Sessions help please?

mak-uk

Hi all,

I tried some sessions tutorial and had a play around with my own file, thus:

<?php // index.php 
session_start();
include_once './inc/db.inc';

$uid = isset($_POST['EMail']) ? $_POST['EMail'] : $_SESSION['EMail']; 
$pwd = isset($_POST['Password']) ? $_POST['Password'] : $_SESSION['Password'];

if(!isset($_SESSION['Email'])) { 
$_SESSION['Email'] = ''; 
} 

if(!isset($_POST['SUBMITFORM'])) { 
?> 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>...

</html>
<?php
}
else { 
$_SESSION['Email'] = (string) $_POST['Email']; 
$_SESSION['Password'] = (string) $_POST['Password']; 
} 

dbConnect("pa"); 
$sql = "SELECT * FROM members WHERE 
       mEmail = '$EMail' AND mPassword = PASSWORD('$Password')"; 
$result = mysql_query($sql); 
if (!$result) { 
 error('A database error occurred while checking your '. 
       'login details.\\nIfhis error persists, please '. 
       'contact [email]you@example.com[/email].'); 
}

if (mysql_num_rows($result) == 0) { 
 unset($_SESSION['EMail']); 
 ?> 
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml"> 
 <head> 
 <title> Access Denied </title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
 </head> 
 <body> 
 <h1> Access Denied </h1> 
 <p>Your user ID or password is incorrect, or you are not a 
    registered user on this site. To try logging in again, click 
    <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant 
    access, click <a href="join.php">here</a>.</p> 
 </body> 
 </html> 
 <?php 
 exit; 
}
?>

However, at the bottom of the page, it keeps printing the 'Access Denied' part.

Any ideas on what I am doing wrong?

Thanks.

Mak 🙂

doobster

It appears you have some typos in your code.

Sometimes you use $POST['EMail'] and other times you simply use $POST['Email'] make sure they are consistent throughout otherwise this will give you probs.

mak-uk

Thanks for pointing that silly mistake out.. have corrected that.

However, 'Access Denied' is still being displayed at the bottom. Am I missing a curly brace or something?

Thanks.

Mak 🙂

doobster

try reposting your fixed code so we can verify all variables have been fixed.

mak-uk

Here it is:

<?php // index.php 
session_start();
include_once './inc/db.inc';

$uid = isset($_POST['EMail']) ? $_POST['EMail'] : $_SESSION['EMail']; 
$pwd = isset($_POST['Password']) ? $_POST['Password'] : $_SESSION['Password'];

if(!isset($_SESSION['EMail'])) { 
$_SESSION['EMail'] = ''; 
} 

if(!isset($_POST['SUBMITFORM'])) { 
?> 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>...</title>
etc...
</html>
<?php
}
else { 
$_SESSION['EMail'] = (string) $_POST['EMail']; 
$_SESSION['Password'] = (string) $_POST['Password']; 
} 


dbConnect("pa"); 
$sql = "SELECT * FROM members WHERE 
       mEMail = '$EMail' AND mPassword = PASSWORD('$Password')"; 
$result = mysql_query($sql); 
if (!$result) { 
 error('A database error occurred while checking your '. 
       'login details.\\nIfhis error persists, please '. 
       'contact [email]you@example.com[/email].'); 
}

if (mysql_num_rows($result) == 0) { 
 unset($_SESSION['EMail']); 
 ?> 
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
 <html xmlns="http://www.w3.org/1999/xhtml"> 
 <head> 
 <title> Access Denied </title> 
 <meta http-equiv="Content-Type" 
   content="text/html; charset=iso-8859-1" /> 
 </head> 
 <body> 
 <h1> Access Denied </h1> 
 <p>Your user ID or password is incorrect, or you are not a 
    registered user on this site. To try logging in again, click 
    <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant 
    access, click <a href="join.php">here</a>.</p> 
 </body> 
 </html> 
 <?php 
 exit; 
}
?>

Look ok?

Thanks.

Mak 🙂

doobster

the only thing i can think of is that you do not have a form to allow the user to submit the login information.

based on your code it should be here:

if(!isset($_SESSION['EMail'])) {

?>
Login Name: <input type=text name=EMail>
Password: <input type=text name=Password>
<input type=submit value=Login>
<?
//........
}

RocketPack_net

Hmm..... there's a bit I don't like there (I'm extremely picky)-

Strongly recomend using all lowercase variable names (just makes like a LOT easier)
isset isn't the best function for your use - it doesn't validate NULL or EMPTY values, I'd suggest losing the isset() and leaving the !$_...[...]. More thorough.
Using variables inside quotes is kind of a no-no.
PASSWORD('$Password')"; looks like a really bad idea, something is telling me this is the problem. Single quotes are taken literally, I'm not sure how PHP is going to react to that one but I'd suggest that you print that query out (just add:
```
echo "\n<br>Query: " . $sql . "\n<br>";
```
after your query... see what MySQL is actually recieving. This is a VERY handy trick whenever you have SQL troubles, it lets you know what MySQL is seeing)
ADDITIONALLY, instead of if (!$result) just add.....
```
or die("A fatal MySQL error occured.<br />\nError: (" . mysql_errno() . ") " . mysql_error() . "<br />\nQuery: " . $query);
```

That way, instead of some stupid "bla" message you get something useful. Change $query to whatever variable you insert your query statement with. Very useful.

Once you've verified that your password is being verified properly and that your query is executing properly and all, let us know if it solves the issue!

mak-uk

doobster - I do have a FORM - it's in the the following part:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<html> 
<head> 
<title>...</title> 
etc... 
FORM
</html>

RocketPack.net - So what you're saying is that I should have:
```
if(!($_POST['SUBMITFORM'])) { 
?> 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>...</title>
etc... 
FORM
</html> 
```
2.1 In regards to the password part, I followed that bit directly from a tutorial somewhere. When I insert the statement you said to add in your previous post, I get:
```
Query: SELECT * FROM members WHERE mEMail = '' AND mPassword = PASSWORD('')
```
2.2 As for handling the SQL errors, I think I know what you are getting at, however, I am just not sure how to ammend my statements for it. Can you help me out with that one?

Let me know what you think.

Thanks.

Mak 🙂

mak-uk

Can anyone help? I am still stuck 🙁

Thanks.

Mak 🙂

Weedpacket

$sql = "SELECT * FROM members WHERE 
       mEMail = '$EMail' AND mPassword = PASSWORD('$Password')";

$EMail and $Password are empty! Sure you don't mean $uid and $pid?

mak-uk

You mean:

$sql = "SELECT * FROM members WHERE 
       mEMail = '$uid' AND mPassword = PASSWORD('$pwd')";

I have tried that but still, the Access Denied part prints out at the bottom.

Thanks.

Mak 🙂