Sessions - God Please Help Me - PHPBuilder Forums

Sessions - God Please Help Me

binarylime

Scatter brained, but I'll try...

Okay, I'm new to PHP, but I'm getting better each day. I am having MULTIPLE problems writing a login script that validates a user against a MySQL database and THEN uses SESSIONS to keep the variables consistent across pages.

The main problem is this : after a user logs in, he IS validated and is brought to my first main page. All the variables seem to follow, but any link they follow will leave the page "variable-less" and it seems I am not passing session data properly.

STEP 1 : login.html
-- This html passess username and password to processlogin.php

<form method="post" action="processlogin.php">
Username : <input type="text" name="username" size=20>
Password : <input type="password" name="password" size="20">
<input type="submit" name="submit" value="Login">
</form>

STEP 2 : processlogin.php
-- this script checks mysql for a valid username/password entry and allows a user to login. The script then passes data to validate.php for login validation and THEN brings the user to the first page that they should see after they login.

<?php
$dbHost = "localhost";
$dbUser = "rootusername";
$dbPass = "rootpassword";
$dbDatabase = "rootdatabase";

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); 

mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); 

$result = mysql_query("select * from administrators where admin_username='$username' AND admin_password='$password'", $db); 

$row = mysql_fetch_row($result);

$admin_number = $row[0];
$admin_name = $row[1];
$admin_username = $row[2];
$admin_password = $row[3];
$admin_email = $row[4];
$admin_lastlogin = $row[5];

if($admin_username == $username) {
	if($admin_password == $password) {
		include("validate.php");
		include("admin.html");
	}
}

STEP 3 : validate.php
-- This script is meant to validate a session before any other HTML page should be displayed. I call this script from the beginning of each page within my site.

<?
session_start("$admin_username");
session_register("admin_number", "admin_name", "admin_username", "admin_password", "admin_email", "admin_lastlogin");
?>

STEP 4 : admin.html -- the first page the user should see now that they are validated.
-- After a user log's in, they are validated and sent to this page.

jnuneznyc

What version of PHP4 are you using?

brad_fears

You should not need to session_register your session variables any more than once in your validate.php script. Then, you should be able to call session_start() from the header of each script and that will provide access to each of the session variables that you need.

You might find some useful tidbits of code in this file, (which is part of an open source app):

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpcodecabinet/phpcc/user.php?rev=1.2&content-type=text/vnd.viewcvs-markup

The methods are slightly different, but the goal is the same.

--Brad Fears

binarylime

I am using PHP version 4.3.1. I have been sifting thru the php.ini and httpd.conf configs.... i have register_globals on, but it still appears between pages that things are getting lost.

I will try some of the tips that were mentioned in the two replies after my post - thanks for the tips.

binarylime

ANOTHER interesting thing is that right from the start, after someone posts their username and password, I CANNOT use $username = $_POST['username'].

It seems that when I try to use $_POST to assign information to a variable, they all end up blank.

When I use echo "Hi, I am $username.<br>"; I simply get :

Hi, I am

So, I've been under the assumption that PHP is just remembering my variables for me. Instead of using $_POST, I just assume and sure enough, it works.

brad_fears

Let's break things down a bit more to make troubleshooting a bit easier. Why don't you rename your "processlogin.php" to "processlogin.bak" and make a brand new processlogin.php temporarily for testing.

In your new processlogin.php, just include these lines:

<?php

$username = $POST['username'];
$password = $POST['password'];

echo "Username is: $username<br>";
echo "Password is: $password<br>";

Then login with your login.html file and check the output in the browser. If it doesn't assign the variables, then something must be misconfigured in your php.ini (although I'm not sure what would be...).

jllydgnt

First(this is on a side note), look into the mysql_fetch_object() function. It will allow you to reference your results by column name instead of using an index.

Example:
$row->column_name
instead of
$row[0]

Just easier to keep track of things esp. when you are returning many fields.

OK, your real problem. You say you call the following script on every page.

<?
session_start("$admin_username");
session_register("admin_number", "admin_name", "admin_username", "admin_password", "admin_email", "admin_lastlogin");
?>

First, session_start() does not take any arguments. It just creates an new session or resumes a current one. In other words, it allows you to use session variables on that page.

Second, when you call the session_register() function, you are setting session variables. If you call session_register every page, those variables are being reset every page and unless every page has each variable present("admin_number", "admin_name", etc) you are essentially setting those variables equal to nothing.

Here is something else to think about. You might have register_globals disabled. If you are running php 4.2 or later, this is the default. Check out your php.ini file or use the phpinfo() function to verify this. If that is the case, you should change your script not your php configuration. It will make your app more portable and more secure. You cannot use session_register() to register session variables when register_globals is off.

I recommend something similiar to this to set and check session variables for authentication purposes.

if you use the beatass mysql_fetch_row() function:
$_SESSION['admin_number'] = $row[0];
set the rest of your variables the same way

or if you use the badass mysql_fetch_object() function:
$_SESSION['admin_number'] = $row->admin_number;
set the rest of your variables the same way

Check to see if the user has been validated by putting this at the top of every script you want to check:
if(!isset($_SESSION['admin_number']))
{
redirect user to unauthorized page or just print message saying unauthorized access
exit;
}
else
{
show them the real page
}

If you have register globals turned on, you should consider turning it off.

Hope this helps.
Say what up to dre and big boy if you're near ATL.

jllydgnt

In response to brad_fears post

Check to make sure you form method is "POST"
<form method="POST" action="art_monk.php">

binarylime

I can't thank you all enough for the tips.

Yes, register_globals was off. I turned it on and I am now using session_register('variablename');

So, now, my admin page... which is the first page, shows my username and lastlogin variables a-okay.

