logon check on each page

corruption

i've looked throughout this website and a few others and haven't figured out what my problem is....
I am setting up a members only area to my fraternity website.
i can get the login to work and redirection, signup and all of that, but you can still type any url beyond the members area and get in. I've got this at the top of a test page and it still doesn't work properly.

<html>
<?php
require 'db.php';
require 'logincheck.php';
?>
<head>
<title>
That's the top one file i want protected

then logincheck.php is:

<?php
//include the connection script
session_start();
require 'db.php';
$username = $SESSION['username']
$sql = mysql_query('SELECT username from users where username = '$username'');
$numrows = mysql_num_rows($sql);
if ($numrows == 0)
{
header(location: 'login_form.html');
exit();
}
echo "Welcome ". $SESSION['username'] ." ";
?>

LordShryku

I'm suprised this code even works. First, you require db.php twice. It should dump on that, unless you use require_once.
Next, this line:
$username = $_SESSION['username']
isn't terminated with a ;
You should gt a parse error from that.

Anyway, you may just want to do a check that username exists first....

session_start();
require_once 'db.php';
if(isset($_SESSION['username'])) {
   $sql = mysql_query("SELECT username 
                         FROM users 
                        WHERE username = '".$_SESSION['username']."'");
   $numrows = mysql_num_rows($sql);
   if($numrows == 0) {
      header("Location: login_form.html");
      exit();
   }
   echo "Welcome ". $_SESSION['username'] ." ";
}
else {
   header("Location: login_form.html");
}

keith73

perhaps error reporting is turned off.

you also can't call session_start() after outputting to the browser, it has to be done before any output.

keith

corruption

Thanks guys, i had to rename the page to .php, and do some of the things you talked about.
Much appreciated.