web intersect forum new_topic.php $session issue! PLZ HELP
  1. #1 Member (Join Date: Jul 2013, Posts: 63)

    I am working on the "new_topic.php" part of web intersect forum. However, it is not showing that I am logged in (which I am!). What am I doing wrong?

    Here is new_topic.php so far
    PHP Code:
    <?php
    session_start();
    include_once "../connect_to_mysql.php"; // Connect to the database
    // Check to see if the user is logged in with session variables
    if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") {
        echo "Please log in... (give them links or send them to msgToUser.php with this message)";
        exit();
    } else {
        // Assume they are a member because they have a password session variable set
        // Check the database to be sure that their ID, password, and email session variables all match in the database
        $u_id = mysql_real_escape_string($_SESSION['id']);
        $u_name = mysql_real_escape_string($_SESSION['username']);
        $u_email = mysql_real_escape_string($_SESSION['useremail']);
        $u_pass = mysql_real_escape_string($_SESSION['userpass']);
        $sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'");
        $numRows = mysql_num_rows($sql);
        if ($numRows < 1) {
            echo "ERROR: You do not exist in the system.";
            exit();
        }
    }
    Here is login.php
    PHP Code:
    <?php
    include_once("php_includes/check_login_status.php");
    if($user_ok == true){
        header("location: user.php?u=".$_SESSION["username"]);
        exit();
    }
    ?><?php
    if(isset($_POST["e"])){
        include_once("db_conx.php");
        $e = mysqli_real_escape_string($db_conx, $_POST['e']);
        $p = md5($_POST['p']);
        $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
        if($e == "" || $p == ""){
            echo "login_failed";
            exit();
        } else {
            $sql = "SELECT id, username, password FROM users WHERE email='$e' AND activated='1' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            $row = mysqli_fetch_row($query);
            $db_id = $row[0];
            $db_username = $row[1];
            $db_pass_str = $row[2];
            if($p != $db_pass_str){
                echo "login_failed";
                exit();
            } else {
                $_SESSION['userid'] = $db_id;
                $_SESSION['username'] = $db_username;
                $_SESSION['password'] = $db_pass_str;
                // Create session var for their email
                $useremail = $row["email"];
                $_SESSION['useremail'] = $useremail;
                // Create session var for their password
                $userpass = $row["password"];
                $_SESSION['userpass'] = $userpass;
                setcookie("id", $db_id, strtotime('+30 days'), "/", "", "", TRUE);
                setcookie("user", $db_username, strtotime('+30 days'), "/", "", "", TRUE);
                setcookie("pass", $db_pass_str, strtotime('+30 days'), "/", "", "", TRUE);
                $sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
                $query = mysqli_query($db_conx, $sql);
                echo $db_username;
                exit();
            }
        }
        exit();
    }
    ?>
    Last edited by jfleck25; 02-07-2017 at 08:13 PM.

  2. #2 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    I don't see a session_start() in the login.php file.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  3. #3 Member (Join Date: Jul 2013, Posts: 63)
    Yes, because I php_include it into my index.php, where the session start is.

  4. #4 Senior Member (Join Date: Apr 2016, Posts: 127)
    Do you have php's error_reporting set to E_ALL and display_errors set to ON (preferably in the php.ini on your development system), so that php will help you by reporting and displaying all the errors it detects? You will save a ton of time.

    Next, this code is all over the place, using both mysql_ and mysqli_ statements, two different database tables, cryptic single-character variable names, all kinds of extra variables and unused variables/cookies, an error message that doesn't match what the logic is doing, and several more...

    Starting with your login code, get the code to do the following basic tasks, and verify that the code works, before adding any other features to the code -

    1) Start the session.

    2) If the current visitor is already logged in, prevent the processing of the login form data. You would also not display the login form if the visitor is already logged in.

    3) Detect that a form was submitted before referencing the form data.

    4) Validate the submitted data before using it and output descriptive validation error messages when you re-display the form. Your current code is validating the hash of the password, which will never be an empty string, so someone could have submitted an empty password and your code won't tell them and it will use the hash of an empty string to try and log the user in.

    5) If there are no validation errors, use the submitted email to query for the user's row in the database table.

    6) Detect that the user was found in the table/that there was a row to fetch, before using the data from the sql query. Your code isn't even doing this now, just comparing the passwords.

    7) Use php's password_hash() and password_verify() functions for your password hashing, rather than the md5() hash.

    8) If the password verifies, store the user id in a session variable to identify who the logged in user is. You would use this session variable to determine if the current user is logged in and to query for any user data when needed. All the other values you are storing in session variables and cookies are either not needed, are not secure, and are just cluttering up the code. KISS (Keep It Simple.)

    Note: you should use prepared queries to supply data values to the sql query statement. This will actually simplify the code (there's no need to have escape_string() function calls everywhere) and it makes the code more secure (if the character encoding that php is using for the escape_string() function calls is not the same as your database table's character encoding, sql injection is possible, while if you use true prepared queries, sql injection is not possible.) The php PDO extension is more straightforward and more consistent to use than the mysqli extension, especially when using prepared queries. If you can, you should switch to the PDO extension.

    Edit: you should also have error handling for all database statements. The easiest way of doing this, without adding logic at each statement, is to use exceptions and let php catch the exception and use the php error_reporting/display_errors/log_errors settings to control what happens with the actual error information.
    Last edited by pbismad; 02-08-2017 at 12:28 AM.
    Programming should not be a painful activity. If you are experiencing pain while programming, you are probably doing something wrong.
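A login handler written to the eight steps above, added here as an example (it is not the thread's code and not an edit of the poster's login.php). It assumes a users table with id, email, password and activated columns, a password column holding password_hash() output, and placeholder database credentials.

```php
<?php
// Added example, not code from the thread: a login handler that follows the steps
// above, using PDO prepared statements and password_verify(). Assumed: a `users`
// table with id, email, password (a password_hash() value) and activated columns;
// DSN and credentials are placeholders.
session_start();                                               // 1) start the session

if (isset($_SESSION['userid'])) {                              // 2) already logged in
    header('Location: /user.php');
    exit();
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {                   // 3) a form was submitted
    $email = trim($_POST['e'] ?? '');                          // 4) validate the raw input,
    $pass  = $_POST['p'] ?? '';                                //    not a hash of it
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }
    if ($pass === '') {
        $errors[] = 'A password is required.';
    }

    if (!$errors) {
        $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);    // DB errors become exceptions
        // 5) look the user up by email; the value is bound, never interpolated into SQL
        $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = ? AND activated = 1 LIMIT 1');
        $stmt->execute([$email]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);

        // 6) make sure a row was found, then 7) verify against the stored hash; one
        // generic message for both cases so a missing account is not revealed
        if ($user === false || !password_verify($pass, $user['password'])) {
            $errors[] = 'Login failed.';
        } else {
            session_regenerate_id(true);                       // fresh id on privilege change
            $_SESSION['userid'] = (int) $user['id'];           // 8) store only the user id
            session_write_close();                             // write the session before redirecting
            header('Location: /user.php');
            exit();
        }
    }
}
// Re-display the form with any validation errors (form markup omitted).
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

With ERRMODE_EXCEPTION set, a failed query throws instead of silently returning false, which is the error handling the edit at the end of the post describes.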

  5. #5 Member (Join Date: Jul 2013, Posts: 63)
    I appreciate your feedback, this all seems so over my head... I'm not sure what to do. I do have the login.php script hidden when the user is logged in. It redirects to their profile.

  6. #6 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    Quote Originally Posted by jfleck25 View Post
    I appreciate your feedback, this all seems so over my head... I'm not sure what to do. I do have the login.php script hidden when the user is logged in. It redirects to their profile.
    Not sure if this could be the issue, but I have found in the past that if you do a header() redirect, you may need to ensure that session data is stored first:
    PHP Code:
    session_write_close();
    header('Location: /whatever/you/want.php'); 
    As far as error reporting, just add this to the top of each script for now:
    PHP Code:
    <?php
    ini_set('display_errors', true); // set to false in production
    error_reporting(E_ALL);

  7. #7 Member (Join Date: Jul 2013, Posts: 63)
    THANK YOU!!!! HUGE HELP
    Quote Originally Posted by NogDog View Post (post #6 quoted in full)

  8. #8 Member (Join Date: Jul 2013, Posts: 63)
    What does the error reporting do? Where would it post any issues?

  9. #9 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    Quote Originally Posted by jfleck25 View Post
    What does the error reporting do? Where would it post any issues?
    It would cause any warnings/errors to be output to the browser (instead of to a log file) via the ini_set() command, and the error_reporting() function is saying to pretty much show every sort of warning. You normally don't want the display_errors turned on in production, since you don't want to spew out application/DB details to the world if something fails.

  10. #10 Member (Join Date: Jul 2013, Posts: 63)
    Thanks. So I added it to the top of login, and once I try to log in, all it throws at me in regards to the error reporting is this: "Forbidden

    You don't have permission to access /user.php on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

    PHP Code:
    <?php
    ini_set('display_errors', true); // set to false in production
    error_reporting(E_ALL);
    include_once("php_includes/check_login_status.php");
    if($user_ok == true){
        header("location: user.php?u=".$_SESSION["username"]);
        exit();
    }
    ?>

  11. #11 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    Hmm...I'd try using a full URI, not a relative one. Also, probably doesn't matter, but technically I believe "Location" should be capitalized. Therefore...
    PHP Code:
    if($user_ok == true) {
        session_write_close(); // make sure the session data is saved before redirecting
        header("Location: http://yoursite.com/user.php?u=".urlencode($_SESSION["username"]));
        exit();
    }

    Naturally, adjust the domain/path to the correct one, and use https instead of http if applicable.

  12. #12 Member (Join Date: Jul 2013, Posts: 63)
    Okay cool, thanks, I replaced the code. I still want to get this form working. When I log in and try to post a thread to the forum, it's coming back as "ERROR: You do not exist in the system."

  13. #13 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    You probably need to hash the password. Exactly how will depend on how it was hashed when inserted into the DB. ("I'm not hashing passwords," is not an acceptable answer. )

    Code:
     <?php
    session_start();
    include_once "../connect_to_mysql.php"; // Connect to the database
    // Check to see if the user is logged in with session variables
    if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") {
        echo "Please log in... (give them links or send them to msgToUser.php with this message)";
        exit();
    } else {
        // Assume they are a member because they have a password session variable set
        // Check the database to be sure that their ID, password, and email session variables all match in the database
        $u_id = mysql_real_escape_string($_SESSION['id']);
        $u_name = mysql_real_escape_string($_SESSION['username']);
        $u_email = mysql_real_escape_string($_SESSION['useremail']);
        $u_pass = mysql_real_escape_string($_SESSION['userpass']);
        $sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'");
        $numRows = mysql_num_rows($sql);
        if ($numRows < 1) {
            echo "ERROR: You do not exist in the system.";
            exit();
        }
    }
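The new_topic.php check rewritten along the lines of step 8 in post #4, added here as an example rather than NogDog's or the poster's code: it keys on $_SESSION['userid'] (the login.php in the first post sets 'userid' while the check reads 'id') and looks the account up by id with a prepared statement, so no password hash has to be compared or re-hashed at all. It assumes an include ../db_pdo.php that defines a PDO connection $pdo, and a users table with id, username and activated columns.

```php
<?php
// Added example, not code from the thread: the membership check for new_topic.php
// keyed on the one value the login stored, $_SESSION['userid']. Assumed: ../db_pdo.php
// defines $pdo (PDO with ERRMODE_EXCEPTION) and `users` has id, username, activated.
session_start();
require_once '../db_pdo.php';

function current_user(PDO $pdo): ?array
{
    // Not logged in: either login never ran, or the session was lost (for example
    // because the redirect happened before the session data was written).
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    // Look the account up by id only; a deleted or deactivated account yields no
    // row, so a stale session cannot post. The id is bound, not interpolated.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ? AND activated = 1');
    $stmt->execute([(int) $_SESSION['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$user = current_user($pdo);
if ($user === null) {
    // Drop the stale session so the next request starts clean, then send to login.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit();
}
// From here on $user['id'] and $user['username'] identify the poster.
echo 'Posting as ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```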

  14. #14 Member (Join Date: Jul 2013, Posts: 63)
    Haha, it is hashed. How do I find out how?

  15. #15 NogDog, High Energy Magic Dept. (Join Date: Aug 2006, Location: Ankh-Morpork, Posts: 14,879)
    Probably have to look for the code that creates (inserts) a new user (or changes the password on a user account edit?). A directory search on "hash" is likely a good start.