tecmeister Posted August 30, 2009

Hi guys, I'm having a problem with setting a $_SESSION for login. The script worked at first, but for some reason it stopped working. I thought it was because of the ob_start() I entered, so I removed it and fixed the header() problem I had. But I was still having the same problem. This is the script where I set the $_SESSION:

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
    require_once("include/class.php");
    $database->dbConnect();

    //------------Collect $_POST---------\\
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    //-------------disable account ----------------\\
    $sql = "SELECT * FROM disable";
    $result = $database->query($sql);
    $row = mysql_fetch_array($result);
    if(($user == $row['user']) && ($row['disabled'] != 0)){
        header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']);
    }

    //-------------Connect to personal ----------------\\
    $sql = "SELECT * FROM personal WHERE user='$user'";
    $result = $database->query($sql);
    $row = mysql_fetch_array($result);

    //-----------------------Log in Empty---------------------------\\
    if((empty($user) && empty($pass))){
        header("location: http://www.aerialfusion.co.uk/index.php?signin=formEmpty");
    }

    //-----------------------Password Error---------------------------\\
    if(($user == $row['user']) && ($pass != $row['pass'])){
        header("location: http://www.aerialfusion.co.uk/index.php?signin=passwordError");
    }

    //-----------------------Password Empty---------------------------\\
    if((!empty($user)) && (empty($pass))){
        header("location: http://www.aerialfusion.co.uk/index.php?signin=passwordEmpty");
    }

    //-----------------------Not Activated---------------------------\\
    if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] != 1)){
        header("location: http://www.aerialfusion.co.uk/index.php?signin=notActivated");
    }

    //-----------------------SESSION Log In---------------------------\\
    // (this block was highlighted in red in the original post)
    if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1)){
        $_SESSION['user'] = $row['user'];
        header("location: http://members.aerialfusion.co.uk/index.php?session=".$_SESSION['user']);
    }

    //-----------------------COOKIE Log In---------------------------\\
    if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
        setcookie("user",$row['user'],time()+31536000,"/","aerialfusion.co.uk");
        header("location: http://members.aerialfusion.co.uk/index.php?user=".$row['user']);
    }
}else{
    header("location: http://www.aerialfusion.co.uk/index.php");
}
?>

Thanks for your help, tecmeister.
RussellReal Posted August 30, 2009

idk about your problem but like.. I see two ISSUES right here

$sql = "SELECT * FROM disable";
$result = $database->query($sql);
$row = mysql_fetch_array($result);
if(($user == $row['user']) && ($row['disabled'] != 0)){
    header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']);
}

the query will pull ALL results from the database.. THEN pull the first result from the resultset then the if statement will check if the user is the FIRST result in the table.. which is not very secure if you disabled an account and he is the SECOND result.. you should use a WHERE clause in the query..

SELECT * FROM disable WHERE user = '$user'

the SECOND issue there is..

header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']);

the Location header needs a valid url.. ........ is not a valid url.. and your whole determination process is redundant.. you should do something like this:

<?php
$s = "SELECT * FROM personal WHERE user = '{$user}' AND password = '{$pass}'";
$r = $database->query($s);
if ($z = mysql_fetch_assoc($r)) {
    // if user and password were correct..
    if (!$z['active']) {
        // if user is not active
    } else {
        // log the user in..
    }
} else {
    if ((!strlen($user)) || (!strlen($pass))) {
        // form was not filled out fully
    } else {
        // invalid username and password
    }
}
?>
tecmeister (Author) Posted September 6, 2009

Hi RussellReal, How do I know what a valid URL is? Could you please tell me what I have entered wrong with the URL. Thanks, tecmeister.
RussellReal Posted September 6, 2009

my bad.. I was trying to but it evaluated the bbcode lmao [url]....[/url] is not a valid url
BloodyMind Posted September 6, 2009

I agree with Russell: use fetch_assoc() and use a WHERE clause, because imagine this query on a million users....that would take a lot of server overhead. I'd recommend that you use session_start() if you didn't already. Also try to use any encryption function for passwords, i.e. md5() or sha1(). Validate both inputs, whether they are filled in or not, using e.g.:

// empty() only accepts a variable, not a function call, so compare trim()'s result instead
if (trim($user) === '' || empty($pass)){
    echo "please fill in your login and password";
}

I'd recommend also not to inform the user which of the fields is incorrect, for security reasons. Tell him invalid user/password. Hope that helped
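Putting Russell's and BloodyMind's suggestions together as one login handler (an added example for this thread, not code from any of the posters): one query filtered by user, both fields validated before the database is touched, one generic failure response for "no such user" and "wrong password", session_start() before anything is written to $_SESSION, and exit after every header() so a later header() call cannot replace the redirect. It uses mysqli prepared statements and password_hash()/password_verify() (PHP 5.5+, so newer than this thread) instead of comparing the unhashed `pass` column or using md5(). The `personal` table and its `user`, `pass` and `active` columns come from the thread; the $db connection object, the `?signin=invalid` query parameter and the assumption that `pass` now stores a password_hash() digest are mine.

```php
<?php
// Added example for this thread, not code from any poster. Assumes $db is an
// open mysqli connection and that personal.pass holds a password_hash() digest.
session_start();

// A throwaway hash so an unknown username still costs one password_verify()
// call, keeping "no such user" and "wrong password" similar in timing.
// (Constructed per request for simplicity; any valid password_hash() output works.)
$dummyHash = password_hash('unused-placeholder', PASSWORD_DEFAULT);

function redirect_and_exit($url) {
    header('Location: ' . $url);
    exit; // without exit the script keeps running and a later header() would override this one
}

$user = isset($_POST['user']) ? trim($_POST['user']) : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

// Validate both fields first; the message is the same whichever one is missing.
if ($user === '' || $pass === '') {
    redirect_and_exit('http://www.aerialfusion.co.uk/index.php?signin=formEmpty');
}

// One query, filtered by user, as a prepared statement so the submitted
// username is passed as data and cannot change the SQL.
$stmt = $db->prepare('SELECT user, pass, active FROM personal WHERE user = ? LIMIT 1');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($dbUser, $dbHash, $active);
$found = $stmt->fetch();   // true when a row was returned
$stmt->close();

// Unknown user and wrong password take the same branch, so the response does
// not tell the client which of the two fields was wrong.
$ok = password_verify($pass, $found ? $dbHash : $dummyHash) && $found;
if (!$ok) {
    redirect_and_exit('http://www.aerialfusion.co.uk/index.php?signin=invalid');
}

if ((int)$active !== 1) {
    redirect_and_exit('http://www.aerialfusion.co.uk/index.php?signin=notActivated');
}

// Successful login: issue a fresh session id so an id handed to the browser
// before login is not carried over, then record the user in the session.
session_regenerate_id(true);
$_SESSION['user'] = $dbUser;
redirect_and_exit('http://members.aerialfusion.co.uk/index.php');
```

When the `pass` column still holds plain passwords, the existing rows have to be rehashed once (e.g. on each user's next successful login) before password_verify() can replace the plain comparison; until then the handler above would reject everyone.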
tecmeister (Author) Posted September 7, 2009

I have put start_session() at the beginning of the page and I'm still getting the same problem. I put exit{}; after setting the $_SESSION['user'] = $user, and it is still not setting. This is the code of the page:

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
    require_once("include/class.php");
    $database->dbConnect();

    //------------Collect $_POST---------\\
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    //-------------disable account ----------------\\
    $sql1 = "SELECT * FROM disable WHERE user='$user'";
    $result1 = $database->query($sql1);
    $row1 = mysql_fetch_assoc($result1);

    //-------------Connect to personal ----------------\\
    $sql = "SELECT * FROM personal WHERE user='$user'";
    $result = $database->query($sql);
    $row = mysql_fetch_assoc($result);

    //-----------------------Log in Empty---------------------------\\
    if((empty($user) && empty($pass))){
        header("location: http://aerialfusion.co.uk/index.php?signin=formEmpty");
    }

    //-----------------------Password Error---------------------------\\
    if($user == $row['user'] && $pass != $row['pass']){
        //-------------------Disable User--------------------------\\
        if($row1['disable_no'] > 0){
            $sub = $row1['disable_no'] -1;
            $sql2 = "UPDATE disable SET disable_no='$sub' WHERE user='$user'";
            $result2 = $database->query($sql2);
        }
        //---------------Sending mail---------------------------\\
        if(($row1['disable_no'] == 1) && ($row1['disabled'] == 0)){
            $hacker = $_SERVER['REMOTE_ADDR'];
            $random = md5(uniqid(rand(),true));
            // WHERE clause added: without it every row in `disable` would be marked disabled
            $sql3 = "UPDATE disable SET disabled='$random', hacker_ip='$hacker' WHERE user='$user'";
            $result3 = $database->query($sql3);
            //--------------Sending a Email---------------------\\
            $to = $row['email'];
            $subject = "Account Has Been Disabled";
            $message = "Dear ".$row['user'].",\n\n";
            // date format 'i' is minutes; 'm' would print the month
            $message .= "Your account was disabled on ".date('d/m/Y')." at ".date('H:i:s a').".\n";
            $message .= "The IP address of the person who entered your password wrong three times was ".$hacker."\n";
            $message .= "To re-activate your account, please click on the link below.\n";
            $message .= "_______________________________________________________________\n\n";
            $message .= "http://www.aerialfusion.co.uk/index.php?reactivate_account=".$random."&id=".$row1['id']."\n\n";
            $message .= "Kind Regards,\n\n";
            $message .= "Johnny McCaffery,\n";
            $message .= "Founder of Aerial Fusion";
            $header = "MIME-Version: 1.0\n";
            $header .= "From: donotreplay@aerialfusion.co.uk";
            mail($to,$subject,$message,$header);
            header("Location: http://aerialfusion.co.uk/index.php?account_disabled_by=".$_SERVER['REMOTE_ADDR']);
        }
        //--------------------Attempts left-----------------------------------\\
        if($row1['disable_no'] > 1){
            header("Location: http://aerialfusion.co.uk/index.php?signin=passwordWrong&attemps=".$sub);
        }
        //--------------------Account Disabled----------------------\\
        if(($row1['disable_no'] == 1) && ($row1['disabled'] != 0)){
            header("Location: http://aerialfusion.co.uk/index.php?already_disabled=".$row1['id']);
        }
    }

    //-----------------------Password Empty---------------------------\\
    if((!empty($user)) && (empty($pass))){
        header("location: http://aerialfusion.co.uk/index.php?signin=passwordEmpty");
    }

    //-----------------------Not Activated---------------------------\\
    if($row['active'] != 1){
        header("location: http://aerialfusion.co.uk/index.php?signin=notActivated");
    }

    //----------------Username not used----------------\\
    if($user != $row['user']){
        header("Location: http://aerialfusion.co.uk/index.php?signin=user&username=".$user);
    }

    //-----------------------SESSION Log In---------------------------\\
    // note: this block sets a "user" cookie; $_SESSION['user'] is not assigned anywhere in this listing
    if(($pass == $row['pass']) && ($row['active'] == 1)){
        setcookie("user",$row['user'],time()+60*20,"/","aerialfusion.co.uk");
        header("location: http://members.aerialfusion.co.uk");
    }

    //-----------------------COOKIE Log In---------------------------\\
    if(($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
        setcookie("user",$row['user'],time()+31536000*10,"/","aerialfusion.co.uk");
        header("location: http://members.aerialfusion.co.uk/index.php?user=".$row['user']);
    }
}else{
    header("location: http://www.aerialfusion.co.uk/index.php");
}
?>

You have also said something about the headers not being valid URLs. Please could you show me a valid URL?

Thanks, tecmeister.
grissom Posted September 7, 2009

Instead of start_session(); try session_start();
tecmeister (Author) Posted September 8, 2009

That was just a typo on here, I did put session_start(). I have tried to start the session on every page but nothing is happening. I have checked in the browser's cookies and all that is there is PHPSESSID. Have I disabled the session (if that is possible)? Please will someone be able to help me with this problem. Thanks, tecmeister.
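One thing the URLs in both listings point at: the form is handled on aerialfusion.co.uk / www.aerialfusion.co.uk and the successful-login redirect goes to members.aerialfusion.co.uk. Unless told otherwise, PHP sends its PHPSESSID cookie with no Domain attribute, so the browser returns it only to the exact host that set it; a session started on one host is simply empty on the other, which fits seeing a PHPSESSID cookie while $_SESSION stays unset. Separately, the "SESSION Log In" block in the second listing calls setcookie() and never assigns $_SESSION['user']. The bootstrap below is an added example, not code from the thread: it scopes the session cookie to the whole domain and includes a round-trip self-check to run on both hosts. The `.aerialfusion.co.uk` cookie domain is an assumption taken from the thread's URLs, and the `probe` session key and function names are mine.

```php
<?php
// Added example, not from the thread. Include this before any output on every
// page of both www.aerialfusion.co.uk and members.aerialfusion.co.uk.
// Cookie parameters must be set BEFORE session_start(), and identically on every page.

// Leading dot: the browser sends the cookie to every subdomain (assumed from the thread's URLs).
$cookieDomain = '.aerialfusion.co.uk';

// lifetime 0 = cookie lives until the browser closes; secure = false because the
// thread's URLs are plain http; httponly = true keeps page scripts from reading the id.
session_set_cookie_params(0, '/', $cookieDomain, false, true);
session_start();

// Diagnostic: call it on the page that logs in and again on the page it redirects
// to. The first call stores a marker; after the redirect the second call should
// report cookie_sent = true and marker_seen naming the first host. If cookie_sent
// is false on the second host, the cookie scope (domain/path) is the problem.
function session_self_check() {
    $seen = isset($_SESSION['probe']) ? $_SESSION['probe'] : null;
    $_SESSION['probe'] = 'set on ' . $_SERVER['HTTP_HOST'] . ' at ' . date('H:i:s');
    return array(
        'session_id'  => session_id(),
        'cookie_sent' => isset($_COOKIE[session_name()]),
        'marker_seen' => $seen,
    );
}

// Read the logged-in user from the server-side session (null when not logged in)
// rather than from a plain "user" cookie or a ?user= parameter, both of which
// the client can set to any name it likes.
function current_user() {
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

// Example use on a page: print_r(session_self_check()); or $who = current_user();
```

If the login page and the members pages are served by different PHP installations, session.save_path also has to point at storage both can reach, otherwise the shared cookie will be accepted but the session data will not be found.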