[RESOLVED] Session variables & If statement

huplescat

Hi all,

I'm very new to PHP and am trying to create a login page that sets a session variable to be used at the beginning of each subsequent page to check if the login was valid.

This is what I've got:

$process = $_POST['process'];
$validated = 0;

if ($process == 1) {
$username = $_POST['username']; 
$password = $_POST['password'];

$sql = "select * from user where username='$username' and password='$password'";
$result = mysql_query($sql) or die(mysql_error());
$num = mysql_num_rows($result);
/*echo $num;*/
if($num <= 0 )
{
$validated = 0;
$login_result = '<br /><font color=#ff0000>Username or password incorrect, please try again.</font><br />';
}
else
$validated = 1;
session_start(); 
$user_id = $result[unique_id];
session_register ("id");
session_register ("validated");
$HTTP_SESSION_VARS ["id"] = $user_id;
$HTTP_SESSION_VARS ["validated"] = $validated; 
session_write_close(); 

header("Location: console.php");
}

Without the session variable stuff in the If statement, the username and password validate beautifully and it redirects to console.php as expected.

When I add in the session variable code though, the validation stops working and it redirects to console.php regardless of what's typed into the login box.

Can anyone explain why this happens? Or is there a different way I should be going about this?

Thanks 🙂

NogDog

I think you're missing an opening curly brace after the "else". Also, you need to "fetch" query result row data from your result ID which is returned by mysql_query() (see below).

Also, if you are using a tutorial or book that is instructing you to use session_register and $HTTP_SESSION_VARS, the first thing I'd suggest is to stop using that resource and move on to one that is more up to date. All you need to store and read session values is to start each page with session_start(), and to save/read your session values from the $_SESSION super-global array.

Therefore, once you've validated the info from the login form, all you need is:

else
{
   session_start(); 
   $row = mysql_fetch_assoc($result);  // you must fetch data from query result
   $_SESSION['id'] = $row['unique_id'];
   $_SESSION['validated'] = 1;

   header("Location: console.php");
}

Then on any page that you only want accessed by logged in users:

<?php
session_start();
if(!isset($_SESSION['validated'] or $_SESSION['validated'] != 1)
{
   // redirect to login page
}

// ...rest of page...

huplescat

Thanks NogDog 🙂 That makes a lot of sense (and I can't believe I missed that bracket!).

I'll update the code tomorrow and see how it goes.

bradgrafelman

Also, it appears as though you're vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query! Instead, sanitize it with a function such as [man]mysql_real_escape_string/man.

huplescat

The solution NogDog gave, plus discovering another missing curly bracket sorted this out 🙂

bradgrafelman - thankyou for the heads up. I'll fix that asap.