I have just transferred a site across to another server.

 

The sessions were working fine for my login area on my old server, but appear to be ignored on my new one.

 

I have a form which processes checklogin.php:

 

<?php
$host="localhost"; // Host name
$username="***"; // Mysql username
$password="***"; // Mysql password
$db_name="***"; // Database name
$tbl_name="***"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$encrypted_mypassword=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$encrypted_mypassword = stripslashes($encrypted_mypassword);
$myusername = mysql_real_escape_string($myusername);
$encrypted_mypassword = mysql_real_escape_string($encrypted_mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
header("location:index.php");
}
else {
echo "Wrong Username or Password";
}
?>

 

and in each of the admin panel files I have at the top:

 

<?
session_start();
if(!session_is_registered(myusername)){
header("location:login.php");
}
?>

 

This worked absolutely fine on old server, but on the new server I can just bypass the login by typing the direct URL, and the sessions are ignored.

 

A screenshot of my phpinfo:

 

http://yfrog.com/0gpicture2hqyp

 

 

I'm running PHP Version 4.3.11 on the new server (DOESN'T WORK) and PHP Version 5.2.5 on old server (DOES WORK).

 

 

Any help much appreciated - I feel this is a server issue rather than my code, given it works on my old server fine.

Why does your 'new' server have an older version of php? The end of life and end of support for php4 was almost one and a half years ago. There is no excuse for a web host to still be using any php4 version.

 

The checklogin.php code also needs several changes -

 

1) Add a session_start(); statement as the first line after the first opening <?php tag.

2) Change session_register("myusername"); to $_SESSION['myusername'] = $myusername;

3) Add an exit; statement after the header(...); statement.

 

In the code that you are placing at the top of each page to check if the visitor is logged in -

 

1) Only use full php opening tags <?php to ensure your php code will always be seen as php code. Don't use short open tags <?

2) In the line gervans posted, use isset() to avoid generating error messages when the visitor is not logged in - if(!isset($_SESSION['myusername'])){

3) Add an exit; statement after the header(...); statement.

 

Session_register and session_is_registered were deprecated long ago (in php4.2 sometime in the year 2002) and have been completely removed in php6.

Great, thanks for the replies, definitely helped me clean up the code.

 

The problem was actually in a logout.php script being missing, therefore the session was saved rather than destroyed, allowing the person who logged in to bypass the login for a while.

 

The issue with php4 on my 'new' server: what I'm doing is moving a site from my personal hosting (php5) to a client hosting (php4). Not a lot I can do about the php version really, other than have a word and see if they can upgrade. When I said 'new' I didn't actually mean the server was any 'newer' technology wise.
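
The changes listed in the reply above, together with the logout.php that the last post found missing, combined as an added example; it is not code from the thread. The function names log_in, require_login and log_out are hypothetical, and the code assumes PHP 5.2 or later.

```php
<?php
// auth.php - added example, not the poster's code. Function names are hypothetical.

// Call from checklogin.php once the username/password check has succeeded.
function log_in($username)
{
    session_start();
    // Addition beyond the thread: issue a fresh session id at login so an id
    // handed out before authentication cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['myusername'] = $username;  // replaces session_register("myusername")
    header('Location: index.php');
    exit;                                 // nothing after the redirect may run
}

// Call at the top of every admin page, before any output is sent.
function require_login()
{
    session_start();
    if (!isset($_SESSION['myusername'])) {
        header('Location: login.php');
        exit;                             // without this the protected page still executes
    }
    return $_SESSION['myusername'];
}

// Body of logout.php: end the session on the server and in the browser.
function log_out()
{
    session_start();
    $_SESSION = array();                  // drop the login marker
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie using the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
    header('Location: login.php');
    exit;
}
```

Until log_out() runs or the session expires, require_login() keeps accepting direct URLs to admin pages from the same browser.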
