>Logout</a><br />You are logged in as ".$_SESSION['username']."<br />Userlevel: ".$_SESSION['user_level'];
}
else{
print "<a href='login.php'>Login</a>";
}
?>

[SN1P3R_85]

ok, im gonna post my entire user script so you can see how it works. I already have something along the lines of this, im just trying to make a nifty function i can put into anything i don't want non-users to see. Ok, here is the user script:

 

<?php

 

if ( array_key_exists( 'id', $_COOKIE ) && array_key_exists( 'pass', $_COOKIE ))        //this checks that id and password cookies are set

{

 

include( 'SQL_PASS.inc' );    //my sql login info

 

 

$sql_fetch = "SELECT * FROM login WHERE Id = '{$_COOKIE['id']}' AND Password = '{$_COOKIE['pass']}' LIMIT 1";

 

$lgn_result = mysql_query($sql_fetch);

 

if (!$lgn_result)

{

die('Could not run query: ' . mysql_error());

}

 

if (mysql_num_rows($lgn_result) == 0)

{

die('Wrong username or password, exiting');

}

 

 

$user = mysql_fetch_object( $lgn_result );

}

else

{

$user = false;

}

 

function user_valid()

{

if ($user) {}

else

{

header('Location:http://www.caidenhome.com/access_denied.php');

}

}

 

?>

[jonsjava]

the way you do it is generate a cookie with the username in it, and verify the user each time they hit a page, by looking them up in the DB. that will generate tons of overhead.  It's best not to generate the cookie until they are verified.

[SN1P3R_85]

hmm, So when someone logs on i should make a session variable, and then just check for the session variable? Is there anyway to manipulate session variables, im worried about security. I would also have to make it so it checked if the cookie existed, and if it did, remake the session variable. I could do it that way if its better.

[jonsjava]

sessions are stored server-side. only thing stored client side is a pointer to the session id.

 

edit*

forgot to mention: the sessions are unique to that browser that is opened.  if they close it, the session dies.  You can also set a lifetime on the session.

[SN1P3R_85]

hmm, ok, well, i guess i'll start rewriting my userscript. Do you know why my function didn't work though? it may have been inefficient, but it should have still worked. Did you see anything wrong with it?

[jonsjava]

actually, no idea.  With that said, I shiver looking at the code. Just noticed you store the username and password in the cookie. Cookies are easy to steal via xss (cross site scripting).

[SN1P3R_85]

i have been programming php for like 2 weeks i need to learn how to do this stuff right. Thanks for your help, im gonna start rewriting all this code

[jonsjava]

Well, we all started out at one point or another. You came to the right place to get help learning.  You're also doing it the right way. Dive in. If you need any other help, feel free to ask.