I have searched the forum and Google but there was nothing that would give me a clue what's wrong with my code. I'm just starting PHP and I'm trying a few things. :)

I have a page with login. Logging in works wonderfully, storing sessions with username does too. However, each user also has a user group assigned (stored in database), so I can control what the users can access.

I'm getting the group value from the DB and into the session name. When I (admin) log in, the session is set correctly to 'admin' right after. However, on the next page and upon refresh, the session changed to 'user'. Any ideas what is causing this?

index.php

<?php include("includes/header.php"); ?>
<form name="login" method="post" action="login.php">
<table width="35%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td width="300" align="right">Username:</td>
<td width="200"><input name="username" type="text" id="username" size="20"></td>
</tr>
<tr><td align="right">Password:</td>
<td width="294"><input name="password" type="password" id="password" size="20"></td>
</tr>
</table>
<br />
<input type="submit" name="Submit" value="Login"> <input type="reset" name="reset" value="REset">
</form>
<?php include("includes/footer.php"); ?>

login.php

<?php 
include ("includes/config.php") ; //file with database info, password, etc.

$tbl_name = 'user';

/* data from login form */
$myusername = $_POST['username'];
$mypassword = $_POST['password'];

/* pass is encrypted */
$encrypted_mypassword = md5($mypassword);

/* for mysql injection */
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

/* mysql query */
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

$row = mysql_fetch_array($result);
$mygroup = $row['group'];

/* If ok, set sessions */
if ($count == 1){
session_start();
$_SESSION['username'] = $myusername;
$_SESSION['group'] = $mygroup;
//echo $_SESSION['group'];  -> gives me the right group
header("Location: start.php");
exit; // stop the script once the redirect header is sent
}

else {
echo "Wrong Username or Password";
}?>

start.php

<?php 
session_start(); // start session

if(isset($_SESSION['username']) && isset($_SESSION['group'])) {
  $loggedin = "Already logged in as <b>".$_SESSION['username'] . "</b> (" . $_SESSION['group'] . "). <a href='logout.php'>Logout.</a>";
}

else {
  header( "Location: index.php" );
  exit; // without this, the rest of the page still runs for a visitor who is not logged in
}

/* if user belongs to 'user group', has restricted access */
if ($_SESSION['group'] = "user") {
  $menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li></ul>";
}

/* if they are admin, they have all access */
else {
  $menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li><li><a href='restricted1.php'>Restricted 1</a></li><li><a href='restricted2.php'>Restricted 2</a></li></ul>";
}

include("includes/header.php"); // header, HTML + $loggedin announcement
?>

<h2>Startpage</h2>

<?php echo $_SESSION['group']; // if logging in as admin, it gives me 'user' ?>

<?php include("includes/footer.php"); ?>

Any help greatly appreciated!

All 3 Replies

Hi,
did you check the group you have defined in your database?

Yeah, the groups are all as they should be.

Yeah, so I got to the problem. :D Shoot me now. It was this line:

if ($_SESSION['group'] = "user")

correct one is:

if ($_SESSION['group'] == "user")
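
The bug and its fix as an added PHP example (not code from the thread's posters): the `=` form overwrites the stored group, and once it is corrected to `==` the else branch in start.php still gives the full menu to any group that is not "user", so this version looks the group up in a strict allow-list and returns nothing for unknown values. The session arrays and function names are constructed for illustration.

```php
<?php
// Added example: session values are constructed; function names are hypothetical.

// The thread's bug: "=" assigns "user" into the session, and the assigned
// non-empty string is truthy, so every account takes the restricted branch.
function group_after_buggy_check(array $session): string {
    if ($session['group'] = "user") {
        // branch taken for every caller
    }
    return $session['group'];
}

// Allow-list of pages per group, taken from the menus in start.php.
const PAGES = [
    'user'  => ['start.php', 'menu1.php', 'menu2.php'],
    'admin' => ['start.php', 'menu1.php', 'menu2.php',
                'restricted1.php', 'restricted2.php'],
];

// Strict lookup: a missing, non-string or unknown group gets no pages,
// instead of falling through to an else branch that grants everything.
function pages_for_group(array $session): array {
    $group = $session['group'] ?? null;
    if (!is_string($group) || !array_key_exists($group, PAGES)) {
        return [];
    }
    return PAGES[$group];
}

// Per-page check for restricted1.php and similar pages: hiding a menu
// link does not stop a direct request to the page itself.
function may_access(array $session, string $page): bool {
    return in_array($page, pages_for_group($session), true);
}

$admin   = ['username' => 'alice', 'group' => 'admin'];  // constructed
$unknown = ['username' => 'bob',   'group' => ''];       // constructed

var_dump(group_after_buggy_check($admin));
var_dump(may_access($admin, 'restricted1.php'));
var_dump(may_access($unknown, 'restricted1.php'));
```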