trg86 Posted October 26, 2012

Hi there guys, how is everyone today?

I am having a minor issue with a session. I have a database I am working on that, of course, carries across multiple pages. The problem I am having is with the display of the logged in user's username, i.e. 'Welcome (username)!, Logout'

This works fine upon the initial log in, but once I execute a different page (where the username is not displayed) and am re-directed back to the original page where the username is displayed, it seems to not show up, i.e. 'Welcome (blank space)!, Logout'

I have tried a few things but I can't seem to resolve this minor issue. I do appreciate your help ahead of time, thanks!

I have posted my session code below, this is the exact session code that starts each of the pages that I need to carry the data across.

    <?php
    session_start();
    $username = $_POST['username']; //Username
    if (!isset($_SESSION['username'])) {
        exit();
    }
    ?>

Thank you for your help guys!!!

Beeeeney Posted October 26, 2012

Do a var_dump() on the username and see what you get when it shows up as blank.

trg86 Posted October 26, 2012

Thanks for your quick reply Beeeeney! I went ahead and applied your suggestion, now when loading the page, it loads just a blank white page, with text at the top that says:

    string(10) "trg86"

Beeeeney Posted October 26, 2012 (edited)

> Thanks for your quick reply Beeeeney! I went ahead and applied your suggestion, now when loading the page, it loads just a blank white page, with text at the top that says:
>
>     string(10) "trg86"

Seems like the variable is still holding the username data so it's an issue with how it's being displayed.

trg86 Posted October 26, 2012

Hmm. Mind-boggling for me at the moment. Here is the code snippet for how I am displaying the username.

    <b>Welcome</b> <?php echo('<font color="#0092c8">'.$username.'</font>');?>!

Beeeeney Posted October 26, 2012

I don't see why it would display once and then fail. I'm quite new to PHP too so probably best to wait for one of the experts to help. Sorry I couldn't be of further help.

DavidAM Posted October 26, 2012

> ... this is the exact session code that starts each of the pages that I need to carry the data across.
>
>     <?php
>     session_start();
>     $username = $_POST['username']; //Username
>     if (!isset($_SESSION['username'])) {
>         exit();
>     }
>     ?>

Unless every page is POSTing the username from a form field, you are not getting the username on subsequent pages. You need to turn on error reporting; that line should throw a warning about an undefined index.

Basically, in the script handling the login form, you need to collect the username (from POST) and store it in the session. On all other pages, you should collect the username from the session, not from a POST field.

trg86 Posted October 26, 2012

Hi David, thanks for your reply. I do have error reporting turned on, but I do not receive an error, on any page. I am pretty new with the sessions thing, what would be the best way for me to apply your suggestion? Thanks!

MDCode Posted October 26, 2012 (edited)

Simple explanation that will set session variables:

    <?php
    // Assumes session_start() has already been called and $connection is an open MySQL link.
    $sql = "SELECT * FROM `users` WHERE username = 'variable' and password = 'variable'";
    $result = mysql_query($sql, $connection) or die(mysql_error());

    //get the number of rows in the result set
    $num = mysql_num_rows($result);

    //set session variables if there is a match
    if ($num != 0) {
        while ($sql = mysql_fetch_object($result)) {
            // quoted array key; a bare username would be read as an undefined constant
            $_SESSION['username'] = $sql->username;
        }
    } else {
        //if no match
        header("Location: errorloginpage");
        die;
    }
    ?>

akphidelt2007 Posted October 26, 2012

> Hi David, thanks for your reply. I do have error reporting turned on, but I do not receive an error, on any page. I am pretty new with the sessions thing, what would be the best way for me to apply your suggestion? Thanks!

If you have that code snippet that you showed on top of every file, that will generate an error if you have error reporting on, unless you are explicitly creating $_POST['username'] somewhere else in the code.

DavidAM Posted October 26, 2012

Basically, the different pages (scripts) will each have to start a little differently.

First, this needs to be at the top of every page-script (at least during development):

    error_reporting(E_ALL);
    ini_set('display_errors', 1);

Second, on the script that is validating the login page; you check to see if the credentials are valid, then

    $_SESSION['username'] = <<The username of your logged in user>>

Third, on pages that should only be accessed by a logged-in user:

    if (!isset($_SESSION['username'])) # kick them out

Of course, the session_start() call needs to appear before you reference any of the $_SESSION variables.

trg86 Posted October 26, 2012

Hey guys, sorry for my belated response, I was AFK for a while. For reference, here is the code that processes the login form from the login page, feel free to point out any errors you may see here that may be causing the issue. Thanks!!!

    <?php
    //Database Information
    $dbhost = "DELETED INFO FOR THIS POST"; //Host Name
    $dbname = "DELETED INFO FOR THIS POST"; //Database Name
    $dbuser = "DELETED INFO FOR THIS POST"; //Database Username
    $dbpass = "DELETED INFO FOR THIS POST"; //Database Password

    //Connect To Database
    mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: ".mysql_error());
    mysql_select_db($dbname) or die(mysql_error());

    //User Session
    session_start();
    $username = $_POST['username']; //Username
    $password = md5($_POST['password']); //Password

    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysql_query($query);

    if (mysql_num_rows($result) != 1) {
        $error = "Bad Login";
        include "login.html";
    } else {
        $_SESSION['username'] = $username;
        include "main_interface.php";
    }
    ?>

DavidAM Posted October 26, 2012

The only thing in that script that jumps out at me, is that you are not escaping the username before you put it in the query string. This leaves you open to SQL injections, and query failures if someone uses a single-quote in their username. Build the query as:

    $query = "SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "' AND password='$password'";

Note: I did not escape the password because it has been run through MD5 and cannot possibly contain any special characters.

Otherwise, this script looks OK to me. The problem, I think, is at the beginning of your OTHER scripts. You said they all start with:

    <?php
    session_start();
    $username = $_POST['username']; //Username
    if (!isset($_SESSION['username'])) {
        exit();
    }
    ?>

Here you are retrieving the $username from $_POST which (probably) does not exist. You need to retrieve it from $_SESSION where you stored it in the login script.

trg86 Posted October 26, 2012

Thanks again for your reply David. I definitely ran the password variable through an MD5 encryption, but it did not occur to me to run an escape on the username, thank you very much for that tip!! Let me go ahead and make some changes to my code and I will let you know where I stand from there. Thanks!! This definitely seems like a very helpful community.

trg86 Posted October 26, 2012

Alrighty, it looks like I have it working now, a pretty simple change actually at the hands of your suggestions! This is my updated code for handling the session variables across all of the pages.

    <?php
    session_start();
    $username = $_SESSION['username']; //Username
    if (!isset($_SESSION['username']) || (trim($_SESSION['username'])=='')) {
        exit();
    }
    ?>

MDCode Posted October 26, 2012 (edited)

Using that other check on if the username is blank is useless as it won't be set at all unless they successfully log in.

Christian F. Posted October 26, 2012

I see that you're still not using error reporting, or at least not echoing it out to screen. Otherwise you'd get a warning about an undefined index, whenever a user is not logged in.

The proper way of doing that code, is to check for the index in the session variable first, then use it. You don't even need to use the $username variable, as you can reference the $_SESSION['username'] directly in your code.

    <?php
    session_start ();
    if (!isset ($_SESSION['username'])) {
        exit ();
    }
    echo "Welcome ".$_SESSION['username'];

Sometimes less is more.

Also, I strongly recommend that you read this article about secure login systems, as your current password security is extremely weak.
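
The flow DavidAM describes (store the username in the session at login, read it from the session everywhere else) together with Christian F.'s remark about password security, as an added example that is not code from any poster in the thread. It swaps mysql_real_escape_string() for a PDO prepared statement and md5() for password_hash()/password_verify(); the in-memory SQLite database, table layout, function names and sample user are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the table layout, user and passwords below are constructed sample data.
declare(strict_types=1);

// Login step: verify credentials, then store the username in the session.
function attempt_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: a quote in the username cannot change the query.
    $stmt = $db->prepare('SELECT username, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted password_hash() value, replacing md5().
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['username'] = $row['username'];
    return true;
}

// Every other page: read the username from the session, never from $_POST.
function current_user(): ?string
{
    return isset($_SESSION['username']) ? (string) $_SESSION['username'] : null;
}

function welcome_html(): string
{
    $user = current_user();
    if ($user === null) {
        return '<a href="login.html">Log in</a>';
    }
    // Escape on output so markup in a username is shown as text.
    return '<b>Welcome</b> ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '!';
}

// Demo: in-memory SQLite and one constructed user; no output before the end.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);
$bad  = attempt_login($db, "o'brien", 'wrong');
$anon = welcome_html();
$good = attempt_login($db, "o'brien", 'correct horse');
echo var_export($bad, true), ' | ', $anon, "\n";
echo var_export($good, true), ' | ', welcome_html(), "\n";
```

In a real application the demo section would be split up: attempt_login() belongs in the script that handles the login form, and welcome_html() on the pages that display the greeting, each after its own session_start().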