  1. #1
    Regular Coder CurtWRC's Avatar

    Problem with Sessions

    Hi,

    I am having some problems with a login system. When the user enters in their username and password, if the username/password is incorrect then they are given an error message. This works fine, however when you choose the correct login details you are taken into the site but you are still asked to log in. Below are some code snippets:

    PHP Code:
    <?
    session_start();
    session_register("username");
    session_register("password");
    require_once("db_mysql.php");
    $q = new DB_Sql;
    if(isset($login))
    {
        $sql="select id from tbl_login where username='$username_frm' and password='$password_frm'";
        $q->query($sql);
        if ($q->next_record())
        {
            $username=$username_frm;
            $password=$password_frm;
            header("Location:admin.php");
            exit();
        }
        else
        {
            header("Location:login.php?msg=Wrong+Username/Password");
            exit();
        }
    }
    ?>
    PHP Code:
    function validate($user,$pass) {
        if(!isset($user)) {
            header("location:login.php?msg=You+Session+has+expired");
        }
    }

    PHP Code:
    <?
    session_start();
    require_once("db_mysql.php");
    $username = $_SESSION['username'];
    $password = $_SESSION['password'];
    validate($username,$password);
    include_once("top_header.php");
    $q = new DB_Sql;
    ?>
    Does this make any sense to anyone?

    Cheers,
    Curt.

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Where is $login defined? It looks like you are relying on register globals which is a bad thing. Also session_start(); needs to be at the top of every page that you want to use sessions in.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    Regular Coder CurtWRC's Avatar
    The site has been updated to PHP5 from PHP4 and that's what has caused the problem. Previously the site used to work perfectly.

  • #4
    Senior Coder CFMaBiSmAd's Avatar
    This is not a php4 vs php5 problem. It is a php setting problem. The code relies on register globals being on and they are simply not turned on in the new configuration.

    You could turn on register globals as a temporary measure to get the code to work while you rewrite it to work without register globals. Register globals have been eliminated in php6. You will need to rewrite your code to not rely on register globals sooner rather than later if you expect it to work at all under php6.

    [rant]
    Sadly, register globals are a security risk and were a huge blunder. They allow external get/post/cookie data to replace session data in program variables that are set due to the register globals action. If I know the name of a program variable in your code that you expect to be set from a session variable, I can visit your code and set that to any value, simply by visiting a page that expects a session variable to be set without first visiting the page that sets it and putting a parameter on the end of the url that sets it to the value I want. So, if your code is a login system, I could easily log in as an administrator without much effort.

    Register globals were turned off by default in php4.2 in the year 2002. That was nearly six years ago. No new code, tutorials, books... should have been written after that point in time that relied on register globals being on.

    The time for everyone to upgrade their code to not rely on register globals has gone past.
    [/rant]
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • Users who have thanked CFMaBiSmAd for this post:

    CurtWRC (03-06-2008)
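
The behaviour described in post #4, next to a login check that does not depend on register globals, as an added example that is not part of the original thread. The function names, the `$check` callback standing in for the `tbl_login` lookup, and the sample values are assumptions made for illustration; `legacy_globals()` is a simplified model of the setting, not PHP's own implementation.

```php
<?php
// Added example: arrays stand in for $_GET/$_POST and $_SESSION so it runs from the CLI.

// Simplified model of register_globals (assumption): request keys become
// variables, and a session value wins only when the session actually has one.
function legacy_globals(array $request, array $session): array
{
    return array_merge($request, $session);
}

// Same test as validate() in post #1: is $username set at all?
function legacy_validate(array $request, array $session): bool
{
    $vars = legacy_globals($request, $session);
    return isset($vars['username']);
}

// Rewritten check: only the session array is consulted.
function strict_validate(array $session): bool
{
    return isset($session['username']) && is_string($session['username'])
        && $session['username'] !== '';
}

// Rewritten login step: form fields are read from the POST array by name and
// the session is written only after the credential check succeeds.
// $check is a hypothetical callback standing in for the tbl_login lookup.
function strict_login(array $post, array &$session, callable $check): bool
{
    $user = is_string($post['username_frm'] ?? null) ? $post['username_frm'] : '';
    $pass = is_string($post['password_frm'] ?? null) ? $post['password_frm'] : '';
    if (!isset($post['login']) || !$check($user, $pass)) {
        return false;
    }
    $session['username'] = $user;   // the password is not kept in the session
    return true;
}

// Constructed sample data.
$check = function (string $u, string $p): bool {
    return $u === 'curt' && hash_equals('constructed-secret', $p);
};
$session = [];
var_dump(legacy_validate(['username' => 'admin'], $session)); // URL parameter only, empty session
var_dump(strict_validate($session));                          // same empty session
$form = ['login' => '1', 'username_frm' => 'curt', 'password_frm' => 'constructed-secret'];
var_dump(strict_login($form, $session, $check));
var_dump(strict_validate($session));
```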

  • #5
    Regular Coder CurtWRC's Avatar
    Thanks CFMaBiSmAd, that's a great help.

