Jump to content

Recommended Posts

Okay I had made a php script to check if a user is valid.

I include it in every page, except the homepage,login and register ofcourse,

 

but I found out that $userid and $nationid, don't contain a value, altough I'm not redirected to the loginpage...

 

Can somebody please say what I've done wrong?

 

checkuserid.php

<?php
if(isset($_SESSION['userid'])){
$userid = $_SESSION['userid'];
if(isset($_SESSION['nationid'])){
	$nationid = $_SESSION['nationid'];
}elseif(isset($_GET['nationid'])){
	$nationid = $_GET['nationid'];
}else{
	$query = "SELECT nation_id FROM users WHERE user_id = '$userid'";
	$result = mysql_query($query);
	list($nationid) = mysql_fetch_row($result);
}
}else{
header('location:./login.php');
}
?>

Link to comment
https://forums.phpfreaks.com/topic/163890-solved-user-check-fails/
Share on other sites

What makes you positive you have no values?  I mean if you take out all of the nationid stuff you will see clearly that you should be redirected if the session userid is not set.

 

<?php
if(isset($_SESSION['userid'])){
   $userid = $_SESSION['userid'];
}else{
   header('location:./login.php');
}
?>

 

Try running this before your script to see what session variables are actually set.

 

<?php
session_start();
Print_r ($_SESSION);
?> 

should I make a function of it?

 

functions.php

<?php
function checkuserid(){
if(isset($_SESSION['userid'])){
   $userid = $_SESSION['userid'];
   if(isset($_SESSION['nationid'])){
      $nationid = $_SESSION['nationid'];
   }elseif(isset($_GET['nationid'])){
      $nationid = $_GET['nationid'];
   }else{
      $query = "SELECT nation_id FROM users WHERE user_id = '$userid'";
      $result = mysql_query($query);
      list($nationid) = mysql_fetch_row($result);
   }
}else{
   header('location:./login.php');
}
}
?>

Okay the function didn't work at all :),

 

but I saw somewhere this:

<?php

session_start();

require_once 'config.php';		// our database settings
$conn = mysql_connect($dbhost,$dbuser,$dbpass)
or die('Error connecting to mysql');
mysql_select_db($dbname);
$query = sprintf("SELECT id FROM users WHERE UPPER(username) = UPPER('%s')",
		mysql_real_escape_string($_SESSION['username']));
$result = mysql_query($query);
list($userID) = mysql_fetch_row($result);
if(!$userID) {
// not logged in!
header('Location: login.php');	

?>

 

Why would this work(and it does), but the script I made doesn't?

The script I wrote even don't have to connect to the database so its faster.

 

<?php
if(isset($_SESSION['userid'])){
$userid = $_SESSION['userid'];
$query = "SELECT nation_id FROM users WHERE user_id = '$userid'";
$result = mysql_query($query);
list($nationid) = mysql_fetch_row($result);
}else{
header('location:./login.php');
}
?>

 

I really don't get why I'm not redirected.

If I use print_r($_SESSION), I get the right userid, but if I just print $_SESSION['userid'] it contains nothing!?

Where are you setting the initial session variable? Are you sure it is being set properly, like it is not in an if statement that never gets ran?

 

Also, where are you using $userid at, that it is not working. If it is inside of a function or class, it will not work because it has not been set as global.

I checked some things and It's verry weird:

 

If I login $_SESSION['userid'] is declared, and I'm auto redirected towards Overview.php,

I printed the sessions and It gave me the right userid and nationid,  but if i go to attack.php (manually in the browser) I use the same checkuserid.php script but tje userid and nationid aren't displayed?!

What do you mean with my initial session variable?

 

Are you sure it is being set properly when the user logs in? Somewhere along the way $_SESSION['userid'] is not being set, or got corrupted some how.

 

Also, are you calling session_start before the checkuserid script somewhere? (Just figured I would verify that as well). As both sets of code, I do not see that. Which would cause you an issue if it is not.

See In the login script the folowing lines is written:

$_SESSION['userid'] = $id;
header('location:./overview.php');

 

I echo'd $userid using the checkuserid.php on the overview.php page

and I got the right userid!

 

I did the same on attack.php

but that didn't work...