The problem now, is that when I got to anyother link within my site, the session data does not appear to follow.

I've examined the session information file and all the data IS there.

The only way I know how to describe it is this : check out http://alpha.negia.net/~jkb/clientadmin

Login using username dummy and password dummy. You will see on the Admin page that your name and last time you logged in appears. If you follow the "Add Administrator" link, you will now notice that it NO LONGER remembers your last login or name.

In fact, the first part of the html document has PHP in it has test code that doesn't execute :

<?php
session_start();
echo "TEST TEST TEST DAMNIT!!! <br>";
?>

As I mentioned, I am using session_register and I have made sure that at the top of each page I have :

<?php
session_start();
// Some type of session check here
?>

In the link to the Add Administrator page, I made sure to use the href link to pass on the session info :

Argh. Close... getting real close. Thanks, everyone.

brad_fears

Originally posted by jllydgnt
In response to brad_fears post

Check to make sure you form method is "POST"
<form method="POST" action="art_monk.php">

The actual form was already in the very first post, and the form method was set to "post"...

brad_fears

In fact, the first part of the html document has PHP in it has test code that doesn't execute :

<?php
session_start();
echo "TEST TEST TEST DAMNIT!!! <br>";
?>

As I mentioned, I am using session_register and I have made sure that at the top of each page I have :

<?php
session_start();
// Some type of session check here
?>

In the link to the Add Administrator page, I made sure to use the href link to pass on the session info :

<a href = "addadministrator.html?<? echo $PHPSESSID ?>"> Blah Blah Blah </a href>

Argh. Close... getting real close. Thanks, everyone.

Your echo isn't working because you're trying to 'echo' php from an html document. 🙂 It has to be a php file type.

brad_fears

A few more things:

1) You need to fix this line in your 'addadministrator' script:
<input type="text" nameadd_realname size=25>

2) You should really consider using the md5() function on your passwords, rather than storing them in plain text. You can just md5() the form input password with whatever is in the database for authentication. Plain text is just a bad idea.

3) Consider turning off register_globals because it's very easy to fake variables via GET in the url. One example is the fact that I could add variables to a url and send them to one of your scripts for processing without even filling out the form. If register_globals is Off, you have to check to see if those variables have come from a form POST rather than a url GET, which offers a little more protection... Anyway, that's just one reason, there are many, many more, which is why the PHP people now turn register_globals off by default.

jllydgnt

Big ups to brad_fears, I overlooked the form in the first post.

I would recommend turning off register_globals and not using the session_register function(once again, for security and portability reasons).

Work with you session variables like this.

To set a session variable if they have an account:
$_SESSION['valid_user'] = $your_value;

To use it for authentication:
if(!isset($_SESSION['valid_user']))
{
echo('Beat it, geek.');
}
else
{
//show the page
}

Logout the user:
unset($_SESSION['session_variable_name']);

read up on register_globals and why they switched the default to off in php 4.2

binarylime

Brad & All --

Thanks for the tips -- my site is now working. I did leave register_globals on for the simple fact that I was still having issues getting data from a form and placing into a variable using $blahvariable = $_POST['variablename'].

I do have PHP setup on my server to hide URL's -- and on top of that, I have been EXCESSIVLEY using "POST" in all my form actions - not GET.

About the md5() function -- can you show me an example of how one might use this in a form scenario? Can I apply the md5() function to my HTML form first and then use it OR do I simply do the following :

... some code ...
$password = md5($_POST['password');

... some more code...
$result = mysql_query("-- some sql query to geta password from the database -- ");
$row = mysql_fetch_array($result):
$mysql_password = $row['2']; // pretend the password is in row 2 of the array

... some more code ...
if(md5($mysql_password) == $password){
echo "Success, my brutha!";
}
else
echo "You failed like a pre-schooler?";
}

I guess what I am asking is can I just use the md5() function on pre-existing mysql passwords and compare them to variables encased within the md5() function?

Thanks.

brad_fears

You really only need to worry about using md5() on the password after you have received it from the form. I would just convert the passwords to md5 before storing them in the database. That way, you can just md5($incoming_password_from_form), and compare it to your password field from the database.

And remember that md5 is "one way". You cannot decrypt a password once it has been encrypted with md5, but you can compare it to the value of another md5 value.

BuzzLY

Originally posted by binarylime
Thanks for the tips -- my site is now working. I did leave register_globals on for the simple fact that I was still having issues getting data from a form and placing into a variable using $blahvariable = $_POST['variablename'].

I do have PHP setup on my server to hide URL's -- and on top of that, I have been EXCESSIVLEY using "POST" in all my form actions - not GET.

I completely understand your frustration with trying to get your code to work with register_globals = OFF. However, you need to be aware of something: "Excessively using POST" in all of your form actions is not going to protect you from a hacker.

While YOU are using POST, a hacker could use GET to pass variables to your form. Let's say your form uses the variable $valid_user once you have authenticated a user. A hacker could simply add "?valid_user=1" to the URL, and he has just hacked into a secure page, because register_globals is ON. THAT is how he uses GET to bypass your authentication.

This is just one example, and fairly simple. register_globals is not the only way to make your pages secure, of course, but it is an important step. Please do not overlook the importance of setting register_globals = OFF. You will see this recommendation from veteran PHP programmers everywhere on this board, and for good reason. It's just good programming practice.

keith73

another suggestion.

you're using mysql_fetch_array, but then using the index #. why not just use the field name, then if you change your database tables at all, it won't matter in what order the fields are in.

... some more code...
$result = mysql_query("-- some sql query to geta password from the database -- ");
$row = mysql_fetch_array($result):
$mysql_password = $row['password']; // pretend the password is any place in the array.

I concur with Buzzly and the majority. Turn reg_globals OFF. it is very bad.

keith