[RESOLVED] Confused $_SESSION

SoulAssassin

I had this Thread under the Newbie section for about 4 days, but it's obviously the wrong place.
Maybe you guys can see my problem.

When the Admin signs in, a Session gets created to hold it's user info, and echo it on every page.
login.php

   

<?
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['level'] = $row["user_level"];
$_SESSION['com_usercode'] = $row['com_usercode'];
$_SESSION['user_email'] = $row['user_email'];
$_SESSION['user_tel'] = $row['user_tel'];
$_SESSION['user_date'] = $row['date'];
?>

It works fine on every other page until the Admin needs to change another user's detail.
These Users have got the same fields as the Admin User, so when the edit form gets submitted, the $POST somehow replaces the $SESSION. Which means that all fields that's been changed, now echo the $_POST value of the user who's detail has been changed, instead of the original Admin user's SESSION information. It only happens once Admin chooses another user to edit. And if I go to another Page, the "New SESSION" goes through.
I need to know why this happen, or if it's something I'm doing wrong.

Here's a shortened version of my page.
users.php

   <?
session_start();
include "config.php";

$adminuser = $_SESSION['user_name']; 
$adminlevel = $_SESSION['level'];
$admincom_usercode = $_SESSION['com_usercode'];
$adminuser_date = $_SESSION['user_date'];
$adminuser_email = $_SESSION['user_email'];
$adminuser_tel = $_SESSION['user_tel'];

if(isset($_POST['Amend'])) 
{
//The only 2 field who gets edited, and who's values replace the $_SESSION
$userid = $_POST['userid'];
$user_email = $_POST['user_email'];
$user_tel = $_POST['user_tel'];

$result = mysql_query("Update login_table set user_email='$user_email', user_tel='$user_tel' where userid=".$_POST['userid']);
if ($result)
{
echo "User updated<br>";
$edit = "";
}
}
if ($order == "") {$order = "userid";}
$list = mysql_query("Select * from login_table WHERE com_usercode='$admincom_usercode' ORDER BY '$order'",$con);
$num = mysql_num_rows($list);
$n = 0;
?>
Admin Detail:
<? echo "Username - $adminuser"; ?>
<br>
<? echo "Login Level - $adminlevel"; ?>
<br>
<? echo "Company Code - $admincom_usercode"; ?>
<br>
<? echo "E-Mail Address - $adminuser_email"; // After form has been submited, $_POST replace this field ?>
<br>
<? echo "Telephone Number - $adminuser_tel"; // After form has been submited, $_POST replace this field ?>
<br>
<? echo "Registered Date - $adminuser_date"; ?>
<br>        

User Information:
<table width="100%" border="0">
    <tr> 
      <td width="5%"><a href="users.php?order=userid">ID</a></td>
      <td width="16%"><a href="users.php?order=user_name">User Name</a></td>
      <td width="8%"><a href="users.php?order=user_level">Level</a></td>
      <td width="18%"><a href="users.php?order=user_email">E-Mail</a></td>
      <td width="17%"><a href="users.php?order=user_tel">Tel</a></td>
      <td width="14%"><a href="users.php?order=user_ip">User IP</a></td>
      <td width="22%"><a href="users.php?order=date">Date Registered</a></td>
    </tr>
<?
while($row = mysql_fetch_array($list, MYSQL_ASSOC))
{
$n++;
?>
    <tr> 
      <td width="5%"><? echo $row['userid']; ?></td>
      <td width="16%">
<?
if($row['userid'] > "1") 
{ 
?>
<a href="users.php?edit=<? echo $row['userid']; ?>"><? echo $row['user_name']; ?></a>
<? 
} 
else
{
echo $row['user_name'];
}
?>
      </td>
      <td width="8%"><? echo $row['user_level']; ?></td>
      <td width="18%"><? echo $row['user_email']; ?></td>
      <td width="17%"><? echo $row['user_tel']; ?></td>
      <td width="14%"><? echo $row['user_ip']; ?></td>
      <td width="22%"><? echo $row['date']; ?></td>
    </tr>
<?
}
?>
</table>
<?
if ($edit) 
{
$result = mysql_query("Select * from login_table WHERE userid = '$edit'",$con);
$row = mysql_fetch_array($result);
?>
<br/>
<form name="form" method="post" action="">
Edit User:
        <table width="43%">
          <tr> 
            <td width="21%">User Name</td>
            <td width="43%">E-Mail</td>
            <td width="36%">Tel</td>
          </tr>
          <tr> 
            <td><? echo $row['user_name'];?></td>
            <td><input type="user_email" name="user_email" value="<? echo $row['user_email']; ?>"></td>
            <td><input type="user_tel" name="user_tel" value="<? echo $row['user_tel']; ?>"></td>
          </tr>
        </table>
  <input type="hidden" name="userid" value="<? echo $row['userid'];?>">
  <input type="Submit" name="Amend" value="Update">
</form>
<?
}
?>

