Session issues


anthonydamasco

The problem I am having is a little complex, well to me at least.

I developed a very simple register/login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets anyone access Login_success.php without checking for a login name and a valid password. What do I have to change to fix this?


This is my login script
[code=php:0]
<?php
/* Check User Script */
session_start();  // Start Session


$conn = mysql_connect("localhost","www2","****");
$db = mysql_select_db("accu") or die( "Unable to select database");

$username="";
$password="";

// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

// Convert password to md5 hash
$password = md5($password);

$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $$key => $val ){
        $$key = stripslashes( $val );
    }
        session_register('firstname');
        $_SESSION['firstname'] = $firstname;
        session_register('lastname');
        $_SESSION['lastname'] = $lastname;
        session_register('email');
        $_SESSION['email'] = $email;
        session_register('user_level');
        $_SESSION['user_level'] = $user_level;
       
        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");
       
        header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
}

?>
[/code]


[hr]
And here is my login success script:
[code=php:0]
<?php
session_start();

echo "Welcome ". $_SESSION['firstname'] ." ". $_SESSION['lastname'] ."!
    You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables
    you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
    echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
    echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
if($_SESSION['user_level'] == 2){
    echo "- Forums<br />- Chat Room<br />- Moderator Area - Rapid response form search<br />";
}
if($_SESSION['user_level'] == 3){
    echo "- Forums<br />- Chat Room<br />- Moderator Area staff management<br />";
}
if($_SESSION['user_level'] == 4){
    echo "- Forums<br />- Chat Room<br />- Moderator Area admin tools!<br />";
}
echo "<br /><a href=logout.php>Logout</a>";

?>
[/code]

Are you testing this from the same computer that you're logging in with?  If you are, the session might be saved, and when you access the login page, it's pulling from an old session that's stored on your computer.

Also, as a side note, session_register() is deprecated.  You don't have to include that any longer to create session variables.

This part might be your issue.
[code]
<?php
$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
?>
[/code]

If I am reading it right... you continue if $login_check equals 0.  Well, if it finds the login name, it will return at least 1, won't it?

Try changing it to
[code]
<?php
if($login_check > 0) {
?>
[/code]
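
The two checks this thread is about, as an added example that is not code from any of the posts: a login check that compares rather than assigns, and a guard that login_success.php can call before printing anything. It uses PDO in place of the mysql_* functions (removed in PHP 7) and password_hash()/password_verify() in place of md5(); the `password_hash` column, the function names, and the in-memory SQLite data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

/** Return the staff row for valid credentials, or null on any failure. */
function check_login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username is never pasted into the SQL text.
    $stmt = $db->prepare(
        'SELECT userid, firstname, lastname, user_level, password_hash
           FROM staff WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Comparison, not assignment: reject unless a row exists and the hash matches.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // never keep the hash in the session
    return $row;
}

/** Guard for the top of login_success.php: true only after a successful login. */
function is_logged_in(array $session): bool
{
    return isset($session['userid'], $session['user_level']);
}

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (userid INTEGER PRIMARY KEY, username TEXT,
    password_hash TEXT, firstname TEXT, lastname TEXT, user_level INTEGER, activated INTEGER)');
$add = $db->prepare('INSERT INTO staff VALUES (?, ?, ?, ?, ?, ?, ?)');
$add->execute([1, 'alice', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Alice', 'Example', 2, 1]);
$add->execute([2, 'bob', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Bob', 'Example', 0, 0]);

$session = [];   // stands in for $_SESSION so the demo runs from the command line
printf("before login: logged in = %s\n", var_export(is_logged_in($session), true));

$attempts = [['alice', 'wrong'], ['bob', 's3cret-demo'], ['nobody', 'x'], ['alice', 's3cret-demo']];
foreach ($attempts as [$user, $pass]) {
    $row = check_login($db, $user, $pass);
    if ($row !== null) {
        // In login.php: call session_regenerate_id(true), then fill $_SESSION and redirect.
        $session = $row;
    }
    printf("%-7s / %-12s => %s\n", $user, $pass, $row === null ? 'rejected' : 'accepted');
}
printf("after login: logged in = %s\n", var_export(is_logged_in($session), true));
```

In login_success.php the guard belongs directly after session_start(): when is_logged_in($_SESSION) is false, redirect to the login page and exit before any output is sent.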