Hi there,
I have been trying to fix the problem in the code below for a long time. It did work for me at some point, then it suddenly stopped storing the user's details in a session.

        $user  = $_POST['username'];
        $pass  = $_POST['password'];
        $query = "SELECT username, password FROM
                  USERS WHERE username = '$user' 
                  AND password='$pass' ";


        $result = mysql_query($query) or mysql_error();

        $row = mysql_fetch_assoc($result);



        if(  $row['username'] == $user ){

            $_SESSION['username'] = $row['username'];
            $_SESSION['password'] = $row['password'];
            header('Location:settings.php');
        }




And this is the form where the above-mentioned script gets the values from:




        echo "<form action='log_in.php' method='post'>";
        // Each input tag needs its own closing '>' or the fields run together.
        echo "<input type='text'     name='username' placeholder='username'>";
        echo "<input type='password' name='password' placeholder='password'>";
        echo "<input type='submit' value='Log in'>";
        echo "</form>";

Are you calling session_start anywhere?

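I had a similar problem, but it was due to something like not adding isset:

        // Fall back to an empty string when the field was not submitted.
        $user = isset($_POST['username']) ? $_POST['username'] : '';
        $pass = isset($_POST['password']) ? $_POST['password'] : '';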

Have you tried turning on all errors to see what may be causing the problem?

        error_reporting(E_ALL);

Yes. I'm calling session_start() in other pages.

session_start() must be called at the start of every page or you will lose the session variables when that page loads.

It is all fixed now. Cheers guys!

Please mark as solved, it still shows as an open thread in the forum, thanks.

Although the thread is closed, I should add that you are vulnerable to what is called SQL Injection.
This is where people enter malicious code into your form, and because SQL executes it as part of the query, it can do a lot of damage.

The best way as of the present is to use the new MySQL(improved) extension or to just simply add mysql_real_escape_string before you POST.

Instead of $user = $_POST['username']; you should use $user = mysql_real_escape_string($_POST['username']); at a minimum to escape any dangerous characters.

SQL injection is indeed a problem. However, as opposed to using mysql_* functions, you should give serious thought to moving across to mysqli_* or PDO. mysql_* has an uncertain future. The benefit of PDO, for example, is that you can apply parameterized queries:

        $st = $db->prepare("SELECT field3, field4 FROM table WHERE field1 = :f1 AND field2 = :f2");
        // Values are bound to the placeholders at execute time.
        $st->execute(array(':f1'=>$var1, ':f2'=>$var2));

That does away with all the escaping routines.

To expand upon what diafol said, PDO also provides a layer of abstraction to the database so that you can change DBMSs in the future without having to rewrite all of your querying code.
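
The points raised in this thread (session_start(), bound parameters instead of string-built SQL, PDO's driver abstraction) put together as an added example; it is not code from any poster. The function names, the users table and the sample inputs are constructed, in-memory SQLite stands in for the MySQL server (assumes the pdo_sqlite extension), and it goes one step beyond the thread by storing a password hash instead of the plaintext password.

```php
<?php
// Added example: function names and sample data are constructed for illustration.
// In-memory SQLite stands in for the thread's MySQL server so the script runs offline.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    // Store a hash, not the plaintext password (goes beyond the thread's schema).
    $ins->execute([':u' => 'alice', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// The username is a bound parameter, so quotes in it stay data and never become SQL.
function find_user(PDO $db, string $user): ?array {
    $st = $db->prepare('SELECT username, password FROM users WHERE username = :u');
    $st->execute([':u' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function log_in(PDO $db, string $user, string $pass): bool {
    $row = find_user($db, $user);
    if ($row === null || !password_verify($pass, $row['password'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // needed on every page that touches $_SESSION
    }
    session_regenerate_id(true);      // fresh session ID once the user is authenticated
    $_SESSION['username'] = $row['username'];   // the password stays out of the session
    return true;
}

$db = make_db();
// Constructed inputs standing in for $_POST['username'] and $_POST['password'].
$attempts = [
    ['alice', 's3cret'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];
$report = '';
foreach ($attempts as [$user, $pass]) {
    $report .= sprintf("%-18s => %s\n", $user, log_in($db, $user, $pass) ? 'logged in' : 'rejected');
}
echo $report;   // printed last so session_start() runs before any output is sent
```

In a page like log_in.php, the success branch would then send header('Location: settings.php') followed by exit so nothing else runs after the redirect.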

Thanks guys for the help and suggestions. I will be looking into PDO.

Please, anyone help me. I want PHP code for a barcode reader now, I want the whole complete code....

@tesha29

Please start a new thread - do not hijack this solved thread.
Better still, search this site as I remember this coming up many times in the past.