Book Code Problem

jkatcher

hi everyone -- this is kinda weird. I copied code from the book "PHP and MySQL Web Development" by www.lukelaura.com (ch 24) -- and it does not work. straight from the CD that came with the book. i checked for updates on the site, but there are none.

anyway, the code is for a user authentification. here is where it is:

www.bandvans.com/login.php

you CAN:

1) register
2) login
3) data that is registered is stored in the table in the db, so there are no connection problems

you CANNOT:

do any of the options on the page, because it says 'Problem, You are Not Logged In'.

Each of the options calls a function called 'check_valid_user()', so I thought the problem might be there. but i rechecked the code and it looks fine.

does anyone have any thoughts as to what possibly this could be? should i include the code, if anyone wanted to check it out? let me know, thank you so much !!!!

Weedpacket

Originally posted by jkatcher
should i include the code, if anyone wanted to check it out?

That could help. You reckon it looks fine, but you have to admit - if your debugging worked you wouldn't need to post, would you?🙂

jkatcher

this is the pre-defined functions page: check_valid_user() is there as wel...


<?php

require_once('db_fns.php');

function register($username, $email, $password)
// register new person with db
// return true or error message
{
 // connect to db
  $conn = db_connect();
  if (!$conn)
    return 'Could not connect to database server - please try later.';

  // check if username is unique 
  $result = mysql_query("select * from user where username='$username'"); 
  if (!$result)
     return 'Could not execute query';
  if (mysql_num_rows($result)>0) 
     return 'That username is taken - go back and choose another one.';

  // if ok, put in db
  $result = mysql_query("insert into user values 
                         ('$username', password('$password'), '$email')");
  if (!$result)
    return 'Could not register you  in database - please try again later.';

  return true;
}

function login($username, $password)
// check username and password with db
// if yes, return true
// else return false
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return false;

  // check if username is unique
  $result = mysql_query("select * from user 
                         where username='$username'
                         and passwd = password('$password')");
  if (!$result)
     return false;

  if (mysql_num_rows($result)>0)
     return true;
  else 
     return false;
}

function check_valid_user()
// see if somebody is logged in and notify them if not
{
  global $HTTP_SESSION_VARS;
  if (isset($HTTP_SESSION_VARS['valid_user']))
  {
      echo 'Logged in as '.$HTTP_SESSION_VARS['valid_user'].'.';
      echo '<br />';
  }
  else
  {
     // they are not logged in 
     do_html_heading('Problem:');
     echo 'You are not logged in.<br />';
     do_html_url('login.php', 'Login');
     do_html_footer();
     exit;
  }  

}

function change_password($username, $old_password, $new_password)
// change password for username/old_password to new_password
// return true or false
{
  // if the old password is right 
  // change their password to new_password and return true
  // else return false
  if (login($username, $old_password))
  {
    if (!($conn = db_connect()))
      return false;
    $result = mysql_query( "update user
                            set passwd = password('$new_password')
                            where username = '$username'");
    if (!$result)
      return false;  // not changed
    else
      return true;  // changed successfully
  }
  else
    return false; // old password was wrong
}

function get_random_word($min_length, $max_length)
// grab a random word from dictionary between the two lengths
// and return it
{
   // generate a random word
  $word = '';
  //remember to change this path to suit your system
  $dictionary = '/usr/dict/words';  // the ispell dictionary
  $fp = fopen($dictionary, 'r');
  if(!$fp)
    return false; 
  $size = filesize($dictionary);

  // go to a random location in dictionary
  srand ((double) microtime() * 1000000);
  $rand_location = rand(0, $size);
  fseek($fp, $rand_location);

  // get the next whole word of the right length in the file
  while (strlen($word)< $min_length || strlen($word)>$max_length || strstr($word, "'"))
  {  

     if (feof($fp))   

        fseek($fp, 0);        // if at end, go to start
     $word = fgets($fp, 80);  // skip first word as it could be partial
     $word = fgets($fp, 80);  // the potential password
  };
  $word=trim($word); // trim the trailing \n from fgets
  return $word;  

}

function reset_password($username)
// set password for username to a random value
// return the new password or false on failure
{ 
  // get a random dictionary word b/w 6 and 13 chars in length
  $new_password = get_random_word(6, 13);

  if($new_password==false)
    return false;
  // add a number  between 0 and 999 to it
  // to make it a slightly better password
  srand ((double) microtime() * 1000000);
  $rand_number = rand(0, 999); 
  $new_password .= $rand_number;

  // set user's password to this in database or return false
  if (!($conn = db_connect()))
      return false;
  $result = mysql_query( "update user
                          set passwd = password('$new_password')
                          where username = '$username'");
  if (!$result)
    return false;  // not changed
  else
    return $new_password;  // changed successfully  

}

function notify_password($username, $password)
// notify the user that their password has been changed
{
    if (!($conn = db_connect()))
      return false;
    $result = mysql_query("select email from user
                            where username='$username'");
    if (!$result)
    {
      return false;  // not changed
    }
    else if (mysql_num_rows($result)==0)
    {
      return false; // username not in db
    }
    else
    {
      $email = mysql_result($result, 0, 'email');
      $from = "From: support@phpbookmark \r\n";
      $mesg = "Your PHPBookmark password has been changed to $password \r\n"
              ."Please change it next time you log in. \r\n";


  if (mail($email, 'PHPBookmark login information', $mesg, $from))
    return true;      
  else
    return false;     
}
} 

?>

Weedpacket

check_valid_user() is looking at a session variable. Presumably, that variable is not there, or it would say so. So the question becomes: where is that session variable (supposed to be) getting set, and is that bit of code being used? (there are a bunch of things to look at here: how is the session ID being passed to the client, is the client passing it back, does the session variable ever get set (look at the session data file itself and see), etc.)? The manual chapter on sessions will give more detail (whether you're passing the ID by cookie or URL, for example, and whether or not the client is accepting cookies.)

jkatcher

the session is called on virtually each page that calls the check_valid_user() function... but here's the 'members' page on which the options are displayed --

<?php

// include function files for this application
require_once('bookmark_fns.php'); 
session_start();

//create short variable names
$username = $HTTP_POST_VARS['username'];
$passwd = $HTTP_POST_VARS['passwd'];

if ($username && $passwd)
// they have just tried logging in
{
    if (login($username, $passwd))
    {
      // if they are in the database register the user id
      $HTTP_SESSION_VARS['valid_user'] = $username;
    }  

    else
    {
      // unsuccessful login
      do_html_header('Problem:');
      echo 'You could not be logged in. 
            You must be logged in to view this page.';
      do_html_url('login.php', 'Login');
      do_html_footer();
      exit;
    }      

}

/* this is where the function is called, and session has already started */

do_html_header('Home');
check_valid_user();
// get the bookmarks this user has saved
if ($url_array = get_user_urls($HTTP_SESSION_VARS['valid_user']));
  display_user_urls($url_array);

// give menu of options
display_user_menu();

do_html_footer();
?>