Jump to content

Recommended Posts

Hi guys,

 

I'm having a problem with setting a $_SESSION for login.  The script worked at first, but for some reason it stopped working.  I thought it was because of the ob_start() I entered.  so I removed it and fixed the header() problem I had.  But I was still having the same problem.

 

This is the script where I set the $_SESSION:

 

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
   require_once("include/class.php");
   $database->dbConnect();
   //------------Collect $_POST---------\\
   $user = $_POST['user'];
   $pass = $_POST['pass'];
   
   //-------------disable account ----------------\\
   $sql = "SELECT * FROM disable";
   $result = $database->query($sql);
   $row = mysql_fetch_array($result);
   
   if(($user == $row['user']) && ($row['disabled'] != 0)){
      header("Location: [url]http://members.aerialfusion.co.uk/index.php?disabled=[/url]".$user."&by=".$_SERVER['REMOTE_ADDR']);   
   }
   //-------------Connect to personal ----------------\\
   $sql = "SELECT * FROM personal WHERE user='$user'";
   $result = $database->query($sql);
   $row = mysql_fetch_array($result);
   //-----------------------Log in Empty---------------------------\\
   if((empty($user) && empty($pass))){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=formEmpty[/url]");
   }
   //-----------------------Password Error---------------------------\\
   if(($user == $row['user']) && ($pass != $row['pass'])){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=passwordError[/url]");
   }
   //-----------------------Password Empty---------------------------\\
   if((!empty($user)) && (empty($pass))){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=passwordEmpty[/url]");
   }
   //-----------------------Not Activated---------------------------\\
   if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] != 1)){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=notActivated[/url]");   
   }
   //-----------------------SESSION Log In---------------------------\\
  [color=#ff0000] if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1)){
      $_SESSION['user'] = $row['user'];
      header("location: [/color][url=http://members.aerialfusion.co.uk/index.php?session=][color=#ff0000]http://members.aerialfusion.co.uk/index.php?session=[/color][/url][color=#ff0000]".$_SESSION['user']);
   }[/color]
   //-----------------------COOKIE Log In---------------------------\\
   if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
      setcookie("user",$row['user'],time()+31536000,"/","aerialfusion.co.uk");   
      header("location: [url]http://members.aerialfusion.co.uk/index.php?user=[/url]".$row['user']);
   }
}else{
   header("location: [url]http://www.aerialfusion.co.uk/index.php[/url]");   
}
?>

 

Thanks for your help,

 

tecmeister.

Link to comment
https://forums.phpfreaks.com/topic/172490-_session-problem/
Share on other sites

idk about your problem but like.. I see two ISSUES right here

 

  $sql = "SELECT * FROM disable";

  $result = $database->query($sql);

  $row = mysql_fetch_array($result);

 

  if(($user == $row['user']) && ($row['disabled'] != 0)){

      header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']); 

  }

 

the query will pull ALL results from the database.. THEN pull the first result from the resultset then the if statement will check if the user is the FIRST result in the table.. which is not very secure if you disabled an account and he is the SECOND result.. you should use a WHERE clause in the query..

 

SELECT * FROM disable WHERE user = '$user'

 

the SECOND issue there is..  header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']);

 

the Location header needs a valid url.. ........ is not a valid url..

 

and your whole detirmination process is redundant.. you should do something like this:

 

<?php
$s = "SELECT * FROM personal WHERE user = '{$user}' AND password = '{$pass}'";
$r = $database->query($s);
if ($z = mysql_fetch_assoc($r)) {
	// if user and password were correct..
	if (!$z['active']) {
		// if user is not active
	} else {
		// log the user in..
	}
} else {
	if ((!strlen($user)) || (!$strlen($pass))) {
		// form was not filled out fully
	} else {
		// invalid username and password
	}
}
?>

Link to comment
https://forums.phpfreaks.com/topic/172490-_session-problem/#findComment-909360
Share on other sites

I agree with russel:

use fetch_assoc() and use WHERE clause because imagine this query on a million user....that would take alot of server overhead

 

I'd recommend that you use session_start() if you didn't already

 

also try to use any encryption function for passwords i.e. md5() or sha1()

 

Validate both inputs if its filled in or not using

e.g:

if (empty(trim($user)) || empty($pass)){

echo "please fill in your login and password";

}

 

I'd recommend also not to inform the user which of the fields is incorrect for security reasons. tell him invalid user/password

 

hope that helped

 

Link to comment
https://forums.phpfreaks.com/topic/172490-_session-problem/#findComment-913472
Share on other sites

I have put start_session() at the beginning of the page and I'm still getting the same problem.

I put exit{}; after setting the $_SESSION['user'] = $user, and it is still not setting.