 

checkuserid.php

<?php
session_start();
require_once './config.php';
if(isset($_SESSION['userid'])){
$userid = $_SESSION['userid'];
$query = "SELECT nation_id FROM users WHERE user_id = '$userid'";
$result = mysql_query($query);
list($nationid) = mysql_fetch_row($result);
}else{
header('location:./login.php');
}
?>

 

attack.php

<?php
session_start();
require_once './config.php';
require_once './checkuserid.php';
//checkuserid();
?>
<html>
<head>
	<title>ATTACK!</title>
</head>
<body>
<form action='' method='post'>
<table border='1' height='100%' width='100%'>
<tr>
	<td>
		<table border='0' height='100%' width='100%'>         <!-- Central Part -->
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<tr><td colspan='2'>Step 1: Choose Your Target <?php echo $userid . $nationid; ?></td></tr>
					</table>
				</td>
			</tr>
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<?php
							$query = "SELECT * FROM regions WHERE (in_use = 'No') And (nation_id != '$nationid')";
							$result = mysql_query($query);
							while($NYAR = mysql_fetch_array($result)){ // NYAR Not Your Active Regions
								echo "<tr><td>" . $NYAR['region_name'] . "</td><td><input type='radio' name='radioNYAR' value='" . $NYAR['region_id'] . "'></td></tr>";
							}
						?>
					</table>
				</td>
			</tr>
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<tr><td colspan='2'>Step 2: Choose Your Weapon(s)</td></tr>
					</table>
				</td>
			</tr>
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<?php
							/* CoRTable = Civilian or Ruler Table:       Civilians: user_weapons  Rulers: nation_weapons
							    CoRIdName:   Civilian: user_id  Ruler: nation_id
							    CoRId;    The Id from the user or nation
							    YW:  YourWeapons
							*/
							$query = "SELECT * FROM " . $CoRTable . " INNER JOIN weapons ON " . $CoRTable . ".weapon_id = weapons.weapon_id WHERE " . $CoRIdName . " = '" . $CoRId . "'";
							$result = mysql_query($query);
							while($YW = mysql_fetch_array($result)){
								echo "<tr><td>" . $YW['weapon_name'] . "</td><td><input type='checkbox' name='checkYW' value='" . $YW['weapon_id'] . "'></td></tr>";
							}
						?>
					</table>
				</td>
			</tr>
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<tr><td colspan='2'>Step 3: FIRE!</td></tr>
					</table>
				</td>
			</tr>
			<tr>
				<td>
					<table border='0' height='100%' width='100%'>
						<tr><td colspan='2'><input type='submit' name='submit' value='FIRE!'></td></tr>
					</table>
				</td>
			</tr>
		</table>
	</td>
</tr>
</table>
</form>
</body>
</html>

I think the problem lyes in your login page (or not calling "session_start();" )...

 

Anyway I wrote a thing for you (took some time, but hey I was boReD)...

 

This 'script' needs a database table of which has 3 columns (user_id, nation_id, password) which you should create beforehand...

 

index.php

<?php
echo "<h1>This is the homepage right?</h1>";
echo "<br/><a href='login.php'>Login</a>";
echo "<br/><a href='protected.php'>Protected Page</a>";
echo "<br/><a href='logout.php'>Logout</a>";
?>

 

mysqli_con.php (Remember to change the values)

<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "thedatabase";
?>

 

login.php

<?php
session_start();

include "mysqli_con.php";
$mysqli_con = mysqli_connect ("$dbhost","$dbuser","$dbpass","$dbname") 
                      or die;
				  
if (isset($_POST['user_id']) && isset($_POST['password']))
{$user_id = mysqli_real_escape_string($mysqli_con, strip_tags($_POST['user_id']));
   $password = mysqli_real_escape_string($mysqli_con, strip_tags($_POST['password']));

   if (is_numeric($user_id))
    {}
   else
    {die ("User_id is not a number");
}

   $sql_s_users = "SELECT * FROM users WHERE user_id='$user_id'";
   $mq_s_users = mysqli_query($mysqli_con, $sql_s_users)
   						  or die ("Query failed!");
   $users_result = mysqli_fetch_assoc($mq_s_users);
   
   if ($password == $users_result['password'])
    {$_SESSION['user_id'] = $user_id;
  $_SESSION['nation_id'] = $users_result['nation_id'];
  echo "Logged in!";
}
   else
    {echo "incorret";
}
}
?>
<?php
if (isset($_SESSION['user_id']))
{echo "Sorry your already logged in";
}
else
{echo "<h1>This is the login page right?</h1>
	    <form action='{$_SERVER['PHP_SELF']}' method='POST'>
	    Your user ID? <input type='text' name='user_id' />
	    Your password? <input type='text' name='password' />
	    <input type='submit' value='Login'/>
	    </form>";
}
?>

 

checkuserid.php

<?php
if(isset($_SESSION['user_id']))
{$user_id = $_SESSION['user_id'];

   if(isset($_SESSION['nationi_d']))
     {$nation_id = $_SESSION['nation_id'];
 }	 
}
else
{header('Location: /login.php');
}
?>

 

protected.php

<?php
session_start();
include "checkuserid.php";
print_r ($_SESSION);
echo "<br/>If you have gotten so far, it should be solved...!";
?>

 

logout.php

<?php
session_start();
include "checkuserid.php";
if (isset($user_id))
{session_destroy();
  unset ($_SESSION);
  
  echo "Logged out  ";
}
else
{echo "Your not logged in! Oi! ;O ";
}
?>

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.