We're a community of 1077K IT Pros here for help, advice, solutions, professional growth and fun. Join us!
1,076,248 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Start New Discussion Reply to this Discussion
Ad: Growth Stock Pick (CTLE)
5 Months Ago
0

Setting Sessions from _POST

Ok, I may be missing something very easy but when I submit and query the database the session doesn't set for some reason and I'm sent back to admin.php per instruction of my index.php file. Could someone please give this a look over, maybe it's a very simple fix, but I've been stuck for a while now.

When I enter my username and password, I do not receive an error, however I am sent back to the admin_login.php file. I am aware $_SESSION['manager'] isn't being set but I can't figure out why.

Please help. Thank you.

1 admin_login.php

<?php
// If session is already set, go to index.php. No need to login.
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php"); 
    exit();
}
?>
<?php 
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);
    // Connect to the MySQL database  
    include "../storescripts/connect_to_mysql.php"; 
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums

    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="admin_login.php">Click Here</a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin Log In </title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Please Log In To Manage the Store</h2>


      <form id="form1" name="form1" method="post" action="admin_login.php">
        User Name:<br />
          <input name="username" type="text" id="username" size="40" />
        <br /><br />
        Password:<br />
       <input name="password" type="password" id="password" size="40" />
       <br />
       <br />
       <br />

         <input type="submit" name="button" id="button" value="Log In" />

      </form>
      <p>
        <br>

       </p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>

#2 index.php

<?php 
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php"); 
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers and letters
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database  
include "../storescripts/connect_to_mysql.php"; 
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
     echo "Your login session data is not on record in the database.";
     exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Hello store manager, what would you like to do today?</h2>
      <p><a href="inventory_list.php">Manage Inventory</a><br />
      <a href="#">Manage Blah Blah </a></p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>
7
Contributors
19
Replies
1 Day
Discussion Span
5 Months Ago
Last Updated
20
Views
Question
Answered
cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
4

@cheelo007

When I enter my username and password, I do not receive an error, however I am sent back to the admin_login.php file. I am aware $_SESSION['manager'] isn't being set but I can't figure out why.

Did you got this code from here:

http://www.developphp.com/list_php_video.php

The reason why I notice the similarity because I had to help another Daniweb member that has a few codes from that website.

You know you can watch this person video at his website!

LastMitch
Industrious Poster
4,181 posts since Mar 2012
Reputation Points: 132
Solved Threads: 335
Skill Endorsements: 45
5 Months Ago
0

Yes, that's where I got the code from, I followed the instructions on youtube, but I am stuck.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
4

@cheelo007

Yes, that's where I got the code from, I followed the instructions on youtube, but I am stuck.

You really have watch the video. I can tell no I didn't watch this person video. But so far you are the second person who actually went there so my suggestion is watch video.

LastMitch
Industrious Poster
4,181 posts since Mar 2012
Reputation Points: 132
Solved Threads: 335
Skill Endorsements: 45
5 Months Ago
0

$_SESSION['manager'] to $_SESSION["manager"];

use double quotes instead of single quotes ;)
-Alex.

cigoL..:)
Light Poster
44 posts since Jul 2011
Reputation Points: 9
Solved Threads: 9
Skill Endorsements: 2
5 Months Ago
0

Im going to say on your first index file, its your db connection. I tested your code and everything worked fine.

// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);

    define('DBHOST','localhost');
    define('DBUSER','root');
    define('DBPASS','');
    define('DBNAME', 'test_db');

    $con = mysql_connect(DBHOST,DBUSER, DBPASS);
    if(!$con){die(mysql_error());}
    $sel = mysql_select_db(DBNAME, $con);
    if(!$sel){die(mysql_error());}

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums


    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}

As you can see its the same code except for the db connection. When I var_dump($_SESSION); I get id, manager, and password set. Note: I wouldn't set password in session. That is a security issue.

gabrielcastillo
Junior Poster in Training
54 posts since Apr 2012
Reputation Points: 0
Solved Threads: 5
Skill Endorsements: 0
5 Months Ago
0

Tested the second index file and it's all working. The only change I made was the db connection. Try the method I used in my first post and see if that works for you.

gabrielcastillo
Junior Poster in Training
54 posts since Apr 2012
Reputation Points: 0
Solved Threads: 5
Skill Endorsements: 0
5 Months Ago
0

Just thinking outside the box here, could always be a misconfigured session setting in php.ini or cookies disabled.

GliderPilot
Posting Whiz in Training
239 posts since Sep 2006
Reputation Points: 34
Solved Threads: 42
Skill Endorsements: 12
5 Months Ago
0

Correct on the security issue. Rather get password from your recordset...

$sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
AndreRet
Industrious Poster
4,706 posts since Jan 2008
Reputation Points: 391
Solved Threads: 481
Skill Endorsements: 20
5 Months Ago
0

@cigoL
changed double quotes to single quotes in the SESSION variable on both index.php and admin_login.php = No luck, thank you for the catch though.

@gabrielcastillo
I tried bypassing the connect_to_mysql.php file by connecting to the database directly from my admin_login.php file like you told me to. That gave me the same situation, no errors but I'm rerouted back to the admin_login.php as the $_SESSION['manager'] variable is not set.

