jeff5656 Posted August 22, 2009

I heard that we are not supposed to use session register. So how do I change my code?

Here is the protected page:

```php
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
```

And here is the login-checking code

```php
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
$row2 = mysql_fetch_array ($result);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "displayactive.php"
session_register("myusername");
session_register("mypassword");
$_SESSION['myusername'] = $myusername;
$_SESSION['sec_level'] =$row2['sec_level'];
header("location:displayactive.php");
}
else {
echo "Wrong Username or Password";
}
?>
```

What do I change if I shouldn't use session register?

https://forums.phpfreaks.com/topic/171460-question-about-session_register/

Goldeneye Posted August 23, 2009

Remove the session_register() functions and instead just use $_SESSION['example'] = 'some value'

```php
<?php
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
$row2 = mysql_fetch_array ($result);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "displayactive.php"
$_SESSION['myusername'] = $myusername;
$_SESSION['sec_level'] =$row2['sec_level'];
header("location:displayactive.php");
}
else {
echo "Wrong Username or Password";
}
?>
```

Instead of using if(!session_is_registered(myusername)){ use if(!isset($_SESSION['myusername'])){. Like so:

```php
<?php
session_start();
if(!isset($_SESSION['myusername'])){
header("location:main_login.php");
}
?>
```

PFMaBiSmAd Posted August 23, 2009

And your header() redirect needs an exit; statement after it to prevent the remainder of the code on the page from being executed. All a hacker needs to do is ignore the redirect and he can still access your "protected" pages when there is not an exit statement after the header() redirect.

jeff5656 Posted August 23, 2009 (Author)

Ok this is weird. I have this part as you said,

```php
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
$row2 = mysql_fetch_array ($result);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "displayactive.php"
//session_register("myusername");
//session_register("mypassword");
$_SESSION['myusername'] = $myusername;
$_SESSION['sec_level'] =$row2['sec_level'];
header("location:displayactive.php");
}
else {
```

But then back to the protected page I have this:

```php
<?php
session_start();
echo "session user is".$_SESSION['myusername'];
```

and it is blank!

Goldeneye Posted August 23, 2009

There doesn't seem to be anything wrong with the code you posted. Remember that you have to start the session manually with session_start() on any page that uses $_SESSION variables. If that's already taken care of, let's see your entire script.

PFMaBiSmAd Posted August 23, 2009

Edit: Basically says the same as above ^^^

Every page that sets or uses a $_SESSION variable needs a session_start(); statement before any content is output to the browser.

session_register() automatically executed a session_start() the first time it is called.

Given that session_register(), session_is_registered(), and session_unregister() were disabled when register_globals were turned off by default in php4.2, 7 years ago, I wonder where people that are new to php programming keep coming up with code that uses features that should have disappeared many years ago.

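Added example, not part of the original thread and not any poster's code: one way to combine the two points raised above, a session_start() on every page that touches $_SESSION and an exit after every header() redirect. The file name auth.php and the function names start_session_once(), redirect(), log_in() and require_login() are hypothetical; session_regenerate_id() is an addition the thread does not discuss.

```php
<?php
// auth.php (hypothetical file name) - added example, not code from the thread.
// Include it at the very top of each script, before any output is sent.

// Start the session once per request. $_SESSION is only loaded and saved
// after session_start() has run, so every page using it must get here.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Send the redirect and stop. Without exit, PHP keeps executing the rest
// of the script and its output is still sent along with the Location header.
function redirect(string $path): void
{
    header('Location: ' . $path);
    exit;
}

// Call from the login-checking script once the credentials have matched
// (the $count == 1 branch in the thread's code).
function log_in(string $username, $secLevel): void
{
    start_session_once();
    // Issue a fresh session id at login so an id known before
    // authentication is not carried into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['myusername'] = $username;
    $_SESSION['sec_level']  = $secLevel;
    redirect('displayactive.php');
}

// Call at the top of every protected page, replacing
// session_is_registered() with an isset() check on $_SESSION.
function require_login(): void
{
    start_session_once();
    if (!isset($_SESSION['myusername'])) {
        redirect('main_login.php');
    }
}
```

A protected page would then begin with require 'auth.php'; require_login(); before it produces any output.
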
jeff5656 Posted August 23, 2009 (Author)

Thanks that worked, there was no session start in that processing page, as you guessed.

> Given that session_register(), session_is_registered(), and session_unregister() were disabled when register_globals were turned off by default in php4.2, 7 years ago, I wonder where people that are new to php programming keep coming up with code that uses features that should have disappeared many years ago.

When you search for php login in google, that tutorial that uses session_register is one of the first hits, so that's why all us newbies use it :-)

But thanks to phpfreaks I now do it the correct way