This topic is now archived and is closed to further replies.

anthonydamasco

Session issues

The problem I am having is a little complex, well to me at least.

I developed a very simple register/login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets anyone access Login_success.php without checking for a login name and a valid password. What do I have to change to fix this?


This is my login script
[code=php:0]
<?php
/* Check User Script */
session_start();  // Start Session


$conn = mysql_connect("localhost","www2","****");
$db = mysql_select_db("accu") or die( "Unable to select database");

$username="";
$password="";

// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

// Convert password to md5 hash
$password = md5($password);

$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $$key => $val ){
        $$key = stripslashes( $val );
    }
        session_register('firstname');
        $_SESSION['firstname'] = $firstname;
        session_register('lastname');
        $_SESSION['lastname'] = $lastname;
        session_register('email');
        $_SESSION['email'] = $email;
        session_register('user_level');
        $_SESSION['user_level'] = $user_level;
       
        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");
       
        header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
}

?>
[/code]


[hr]
and here is my login success script:
[code=php:0]
<?php
session_start();

echo "Welcome ". $_SESSION['firstname'] ." ". $_SESSION['lastname'] ."!
    You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables
    you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
    echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
    echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
if($_SESSION['user_level'] == 2){
    echo "- Forums<br />- Chat Room<br />- Moderator Area - Rapid response form search<br />";
}
if($_SESSION['user_level'] == 3){
    echo "- Forums<br />- Chat Room<br />- Moderator Area staff management<br />";
}
if($_SESSION['user_level'] == 4){
    echo "- Forums<br />- Chat Room<br />- Moderator Area admin tools!<br />";
}
echo "<br /><a href=logout.php>Logout</a>";

?>
[/code]

Are you testing this from the same computer that you're logging in with?  If you are, the session might be saved, and when you access the login page, it's pulling from an old session that's stored on your computer.

Also, as a side note, session_register() is deprecated.  You don't have to include that any longer to create session variables.

This part might be your issue.
[code]
<?php
$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
?>
[/code]

If I am reading it right, you continue if $login_check equals 0. Well, if it finds the login name, it will return at least 1, won't it?

Try changing it to
[code]
<?php
if($login_check > 0) {
?>
[/code]

Wouldn't it be if ($login_check==0){}

anyway? (two equals signs)

If you wanted the zero..

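Added example, not from any poster in this thread: one way to combine the fixes the replies point at (a real comparison on the lookup result, plain session assignment instead of `session_register()`) with the login check that `login_success.php` is missing. Assumptions: PDO with an in-memory SQLite table and a constructed user stand in for the thread's MySQL `staff` table, `password_hash()`/`password_verify()` are substituted for the thread's `md5()`, and the function names and `login.php` are hypothetical.

```php
<?php
// Added example, not the poster's code; database, user and function names are constructed.

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT userid, firstname, lastname, user_level, password
           FROM staff WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matched. Compare (===), do not assign (=).
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // the hash has no business in the session
    return $row;
}

// Plain array assignment replaces session_register(). On a real page call
// session_start() and session_regenerate_id(true) first, then pass $_SESSION.
function store_login(array &$session, array $user): void
{
    $session['userid']     = (int) $user['userid'];
    $session['firstname']  = $user['firstname'];
    $session['lastname']   = $user['lastname'];
    $session['user_level'] = (int) $user['user_level'];
}

// Guard for the top of login_success.php: when this returns false, send
// header('Location: login.php') (hypothetical page) and exit before any output.
function is_logged_in(array $session): bool
{
    return isset($session['userid'], $session['user_level']);
}

// Constructed demo data; $session stands in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE staff (userid INTEGER PRIMARY KEY, username, password,
           firstname, lastname, user_level INTEGER, activated INTEGER)');
$db->prepare('INSERT INTO staff VALUES (1, ?, ?, ?, ?, 2, 1)')
   ->execute(['demo', password_hash('demo-pass', PASSWORD_DEFAULT), 'Demo', 'User']);
$session = [];
var_dump(is_logged_in($session));                       // direct visit, no login
var_dump(authenticate($db, 'demo', 'wrong-pass'));      // bad password
$user = authenticate($db, 'demo', 'demo-pass');
if ($user !== null) { store_login($session, $user); }
var_dump(is_logged_in($session));
```

The guard runs on every protected page, so a direct request to `login_success.php` with an empty session is turned away no matter what the login script did.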
