Login php with session not redirecting to index.php

[emen24]

I am using PHP 5.3  iis7 and SLQ Server 2005. I know the script gets to the session part and creates a temp file in C:/windows/temp folder (see info below), but when I try to login and redirect to the index.php  it give a 500 error on the login.php page.

 

login.php

index.php

conifg.php

temp file - C:\windows\temp

<?php
//set ini
ini_set('session.gc_maxlifetime', 900);
if(!ini_get('session.auto_start')){
	session_start();
}
// include file
include ('config.php');
include (LIB_PATH.'functions.php');
include(LIB_PATH.'sqlsrv_connect.php');
if($_SESSION['user_id']){
		
			Header("Location: index.php"); 
}



if($_POST['submit']){
	$user1 = trim($_POST['user']);
	$pass1 = trim($_POST['pass']);
$user= "'$user1'";
$pass= "'$pass1'";


	if($user == '' or $pass == ''){
		$error = 'You forgot to enter your user_name and your password!';
	}else{
		$query = "SELECT * FROM users WHERE user_name = $user and pass = $pass";
		$params = array();
		$options =  array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
		$r = sqlsrv_query ($database, $query, $params, $options);

		



$num = sqlsrv_num_rows($r);
		
		if ($num >0) {
		
while ($user_data = sqlsrv_fetch_array($r, SQLSRV_FETCH_ASSOC)) {
		
		
						
		$_SESSION['user_id'] 	= $user_data['user_id'];
		$_SESSION['user_name'] = $user_data['user_name'];
		$_SESSION['user_level'] = $user_data['user_level'];
		$_SESSION['user_rep'] 	= $user_data['rep'];}
 
			Header("Location: index.php"); 

		}else{
			$error = 'Wrong username or password!';

			
		}
	}
}




//template
include(TEMP_PATH.'login_tpl.php');


?>

<?php
//set ini
ini_set('session.gc_maxlifetime', 900);
if(!ini_get('session.auto_start')){
	session_start();
}
// include file
include ('config.php');

//include (LIB_PATH.'functions.php');

include(LIB_PATH.'sqlsrv_connect.php');

if(!$_SESSION['user_id']){
	Header("Location: login.php");
}

$database		

//template
include(TEMP_PATH.'index_tpl.php');
?>

<?php

date_default_timezone_set('America/Los_Angeles');

//config directory
define( 'DS', DIRECTORY_SEPARATOR );
define( 'DS', D );
define('SITE_PATH', dirname(__FILE__) . DS);
define('LIB_PATH', SITE_PATH . 'lib' . DS);
define('TEMP_PATH', SITE_PATH . 'templates' . DS);

define('SO_PER_PAGE',20);

?>

user_id|s:1:"6";user_name|s:2:"EM";user_level|s:1:"1";user_rep|s:0:"";

[Jacques1]

Unfortunately, there are much worse problems than the 500 error. Instead of trying to debug this, I'd rather throw away the code, learn PHP and start from scratch.

 

Sorry for being so harsh, but you appearently had a very, very bad teacher. Where do I start?

• If you happily drop any user input into your query strings, then you invite the whole world to change the queries and see what they can find in your database. They'll start with the plaintext passwords of your users.
• Plaintext passwords? Seriously?
• Removing spaces from the password is not a good idea. They are actually significant.
• How could $user or $password ever be empty when you've defined them as "'$user1'" and "'$pass1'"? A string with single quotes isn't empty. Why you would add quotes at this point is beyond me.
• Why do you have a loop for fetching all users with the provided username? Shouldn't there be at most one user per name?
• If you don't stop the script after doing a redirect, then it happily keeps running. That's probably not what you want and can lead to major security issues.
• There's absolutely no session security. However, I do admit that PHP sessions are difficult to handle for beginners.
• ...

[requinix]

500 error means there was an error. Check your logs for an indication why.

 

You can also set

error_reporting = -1
display_errors = on

in your php.ini. Restart IIS after you do.