I AM A NEWBIE. I AM SHAMEFUL.
Ok, now that I got that off of my chest, I am hoping someone could lend me a little time.
I am using the following scripts to implement a User Management System based on PHP sessions and MySQL. This is based off of a tutorial I found. The user registration works fine, linking to the DB and emailing registrants passwords and such. The problem is when I try to control access to my site. The index.php page has login forms, and once filled out should display the remainder of the index.php page. It doesn't and repeatedly requests login.
Here are the scripts:
<? //index.php
include 'accessControl.php';
?>
<html>
<head>
<title>Site Index</title>
</head>
<body>
<center>Thank you for your patience, please check back soon for updates.</center>
</body>
</html>
<? //accessControl.php
include_once 'common.php';
include_once 'db.php';
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pws = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
//if this is first visit to site, require login
if(!isset($uid)){
?>
<html>
<head>
<title>Please Login for Access</title>
</head>
<body>
<h1>Login Required</h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href = "signup.php">click here</a>
to signup for instant access.</p>
<p><form method ="post" action="<?=$_SERVER['PHP_SELF']?>">
User ID: <input type="text" name="uid" size="8" /><br />
Password: <input type="password" name="pwd" size="8" /><br />
<input type="submit" value="Log In" />
</form></p>
</body>
</html>
<?
exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
//match uid and pwd to stored username and password
dbConnect("jmcclure_sessions");
$query = "SELECT * FROM user WHERE
userID = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($query);
if (!$result){
error('A database error occurred while checking your '.
'login details.\nIf this error persists, please '.
'contact poisedforflight@gmail.com');
} //end dbError if
//if uid or pwd not found, reset uid and pwd and try again
if (mysql_num_rows($result) == 0){
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<html>
<head>
<title>Access Denied</title>
</head>
<body>
<h1>Access Denied</h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?
exit;
} //end uid pwd not found if
$userName = mysql_result($result,0,'fullname');
?>
<?php //db.php
function dbConnect($db=""){
//global $dbHost, $dbUser, $dbPass;
define('DB_NAME', $db); // The name of the database
define('DB_USER', 'jmcclure'); // Your MySQL username
define('DB_PASSWORD', 'password'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
$connection = mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Could not connect to mysql.");
$db_handle = mysql_select_db(DB_NAME,$connection) or die("Could not select database.");
return $connection;
} //end dbConnect()
?>
<? //common.php
function error($msg){
?>
<html>
<head>
<script language = "JavaScript">
<!--
alert("<?=$msg?>");
history.back();
//-->
</script>
</head>
<body>
</body>
</html>
<?
exit;
} //end function error()
?>
<? //signup.php
include 'common.php';
include 'db.php';
if (!isset($_POST['submitOK'])){
//display the user signup form
?>
<html>
<head>
<title>User Registration</title>
</head>
<body>
<h3>User Registration Form</h3>
<p><font color ="orangered" size ="+1"><tt><b>*</b></tt></font>indicates required field</p>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<table border="0" cellpadding="0" cellspacing="5">
<tr>
<td align="right">
<p>User ID</p>
</td>
<td>
<input name="newID" type="text" maxlength="50" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr>
<td align="right">
<p>Full Name</p>
</td>
<td>
<input name="newName" type="text" maxlength="50" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr>
<td align="right">
<p>E-mail Address</p>
</td>
<td>
<input name="newEmail" type="text" maxlength="50" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr valign="top">
<td align="right">
<p>Other Notes</p>
</td>
<td>
<textarea wrap="soft" name="newNotes" rows="5" cols="30"></textarea>
</td>
</tr>
<tr>
<td align="center" colspan="2">
<hr noshade="noshade" />
<input type="reset" value="Reset Form">
<input type="submit" name="submitOK" value=" OK " />
</td>
</tr>
</table>
</form>
</body>
</html>
<?
} else {
//process signup submission
dbConnect('jmcclure_sessions');
//check required fields !NULL
if ($_POST['newID']=="" or $_POST['newName']=="" or $_POST['newEmail']==""){
error('One or more required field(s) were left blank.\n'.
'Please fill them in and try again.');
} //end if
//check for existing user with the new id
$queryA = "SELECT COUNT(*) FROM user WHERE userID = '$_POST[newID]'";
$result = mysql_query($queryA);
if (!$result){
error('A database error occurred in processing your '.
'submission.\nIf this error persists, please '.
'contact poisedforflight@gmail.com');
} //end dbError if
if (mysql_result($result,0,0)>0) {
error('A user already exists with your chosen userID.\n'.
'Please try another.');
} //end check for userID if
//generate initial password
$newPass = substr(md5(time()),0,6);
//insert password into database
$queryB = "INSERT INTO user SET
userID = '$_POST[newID]',
password = PASSWORD('$newPass'),
fullname = '$_POST[newName]',
email = '$_POST[newEmail]',
notes = '$_POST[newNotes]'";
$result = mysql_query($queryB);
if ($result == FALSE){
error('A database error occurred in processing your '.
'submission.\nIf this error persists, please '.
'contact poisedforflight@gmail.com');
} //end dbError if
//Email the new password to the person
$message = <<<HERE
Hello.
Your personal account for the Project Web Site
has been created. To log in, proceed to the
following address:
http://jmcclure.itc471.info
Your personal login ID and password are as
follows:
userID: $_POST[newID]
password: $newPass
You can change your password at any time
after you have logged in.
If you have any problems, feel free to contact me at:
<poisedforflight@gmail.com>.
-Jason McClure
Webmaster
HERE;
mail($_POST['newEmail'], "Your Password for The Site", $message, "From: Jason McClure <poisedforflight@gmail.com>");
?>
<html>
<head>
<title>Registration Complete</title>
</head>
<body>
<p><strong>User registration successful!</strong></p>
<p>Your userID and password have been emailed to <strong><?=$_POST[newEmail]?></strong>, the email address<br>
you just provided in your registration form. To log in, click <a href="index.php">here</a> to return to the login page,<br>
and enter your new userID and password.</p>
</body>
</html>
<?
}
?>
Thanks in advance for any help or advice.
-Jason
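
Added example, not part of the original post or of the tutorial it follows: a hardened form of the check that accessControl.php performs, with the session started explicitly, the lookup done through a bound parameter, and only the user's identity kept in the session. It assumes PHP 7.1+ with PDO and a hypothetical pass_hash column filled by password_hash(); the function names are illustrative, and an in-memory SQLite table with constructed data stands in for the MySQL database.

```php
<?php
// Added example, not the poster's code. Assumed: PDO, and a hypothetical
// pass_hash column holding password_hash() output instead of PASSWORD().

function authenticate(PDO $pdo, string $uid, string $pwd): ?array {
    // Bound parameter: the user ID is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT userID, fullname, pass_hash FROM user WHERE userID = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against a salted hash, timing-safe.
    if ($row === false || !password_verify($pwd, $row['pass_hash'])) {
        return null;
    }
    return ['uid' => $row['userID'], 'name' => $row['fullname']];
}

function requireLogin(PDO $pdo): ?array {
    // $_SESSION only persists between requests once session_start() has run.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['uid'])) {
        return ['uid' => $_SESSION['uid'], 'name' => $_SESSION['name']];
    }
    if (!isset($_POST['uid'], $_POST['pwd'])) {
        return null;                    // caller renders the login form
    }
    $user = authenticate($pdo, (string)$_POST['uid'], (string)$_POST['pwd']);
    if ($user === null) {
        return null;                    // caller renders "Access Denied"
    }
    session_regenerate_id(true);        // fresh session ID after login
    $_SESSION['uid']  = $user['uid'];   // identity only, never the password
    $_SESSION['name'] = $user['name'];
    return $user;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (userID TEXT PRIMARY KEY, fullname TEXT, pass_hash TEXT)');
$pdo->prepare('INSERT INTO user VALUES (?, ?, ?)')
    ->execute(['jdoe', 'J. Doe', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'jdoe', 'constructed-pass')); // matching credentials
var_dump(authenticate($pdo, 'jdoe', 'wrong'));            // wrong password
var_dump(authenticate($pdo, "o'brien", 'x'));             // quote in the ID is plain data
```

A page would call requireLogin() before sending any output and render the login form or the denial page when it returns null.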