  1. #1 New Coder (Chrustopher)

    PHP Session Error

    Hey everyone.

    I am coding a staff panel at the moment and I'm having a little issue with the PHP sessions I'm guessing.

    In one section it allows staff to post news which works 100% fine and displays 100% fine on my website.

    It's only just come to my attention that when a staff member deletes an article, for some reason it logs them out after it's deleted. It's not a huge issue, but I don't want my staff having to always log back in after deleting a single article.

    The page code is as follows:
    PHP Code:
    <?php
    session_start(); // allows session
    include "config.php";
    ?>
    <head>
    <title>Snewsbox.NET Administration Panel</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    </head>
    <body>
    <?php
    if ($logged['id']) {
        switch ($_GET['p']) {

            default:
    ?>
        <div id="content"><div class="header">View Articles</div>
        <table cellpadding="10" cellspacing="5" border="0">
        <tr>
        <th width="150" style="background-color:#EEE;padding:10px;">ID</th>
        <th width="150" style="background-color:#EEE;padding:10px;">Article Title</th>
        <th width="150" style="background-color:#EEE;padding:10px;">Author</th>
        <th width="150" style="background-color:#EEE;padding:10px;">Actions</th>
        </tr>
    <?php
            // list every article, newest first
            $gathernews = mysql_query("SELECT * FROM `news` ORDER BY `id` DESC");
            while ($listnews = mysql_fetch_array($gathernews)) {
    ?>
        <tr>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['id']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['title']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['author']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;">
        <a href="?p=delete&id=<?php echo $listnews['id']; ?>">Delete</a>
        </td>
        </tr>
    <?php
            }
            echo "</table></div>";
            break;

            case "delete":
            // article id taken straight from the query string
            $id = $_GET['id'];
            $sql = mysql_query("DELETE FROM `news` WHERE `id` = '$id'");
            echo "Article Deleted";
            break;
        }
    }
    ?>
    </body>
    (Cut out the code not related)

    The log out issue only occurs when I delete items from the database. Insert, Select and Update work fine.

    Any ideas? Let me know if you need more code.

  • #2 Master Coder
    Show us the update script.


  • #3 New Coder (Chrustopher)
    PHP Code:
    case 'editnews':
    $newsid = $_GET['id'];
    $sql = mysql_query("SELECT * FROM `news` WHERE `id` = '$newsid'");
    $gotnews = mysql_fetch_array($sql);
    $article = stripslashes($gotnews['article']);
    ?>
        <div id="content"><div class="header">Update Article - <?php echo "$gotnews[title]"?></div>
        <form action="?p=updatenews" method="post">
        <div class="big">Title</div><input type="text" name="title" value="<?php echo "$gotnews[title]"?>" class="text"><br><br>

        <div class="big">Article</div>
        <textarea cols="70" rows="10" name="article" class="text"><?php echo "$article"?></textarea>
        <input type="hidden" value="<?php echo "$newsid"?>" name="id">
        <input type="submit" value="Update Article" class="button">
        </form>
        </div>
    <?php
    break;

    case 'updatenews':
    // article id and new content come from the edit form
    $id = $_POST['id'];
    $title = $_POST['title'];
    $article = addslashes($_POST['article']);

    $sql = mysql_query("UPDATE `news` SET `title` = '$title', `article` = '$article' WHERE `id` = '$id'");
    ?>
        <div id="content"><div class="header">Update Article</div>
        Article updated!<br><a href="?page=viewnews">Go back?</a>
        </div>
    <?php
    break;

  • #4 Super Moderator Inigoesdr
    I don't see anything destroying the session (unless config.php is doing so) with a quick glance. Are you sure they get logged out, or do they just not have any links visible to return to the articles?

    You really need to be sanitizing your inputs by casting them to an int (for IDs) or using mysql_real_escape_string(). You are open to SQL injection with the code you have now.

  • #5 Master Coder
    Because you're including config.php, if that already has a session_start(),
    I don't think you need another one. At least removing it from your delete
    script would be something to try.


  • #6 Senior Coder (tangoforce)
    Quote Originally Posted by Chrustopher:
    (Cut out the code not related)
    And that's probably the very issue.

    Show all the code please, because the code you've shown us does not interact with your session at all. There must be something causing this, and if it's not in the code you've shown it must be somewhere else.

    Also show the config file code too.

  • #7 Master Coder
    If config.php contains any usernames or passwords ... XXXXX them out before posting.


  • #8 New Coder (Chrustopher)
    Config.php
    (Connects to database and collects session information)

    PHP Code:
    <?php
    session_start();

    $conn = mysql_connect("localhost", "XXXX", "XXXX");
    mysql_select_db("staffpanel") or die(mysql_error());

    // look the member up by the id and password hash held in the session
    $logged = mysql_query("SELECT * FROM `members` WHERE `id` = '$_SESSION[id]' AND `password` = '$_SESSION[password]'");
    $logged = mysql_fetch_array($logged);

    $host = $_SERVER['HTTP_HOST'];
    $self = $_SERVER['PHP_SELF'];
    ?>
    index.php
    (Controls basically everything using a switch function to change pages)
    PHP Code:
    <?php
    include "config.php";
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <title>XXXXXXX.NET Administration Panel</title>
    </head>
    <body>
    <center>
    <?php
    if ($logged['id']) {

        if ($logged['warnings'] != "0") {
    ?>
        <div id="content">
        Hello <?php echo $logged['username']; ?>! You currently have a total of <?php echo $logged['warnings']; ?> out of 3 warnings.
        </div><br>
    <?php
        }
        switch ($_GET['page']) {
            default:
    ?>
        <div id="content"><div class="header">Welcome to the Staff Panel</div>
        Hello <b><?php echo $logged['username']; ?></b> and welcome to the XXXXXXX.NET Staff Panel!<br><br>
        </div>
    <?php
            break;

            case 'viewnews':
            $sqln = "SELECT * FROM news";
            $resultn = mysql_query($sqln);
            $countn = mysql_num_rows($resultn);
            if ($logged['rank'] == 11 || $logged['rank'] == 15) {
    ?>
        <div id="content"><div class="header">View XXXXXXX Articles</div>
        <form name="form1" method="post" action="?page=deletenews">
        <input name="delete" id="delete" type="submit" class="button" value="Delete Selected">
        <table cellpadding="10" cellspacing="5" border="0">
        <tr>
        <th width="20" style="background-color:#EEE;padding:10px;">#</th>
        <th width="50" style="background-color:#EEE;padding:10px;">ID</th>
        <th width="430" style="background-color:#EEE;padding:10px;">Article Title</th>
        <th width="100" style="background-color:#EEE;padding:10px;">Author</th>
        <th width="50" style="background-color:#EEE;padding:10px;">Actions</th>
        </tr>
    <?php
                $gathernews = mysql_query("SELECT * FROM `news` WHERE `active` = '1' ORDER BY `id` DESC");
                while ($listnews = mysql_fetch_array($gathernews)) {
    ?>
        <tr>
        <td valign="top" style="background-color:#EEE;padding:10px;"><input name="checkbox[]" type="checkbox" id="checkbox[]" value="<?php echo $listnews['id']; ?>"></td>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['id']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['title']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;"><?php echo $listnews['author']; ?></td>
        <td valign="top" style="background-color:#EEE;padding:10px;">
        <a href="?page=editnews&id=<?php echo $listnews['id']; ?>">Edit</a>
        </td>
        </tr>
    <?php
                }
    ?>
        </table>
        <input name="delete" id="delete" type="submit" class="button" value="Delete Selected">
        </form>
        </div>
    <?php
            }
            break;

            case 'deletenews':
            $sqln = "SELECT * FROM news";
            $resultn = mysql_query($sqln);
            $countn = mysql_num_rows($resultn);
            // Check if delete button active, start this
            // $checkbox holds the ids ticked in the viewnews form; it is never
            // assigned here, so it only exists when register_globals is on
            for ($i = 0; $i < $countn; $i++) {
                $del_id = $checkbox[$i];
                $sql = "DELETE FROM news WHERE id='$del_id'";
                $result = mysql_query($sql);
            }

            // if successful redirect to delete_multiple.php
            if ($result) {
                echo "<meta http-equiv=\"refresh\" content=\"0;URL=index.php?page=viewnews\">";
            }
            break;

            case 'writenews':
            if ($logged['newsaccess'] == || $logged['rank'] == 15) {
    ?>
        <div id="content"><div class="header">Write new Article</div>
        <form action="process.php?p=addnews" method="post">
        <div class="big">Title:</div><input type="text" name="title" class="text"><br><br>
        <div class="big">Category:</div>
        <select name="category" class="style">
        <option value="Site">Site News</option>
        <option value="Real Life">Real Life</option>
        </select><br><br>

        <div class="big">Article:</div>
        <textarea cols="70" rows="10" name="article" style="text-align: left;" class="text"></textarea><br>
        <input type="submit" value="Post Article" class="button">
        </form>
        </div>
    <?php
            }
            break;

            case 'editnews':
            if ($logged['rank'] == 11 || $logged['rank'] == 15) {
                $newsid = $_GET['id'];
                $sql = mysql_query("SELECT * FROM `news` WHERE `id` = '$newsid'");
                $gotnews = mysql_fetch_array($sql);
                $article = stripslashes($gotnews['article']);
    ?>
        <div id="content"><div class="header">Update Article - <?php echo "$gotnews[title]"?></div>
        <form action="process.php?p=updatenews" method="post">
        <div class="big">Title</div><input type="text" name="title" value="<?php echo "$gotnews[title]"?>" class="text"><br><br>
        <div class="big">Category</div><select name="category" class="style">
        <option value="Site" <?php if ($gotnews['category'] == "Site") { echo "selected"; } ?>>Site News</option>
        <option value="Real Life" <?php if ($gotnews['category'] == "Real Life") { echo "selected"; } ?>>Real Life</option>
        </select><br><br>

        <div class="big">Article</div>
        <textarea cols="70" rows="10" name="article" class="text"><?php echo "$article"?></textarea>
        <input type="hidden" value="<?php echo "$newsid"?>" name="id">
        <input type="submit" value="Update Article" class="button">
        </form>
        </div>
    <?php
            }
            break;
        }
    } else if (isset($_GET['login'])) {
        // login form submitted
        $username = htmlspecialchars(addslashes($_POST['username']));
        $password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password']))))))));
        $uinfo = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
        $checkuser = mysql_num_rows($uinfo);
        if ($checkuser == '0') {
            echo "Username not found";
        } else {
            $udata = mysql_fetch_array($uinfo);
            if ($udata['userlevel'] == 1) {
                echo "This account has not been verified.";
            } else if ($udata['password'] == $password) {
                $query = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
                $user = mysql_fetch_array($query);
                // these two session values are what config.php checks on every page
                $_SESSION['id'] = "$user[id]";
                $_SESSION['password'] = "$user[password]";

                echo "<meta http-equiv='Refresh' content='2; URL=index.php'/>";
            } else {
                echo "Incorrect username or password!";
            }
        }
    } else {
    ?>
        <form action="index.php?login" method="post">
        <input type="text" id="username" name="username" size="30" maxlength="25" value=""><br>
        <input type="password" id="password" name="password" size="30" maxlength="25" value=""><br>
        <input type="submit" value="Click here to log in">
        </form>
    <?php
    }
    ?>
    </center>
    </body>
    </html>
    process.php
    (Most forms are submitted to this page)
    PHP Code:
    <?php
    session_start(); // allows session
    include "config.php";
    ?>
    <head>
    <title>XXXXXXX.NET Administration Panel</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    </head>
    <body><center>
    <?php
    if ($logged['id']) {
        switch ($_GET['p']) {

            case 'addnews':
            if ($logged['newsaccess'] == || $logged['rank'] == 15) {
                $title = $_POST['title'];
                $author = $logged['habbo'];
                $category = $_POST['category'];
                $article = addslashes($_POST['article']);
                $d = date('jS');
                $M = date('M');

                $addingnewssql = mysql_query("INSERT INTO `news` (title, author, category, article, d, M) VALUES ('$title', '$author', '$category', '$article', '$d', '$M')");
    ?>
        <div id="content"><div class="header">Article Posted</div>
    <?php
                echo "Article Posted!<br><a href='index.php'>Go Back?</a>";
    ?>
        </div>
    <?php
            }
            break;

            case 'updatenews':
            if ($logged['rank'] == 11 || $logged['rank'] == 15) {
                // article id and new content come from the edit form
                $id = $_POST['id'];
                $title = $_POST['title'];
                $category = $_POST['category'];
                $article = addslashes($_POST['article']);

                $sql = mysql_query("UPDATE `news` SET `title` = '$title', `category` = '$category', `article` = '$article' WHERE `id` = '$id'");
    ?>
        <div id="content"><div class="header">Update Article</div>
        Article updated!<br><a href="index.php?page=viewnews">Go back?</a>
        </div>
    <?php
            }
            break;
        }
    }
    ?>
    </center>
    </body>
    </html>
    For privacy reasons I've removed the website's name, staff members' names and the SQL details.

    That's the full script and yes I'm aware it's probably not very secure at all yet, but as only a few of us know where it is at the moment, security will be a last thing I focus on once everything is up and working.

    An update to the original thread:
    All updates and deletes are now causing log-out issues and send them back to the login page after running the SQL.

    The only working delete script is one I got off another website, which is a checkbox multiple-delete script:
    PHP Code:
    $sqln = "SELECT * FROM news";
    $resultn = mysql_query($sqln);

    $countn = mysql_num_rows($resultn);
    // Check if delete button active, start this
    for ($i = 0; $i < $countn; $i++) {
        $del_id = $checkbox[$i];
        $sql = "DELETE FROM news WHERE id='$del_id'";
        $result = mysql_query($sql);
    }

    // if successful redirect to delete_multiple.php
    if ($result) {
        echo "<meta http-equiv=\"refresh\" content=\"0;URL=index.php?page=viewnews\">";
    }


  • #9 Senior Coder (tangoforce)
    Quote Originally Posted by Chrustopher:
    Config.php
    (Connects to database and collects session information)

    PHP Code:
    <?php
    session_start();

    $conn = mysql_connect("localhost", "XXXX", "XXXX");
    mysql_select_db("staffpanel") or die(mysql_error());

    // look the member up by the id and password hash held in the session
    $logged = mysql_query("SELECT * FROM `members` WHERE `id` = '$_SESSION[id]' AND `password` = '$_SESSION[password]'");
    $logged = mysql_fetch_array($logged);

    $host = $_SERVER['HTTP_HOST'];
    $self = $_SERVER['PHP_SELF'];
    ?>
    You see, this is why I said you should include all this extra stuff. Your $logged variable is being pulled from the DB, and it's that variable you're checking against to determine if the user is logged in or not.

    Clearly something is amiss with the $logged variable when deleting or updating. You need to start debugging: printing variable values in pieces of code that are suspect so that you can see what's going on. Start by printing the SQL in config.php to the screen so that you can see if the $_SESSION[id] is valid in it.
    Last edited by tangoforce; 09-10-2011 at 01:14 PM.
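Putting the advice from #4 (cast IDs to int or escape them) and #9 (the login check rests on whatever ends up in $_SESSION['id']) into working code, this added example (not code from the thread) rewrites the config.php session check and the delete handler with PDO prepared statements. It assumes PHP 7.1+, the PDO MySQL driver, a session key named member_id and the thread's table and column names; the comment on the article id reflects an inference, labelled as such, that the panel runs with register_globals on, since the #8 delete script reads $checkbox without going through $_POST.

```php
<?php
// Added example (not from the thread): hardened rewrite of the config.php session
// check and the process.php delete handler. Assumes PHP 7.1+ and PDO MySQL.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=staffpanel;charset=utf8mb4', 'XXXX', 'XXXX', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Look the member up by the id kept in the session (key name assumed).
// The password hash is deliberately not stored in the session, so a leaked
// session file cannot be replayed against the members table.
function currentMember(PDO $pdo): ?array
{
    if (!isset($_SESSION['member_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, rank FROM members WHERE id = ?');
    $stmt->execute([(int) $_SESSION['member_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Delete one article. The id is an int by the time it gets here and is bound
// as a parameter, never interpolated into the SQL string. Using $articleId
// rather than a global $id also means the request value can never alias
// $_SESSION['id'] (which it does when register_globals is on; an inference
// from the thread, not something it states).
function deleteArticle(PDO $pdo, array $member, int $articleId): bool
{
    if (!in_array((int) $member['rank'], [11, 15], true)) {
        return false; // same rank check the panel applies to editing
    }
    $stmt = $pdo->prepare('DELETE FROM news WHERE id = ?');
    $stmt->execute([$articleId]);
    return $stmt->rowCount() === 1;
}

$member = currentMember($pdo);
if ($member === null) {
    header('Location: index.php');
    exit;
}
// A delete changes state, so require POST; a plain ?p=delete&id= link can be
// triggered from any page the staff member happens to visit while logged in.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['p'] ?? '') === 'delete') {
    $articleId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($articleId === null || $articleId === false) {
        http_response_code(400);
        exit('Invalid article id');
    }
    echo deleteArticle($pdo, $member, $articleId) ? 'Article Deleted' : 'Not permitted';
}
```

With the session check reduced to a single integer id, the debugging step suggested in #9 becomes a one-line var_dump of $_SESSION['member_id'] on the page that misbehaves.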