sessions and mysql

jimothy

Hi there, I've run into a problem with sessions and mysql that I'm trying to use to authenticate users. I'm running XP with PHP 4.2.3, MySQL 3.23, and Apache 2.0.36. PHP code seems to run fine on my server, and I can store some cookies and sessions - but they don't always seem to work. My site authenticates a user by looking up the username and password in the database, and then sending them to their respective folders (like admin\member folders). That part works. With the incorrect login it gives the user failure.php, and with the correct one it sends the user to the correct folder. The problem is that all of the files in the admin folder have code to see if the person is authenticated. So after I successfully login, it sends me to the Admin folder, but then it rejects me and says I don't have authorization.

I've tried just making a simple .php file that is the re-direct after a correct username\password is entered, like this:

print "Your username is: ".$_SESSION["USERNAME"];

and it prints it out correctly, so that tells me that the session is being stored. Here is the code that is at the top of my files to see if the user is authorized:

<?php

// DB SETTINGS
$dbhost = "localhost";	// DB Host name
$dbusername = "root"; 	// DB User
$dbpass = "****";	// DB User password
$dbname = "test-auth"; 	// DB Name


	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

	$SelectedDB = mysql_select_db($this->DBNAME);
	$result = mysql_query($query); 

	$numrows = mysql_num_rows($result);
	$row = mysql_fetch_array($result);

	// CHECK IF THERE ARE RESULTS
	// Logic: If the number of rows of the resulting recordset is 0, that means that no
	// match was found. Meaning, wrong username-password combination.
	if ($numrows == 0) {
		print "NO";
	}
	elseif ($row["level"]==1) {  // ADMIN LOGIN
		print "WINNAR";
	}
	else {
		print "ORDINARY MEMBER";
	}
?>

I've simplified this a bit to see where the problem is, but it consistently returns "NO" when I login. Is that because it can't find it in the database, or is that because it doesn't like the username\password combination?

The session code to the initial login.php file is as follows:

<?php 
     session_start();
     $_SESSION["USERNAME"] = $username;
     $_SESSION["PASSWORD"] = $password;

I cannot tell where the problem is, but I would appreciate any help that could be offered. I've tried cookies vs. sessions, and different ways of connecting through mysql - but still nothing works. Thanks.

Jim

philhale

Right off I can't see a problem, although you might insert a couple of snooper commands to see the state of your session.

For example, try this:

Replace:

if ($numrows == 0) {
print "NO";
}

With:

if ($numrows == 0) {
phpinfo();
exit();
};

This routine is used just for debugging purposes. When the failed user login occurs, the program will dump the status of the session variables, etc. This might shed some light to what is going on.

Cheers.

jimothy

I tried inserting your code, and it immediately came up with phpinfo() - and under PHP Variables it had:

_COOKIE["PHPSESSID"] f60e0c8e43cb88aa5ec27febfbeaff77

and

_SERVER["HTTP_COOKIE"] PHPSESSID=f60e0c8e43cb88aa5ec27febfbeaff77

so does that mean that my sessions are fine? and if so, do you have any idea what I should look into next?

thx again 🙂

jimothy

I just tried making another modification. I think this should print the username and password in the session if the mysql query returns false.

if ($numrows == 0) {
			print "Your username is: ".$_SESSION["USERNAME"];?><BR><?
			print "Your password is: ".$_SESSION["PASSWORD"];
		}

	elseif ($row["level"]==1) {  // ADMIN LOGIN
		print "winnar";
	}
	else {
		print "just ordinary";
	}

and, when I try to log in, I get:

Your username is:
Your password is:

so did it lose the information contained in the session somewhere??

Because now the proccess goes: login.php -> authenticate.php -> admin/index.php

if I make admin/index.php purely

<?php 
print "Your username is: ".$_SESSION["USERNAME"]; 
print "Your password is: ".$_SESSION["PASSWORD"];
?>

they both come up blank. But if i make authenticate.php (the 2nd step) as follows:

<?php

session_start();
  $_SESSION["USERNAME"] = $username;
$_SESSION["PASSWORD"] = $password;

print "Your username is: ".$_SESSION["USERNAME"];

print "Your password is: ".$_SESSION["PASSWORD"];
?>

then it displays the information entered (login\pass) correctly - so somehow it loses that information between the 2nd and 3rd steps.

philhale

Do you use a similar method of declaring your session variables? Remember, session variables work when cookies are disabled by the browser.

session_start();
session_register("userofname");
$userofname = "phil";

The phpinfo() didn't give me the results I was looking for. Sorry to lead you astray.

Phil.

philhale

Incidently, the phpinfo() routine IS helpful when evaluating variables being passed into another .PHP file. Similarly, this is also good for evaluating values being passed using a Form Submit.

Phil.

jimothy

no dice 🙁

philhale

How about trying this:

In login.php:

<?PHP
session_start();
session_register('username');
session_register('password');

...
?>

In all later .php files, use the following:

<?PHP
session_start();

$usr = $username;
$psd = $password;

/ or /

$usr = $HTTP_SESSION_VARS['username'];
$psd = $HTTP_SESSION_VARS['password'];

print ("username = $usr");
print ("password = $psd");

If the user logs out, do this:

<?PHP
session_destroy();
?>

Best of luck!

Phil.

Weedpacket

There's no point resorting to $HTTP_SESSION_VARS on PHP4.2.3; and even less point in session_register()ing variables - they all refer back to $_SESSION[] anyway.

I notce in

SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'

you're using $username and $password. If those are supposed to be the sessioned values, oughtn't the query be

SELECT * FROM authuser WHERE uname='$SESSION[username]' AND passwd='$SESSION[password]' AND status <> 'inactive'