I included a var_dump in both my index.php file (which I never was directed to) and also my admin_login.php file (which shows null on all criteria) which makes total sense because if nothing was ever set, that's clearly the reason why I'm back on admin_login.php.

However, when I input an incorrect password and var_dump($id, $manager, $password) on my error page, I notice that ID does not show but Manager and Password do. I'm not sure if this is where my issue is (I feel it may be), but I am curious as to why this variable doesn't show.

@GliderPilot
Do you have any suggestions for my php.ini file? I should say, I am not working locally. I upload all files to my server and am making dynamic changes to the test site. I believe I only have that file because I installed XAMPP to do local php developing, but again, as a noob, I don't really know if that is true. Thanks.

@AndreRet
When I change from

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");

to this...

        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters

        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)"' LIMIT 1");

How does that minimize the security risk? It seems that I have a variable that is stored as md5 in my database but is being passed in its unconverted form. I say this because I var_dump($password) on my error page and as expected I see the original password when I puposefully input the wrong password.

Thank you all for your help, I went to sleep and woke up to so much help, it's not working for me just yet but I do appreciate your expertise.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
0

@AndreRet

*clarifying my sentence
How does that minimize the security risk? It seems that I have a variable that is stored as md5 in my database but is being passed in its unconverted form. I say this because I var_dump($password) on my error page and as expected I see the incorrect password not in md5 format when I puposefully input the wrong password.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
0

cigL..:)
I meant I change from single to double.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
0

Current code

admin_login.php

<?php 
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php"); 
    exit();
}
?>
<?php 
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters

    define('DBHOST','');
    define('DBUSER','');
    define('DBPASS','');
    define('DBNAME', '');
    $con = mysql_connect(DBHOST,DBUSER, DBPASS);
    if(!$con){die(mysql_error());}
    $sel = mysql_select_db(DBNAME, $con);
    if(!$sel){die(mysql_error());}

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums

    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="admin_login.php">Click Here</a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin Log In </title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Please Log In To Manage the Store</h2>


      <form id="form1" name="form1" method="post" action="admin_login.php">
        User Name:<br />
          <input name="username" type="text" id="username" size="40" />
        <br /><br />
        Password:<br />
       <input name="password" type="password" id="password" size="40" />
       <br />
       <br />
       <br />

         <input type="submit" name="button" id="button" value="Log In" />

      </form>
      <p>
        <br>

       </p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>

index.php

<?php 
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php"); 
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers and letters
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters


// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database  
include "../storescripts/connect_to_mysql.php"; 
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
     echo "Your login session data is not on record in the database.";
     exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Hello store manager, what would you like to do today?</h2>
      <p><a href="inventory_list.php">Manage Inventory</a><br />
      <a href="#">Manage Blah Blah </a></p>
    </div>
    <br />
  <br />
  <?var_dump($SESSION);?>
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>
cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
0

Ok,

The script works when I run it locally via XAMPP. But when I upload to my server I get the problem listed above (everything authenticates fine without errors but the session doesn't set and I'm sent back to admin_login.php)

Anyone have any idea why this script would work locally and not remotely?

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
0

Problem solved, the session path had to be updated by the people who host my site. FINALLY!!!! NO MORE HEADACHE. I just contacted customer service.

Thank you very much for all of your help! I hope to return the favor one day. Maybe this post will help someone.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
Question Answered as of 5 Months Ago by LastMitch, gabrielcastillo, GliderPilot and 2 others
5 Months Ago
4

@cheelo007

Anyone have any idea why this script would work locally and not remotely?

It should work on locally and on Host. The script is not much difference than other scripts. It's how you setup your connection correctly.

define('DBHOST','');
define('DBUSER','');
define('DBPASS','');
define('DBNAME', '');

Your connection show be like this:

$db_host = "localhost.daniweb.net"; 

$db_username = "db_username_here";  

$db_pass = "db_password_here";  

$db_name = "name_of_database_here";
LastMitch
Industrious Poster
4,181 posts since Mar 2012
Reputation Points: 132
Solved Threads: 335
Skill Endorsements: 45
5 Months Ago
0

In other words bad setting in php.ini not too often I think outside the box and I'm correct lol, glad it's working now

GliderPilot
Posting Whiz in Training
239 posts since Sep 2006
Reputation Points: 34
Solved Threads: 42
Skill Endorsements: 12
5 Months Ago
0

Could someone clarify how the security is compromised by my current setup please?

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
5 Months Ago
1

The security is not good when you store the password in your session. Session Hijacking can obtain your username and password.

You dont need to send admin_login.php post data to admin_login.php, you need to pass form post data to admin/index.php, then set you session data for session_id and session_manager

Basicly you are setting session data before you get to admin area, when it is not needed.

gabrielcastillo
Junior Poster in Training
54 posts since Apr 2012
Reputation Points: 0
Solved Threads: 5
Skill Endorsements: 0
5 Months Ago
0

Thank you very much. I learning little tips here and there.

cheelo007
Light Poster
31 posts since Feb 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0

This question has already been solved: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
Web Development > PHP
View similar articles that have also been tagged:
 
© 2013 DaniWeb® LLC
Page rendered in 0.3698 seconds using 2.84MB