I have a login page and at the top of my members page I have another script that checks first if the user is logged in and then checks if the user is premium. Both need to be true for the user to see the members page but instead it keeps going to the activate page when logged in as a premium member.

 

login page

<? ob_start();session_start();include_once"config.php";
if(isset($_SESSION['username']) || isset($_SESSION['password'])){
    header("Location: videos_main.php");
}else{
    if(isset($_POST['login'])){
        $username= trim($_POST['username']);
        $password = trim($_POST['password']);
        if($username == NULL OR $password == NULL){
            $final_report.="Please complete all the fields below..";
        }else{
            $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
            if(mysql_num_rows($check_user_data) == 0){
                $final_report.="This username does not exist..";
            }else{
                $get_user_data = mysql_fetch_array($check_user_data);
                if($get_user_data['password'] != $password){
                    $final_report.="Your password is incorrect!";
                }else{
                    $start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
                    $start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
                    $final_report.="You are about to be logged in, please wait a few moments.. <meta http-equiv='Refresh' content='2; URL=videos_main.php'/>";
                }
            }
        }
    }
}
?>

 

Page with videos on it (Premium) page.

 

<? ob_start(); session_start();include_once"config.php";
if(!isset($_SESSION['username']) || !isset($_SESSION['password'])){
    header("Location: login.php");
}else{
    $premium_query = mysql_query("SELECT 'premium' FROM 'members' WHERE 'username'='".$_SESSION['username']."'");
    $premium = mysql_result($premium_query, 0, 'premium');
    if($premium == 0){
        header("Location: activate.php");
    }else{
        $user_data = "".$_SESSION['username']."";
        $fetch_users_data = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE `username`='".$user_data."'"));
    }
?>

...//Premium content

 

It's supposed to just show the page content if the $premium returns a value of 1. But it just keeps shooting me to the activate page.

 

Premium is an INT in the database and it defaults to 0 when the user registers, then is changed to 1 when the user activates the account for premium membership.

 

Any ideas?

Edited by Nightasy

Before anyone brings this up. There is an extra } on the end of the premium page. I don't know why it didn't paste in the code. But it's there.

 

Sad thing here is I had this same exact script working yesterday and now it doesn't want to play nice. No clue why, I didn't make any changes.

Edited by Nightasy

Fixed my own problem. Syntax error on my part.

 

$premium_query = mysql_query("SELECT 'premium' FROM 'members' WHERE 'username'='".$_SESSION['username']."'");

 

needed to be

 

$premium_query = mysql_query("SELECT premium FROM members WHERE username='".$_SESSION['username']."'") or die(mysql_error());

 

Thanks anywho.

A couple of tips for you.

 

You should be escaping strings from the POST data using mysql_real_escape_string() before using the values in the queries, otherwise you leave yourself open to SQL injection attacks.

 

You are compounding that felony by storing passwords as plain text therefore open to view - hash them.

 

Move on to mysqli or PDO as mysql is obsolete.

I strongly recommend that you read this article about secure login systems, to complement the tips Barand gave above.

 

Also, whenever you use header ("Location: ..."); you must follow it by die (). Otherwise the script will continue to parse, and may cause security issues and/or other problems.

This makes the following else quite redundant, as the code will never parse beyond the IF-test if it evaluates to true. Shaves down on the nesting, and helps keep the code easier to read (and thus easier to maintain).

 

You should also always be using the full PHP tags (<?php), instead of the short PHP tags (<?). The latter ones are deprecated, and will be removed in the next version. They're already turned off by default, and as such a lot of hosts do not support them.

Likewise you'll find that ob_start () is quite unnecessary, at least if your code is well formed. You'll want to write your code in such a manner that it works perfectly fine without it, as it'll allow your code to be a lot more flexible.
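
The tips in the two replies above (keep user input out of the SQL text, hash passwords, move to PDO, stop the script after a Location header), as an added example that is not code from the thread. It uses PDO prepared statements in place of mysql_real_escape_string(); the in-memory SQLite database, the sample users and the helper names are assumptions made so it runs stand-alone from the CLI.

```php
<?php
declare(strict_types=1);
// Constructed demo data: in-memory SQLite stands in for the thread's MySQL `members` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT, premium INTEGER DEFAULT 0)');
$add = $pdo->prepare('INSERT INTO members (username, password, premium) VALUES (?, ?, ?)');
// Only a salted hash is stored, never the plain-text password.
$add->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$add->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT), 0]);

// Hypothetical helper: returns the member row on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT username, password, premium FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // the hash has no business in the session
    return $row;
}

// Hypothetical helper: where a premium-page request must be sent, or null to show the page.
function premium_redirect(PDO $pdo, ?string $sessionUser): ?string
{
    if ($sessionUser === null) {
        return 'login.php';
    }
    $stmt = $pdo->prepare('SELECT premium FROM members WHERE username = ?');
    $stmt->execute([$sessionUser]);
    return ((int) $stmt->fetchColumn() === 1) ? null : 'activate.php';
}

// Hypothetical helper for the top of videos_main.php: redirect, then stop.
function guard_premium_page(PDO $pdo, ?string $sessionUser): void
{
    $target = premium_redirect($pdo, $sessionUser);
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // without this the premium content below would still be sent
    }
}

// Demo run from the CLI; a quote in the input is treated as data, not SQL.
var_dump(authenticate($pdo, "o'brien", 'x'), authenticate($pdo, 'alice', 'correct horse'));
var_dump(premium_redirect($pdo, 'alice'), premium_redirect($pdo, 'bob'), premium_redirect($pdo, null));
```

On a real page the session would hold only the username from the returned row, and session_regenerate_id(true) would be called right after a successful login.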

They were deprecated, at least for a while, no?

 

No. The short_open_tag directive is not deprecated; its use will not raise an E_DEPRECATED message.

 

However, use of the short_open_tag has been discouraged for a very long time due to the XML conflict and many hosts having the directive turned off, but it is not deprecated.

 

They're already turned off by default

 

Not strictly true either. The default value, if none is provided in php.ini, is short_open_tag=On. That said, the "production" and "development" INI files that we distribute, and many third parties too, explicitly turn short_open_tag off.
