wmguk Posted December 8, 2009

Hey, I have a login code on an admin panel, and this is the code:

    <?
    ob_start();
    session_start();
    include('includes/dbconn.php');
    $user=$_REQUEST['user'];
    $pass=$_REQUEST['pass'];
    $sql="select * from admin where username='$user' and password='$pass'";
    $result = mysql_query($sql) or die("Query failed : " . mysql_error());
    $row=mysql_fetch_assoc($result);
    $no=mysql_num_rows($result);
    if($no!=0){
        $HTTP_SESSION_VARS["user"]=$row['user'];
        $HTTP_SESSION_VARS["password"]=$row['password'];
        $level=$row['level'];
        header('Location:crtl.php');
    } else {
        header('Location:login.php?mode=no');
    }
    ?>

On my left bar (which is an include) I have simply asked

    <?php echo $level; ?>

For some reason when I access the page it does not show the variable, but if I pass it via the URL it works... any ideas why this won't work? The top code is included on every page...
cags Posted December 8, 2009

Security issues and deprecated code in your script aside, using sessions doesn't make all variables global. Since immediately after setting $level you redirect to a new page, that value will never be in scope. You will need to use $_SESSION['level'] = $row['level'] and then access it using echo $_SESSION['level'].
wmguk Posted December 8, 2009

Ah ha, I checked out $_SESSIONS and get this message - "This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged." What do I use instead? - and what are the security issues?
cags Posted December 8, 2009

Where did you check that out? $HTTP_SESSION_VARS is deprecated; the $_SESSION array is the correct way to work with sessions.

Ideally speaking I would avoid using $_REQUEST as it contains the values of the GET, POST, and COOKIE superglobal arrays. You should really use the one that's specific to your need. So if you are using method="post" on your form, use $_POST.

Aside from that, you should never put a value input by the user directly into an SQL query string; this will allow them the ability to perform SQL injection attacks, XSS attacks etc. At the very least you should be using mysql_real_escape_string, giving you something like...

    $user = mysql_real_escape_string($_POST['user']);
    $pass = mysql_real_escape_string($_POST['pass']);

Also beware: if you leave or die("Query failed : " . mysql_error()); in your production code, any query failure can potentially give hackers information about the structure of your database that you don't want them to have.
PFMaBiSmAd Posted December 8, 2009

$_SESSION variables are not deprecated and don't produce deprecated error messages, so you will need to be way more specific about what function you used that resulted in the error message.

Here is a list of everything the posted code should not be doing (I don't know where you found that, but it is way way out of date):

1) Don't use short open php tags <?. Always use full opening php tags <?php.

2) Don't use ob_start() unless you intentionally want to buffer output. If you were getting a header() error message, find and fix what is causing that error.

3) Don't use $_REQUEST variables. You don't know where the actual values come from, and they allow a hacker to easily feed your script a dictionary lookup attack of usernames and passwords by simply putting GET parameters on the end of the URL. Use the correct $_POST variables from your form.

4) You are not escaping the external user supplied values being put into the query, so a hacker can easily inject sql and dump all the usernames and passwords you have stored in your admin table.

5) You are storing the passwords in the database table as plain text, so when a hacker does get a copy of them (see item #4) he does not need to do any work to find the actual passwords.

6) $HTTP_SESSION_VARS were deprecated in php4.1, over 7 years ago, turned off by default in php5, and completely removed in upcoming php6. Use the $_SESSION superglobal array instead.

7) You would need to assign $row['level'] to a $_SESSION variable like cags showed you in his post, in order to make that value available as a session variable.
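The following is an added example, not code posted in this thread, showing what the login handler looks like once cags' $_SESSION['level'] fix and items 3 to 7 of PFMaBiSmAd's list are applied: credentials read from $_POST only, a prepared statement instead of string interpolation, hashed passwords compared with password_verify(), and the level stored in $_SESSION for the left-bar include to read. It assumes a PHP release with PDO and password_hash() (5.5 or later), that the thread's admin table has username, password and level columns with the password column now holding password_hash() output, and that the DSN and credentials are placeholders (in the thread's layout the connection would come from includes/dbconn.php).

```php
<?php
// Added example (not the original poster's code): hardened version of the
// admin login handler discussed in the thread. DSN and credentials below are
// placeholders; the admin table is assumed to store password_hash() output
// in its password column (created with password_hash($plain, PASSWORD_DEFAULT)).
declare(strict_types=1);

session_start();

// Exceptions instead of die(mysql_error()): failures are logged server-side,
// never echoed to the client.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'dbuser',                                            // placeholder user
    'dbpass',                                            // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Look up the admin row by username and verify the password against the
 * stored hash. The username is bound as a parameter, so no user input is ever
 * interpolated into SQL (item 4). Returns the row on success, null otherwise.
 */
function authenticate(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password, level FROM admin WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Do roughly the same work whether or not the username exists, so the
    // response time does not reveal which usernames are valid.
    $hash = $row ? (string)$row['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pass, $hash)) {
        return null;
    }
    return $row;
}

/**
 * For the left-bar include and other admin pages: require that the session
 * holds at least the given level, otherwise send the visitor to the login page.
 */
function requireLevel(int $minimum): void
{
    if (!isset($_SESSION['level']) || (int)$_SESSION['level'] < $minimum) {
        header('Location: login.php?mode=no');
        exit;
    }
}

// Credentials are accepted from a POSTed form only, never from $_REQUEST (item 3).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');

    $row = authenticate($pdo, $user, $pass);
    if ($row === null) {
        // Log server-side with the username reduced to a safe character set so
        // the log cannot be polluted; tell the client only that login failed.
        error_log('admin login failed for ' . preg_replace('/[^\w.@-]/', '_', $user));
        header('Location: login.php?mode=no');
        exit;
    }

    // New session id on privilege change, then keep only what later pages
    // need (items 6 and 7). The password and its hash never go into the session.
    session_regenerate_id(true);
    $_SESSION['user']  = $row['username'];
    $_SESSION['level'] = (int)$row['level'];
    header('Location: crtl.php');
    exit;
}
```

In the left-bar include, the original echo $level becomes requireLevel(1); followed by echo htmlspecialchars((string)$_SESSION['level'], ENT_QUOTES, 'UTF-8');, so the value survives the redirect because it lives in the session rather than in a local variable of the handler.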