colleyboy Posted June 17, 2012

Ok, so sessions... it is a grey area for me but unfortunately on the system I am working on it is kind of a must so I can get the website to work.

I am trying to create a simple log in area on a website and I have got a log in form which goes to "checklogin.php". The "checklogin.php" script will check the user's username and password against the db and if it matches it will forward them to their user control panel (using username and password in the URL).

In the database the user_id, which is an integer, is the foreign key allowing me to reference a user for images/blog posts etc.

The usercp.php page has a couple of inline queries which just set the page up. On the page I have set it to "register" the session called user_id.

The problem is once a user logs in it registers and spits out the correct user_id. I need to keep this user_id in a session so it can be used on every page.

Basically... what I intend to do is have a login box. This log in box should only show if the user is not logged in (i.e. something along the lines of "if (isset(['user_id_key'])) then show user panel button ELSE show login box").

Really annoying me as currently when you log in it shows the user_id fine... but doesn't carry over to another page.

HERE IS SOURCE CODE BELOW:

checklogin.php (registers session and validates login details):

```php
<?php
$tbl_name="boom_users"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['artistusername'];
$mypassword=$_POST['artistpassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$myusername = mysql_real_escape_string($myusername);

// Encrypt password to MD5
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM boom_users WHERE Username='$myusername' and Password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file "index.php"
    session_register("artistusername");
    session_register("artistpassword");
    $_SESSION['artistusername']=$myusername;
    $_SESSION['artistpassword']=$encrypted_mypassword;
    header("location:usercp.php?username=".$myusername."&sessionid=".$encrypted_mypassword."");
}
else {
    include "wronglogin.php";
}
?>
```

userpanel.php?username=".$myusername"&sessionid=".$encrypted_mypassword" (This is the user's control panel WHERE the username and Password match a row and then spits out the name. In this example it spits out the "user_id". I store it as a session but it doesn't stay saved when loading another page.)

```php
<?php
if (isset($_GET['username'])) {
    $username = $_GET['username'];
}
if (isset($_GET['sessionid'])) {
    $password = $_GET['sessionid'];
}
?>
<?php
$usersession = mysql_query("SELECT * FROM boom_users WHERE Username='$username' && Password='$password'") or die(mysql_error());

while($row = mysql_fetch_array($usersession)) {
    $user_id_key = $row['user_id'];
    $_SESSION['useridkey']=$user_id_key;
    echo "the user id is ".$_SESSION['useridkey'];
}
?>
```

Basically... how do I store this session so it is available to call the "useridkey" value on any page?

Kind Regards,
Ian

trq Posted June 17, 2012

I'm not sure where you're looking at tutorials, but they are out of date. session_register has been deprecated for a long time.

As for your issue, I see no call to session_start.

colleyboy Posted June 17, 2012

Because I am "including" the content pages I see I have no session start command. If I include that it works.

What do we now use instead of session_register? Hmm?

trq Posted June 17, 2012

Just use the $_SESSION array, there is no need to register anything.

colleyboy Posted June 17, 2012

Ok brilliant thanks

colleyboy Posted June 17, 2012

Saying that... normally to check if the user is logged in I run this command at the top of each page. If a user is not having to register any more, what do I change the command to?

```php
<?
session_start();
if(!session_is_registered(artistusername)){
    header("location:login.php");
}
?>
```

trq Posted June 17, 2012

That would generate an error in the first place because session_is_registered expects a string.

Anyway, the $_SESSION array is no different to any other. Just check the index exists.

```php
<?php
session_start();
if (!isset($_SESSION['artistusername'])) {
    header("location:login.php");
}
```

colleyboy Posted June 17, 2012

Ok brill thanks

Pikachu2000 Posted June 17, 2012

And you may as well never go back to phpeasystep.com again. Their tutorials are outdated and as you see, will cause you problems.

PFMaBiSmAd Posted June 17, 2012

> I run this command at the top of each page

You also need an exit; statement after the header redirect in that code to prevent the remainder of the code on your 'protected' page from running. All a hacker needs to do is ignore the header() redirect and he can access your 'protected' page the same as if that code wasn't even there.
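
The points raised in this thread (session_start() on every request, $_SESSION instead of session_register(), and exit after the redirect) combined in one sketch. This is an added example, not code posted by any participant; the PDO connection, a Password column holding password_hash() output, and the helper names start_session_once(), require_login(), login() and handle_login_post() are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names follow the first post.

function start_session_once(): void
{
    // Every request that touches $_SESSION must start the session first,
    // including pages that are pulled in with include.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Top of every protected page: returns the logged-in user's id or redirects.
function require_login(): int
{
    start_session_once();
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit; // header() only queues a response header; without exit the page still runs
    }
    return (int) $_SESSION['user_id'];
}

// Verify the credentials, then keep only the user id in the session.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT user_id, Password FROM boom_users WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: Password stores a password_hash() value, not the MD5 from the post.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return false;
    }
    start_session_once();
    session_regenerate_id(true);              // fresh session id once authenticated
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// Assumed wiring for checklogin.php; $db is an already-connected PDO instance.
function handle_login_post(PDO $db): void
{
    if (login($db, $_POST['artistusername'] ?? '', $_POST['artistpassword'] ?? '')) {
        header('Location: usercp.php');       // no username or hash in the URL
        exit;
    }
    include 'wronglogin.php';
}
```

On usercp.php, `$user_id = require_login();` then takes the place of reading the username and sessionid from the query string.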