
Setting Sessions from _POST

 
0
 

Ok, I may be missing something very easy but when I submit and query the database the session doesn't set for some reason and I'm sent back to admin.php per instruction of my index.php file. Could someone please give this a look over, maybe it's a very simple fix, but I've been stuck for a while now.

When I enter my username and password, I do not receive an error, however I am sent back to the admin_login.php file. I am aware $_SESSION['manager'] isn't being set but I can't figure out why.

Please help. Thank you.

#1 admin_login.php

<?php
// If session is already set, go to index.php. No need to login.
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php"); 
    exit();
}
?>
<?php 
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);
    // Connect to the MySQL database  
    include "../storescripts/connect_to_mysql.php"; 
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums

    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="admin_login.php">Click Here</a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin Log In </title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Please Log In To Manage the Store</h2>


      <form id="form1" name="form1" method="post" action="admin_login.php">
        User Name:<br />
          <input name="username" type="text" id="username" size="40" />
        <br /><br />
        Password:<br />
       <input name="password" type="password" id="password" size="40" />
       <br />
       <br />
       <br />

         <input type="submit" name="button" id="button" value="Log In" />

      </form>
      <p>
        <br>

       </p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>

#2 index.php

<?php 
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php"); 
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database  
include "../storescripts/connect_to_mysql.php"; 
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
     echo "Your login session data is not on record in the database.";
     exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Hello store manager, what would you like to do today?</h2>
      <p><a href="inventory_list.php">Manage Inventory</a><br />
      <a href="#">Manage Blah Blah </a></p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>
LastMitch
Deleted Member
 
4
 

@cheelo007

When I enter my username and password, I do not receive an error, however I am sent back to the admin_login.php file. I am aware $_SESSION['manager'] isn't being set but I can't figure out why.

Did you get this code from here:

http://www.developphp.com/list_php_video.php

The reason I noticed the similarity is that I had to help another Daniweb member who has some code from that website.

You know you can watch this person's video at his website!

 
0
 

Yes, that's where I got the code from, I followed the instructions on youtube, but I am stuck.

LastMitch
Deleted Member
 
4
 

@cheelo007

Yes, that's where I got the code from, I followed the instructions on youtube, but I am stuck.

You really have to watch the video. I can tell you, no, I didn't watch this person's video. But so far you are the second person who actually went there, so my suggestion is to watch the video.

 
0
 

$_SESSION['manager'] to $_SESSION["manager"];

use double quotes instead of single quotes ;)
-Alex.

 
0
 

I'm going to say, on your first index file, it's your db connection. I tested your code and everything worked fine.

// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);

    define('DBHOST','localhost');
    define('DBUSER','root');
    define('DBPASS','');
    define('DBNAME', 'test_db');

    $con = mysql_connect(DBHOST,DBUSER, DBPASS);
    if(!$con){die(mysql_error());}
    $sel = mysql_select_db(DBNAME, $con);
    if(!$sel){die(mysql_error());}

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums


    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}

As you can see, it's the same code except for the db connection. When I var_dump($_SESSION); I get id, manager, and password set. Note: I wouldn't set password in session. That is a security issue.

 
0
 

Tested the second index file and it's all working. The only change I made was the db connection. Try the method I used in my first post and see if that works for you.

 
0
 

Just thinking outside the box here, could always be a misconfigured session setting in php.ini or cookies disabled.

 
0
 

Correct on the security issue. Rather get password from your recordset...

$sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
 
0
 

@cigoL
changed double quotes to single quotes in the SESSION variable on both index.php and admin_login.php = No luck, thank you for the catch though.

@gabrielcastillo
I tried bypassing the connect_to_mysql.php file by connecting to the database directly from my admin_login.php file like you told me to. That gave me the same situation, no errors but I'm rerouted back to the admin_login.php as the $_SESSION['manager'] variable is not set.

I included a var_dump in both my index.php file (which I never was directed to) and also my admin_login.php file (which shows null on all criteria) which makes total sense because if nothing was ever set, that's clearly the reason why I'm back on admin_login.php.

However, when I input an incorrect password and var_dump($id, $manager, $password) on my error page, I notice that ID does not show but Manager and Password do. I'm not sure if this is where my issue is (I feel it may be), but I am curious as to why this variable doesn't show.

@GliderPilot
Do you have any suggestions for my php.ini file? I should say, I am not working locally. I upload all files to my server and am making dynamic changes to the test site. I believe I only have that file because I installed XAMPP to do local php developing, but again, as a noob, I don't really know if that is true. Thanks.

@AndreRet
When I change from

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");

to this...

        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters

        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)."' LIMIT 1");

How does that minimize the security risk? It seems that I have a variable that is stored as md5 in my database but is being passed in its unconverted form. I say this because I var_dump($password) on my error page and as expected I see the original password when I purposefully input the wrong password.

Thank you all for your help, I went to sleep and woke up to so much help, it's not working for me just yet but I do appreciate your expertise.

 
0
 

@AndreRet

*clarifying my sentence
How does that minimize the security risk? It seems that I have a variable that is stored as md5 in my database but is being passed in its unconverted form. I say this because I var_dump($password) on my error page and as expected I see the incorrect password not in md5 format when I purposefully input the wrong password.

 
0
 

cigL..:)
I meant I change from single to double.

 
0
 

Current code

admin_login.php

<?php 
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php"); 
    exit();
}
?>
<?php 
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST['username']) && isset($_POST['password'])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['username']); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST['password']); // filter everything but numbers and letters

    define('DBHOST','');
    define('DBUSER','');
    define('DBPASS','');
    define('DBNAME', '');
    $con = mysql_connect(DBHOST,DBUSER, DBPASS);
    if(!$con){die(mysql_error());}
    $sel = mysql_select_db(DBNAME, $con);
    if(!$sel){die(mysql_error());}

    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums

    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row['id'];
         }
         $_SESSION['id'] = $id;
         $_SESSION['manager'] = $manager;
         $_SESSION['password'] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="admin_login.php">Click Here</a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin Log In </title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Please Log In To Manage the Store</h2>


      <form id="form1" name="form1" method="post" action="admin_login.php">
        User Name:<br />
          <input name="username" type="text" id="username" size="40" />
        <br /><br />
        Password:<br />
       <input name="password" type="password" id="password" size="40" />
       <br />
       <br />
       <br />

         <input type="submit" name="button" id="button" value="Log In" />

      </form>
      <p>
        <br>

       </p>
    </div>
    <br />
  <br />
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>

index.php

<?php 
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php"); 
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters


// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database  
include "../storescripts/connect_to_mysql.php"; 
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='".md5($password)."' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
     echo "Your login session data is not on record in the database.";
     exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>

<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br />
    <div align="left" style="margin-left:24px;">
      <h2>Hello store manager, what would you like to do today?</h2>
      <p><a href="inventory_list.php">Manage Inventory</a><br />
      <a href="#">Manage Blah Blah </a></p>
    </div>
    <br />
  <br />
  <?php var_dump($_SESSION); ?>
  <br />
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>
 
0
 

Ok,

The script works when I run it locally via XAMPP. But when I upload to my server I get the problem listed above (everything authenticates fine without errors but the session doesn't set and I'm sent back to admin_login.php)

Anyone have any idea why this script would work locally and not remotely?

 
0
 

Problem solved, the session path had to be updated by the people who host my site. FINALLY!!!! NO MORE HEADACHE. I just contacted customer service.

Thank you very much for all of your help! I hope to return the favor one day. Maybe this post will help someone.
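
A way to confirm this kind of fault (login succeeds, but the session is empty on the next request) before contacting the host. This is an added example, not code from the thread; it assumes PHP 7.2 or later and the default "files" session handler, and the file name in the comment is hypothetical.

```php
<?php
// Added diagnostic, not code from the thread. Upload as e.g. session_check.php
// (hypothetical name), load it twice in the same browser, then delete it.
error_reporting(E_ALL);
ini_set('display_errors', '1');   // surface session_start() warnings on this page only

function session_storage_report(): array
{
    $raw = (string) ini_get('session.save_path');
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', $raw);
    $dir   = (string) end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir();   // the files handler falls back to the temp dir
    }
    return [
        'save_handler' => ini_get('session.save_handler'),
        'save_path'    => $raw,
        // The directory checks are only meaningful for the "files" handler.
        'dir_exists'   => is_dir($dir),
        'dir_writable' => is_writable($dir),
        'use_cookies'  => filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN),
    ];
}

session_start();
// A working store makes this counter grow on every reload; a broken one resets it.
$_SESSION['probe'] = ($_SESSION['probe'] ?? 0) + 1;

$report = session_storage_report();
$report['cookie_received'] = isset($_COOKIE[session_name()]);
$report['probe']           = $_SESSION['probe'];
$report['write_ok']        = session_write_close();

if (!headers_sent()) {
    header('Content-Type: text/plain');
}
print_r($report);
```

If the cookie is received on the second load but the counter does not grow, the server is not persisting session data, which matches the save-path fix described above.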

Question Answered as of 1 Year Ago by LastMitch, gabrielcastillo, GliderPilot and 2 others
LastMitch
Deleted Member
 
4
 

@cheelo007

Anyone have any idea why this script would work locally and not remotely?

It should work locally and on the host. The script is not much different from other scripts. It's how you set up your connection correctly.

define('DBHOST','');
define('DBUSER','');
define('DBPASS','');
define('DBNAME', '');

Your connection should be like this:

$db_host = "localhost.daniweb.net"; 

$db_username = "db_username_here";  

$db_pass = "db_password_here";  

$db_name = "name_of_database_here"; 
 
0
 

In other words, a bad setting in php.ini. Not too often I think outside the box and I'm correct lol, glad it's working now.

 
0
 

Could someone clarify how the security is compromised by my current setup please?

 
1
 

The security is not good when you store the password in your session. Session Hijacking can obtain your username and password.

You don't need to send admin_login.php post data to admin_login.php, you need to pass form post data to admin/index.php, then set your session data for session_id and session_manager

Basically you are setting session data before you get to admin area, when it is not needed.
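
The point raised in this thread about not keeping the password in the session, shown as an added example that is not code from the thread: the login check uses a bound parameter and password_verify() in place of the md5() string match, and the session stores only the account id and name. It assumes PHP 7.1 or later with pdo_sqlite; the function names, the in-memory database and the sample account are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The `admin` table follows the thread;
// the in-memory SQLite database and the sample account are constructed.
declare(strict_types=1);

function find_admin(PDO $db, string $username, string $password): ?array
{
    // The username is bound as a parameter instead of being interpolated into the SQL.
    $stmt = $db->prepare('SELECT id, username, password FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted password_hash() value; it replaces the md5() match.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'manager' => $row['username']];
}

function start_admin_session(array $admin): void
{
    session_regenerate_id(true);   // issue a fresh session id at login
    $_SESSION['id']      = $admin['id'];
    $_SESSION['manager'] = $admin['manager'];
    // No $_SESSION['password']: the credential is checked once and not kept.
}

function session_admin_is_valid(PDO $db): bool
{
    // index.php-style check: the session only names the account, the row must still exist.
    if (!isset($_SESSION['id'], $_SESSION['manager'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT 1 FROM admin WHERE id = ? AND username = ?');
    $stmt->execute([$_SESSION['id'], $_SESSION['manager']]);
    return $stmt->fetchColumn() !== false;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)')
   ->execute(['manager1', password_hash('Example-Passw0rd', PASSWORD_DEFAULT)]);

session_start();
$wrong = find_admin($db, 'manager1', 'not-the-password');   // wrong password attempt
$admin = find_admin($db, 'manager1', 'Example-Passw0rd');
if ($admin !== null) {
    start_admin_session($admin);
}
var_dump($wrong, session_admin_is_valid($db), array_keys($_SESSION));
```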

 
0
 

Thank you very much. I'm learning little tips here and there.
