Dodgy Sessions - Please help!!

[SilverNova]

Any help here would be GREATLY appreciated!! I'm a complete noob, so be warned  :P

- I'm trying to set up a decent and secure enough log in system using sessions.

Here's the code I have:

[code]
<?php

session_start(); //start a sessions :D

$username = $_POST["username"]; //get the username from the form, as $username
$password = md5($_POST["password"]); //get the password from the form in md5

$members = mysql_connect("localhost", "***_users", "***");
    if(!$users) //error checking :D
        {
            echo "<p>Sorry! We could not log you in at this time. Please Try again later!</p>";
        }

mysql_select_db("***_users");  //select what database to use


$recieve = "SELECT * FROM users WHERE membername='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'";

echo $receive;

$query = mysql_query($recieve); //do the query

if($rows = mysql_num_rows($query)) //if the query resulted with a row, start the sessions and go to the index

{
    $_SESSION["password"] = $password; //store the users password in a sesions var
    $_SESSION["username"] = $username; //store the username in a session var
   
echo "<meta http-equiv='refresh' content='0; url=index.php' />";

}

else //if not, end incorrect sessions, and go to the index

{
    @session_destroy();
}


?>
[/code]


After logging in with the correct username and password I get:
[code]
Sorry! We could not log you in at this time. Please Try again later!

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/***/public_html/test.php on line 23
[/code]

I realised that there is no defined $rows, does this matter? I'm thinking that my SQL may be wrong?!  ???

Thanks for your help! :)

NOTE: Assume " *** " as the correct info  :D

[king arthur]

Looks like this is your problem.

[code]
$members = mysql_connect("localhost", "lov3dco_users", "PASS");
    if(!$users) //error checking :D
        {
            echo "<p>Sorry! We could not log you in at this time. Please Try again later!</p>";
        }
[/code]

You've assigned the result of the output from mysql_connect to a variable "$members" but then tested for existence of a variable called "$users", which obviously doesn't exist.

[wildteen88]

Wheres the $users variable comming from? Also this error:
[i]Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/***/public_html/test.php on line 23[/i]
Is to do with your SQL query.

[SilverNova]

Ah yeah!

The amount of times I've looked through and must have missed that  :-\

SQL query, ok. How do I get around this? If you dont mind :)

[wildteen88]

Only way to understand why your query is failing is to add an or die clause to the end of the function mysql_query, so change this:
[code]$query = mysql_query($recieve); //do the query[/code]
to this:
[code]$query = mysql_query($recieve) or die("Unable to peform query - " . mysql_error()); //do the query[/code]
When you run your code again it should now return an error from MySQL which should help you understand why your query is failing. From looking at your query I believe its do with the name of your password field - password. MySQL has reserved word/function called password. So what I recommend you to do is to add backticks (`) around the word password within you SQL Query. So your query should now be this:
[code]$recieve = "SELECT * FROM users WHERE membername='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."'";[/code]

[SilverNova]

Wow, someone that offers help - that works! :D

Now getting:

[code]
Unable to peform query - Unknown column 'membername' in 'where clause'
[/code]

Not sure where the column "membername" comes into it? It doesn't exists in my table, but "username" does..

[Buyocat]

Well if you just copied Wild's query it looks like he used membername in it, so replace it with the appropriate column.

[pixy]

^ That means you need to change the query. You're trying to select information from a column called "membername" which doesn't exist.

[code]$recieve = "SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."'";[/code]

[SilverNova]

Ok thanks for translation :) hehe

Well it works, as much as it doesn't give an error. I log in via "test.htm" and "test.php" is the script above.

Although this doesn't redirect me to "index.php"..

[code]
{
    $_SESSION["password"] = $password; //store the users password in a sesions var
    $_SESSION["username"] = $username; //store the username in a session var
   
echo "<meta http-equiv='refresh' content='0; url=index.php' />";

}
[/code]

Is this telling me that the session did not start? And if not, how do I check that it has started? :)

Many thanks guys

[wildteen88]

PHP can force a redirect with the header function:
[code]header("Location: index.php");[/code]
Make sure you have session_start(); at the top of everypage that uses sessions.

[SilverNova]

Ok, so I've changed

[code]
{
    $_SESSION["password"] = $password; //store the users password in a sesions var
    $_SESSION["username"] = $username; //store the username in a session var
   
echo "<meta http-equiv='refresh' content='0; url=index.php' />";

[/code]

to

[code]
{
    $_SESSION["password"] = $password; //store the users password in a sesions var
    $_SESSION["username"] = $username; //store the username in a session var
   
header("Location: index.php");

[/code]

but still no redirecting to the index?! ???

the files are found here: http://www.lov3d.com/test.htm

Username = test
Password = test