
PHP session help


anthonydamasco


The problem I am having is a little complex, well to me at least.

I developed a very simple register/login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets anyone who accesses Login_success.php without checking for login name and a valid password. Now I read a lot about sessions so I think I'm having trouble setting session variables, but I'm not sure what to do, and on top of that, my md5 hash is messing up!

This is my login script "log.php"
[code=php:0]
<?php
/* Check User Script */
session_start();  // Start Session

error_reporting(E_ALL);
ini_set('display_errors','on'); 

// connect to database
$conn = mysql_connect("localhost","www2","accuoffice");

//select the database
$db = mysql_select_db("accu") or die( "Unable to select database");

$username="";
$password="";

$username = $_POST['username'];

=>

if (isset($_POST['username']))
{
  $username = $_POST['username'];
}
else
{
  die ('You did not provided a username !!');

// Convert to simple variables

$password = $_POST['password'];



// Convert password to md5 hash
$password = md5($password);

$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check == 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $key => $val )
{
      $row[$key] = stripslashes( $val );

    }
        // Register some session variables!
        session_register('firstname');
        $_SESSION['firstname'] = $firstname;
        session_register('lastname');
        $_SESSION['lastname'] = $lastname;
        session_register('email');
        $_SESSION['email'] = $email;
        session_register('special_user');
        $_SESSION['user_level'] = $user_level;
       
        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");
       
        header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
}

?>
[/code]

Have a try of this:
[code=php:0]<?php

error_reporting(E_ALL);
ini_set('display_errors','on');

// before we do anything we first check that we have the username and password vars:
if(isset($_POST['username']) && isset($_POST['password']))
{
    // now we attempt to log the user in

    // connect to MySQL
    $conn = mysql_connect("localhost" ,"www2", "accuoffice");

    //select the database
    $db = mysql_select_db("accu") or die("Unable to select database");

    // prepare our username and password vars
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5($_POST['password']);

    $sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1'";
    $result = mysql_query($sql);

    // check that only 1 result was returned
    if(mysql_num_rows($result) == 1)
    {
        // now that we know the user has successfully logged in we'll start the session
        session_start();

        // mysql_fetch_assoc returns an associative array.
        // Check out php.net/mysql-fetch-assoc for more info on this function
        $user = mysql_fetch_assoc($result);

        // we'll use a foreach loop to create our session variables automatically!
        foreach($user as $key => $value)
        {
            // $key is the key used in the $user array
            // $value is the value of the key.
            // for example $user holds an array. The first item in that array will be $user['firstname']
            // this holds the firstname of the user
            // notice in the square brackets there is the word firstname in quotes. This is called the array key ($key)
            // This key holds the user's firstname ($value).
            // This is basically what this section of code is doing.
            $_SESSION[$key] = $value;
        }
        }

        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$user[userid]'");

        header("Location: login_success.php");
        exit; // stop the script here so nothing else runs after the redirect
    }
    else
    {
        echo "Logging was unsuccessful. Please try again";
    }

    mysql_close();
}
else
{
    echo "PLease ensure you have filled in the username and password fields";
}

?>[/code]
This should be what you are looking for. Have a read of the comments (orange text) if you are unsure what's happening.
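The two problems raised in the thread (login_success.php opening for anyone, and the session not being populated) can be handled together, as in this added example, which is not code from either poster. It assumes PDO with the SQLite driver for the demo, a `password` column that stores `password_hash()` output rather than md5, and a hypothetical `login_form.php` as the redirect target; the sample row is constructed.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver and a
// `password` column holding password_hash() output instead of md5().
function attempt_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $db->prepare(
        'SELECT userid, firstname, user_level, password FROM staff
         WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || !password_verify($password, $user['password'])) {
        return false;
    }

    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    // Copy only what the pages need; the password hash stays out of the session.
    $_SESSION['userid']     = $user['userid'];
    $_SESSION['firstname']  = $user['firstname'];
    $_SESSION['user_level'] = $user['user_level'];
    return true;
}

// Call at the top of login_success.php and any other members-only page.
function require_login(): void
{
    if (empty($_SESSION['userid'])) {
        header('Location: login_form.php');   // hypothetical name for the login form
        exit;                                  // without exit the page below still renders
    }
}

// Demo on constructed data: an in-memory table standing in for `staff`.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (userid INTEGER PRIMARY KEY, username TEXT, password TEXT,
           firstname TEXT, user_level INTEGER, activated INTEGER)');
$db->prepare('INSERT INTO staff VALUES (1, ?, ?, ?, 1, 1)')
   ->execute(['alice', password_hash('sample-pass', PASSWORD_DEFAULT), 'Alice']);

$results = [
    'unknown user'   => attempt_login($db, 'nobody', 'sample-pass'),
    'wrong password' => attempt_login($db, 'alice', 'guess'),
    'valid login'    => attempt_login($db, 'alice', 'sample-pass'),
];
var_dump($results, $_SESSION);
```

In login_success.php the guard is used as `session_start(); require_login();` before any output is sent.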

It depends on a dynamic SQL query, right? Which means sometimes result is gonna be empty... Or I could be wrong and it just needs to be
if(mysql_num_rows($result) == "1")
lol....... If that doesn't work I would just use
if(@mysql_num_rows($result) == 1)
