
Hello,

I have a question in my mind: whenever we create a login page, why do we store the variables in $_SESSION? Why is this done so? My senior developer told me, when recently I was creating a CMS in which I created 1 admin and 1 user page, he sent me a script to place. I added the script but didn't understand the concept of what he actually did, and why he placed the ulogin and user type in a session variable. Well, can it not be done without setting them up in a superglobal variable??

Here is the script

<?php
session_start();
include_once("include/config.php");
$login = $_POST["textfield1"];
$pwd   = $_POST["textfield2"];

$recordset = mysql_query("select * from users");

while($record = mysql_fetch_array($recordset)){

    if($login == $record["ulogin"] && $pwd == $record["upassword"]) {

        $_SESSION["ulogin"] = $record["ulogin"];
        $_SESSION["uid"]    = $record["uid"];

        if($record["utype"] == 1){
            $_SESSION["utype"] = $record["utype"];
            header("Location:admin.php?uid=".$record["uid"]);
            exit;
        } else {
            header("Location:home.php");
            exit;
        }
    }
}

header("Location:login.php?invalid=1");
?>

Please let me know if anyone would be able to help me out or make me understand this concept; it would be really appreciated.

Thank You

Last Post by UK-1991

I sincerely hope the code above is not from a SENIOR developer. It has more holes than Swiss cheese.

Issues

1) Using deprecated code - mysql_* functions have been deprecated for a looong time now - use PDO or mysqli.
2) You are using raw input in your SQL - you are wide open to SQL injection - you MUST clean the input by using prepared statements - or if you insist on using deprecated code, and I really hope you don't - use mysql_real_escape_string()
3) You are retrieving every record in the table. Mad. You are looking for a particular one that you know the username for. So use a WHERE clause and LIMIT the returned dataset to ONE record. This means that you search for a specific username and when it's found, the search stops - saving valuable time.
4) Do not use * as a column list - you are not interested in every data item - only the password, uid and utype - again this will save you valuable time. There is no need to return the username - as you already have that in a variable.
5) Your password field appears to be plaintext - that is, unhashed - this is very, very bad. Anybody who breaks into your system - which is highly likely, through your vulnerability to SQL injection - can now read everybody's passwords. You have now ruined the online lives of all your users as they will have probably used their "usual" passwords - doubly bad if an email is stored with them.

A prepared statement may look like this:

SELECT uid,upassword,utype FROM users WHERE ulogin = ? LIMIT 1

If using PDO, you can bind and execute like this:

$stmt->execute(array($login));

If you get a result, test for the password. So code snippet:

$stmt = $db->prepare("SELECT uid,upassword,utype FROM users WHERE ulogin = ? LIMIT 1");
$stmt->execute(array($login));

if($result = $stmt->fetch(PDO::FETCH_ASSOC))
{
    //test for password
}

I will not write the password test as you need to decide on a hashing method. This may depend on which version of PHP you're running. Whatever you do, do not use md5.

OK, that's out of the way. The whole point of the session variables is to ensure that the important data, e.g. uid and utype, are passed between 'pages'. For this, you need to place session_start() at the beginning of each page - it's much safer to place it as the first thing after the opening php tag.

So armed with this info, you can ensure that each section of a page or even each whole page will only be viewable by those users with a certain utype.

If sections are public, then fine, display them, but if they're only for admins, then use a conditional statement, such as...

if($_SESSION['utype'] == 1)
{
    require 'content/admin/somesection.php';
}else{
    require 'content/user/someothersection.php';
}

Alternatively for a whole admin page (url):

if(!isset($_SESSION['utype']) || $_SESSION['utype'] != 1)
{
    header('Location: index.php'); //redirect if not admin (or not logged in at all)
    exit; //stop here, otherwise the rest of the admin page is still sent to the browser
}

I hope that answers some issues you may have. If not, come back.

Edited by diafol
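To tie the points above together, here is an added example (not diafol's code or the original script) of a login handler and an access gate written the way the reply recommends. It assumes $db is a PDO connection created in include/config.php, that the users table has the columns uid, ulogin, upassword and utype, and that upassword holds a hash made with password_hash() (PHP 5.5 and later) rather than plaintext.

```php
<?php
// Added example: login handler following the advice in the reply above.
// Assumptions: $db is a PDO object from include/config.php; upassword was
// stored with password_hash($plain, PASSWORD_DEFAULT) when the user was created.
session_start();
include_once("include/config.php");

$login = isset($_POST["textfield1"]) ? $_POST["textfield1"] : '';
$pwd   = isset($_POST["textfield2"]) ? $_POST["textfield2"] : '';

// Prepared statement: the username is bound as a parameter, never pasted into
// the SQL string, and only the one row / three columns we need are fetched.
$stmt = $db->prepare("SELECT uid, upassword, utype FROM users WHERE ulogin = ? LIMIT 1");
$stmt->execute(array($login));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() checks the submitted password against the stored hash;
// the plaintext password is never stored and never compared with ==.
if ($row && password_verify($pwd, $row["upassword"])) {
    // Fresh session id once the user is authenticated, so a session id that
    // was handed out before login cannot be reused to inherit the login.
    session_regenerate_id(true);
    $_SESSION["uid"]    = (int) $row["uid"];
    $_SESSION["utype"]  = (int) $row["utype"];
    $_SESSION["ulogin"] = $login;

    // The session carries uid, so it does not need to go into the URL.
    header("Location: " . ($_SESSION["utype"] === 1 ? "admin.php" : "home.php"));
    exit;
}

// Same response for "no such user" and "wrong password", so the login form
// does not reveal which usernames exist.
header("Location: login.php?invalid=1");
exit;

// Gate for protected pages: call require_utype(1) right after session_start()
// at the top of admin.php. The exit is what actually stops the page; a
// header() redirect on its own still sends the rest of the page to the browser.
function require_utype($utype) {
    if (!isset($_SESSION["utype"]) || $_SESSION["utype"] !== $utype) {
        header("Location: index.php");
        exit;
    }
}
```

The utype comparison uses === on the integer stored at login, so a missing or string-valued session entry never passes the admin check by accident.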


Hello,

Okay, I understood why the uid, login etc. are stored in the session, because we want to ensure that users are logged in and their values are stored, like if anyone opens the page directly it redirects to an invalid page or login page. Understood about that, but yes, there are 2 user types. Let's suppose user type 1 is for admin and user type 0 is for user pages; will this do the same thing? Is this query okay??

if($login == $record["ulogin"] && $pwd == $record["upassword"]) {

    $_SESSION["ulogin"] = $record["ulogin"];
    $_SESSION["uid"]    = $record["uid"];

    if($record["utype"] == 1){
        $_SESSION["utype"] = $record["utype"];
        header("Location:admin.php?uid=".$record["uid"]);
        exit;
    } else {
        header("Location:home.php");
        exit;
    }
}

Well, about the query I showed, yes this is an old query and I don't know why he every time copies and pastes these codes. Anyway, the information you told me is very helpful and understandable for me. Well, about the PDO you told me, I am totally not familiar with that; my hands are not completely configured on PHP, I am at the learning stage, but please advise me how I can become a good developer and can learn new logic or gain complete hands-on PHP.

Regarding the points you informed me about, I am completely satisfied. I will create this by myself according to what you guided me; well, if I face any problem I will ask you again on the same thread.

Thank You


Ok. Read the documentation in the php manual - that's how you know how to use functions. Research, research, test, fail, retest, fail again, retest, succeed!


Thank You for your guideline and making me understand it. I really appreciate your help.
