Joseph Witchard Posted September 7, 2008

<?php

// include the connection settings
define('DB_HOST', 'hostname');
define('DB_USER', 'user');
define('DB_PWD', 'password');
define('DB_NAME', 'database');

// connect to the database
$conn = new mysqli(DB_HOST, DB_USER, DB_PWD, DB_NAME);

// process the form
if (array_key_exists('login', $_POST) && ! empty($_POST['login'])) {

    // create an empty array for missing fields
    $missing = array ();

    /* here, I'm going to create an array to hold the form fields.
       if the form fields are empty, I'll add them to the $missing array. */
    $fields = array ("F_Username"=>$_POST['username'], "F_Pwd"=>$_POST['pwd']);

    foreach ($fields as $field=>$value) {
        if ( empty($field)) {
            array_push($missing, $field);
        } else {
            echo 'Missing is empty!<br>';
        }
    }

    // if $missing is empty, continue the processing
    if ( empty($missing)) {

        // assign the form fields to variables
        $username = $fields["F_Username"];
        $pwd = $fields["F_Pwd"];

        // $query = "SELECT user_id, username, FROM usersu WHERE username= ? AND pwd = ? LIMIT 1";

        // prepare the statement
        if ($stmt = $conn->prepare("SELECT user_id, username, FROM usersu WHERE username= ? AND pwd = ? LIMIT 1")) {
            echo 'MySQL statement is prepared<br>';

            // bind the parameters
            $stmt->bind_param('ss', $username, $pwd);

            // execute
            if ($stmt->execute()) {
                echo 'MySQL statement executed OK<br>';
                $stmt->bind_result($id, $username);

                if ($stmt->fetch()) {
                    echo 'MySQL found a result<br>';
                    session_set_cookie_params(900);
                    session_start();
                    $_SESSION['id'] = $id;
                    $_SESSION['username'] = $username;
                    $stmt->close();
                    header("Location: http://www.uhrebirth.com/staff/admin_center.php");
                    exit ;
                } else {
                    echo 'MySQL could not find a match<br>';
                    die ("Invalid Login!");
                }
            } else {
                echo 'MySQL could not execute the prepared statement<br>';
            }
        } else {
            echo 'MySQL could not prepare the statement<br>';
        }
    } else {
        echo 'Missing is NOT empty!<br>';
    }
} else {
    echo 'Array key is NOT set!<br>';
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Rebirth Test Page</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="cache-control" content="no-cache">
<link href="/css/general.css" rel="stylesheet" type="text/css">
</head>
<body>
<div align="center">
<form id="AdminLogIn" name="AdminLogIn" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" id="username" name="username"><br>
<label for="username">Username</label><br>
<input type="password" id="pwd" name="pwd"><br>
<label for="password">Password</label>
<br><br>
<input type="submit" id="login" name="login" value="Login">
<input type="reset" value="Reset"><br><br>
<?php
if ($_POST && $test1) {
    echo "<p><b>Execution was successful</b></p>";
}
if ($_POST && $test3) {
    echo "<p><b>Binding the result was successful</b></p>";
}
if ($_POST && isset($_SESSION['id'])) {
    echo "<p><b>The session ID is set</b></p>";
} else {
    echo "<p><b>The session ID is not set</b></p>";
}
if ($_POST && isset($_SESSION['username'])) {
    echo "<p><b>The session username is set</b></p>";
} else {
    echo "<p><b>The session username is not set";
}
?>
</form>
</div>
</body>
</html>

That is my login script, and for some reason, it doesn't work. When I submit the form, it says that the statement can't be prepared (I'm using MySQL Improved). A lot of people have been helping me and making edits to the script, and nothing ever works. Anyone here who has any advice to offer, your help would be greatly appreciated.

Some things to keep in mind:

Some of the echos used in the actual HTML form (the ones to warn me about errors) have been retired. I just haven't removed the echos yet.

I'm well aware that this script isn't as secure as it should be. I'm very new to SQL coding and databases, so right now, I'm just testing and getting my feet wet. This script is not the final version that I'm going to implement on my website.

Thanks!
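Added example, not part of the original thread: a hardened form of the login handler posted above. It keeps the post's table and column names, assumes the pwd column stores password_hash() output instead of the plain password, and writes the select list without a comma before FROM, which MySQL rejects as a syntax error so that prepare() fails. The attempt_login() helper is hypothetical.

```php
<?php
// Added example; assumes DB_HOST, DB_USER, DB_PWD and DB_NAME are defined as in the post
// and that usersu.pwd holds password_hash() output (assumption, not the poster's schema).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

// Hypothetical helper: returns the matching user, or null on any mismatch.
function attempt_login(mysqli $conn, string $username, string $password): ?array
{
    // No comma between the last column and FROM.
    $stmt = $conn->prepare('SELECT user_id, username, pwd FROM usersu WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Compare against the stored hash in PHP; the password never appears in the SQL.
    if (!$found || !password_verify($password, $hash)) {
        return null;
    }
    return ['id' => $id, 'username' => $name];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Reject array-valued fields (username[]=...) before they reach the typed helper.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['pwd'] ?? null) ? $_POST['pwd'] : '';
    try {
        $conn = new mysqli(DB_HOST, DB_USER, DB_PWD, DB_NAME);
        $user = ($username !== '' && $password !== '')
            ? attempt_login($conn, $username, $password) : null;
    } catch (mysqli_sql_exception $e) {
        error_log('login query failed: ' . $e->getMessage()); // detail goes to the server log only
        http_response_code(500);
        exit('Login is temporarily unavailable.');
    }
    if ($user === null) {
        http_response_code(401);
        exit('Invalid Login!');
    }
    session_set_cookie_params(['lifetime' => 900, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true); // fresh session id at login, so a pre-login id cannot be reused
    $_SESSION['id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
    header('Location: /staff/admin_center.php');
    exit;
}
```

With mysqli_report() in strict mode, a failed prepare() raises mysqli_sql_exception carrying the server's error text, which is where a syntax error in the query shows up.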
burn1337 Posted September 7, 2008

Well first I would try to stay away from having everything bundled inside flow controls, use flow control directly on the $_POST variable, from there transfer your $_POST variables into their own variables within the flow control. Use a variable (not sure if my spelling is correct) for your statement, i.e. $statment = "select * from tbl_name where username='$UserName' and password='$Password'"; then do your query with the variable instead of that elongated statement (btw the statement, doesn't seem that you're passing the credentials into the statement, that could be your problem as is) and I would use the 'or die('')' to the query. Use a variable to get the row count and then use an if to make sure it is 1 (or even keep your limit 1, problem is that if there is another of the same username it will bring that up regardless, unless both are using the same pass, if you have your registration script set up so that it makes sure there isn't another of the same Username you shouldn't have to worry about the count) then set your session variables (remember to call session_start() beforehand and of course in every page to retrieve the session variables) ...
Joseph Witchard Posted September 8, 2008 (Author)

Well, I got the script to work better, but it still isn't working like it should. I did some testing, and it IS able to get the information out of the database. However, when you get sent to the Admin page, the page sends you to the error page like it's supposed to when the sessions aren't set. Even though I'm able to pull the information out of the database, and I assign them to the session variables, it acts as though the session isn't set when you get to the Admin page. The code that checks for the session at the top of the Admin page is:

<?php

// check to see if the session is set
if (!isset($_SESSION['id']) || !isset($_SESSION['username']) || empty($_SESSION)) {
    // send them to the error page
    header("Location: http://www.uhrebirth.com/test/permission_error.php");
} else {
    session_set_cookie_params(900);
    session_start();
    require_once("../admin_logout.php");
}

?>
darkfreaks Posted September 8, 2008

Put exit; after your header URL to make sure it does not loop into the next statement.
Joseph Witchard Posted September 8, 2008 (Author)

Thanks, I put that in. However, it doesn't address the issue I'm having. I should be able to access the Admin page, because it should be able to tell that those session variables are set.
darkfreaks Posted September 8, 2008

<?php

// if session not set
if (!isset($_SESSION['id']) || !isset($_SESSION['username']) || empty($_SESSION)) {
    // send them to the error page
    header("Location: http://www.uhrebirth.com/test/permission_error.php");
    exit;
}
//if session is set
elseif(isset($_SESSION['id'])||isset($_SESSION['username'])||!empty($_SESSION)) {
    session_set_cookie_params(900);
    session_start();
    require_once("../admin_logout.php");
}

?>
Joseph Witchard Posted September 8, 2008 (Author)

Made the edit as you suggested, and it still doesn't work. Did the same thing.
burn1337 Posted September 8, 2008

OK, in order to check to see if the session variable is set or not you must first call session_start(), otherwise you will not be able to load the session variables. Hence why I said to make sure you're calling the function before the variable. What you're doing is like telling a car to run without first putting gas in it. In order to call the session variable you need to first start the session functions. Before the session functions are loaded it will not know where the session variable will be kept, not to mention it will not have gotten access to the session variables. So to better that code up I would do:

session_set_cookie_params(900);
session_start();
if (!isset($_SESSION['var'])) {
    // Load your error page
} else {
    // Load your success page
}

Also that's good that you did receive the information from the database. I wasn't really sure so that's why I brought that up.
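Added example, not part of the original thread: the ordering described in the post above, written as a guard for the top of a protected page. The require_login() function, the last_seen key and the server-side idle check are assumptions; the session keys, the 900-second limit and the error page path come from the thread.

```php
<?php
// Added example: include this before any output on every protected page.
const IDLE_LIMIT = 900; // seconds; same value the thread passes to session_set_cookie_params()

// Hypothetical helper: redirects and stops unless a logged-in, non-expired session exists.
function require_login(string $errorUrl): void
{
    // $_SESSION is only populated once the session has been started,
    // so the session must be opened before any isset() check on it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['lifetime' => IDLE_LIMIT, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }

    $loggedIn = isset($_SESSION['id'], $_SESSION['username']);

    // The cookie lifetime is enforced by the browser, so the idle limit is also checked server side.
    // A session that has no last_seen yet (first request after login) counts as fresh.
    $idle = time() - ($_SESSION['last_seen'] ?? time());

    if (!$loggedIn || $idle > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $errorUrl);
        exit; // without exit the rest of the protected page still executes and is sent
    }

    $_SESSION['last_seen'] = time();
}

require_login('/test/permission_error.php');
// protected page content follows
```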
Joseph Witchard Posted September 8, 2008 (Author)

> OK, in order to check to see if the session variable is set or not you must first call session_start(), otherwise you will not be able to load the session variables. Hence why I said to make sure you're calling the function before the variable. What you're doing is like telling a car to run without first putting gas in it. In order to call the session variable you need to first start the session functions. Before the session functions are loaded it will not know where the session variable will be kept, not to mention it will not have gotten access to the session variables. So to better that code up I would do:
>
> session_set_cookie_params(900);
> session_start();
> if (!isset($_SESSION['var'])) {
>     // Load your error page
> } else {
>     // Load your success page
> }
>
> Also that's good that you did receive the information from the database. I wasn't really sure so that's why I brought that up.

Tried that already. I just tried it again, and it still doesn't work. It simply sends you to the error page you get when the session isn't set. Here is my current code:

<?php

// check to see if the session is set
session_start();

if (!isset($_SESSION['id']) || !isset($_SESSION['username']) || empty($_SESSION)) {
    // send them to the error page
    header("Location: http://www.uhrebirth.com/test/permission_error.php");
    exit;
} else {
    require_once("../includes/admin_logout.php");
}

?>
burn1337 Posted September 9, 2008

Then you need to set your session credentials. Try changing the directory the session is in, or the session name. Also do you have it set for cookies? Or is it set up different? You can do this:

ini_set('session.name', 'SessionName');
ini_set('session.use_cookies', '1');
session_save_path('/usr/local/apache/htdocs/sessions');
session_start();
// this would make sessions run in cookies, cookie name would be SessionName
// the session variable's files will be stored in the directory /usr/local/apache/htdocs/sessions
Joseph Witchard Posted September 9, 2008 (Author)

I'm on a shared hosting plan. Do hosts allow you to change the PHP ini settings?
burn1337 Posted September 11, 2008

If you use the code it shouldn't matter, and that could actually be why. I would check with your host, see if it is something on their systems that is blocking it.
Joseph Witchard Posted September 11, 2008 (Author)

I was able to figure it out and get it fixed. Thanks so much for the help! I really appreciate it.