anthonydamasco Posted August 11, 2006

The problem I am having is a little complex, well to me at least. I developed a very simple register/login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets in anyone who accesses Login_success.php without checking for a login name and a valid password. Now I read a lot about sessions, so I think I'm having trouble setting session variables, but I'm not sure what to do, and on top of that, my md5 hash is messing up!

This is my login script "log.php"

[code=php:0]
<?php
/* Check User Script */
session_start();  // Start Session
error_reporting(E_ALL);
ini_set('display_errors','on');
// connect to database
$conn = mysql_connect("localhost","www2","accuoffice");
//select the database
$db = mysql_select_db("accu") or die( "Unable to select database");
$username="";
$password="";
$username = $_POST['username'];
=>if (isset($_POST['username'])){
    $username = $_POST['username'];
}else{
    die ('You did not provided a username !!');
// Convert to simple variables
$password = $_POST['password'];
// Convert password to md5 hash
$password = md5($password);
$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();
if($login_check == 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $key => $val ){
            $row[$key] = stripslashes( $val );
        }
    }
    // Register some session variables!
    session_register('firstname');
    $_SESSION['firstname'] = $firstname;
    session_register('lastname');
    $_SESSION['lastname'] = $lastname;
    session_register('email');
    $_SESSION['email'] = $email;
    session_register('special_user');
    $_SESSION['user_level'] = $user_level;
    mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");
    header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! 
Either the username and password do not match or you have not validated your membership!<br /> Please try again!<br />";
}
?>
[/code]
wildteen88 Posted August 11, 2006

Have a try of this:

[code=php:0]
<?php
error_reporting(E_ALL);
ini_set('display_errors','on');

// before we do anything we first check that we have the username and password vars:
if(isset($_POST['username']) && isset($_POST['password']))
{
    // now we attempt to log the user in

    // connect to MySQL
    $conn = mysql_connect("localhost" ,"www2", "accuoffice");

    //select the database
    $db = mysql_select_db("accu") or die("Unable to select database");

    // prepare our username and password vars
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5($_POST['password']);

    $sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";

    $result = mysql_query($sql);

    // check that only 1 result was returned
    if(mysql_num_rows($result) == 1)
    {
        // now that we know the user has successfully logged in we'll start the session
        session_start();

        // mysql_fetch_assoc returns an associative array.
        // Check out php.net/mysql-fetch-assoc for more info on this function
        $user = mysql_fetch_assoc($result);

        // we'll use a foreach loop to create our session variables automatically!
        foreach($user as $key => $value)
        {
            // $key is the key used in the $user array
            // $value is the value of the key.
            // for example $user holds an array. The first item in that array will be $user['firstname']
            // this holds the firstname of the user
            // notice in the square brackets there is the word firstname in quotes. This is called the array key ($key)
            // This key holds the users firstname ($value).
            // This is basically what this section of code is doing.
            $_SESSION[$key] = $value;
        }

        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$user[userid]'");

        header("Location: login_success.php");
    }
    else
    {
        echo "Logging was unsuccessful. Please try again";
    }

    mysql_close();
}
else
{
    echo "PLease ensure you have filled in the username and password fields";
}
?>
[/code]

This should be what you are looking for. Have a read of the comments (orange text) if you are unsure what's happening.
anthonydamasco Posted August 11, 2006

Everything seems to work, but this is the error that I get when using your script:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /usr/home/www2/web/log.php on line 25

LINE 25

[code=php:0]
if(mysql_num_rows($result) == 1)
[/code]
corbin Posted August 11, 2006

It depends on a dynamic SQL query, right? Which means sometimes result is gonna be empty... Or I could be wrong and it just needs to be if(mysql_num_rows($result) == "1") lol....... If that doesn't work I would just use if(@mysql_num_rows($result) == 1)
wildteen88 Posted August 11, 2006

Oops, I didn't fix your SQL query. Use this as the query:

[code=php:0]
$sql = "SELECT * FROM staff WHERE `username`='$username' AND `password`='$password' AND activated='1'";
[/code]
anthonydamasco Posted August 11, 2006

worx gr8!!!!!!!!!!!!!!!!!!!!1 thank you, you cleared a lot up for me!
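Added example (not part of the thread and not the posters' code): the same login flow with a parameterised query, `password_hash()`/`password_verify()` in place of `md5()`, a regenerated session id, and the check `login_success.php` needs so that it cannot be opened without logging in. It uses PDO because the `mysql_*` functions were removed in PHP 7.0; the in-memory SQLite table, the sample user and the function names `attempt_login()` and `is_logged_in()` are assumptions made so the block runs on its own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO (pdo_sqlite) and
// that staff.password stores password_hash() output instead of the thread's md5().
function attempt_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT userid, firstname, user_level, password
           FROM staff WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session id once authenticated
    }
    unset($user['password']);          // keep the hash out of the session
    $_SESSION['user'] = $user;
    $pdo->prepare('UPDATE staff SET last_login = CURRENT_TIMESTAMP WHERE userid = ?')
        ->execute([$user['userid']]);
    return true;
}

// The check login_success.php has to make before it outputs anything.
function is_logged_in(): bool
{
    return !empty($_SESSION['user']['userid']);
}

// Constructed demo data: an in-memory SQLite table stands in for the MySQL
// "staff" table so the example runs on its own.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,  // a malformed query throws
]);
$pdo->exec('CREATE TABLE staff (userid INTEGER PRIMARY KEY, username TEXT,
    password TEXT, firstname TEXT, user_level INTEGER, activated INTEGER, last_login TEXT)');
$pdo->prepare('INSERT INTO staff (username, password, firstname, user_level, activated)
               VALUES (?, ?, ?, 1, 1)')
    ->execute(['alice', password_hash('sample-pass', PASSWORD_DEFAULT), 'Alice']);

$_SESSION = [];                        // a web request would call session_start() instead
var_dump(is_logged_in());                                 // no login yet
var_dump(attempt_login($pdo, "o'brien", 'sample-pass'));  // quote is plain data, no SQL error
var_dump(attempt_login($pdo, 'alice', 'wrong'));          // wrong password
var_dump(attempt_login($pdo, 'alice', 'sample-pass'));    // valid credentials
var_dump(is_logged_in());                                 // session now carries the user
```

On a real page, call `session_start()` before anything else and follow every `header('Location: ...')` with `exit;`, because the redirect header alone does not stop the rest of the script from running.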