Thought it might be something in my php.ini file, but I can't see anything wrong:
session.save_handler = files
session.save_path = c:/apache/tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_maxlifetime = 1440
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 1

I also tried it with Register Globals on, and off.

Please guys, any suggestions?
Thanks

devinemke

i would suggest that you nest your arrays to keep the admin's data separate from the user data. something like:

$_SESSION['admin']['userid'] = '123';
$_SESSION['admin']['name'] = 'Joe Admin';

$_SESSION['user']['userid'] = '456';
$_SESSION['user']['name'] = 'John User';

then refer to them explicitly this way, not using global variables.

SoulAssassin

Thanks for your reply and suggestion, but I won't be able to do it in that manner.
I have 4 different levels of security, and about 50 administrators that can change user info. New ones will be created all the time, so this method won't work.
I also thought about using .htaccess , but I'll have the same problem.

If I do this:

          $adminid = $_SESSION['userid'];
        $adminuser = $_SESSION['user_name']; 
       $adminlevel = $_SESSION['level'];
	$adminpassword = $_SESSION['user_pass'];
$admincom_usercode = $_SESSION['com_usercode'];
   $adminuser_date = $_SESSION['user_date'];
  $adminuser_email = $_SESSION['user_email'];
    $adminuser_tel = $_SESSION['user_tel'];


if(isset($_POST['Amend'])) 
{

     $user_pass = md5($_POST[user_pass]);
	    $userid = $_POST['userid'];
	 $user_name = $_POST['user_name'];
    $user_email = $_POST['user_email'];
	  $user_tel = $_POST['user_tel'];
	 $user_pass = $_POST['user_pass'];

echo "User '$user_name' Information Updated updated!";
echo "<br>";
echo "User ".$_SESSION['user_name']." Information Updated updated!";
echo "<br>";
echo "User '$adminuser' Information Updated updated!";
}

$user_name "echo's the $_POST['user_name']"
$SESSION['user_name'] "echo's the $POST['user_name']"
$adminuser "echo's the $_SESSION['user_name']"

until I change another user's info and submit,
$user_name "echo's the $POST['user_name']"
$SESSION['user_name'] "echo's the $_POST['user_name']"
$adminuser "echo's the previous user who got edited"

I can't believe this challenge has kept me busy for a week now.
I can't use a different solution, I need someone to tell me why this one doesn't work. Does no one know any reason why the $POST replace the $SESSION after a form is submitted?

Thanks to all of you contributing.

Piranha

This is only a guess since I don't have the correct file. I think that in config.php you have some code that looks if $POST['userid'] is set and then set $SESSION['userid'] to that value. It could be some of the other variables as well, or more than one. If it is this way you need to use another name when it is not the logged in user but another user. Changing to $_POST['otheruserid'] would probably solve the problem.

SoulAssassin

Awesome
You set me on the right track.
I went to my login page and changed my SESSION names to something completely different than the table's field names. I should have thought about this long ago.

This issue is resolved.
Thanks Piranha