Login Problem

pug

I did this all by hand from scratch. It seems to work fine. I even put a link to the login.php (the script that checks username and password) on the login.php page so I could test to make sure it was setting the session variable. Please tell me what I am doing wrong. When I click the login.php link it always says "session variable not set"

<?
	session_start();
	require_once("../includes/db_fns.php");
	db_connect();
?>
<HTML>
<HEAD>
<TITLE> Process Login </TITLE>
<link rel="stylesheet" href="../includes/stylesheet.css" type="text/css">
</HEAD>
<BODY bgcolor="#000000" text="#ffffff">
<?
	if(!isset($_SESSION['valid_user']))	
	{		
		$username = $_POST["username"];
		$password = $_POST["password"];

	if($username && $password)
	{
		$query = "SELECT * FROM users WHERE username = '$username' and password = password('$password')";
		$result = mysql_query($query);
		if(!$result)
			echo "Error running query";
		$num_rows = mysql_num_rows($result);
		if($num_rows > 0)
		{
			$_SESSION['valid_user'] = $username;
			echo "Logged in as: <i><b>";
			echo $_SESSION['valid_user'];
			echo "</b></i>";								
			echo "<br><a href='login.php'>login</a>";
		}
		else 
			echo "not found";
	}
	else
		echo "session variable not set";
}
else	
{
	echo "you are already logged in";
}
?>
</BODY>
</HTML>

notionlogic

I could be wrong on this point (in which case please correct me) but I'm not sure that setting a $_SESSION variable is actually the same as "registering" the variable...

Then again I've getting very confused with the more recent changes to this sort of thing.
😕

Weedpacket

Certainly the manual advises against mixing the two (and states explicitly that prior to 4.3 mixing them won't work); certainly I see no justification for the practice. That and the fact that session_register() won't work on any site with register_globals turned off makes me very wary about using it at all.

pug

Yea register globals are off on my server

Any clues what is wrong with the code?

Weedpacket

if(!isset($_SESSION['valid_user']))
{	$username = $_POST["username"];
	$password = $_POST["password"];

if($username && $password)
{	$query = "SELECT * FROM users WHERE username = '$username' and password = password('$password')";
	$result = mysql_query($query);
	if(!$result)
		echo "Error running query";
	$num_rows = mysql_num_rows($result);
	if($num_rows > 0)
	{	$_SESSION['valid_user'] = $username;
		echo "Logged in as: <i><b>";
		echo $_SESSION['valid_user'];
		echo "</b></i>";
		echo "<br><a href='login.php'>login</a>";
	}
	else
		echo "not found";
}
else
	echo "session variable not set";
}
else
{
	echo "you are already logged in";
}

(<<<NOTE
if there was an error running the query, it will still continue on and try to use the $result.

if(!$result)
{	echo "Error running query";
	$num_rows = 0;
}
else
	$num_rows = mysql_num_rows($result);

NOTE;
)

"session variable not set"
Cutting out all the code that doesn't get run when that message comes up, and making empty() checks explicit:

if(!isset($_SESSION['valid_user']))
{	$username = $_POST["username"];
	$password = $_POST["password"];
	if(!empty($username) && !empty($password))
	{
	}
	else
		echo "session variable not set";
}

Swapping the if statement about to get rid of the no-op branch, and temporarily dealiasing the $_POST[] variables:

if(!isset($_SESSION['valid_user']))
	if(!(!empty($_POST["username"]) && !empty($_POST["password"])))
		echo "session variable not set";

Combining the if statements and doing a spot of boolean algebra to tidy up:

if(!isset($_SESSION['valid_user']) && (empty($_POST["username"]) || empty($_POST["password"])))
	echo "session variable not set";

And there are the conditions required for the error message that comes up to come up. In la lengua inglesa, it reads:

The session variable must not be set AND one or both of the post variables must be empty.

Which sounds like the situation in which you want the message to appear.

We've narrowed the problem down. The fault is in one of those three variables. My money is on the session variable, but shall we be ceratin?

var_dump($_SESSION['valid_user'], $_POST['username'], $_POST['password']);
if(!isset($_SESSION['valid_user']))
...

Weedpacket

Let's go with the guess that $_SESSION['valid_user'] is empty.
Where should it be getting set? Let's focus on that bit of the code:

if(!isset($_SESSION['valid_user']))
{	$username = $_POST["username"];
	$password = $_POST["password"];
	if(!empty($username) && !empty($password))
	{	$result = mysql_query("SELECT * FROM users WHERE username = '$username' and password = password('$password')");
		if(!$result)
		{	echo "Error running query";
			$num_rows = 0;
		}
		else
			$num_rows = mysql_num_rows($result);
		if($num_rows > 0)
		{	$_SESSION['valid_user'] = $username;
		}
	}
}

$_SESSION['valid_user'] must not be set (fine; that's what we're assuming)
$username and $password must both be nonempty
$num_rows must be greater than 0
=> Therefore, $result must have contained more than 0 rows.
=> Therefore "SELECT * FROM users WHERE username = '$username' and password = password('$password')" must have returned records.

So if the session variable is failing to be set either:
1: $SESSION['valid_user'] is set (bogus: we're assuming it's not)
2: $POST['username'] or $_POST['password'] are empty
3: The query isn't returning results.

Checking (1) and (2) is the same as before.

Checking (3):
Try giving $username and $password various values (known good, known bad), send the queries to the database by hand, and examine the results.
Use "SELECT COUNT(*) FROM users...." instead. This guarantees (unless the database chokes) that a row is returned, with one field, which contains the number of rows. This is also much more efficient than sending an entire recordset to PHP just to see if there are records to send. Use it like:

$result = mysql_query("SELECT COUNT(*) FROM users WHERE username = '$username' and password = password('$password')");
if(!$result)
{	echo "Error running query";
	$num_rows = 0;
}
else
{	$num_rows = mysql_fetch_row($result);
	$num_rows = $num_rows[0];
if($num_rows > 0)
{	$_SESSION['valid_user'] = $username;
}

pug

I put

	var_dump($_SESSION['valid_user'], $_POST['username'], $_POST['password']);

That at the top of my orignal code to see if the session variable is even being set after I log in and it isn't. This is what I got

NULL string(4) "test" string(7) "test123"