
I have searched the forum and Google but there was nothing that would give me a clue what's wrong with my code. I'm just starting PHP and I'm trying a few things. :)

I have a page with login. Logging in works wonderfully, storing sessions with username does too. However, each user also has a user group assigned (stored in database), so I can control what the users can access.

I'm getting the group value from the DB and into the session name. When I (admin) log in, the session is set correctly to 'admin' right after. However, on the next page and upon refresh, the session changed to 'user'. Any ideas what is causing this?

index.php

<?php include("includes/header.php"); ?>
<form name="login" method="post" action="login.php">
<table width="35%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td width="300" align="right">Username:</td>
<td width="200"><input name="username" type="text" id="username" size="20"></td>
</tr>
<tr><td align="right">Password:</td>
<td width="294"><input name="password" type="password" id="password" size="20"></td>
</tr>
</table>
<br />
<input type="submit" name="Submit" value="Login"> <input type="reset" name="reset" value="REset">
</form>
<?php include("includes/footer.php"); ?>

login.php

<?php 
include ("includes/config.php") ; //file with database info, password, etc.

$tbl_name = 'user';

/* data from login form */
$myusername = $_POST['username'];
$mypassword = $_POST['password'];

/* pass is encrypted */
$encrypted_mypassword = md5($mypassword);

/* for mysql injection */
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

/* mysql query */
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

$row = mysql_fetch_array($result);
$mygroup = $row['group'];

/* If ok, set sessions */
if ($count == 1){
session_start();
$_SESSION['username'] = $myusername;
$_SESSION['group'] = $mygroup;
//echo $_SESSION['group'];  -> gives me the right group
header("Location: start.php");
exit; // stop executing this script once the redirect header is sent
}

else {
echo "Wrong Username or Password";
}?>

start.php

<?php 
session_start(); // start session

if(isset($_SESSION['username']) && isset($_SESSION['group'])) {
  $loggedin = "Already logged in as <b>".$_SESSION['username'] . "</b> (" . $_SESSION['group'] . "). <a href='logout.php'>Logout.</a>";
}

else {
  header( "Location: index.php" );
  exit; // without this, the rest of the page still runs for a visitor who is not logged in
}

/* if user belongs to 'user group', has restricted access */
if ($_SESSION['group'] = "user") {
  $menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li></ul>";
}

/* if they are admin, they have all access */
else {
  $menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li><li><a href='restricted1.php'>Restricted 1</a></li><li><a href='restricted2.php'>Restricted 2</a></li></ul>";
}

include("includes/header.php"); // header, HTML + $loggedin announcement
?>

<h2>Startpage</h2>

<?php echo $_SESSION['group']; ?> //if logging as admin, it gives me 'user'

<?php include("includes/footer.php"); ?>

Any help greatly appreciated!

Last Post by ninja_girl

Yeah, so I got to the problem. :D Shoot me now. It was this line:

if ($_SESSION['group'] = "user")

correct one is:

if ($_SESSION['group'] == "user")
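
The bug identified above, shown as an added example that is not part of the original thread: the `=` form both takes the "user" branch every time and overwrites the stored group, which is why the echoed value changed to 'user'. The function names are hypothetical, plain arrays stand in for `$_SESSION` so it runs from the CLI, and the corrected version goes beyond the one-character fix by testing for 'admin' with `===` so that any unknown group gets the restricted menu.

```php
<?php
// Added example. Constructed arrays stand in for $_SESSION; function names are hypothetical.

// Buggy form from start.php: "=" assigns, and the non-empty string "user" is truthy,
// so the branch is always taken and the stored group is overwritten.
function menu_buggy(array &$session): string
{
    if ($session['group'] = "user") {
        return "restricted menu";
    }
    return "full menu";
}

// Corrected form: strict comparison, no write to the session,
// and anything that is not exactly 'admin' gets the restricted menu.
function menu_fixed(array $session): string
{
    $group = $session['group'] ?? '';
    if ($group === "admin") {
        return "full menu";
    }
    return "restricted menu";
}

// Assumed guard for pages such as restricted1.php: hiding the menu links
// does not stop a direct request, so each restricted page repeats the check.
function may_view_restricted(array $session): bool
{
    return isset($session['username'])
        && ($session['group'] ?? '') === "admin";
}

$admin = ['username' => 'alice', 'group' => 'admin']; // constructed sample
$user  = ['username' => 'bob',   'group' => 'user'];  // constructed sample

$copy = $admin;
echo "buggy: ", menu_buggy($copy), ", group is now '", $copy['group'], "'", PHP_EOL;
echo "fixed: ", menu_fixed($admin), ", group is still '", $admin['group'], "'", PHP_EOL;
echo "admin may view restricted: ", var_export(may_view_restricted($admin), true), PHP_EOL;
echo "user may view restricted: ", var_export(may_view_restricted($user), true), PHP_EOL;
```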