This is the code of the page:

 

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
require_once("include/class.php");
$database->dbConnect();
//------------Collect $_POST---------\\
$user = $_POST['user'];
$pass = $_POST['pass'];
//-------------disable account ----------------\\
$sql1 = "SELECT * FROM disable WHERE user='$user'";
$result1 = $database->query($sql1);
$row1 = mysql_fetch_assoc($result1);
//-------------Connect to personal ----------------\\
$sql = "SELECT * FROM personal WHERE user='$user'";
$result = $database->query($sql);
$row = mysql_fetch_assoc($result);
//-----------------------Log in Empty---------------------------\\
if((empty($user) && empty($pass))){
	header("location: http://aerialfusion.co.uk/index.php?signin=formEmpty");
}
//-----------------------Password Error---------------------------\\
if($user == $row['user'] && $pass != $row['pass']){
	//-------------------Disable User--------------------------\\
	if($row1['disable_no'] > 0){
		$sub = $row1['disable_no'] -1;
		$sql2 = "UPDATE disable SET disable_no='$sub' WHERE user='$user'";
		$result2 = $database->query($sql2);
	}
	//---------------Sending mail---------------------------\\
	if(($row1['disable_no'] == 1) && ($row1['disabled'] == 0)){
			$hacker = $_SERVER['REMOTE_ADDR'];
			$random = md5(uniqid(rand(),true));
			$sql3 = "UPDATE disable SET disabled='$random', hacker_ip='$hacker'";
			$result3 = $database->query($sql3);
			//--------------Sending a Email---------------------\\
			$to = $row['email'];
			$subject = "Account Has Been Disabled";
			$message = "Dear ".$row['user'].",\n\n";
			$message .= "You account was disabled on ".date('d/m/Y')." at ".date('H:m:s a').".\n";
			$message .= "The persons IP address that entered you password wrong three times were ".$hacker."\n";
			$message .= "To re-activate your acount, please click on the link below.\n";
			$message .= "_______________________________________________________________\n\n";
			$message .= "http://www.aerialfusion.co.uk/index.php?reactivate_account=".$random."&id=".$row1['id']."\n\n";
			$message .= "Kind Reagrds,\n\n";
			$message .= "Johnny McCaffery,\n";
			$message .= "Founder of Aerial Fusion";
			$header = "MIME-Version: 1.0\n";
			$header .= "From: donotreplay@aerialfusion.co.uk";
			mail($to,$subject,$message,$header);
			header("Location: http://aerialfusion.co.uk/index.php?account_disabled_by=".$_SERVER['REMOTE_ADDR']);	
	}
	//--------------------Attemps left-----------------------------------\\
	if($row1['disable_no'] > 1){
			header("Location: http://aerialfusion.co.uk/index.php?signin=passwordWrong&attemps=".$sub);
		}
	//--------------------Account Disabled----------------------\\
	if(($row1['disable_no'] == 1) && ($row1['disabled'] != 0)){
		header("Location: http://aerialfusion.co.uk/index.php?already_disabled=".$row1['id']);
	}
}
//-----------------------Password Empty---------------------------\\
if((!empty($user)) && (empty($pass))){
	header("location: http://aerialfusion.co.uk/index.php?signin=passwordEmpty");
}
//-----------------------Not Activated---------------------------\\
if($row['active'] != 1){
	header("location: http://aerialfusion.co.uk/index.php?signin=notActivated");	
}
//----------------Username not used----------------\\
if($user != $row['user']){
	header("Location: http://aerialfusion.co.uk/index.php?signin=user&username=".$user);
}
//-----------------------SESSION Log In---------------------------\\
if(($pass == $row['pass']) && ($row['active'] == 1)){
	setcookie("user",$row['user'],time()+60*20,"/","aerialfusion.co.uk");
	header("location: http://members.aerialfusion.co.uk");
}
//-----------------------COOKIE Log In---------------------------\\
if(($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
	setcookie("user",$row['user'],time()+31536000*10,"/","aerialfusion.co.uk");	
	header("location: http://members.aerialfusion.co.uk/index.php?user=".$row['user']);
}
}else{
header("location: http://www.aerialfusion.co.uk/index.php");	
}
?>

 

You have also said something about the headers not being valid URL.  Please could you show me a valid URL

 

Thanks,

 

tecmeister.

Link to comment
https://forums.phpfreaks.com/topic/172490-_session-problem/#findComment-914282
Share on other sites

That was just a typo on here, I did put session_start().

I have tried to start the session on every page but nothing is happening.  I have checked in the browsers cookies and all that is happening it PHPSESSID.

 

Have I disabled the session (If that is possible).  Please will some one be able to help me with this problem.

 

Thanks,

 

tecmeister.

Link to comment
https://forums.phpfreaks.com/topic/172490-_session-problem/#findComment-914533
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.