
Session issues


4 replies to this topic

#1 anthonydamasco


Posted 10 August 2006 - 08:15 PM

The problem I am having is a little complex, well to me at least.

I developed a very simple register/login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets in anyone who accesses Login_success.php without checking for a login name and a valid password. What do I have to change to fix this?


This is my login script
<?php
/* Check User Script */
session_start();  // Start Session


$conn = mysql_connect("localhost","www2","****");
$db = mysql_select_db("accu") or die( "Unable to select database");

$username="";
$password="";

// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

// Convert password to md5 hash
$password = md5($password);

$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $$key => $val ){
        $$key = stripslashes( $val );
    }
        session_register('firstname');
        $_SESSION['firstname'] = $firstname;
        session_register('lastname');
        $_SESSION['lastname'] = $lastname;
        session_register('email');
        $_SESSION['email'] = $email;
        session_register('user_level');
        $_SESSION['user_level'] = $user_level;
        
        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");
        
        header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
}

?>


 
and here is my login success script:
<?php
session_start();

echo "Welcome ". $_SESSION['firstname'] ." ". $_SESSION['lastname'] ."!
    You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables
    you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
    echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
    echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
if($_SESSION['user_level'] == 2){
    echo "- Forums<br />- Chat Room<br />- Moderator Area - Rapid response form search<br />";
}
if($_SESSION['user_level'] == 3){
    echo "- Forums<br />- Chat Room<br />- Moderator Area staff management<br />";
}
if($_SESSION['user_level'] == 4){
    echo "- Forums<br />- Chat Room<br />- Moderator Area admin tools!<br />";
}
echo "<br /><a href=logout.php>Logout</a>";

?>


#2 mewhocorrupts


Posted 10 August 2006 - 08:45 PM

Are you testing this from the same computer that you're logging in with?  If you are, the session might be saved, and when you access the login page, it's pulling from an old session that's stored on your computer.

Also, as a side note, session_register() is deprecated.  You don't have to include that any longer to create session variables.
-mewhocorrupts

#3 anthonydamasco


Posted 10 August 2006 - 08:50 PM

I just tried to go to "login_success.php" from another PC and it goes right through.

#4 SharkBait


Posted 10 August 2006 - 08:57 PM

This part might be your issue.
<?php
$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
?>

If I am reading it right, you continue if $login_check equals 0. Well, if it finds the login name, it will return at least 1, won't it?

Try changing it to
<?php 
if($login_check > 0) {
?>


#5 yyboo


Posted 24 August 2006 - 06:58 PM

Wouldn't it be if ($login_check==0){}

anyway? (two equals signs)

if you wanted the zero..
-----------------------------
www.mommatown.com
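
An added example, not part of any post in this thread: one way to write the login check and the login_success.php guard so that a direct visit without a login is refused. It swaps the thread's mysql_* calls and md5() for PDO bound parameters and password_hash()/password_verify(); the in-memory SQLite table, the sample user and the function names attempt_login and is_logged_in are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not the poster's code. Table and column names follow the thread;
// PDO, password_hash() and the in-memory SQLite table are assumptions for the demo.

function attempt_login(PDO $db, array &$session, string $username, string $password): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT userid, firstname, lastname, user_level, password
           FROM staff WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A comparison, not an assignment: continue only if a row matched and the hash verifies.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) here before storing anything.
    $session['userid']     = $row['userid'];
    $session['firstname']  = $row['firstname'];
    $session['lastname']   = $row['lastname'];
    $session['user_level'] = (int) $row['user_level'];
    return true;
}

// Guard for the top of login_success.php: a page is protected only if it checks the session itself.
function is_logged_in(array $session): bool
{
    return isset($session['userid'], $session['user_level']);
}

// Constructed sample data so the example runs from the CLI without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (userid INTEGER PRIMARY KEY, username TEXT, password TEXT,
           firstname TEXT, lastname TEXT, user_level INTEGER, activated INTEGER)');
$db->prepare('INSERT INTO staff VALUES (1, ?, ?, ?, ?, 2, 1)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice', 'Example']);

$session = [];  // stands in for $_SESSION after session_start()
var_dump(is_logged_in($session));                                 // direct visit, no login yet
var_dump(attempt_login($db, $session, 'alice', 'wrong'));         // wrong password
var_dump(attempt_login($db, $session, "o'brien", 'anything'));    // quote in the name is bound as data
var_dump(attempt_login($db, $session, 'alice', 'correct horse')); // valid login
var_dump(is_logged_in($session));                                 // guard after a valid login
```

In login_success.php the guard goes directly after session_start(): when is_logged_in($_SESSION) is false, send a Location header back to the login form and call exit before any output.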



