Jump to content

Recommended Posts

Hi there guys, how is everyone today?

 

I am having a minor issue with a session. I have a database I am working on that, of course, carries across multiple pages. The problem I am having is with the display of the logged in user's username, i.e. 'Welcome (username)!, Logout' This works fine upon the initial log in, but once I execute a different page (where the username is not displayed) and am re-directed back to the original page where the username is displayed, it seems to not show up, i.e. 'Welcome (blank space)!, Logout' I have tried a few things but I can't seem to resolve this minor issue. I do appreciate your help ahead of time, thanks!

 

I have posted my session code below, this is the exact session code that starts each of the pages that I need to carry the data across.

 

<?php
session_start();
$username = $_POST['username']; //Username
if (!isset($_SESSION['username'])) {
exit();
}
?>

 

 

Thank you for your help guys!!! :)

Link to comment
https://forums.phpfreaks.com/topic/269942-help-with-minor-session-issue/
Share on other sites

Thanks for your quick reply Beeeeney!

 

I went ahead and applied your suggestion, now when loading the page, it loads just a blank white page, with text at the top that says: string(10) "trg86"

 

Seems like the variable is still holding the username data so it's an issue with how it's being displayed.

Edited by Beeeeney

... this is the exact session code that starts each of the pages that I need to carry the data across.

 

<?php
session_start();
$username = $_POST['username']; //Username
if (!isset($_SESSION['username'])) {
exit();
}
?>

 

Unless every page is POSTing the username from a form field, you are not getting the username on subsequent pages.

 

You need to turn on error reporting, that line should throw a warning about an undefined index.

 

Basically, in the script handling the login form, you need to collect the username (from POST) and store it in the session. On all other pages, you should collect the username from the session not from a POST field.

Simple explanation that will set session variables:

 

<?php
$sql = "SELECT * FROM `users` WHERE username = 'variable' and password = 'variable'";

$result = mysql_query($sql, $connection) or die(mysql_error());


//get the number of rows in the result set
$num = mysql_num_rows($result);

//set session variables if there is a match
if ($num != 0)
{
while ($sql = mysql_fetch_object($result))
{

$_SESSION[username] = $sql -> username;

}
}else{
//if no match
header("Location: errorloginpage");
die;
}
?>

Edited by ExtremeGaming

Hi David, thanks for your reply. I do have error reporting turned on, but I do not receive an error, on any page.

 

I am pretty new with the sessions thing, what would be the best way for me to apply your suggestion? Thanks!

 

If you have that code snippet that you showed on top of every file, that will generate an error if you have error reporting on unless you are expliciting creating $_POST['username'] somewhere else in the code.

Basically, the different pages (scripts) will each have to start a little differently.

 

First, this needs to be at the top of every page-script (at least during development):

error_reporting(E_ALL);
ini_set('display_errors', 1);

 

Second, on the script that is validating the login page; you check to see if the credentials are valid, then

$_SESSION['username'] = <<The username of your logged in user>>

 

Third, on pages that should only be accessed by a logged-in user:

if (!isset($_SESSION['username'])) # kick them out

 

Of course, the session_start() call needs to appear before you reference any of the $_SESSION variables.

Hey guys, sorry for my belated response, I was AFK for a while.

 

For reference, here is the code that processes the login form from the login page, feel free to point out any errors you may see here that may be causing the issue. Thanks!!! :)

 

<?php

//Database Information
$dbhost = "DELETED INFO FOR THIS POST"; //Host Name
$dbname = "DELETED INFO FOR THIS POST"; //Database Name
$dbuser = "DELETED INFO FOR THIS POST"; //Database Username
$dbpass = "DELETED INFO FOR THIS POST"; //Database Password

//Connect To Database
mysql_connect($dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

//User Session
session_start();

$username = $_POST['username']; //Username
$password = md5($_POST['password']); //Password

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
$error = "Bad Login";
include "login.html";
} else {
$_SESSION['username'] = $username;
include "main_interface.php";
}
?>

The only thing in that script that jumps out at me, is that you are not escaping the username before you put it in the query string. This leaves you open to SQL injections, and query failures if someone uses a single-quote in their username. Build the query as:

 

$query = "SELECT * FROM users WHERE username='" . 
 mysql_real_escape_string($username) . 
 "' AND password='$password'";

 

Note: I did not escape the password because it has been run through MD5 and cannot possibly contain any special characters.

 

 

Otherwise, this script looks OK to me. The problem, I think, is at the beginning of your OTHER scripts. You said they all start with:

 

<?php
session_start();
$username = $_POST['username']; //Username
if (!isset($_SESSION['username'])) {
exit();
}
?>

 

Here you are retrieving the $username from $_POST which (probably) does not exist. You need to retrieve it from $_SESSION where you stored it in the login script.

Thanks again for your reply David. I definitely ran the password variable through an MD5 encryption, but it did not occur to me to run an escape on the username, thank you very much for that tip!! Let me go ahead and make some changes to my code and I will let you know where I stand from there. Thanks!! :)

 

This definitely seems like a very helpful community.

Alrighty, it looks like I have it working now, a pretty simple change actually at the hands of your suggestions! :)

 

This is my updated code for handling the session variables across all of the pages.

 

<?php
session_start();
$username = $_SESSION['username']; //Username
if (!isset($_SESSION['username']) ||
(trim($_SESSION['username'])=='')) {
exit();
}
?>

I see that you're still not using error reporting, or at least not echoing it out to screen. Otherwise you'd get a warning about an undefined index, whenever a user is not logged in.

The proper way of doing that code, is to check for the index in the session variable first, then use it. You don't even need to use the $username variable, as you can reference the $_SESSION['username'] directly in your code.

 

<?php
session_start ();
if (!isset ($_SESSION['username'])) {
   exit ();
}

echo "Welcome ".$_SESSION['username'];

 

Some times less is more. ;)

 

Also, I strongly recommend that you read this article about secure login systems. As your current password security is extremely weak.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.