Session problems

raider00321

Hey i have a session problem which is meant to store the data of a username and userid. It works fine on my test server, but as soon as i upload it to the actual server. heres my script.

Login

<?
//***************************************
// This is downloaded from www.plus2net.com //
/// You can distribute this code with the link to www.plus2net.com ///
//  Please don't  remove the link to www.plus2net.com ///
// This is for your learning only not for commercial use. ///////
//The author is not responsible for any type of loss or problem or damage on using this script.//
/// You can use it at your own risk. /////
//*****************************************
?>
<!doctype html public "-//w3c//dtd html 3.2//en">

<html>

<head>
<title>(Type a title for your page here)</title>

<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>

<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#800080" alink="#ff0000">

<form action='loginck.php' method=post>
<table border='0' cellspacing='0' cellpadding='0' align=center>
  <tr id='cat'>
  <tr> <td bgcolor='#f1f1f1' ><font face='verdana, arial, helvetica' size='2' align='center'>  &nbsp;Login ID  &nbsp; &nbsp;
</font></td> <td bgcolor='#f1f1f1' align='center'><font face='verdana, arial, helvetica' size='2' >
<input type ='text' class='bginput' name='userid' ></font></td></tr>

<tr> <td bgcolor='#ffffff' ><font face='verdana, arial, helvetica' size='2' align='center'>  &nbsp;Password  

</font></td> <td bgcolor='#ffffff' align='center'><font face='verdana, arial, helvetica' size='2' >
<input type ='text' class='bginput' name='password' ></font></td></tr>

<tr> <td bgcolor='#f1f1f1' colspan='2' align='center'><font face='verdana, arial, helvetica' size='2' align='center'>  

<input type='submit' value='Submit'> <input type='reset' value='Reset'>
</font></td> </tr>


<tr> <td bgcolor='#ffffff' ><font face='verdana, arial, helvetica' size='2' align='center'> &nbsp;<a href='signup.php'>New Member Sign UP</a></font></td> <td bgcolor='#ffffff' align='center'><font face='verdana, arial, helvetica' size='2' >
Forgot Password ?</font></td></tr>

<tr> <td bgcolor='#f1f1f1' colspan='2' align='center'><font face='verdana, arial, helvetica' size='2' align='center'>  

&nbsp;</font></td> </tr>


</table></center></form>

<center>
<br><br><a href='http://www.plus2net.com'>PHP SQL HTML free tutorials and scripts</a></center> 

</body>

</html>

Login Check

<?
include "session.php";
include "Connect.php";
?>
<!doctype html public "-//w3c//dtd html 3.2//en">

<html>

<head>
<title>(Type a title for your page here)</title>
<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>

<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#800080" alink="#ff0000">
<?
$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);

if($rec=mysql_fetch_array(mysql_query("SELECT * FROM plus_signup WHERE userid='$userid' AND password = '$password'"))){
	if(($rec['userid']==$userid)&&($rec['password']==$password)){
	 $_SESSION[userid]=$userid;
	 $_SESSION[password]=$password;
            echo "<p class=data> <center>Successfully, $_SESSION[userid] Logged in<br><br><a href='logout.php'> Log OUT </a><br><br><a href=welcome.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>
			<table width=200 border=1>
  <tr>
    <th scope=col>Money</th>
    <th scope=col>&nbsp;</th>
    <th scope=col>&nbsp;</th>
    <th scope=col>&nbsp;</th>
  </tr>
  <tr>
    <th scope=row>&nbsp;</th>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <th scope=row>&nbsp;</th>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <th scope=row>&nbsp;</th>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <th scope=row>&nbsp;</th>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
</table>";


			} 
	}	
else {

	session_unset();
echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct  Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";

}
?>
<center>


</body>

</html>

Main Page

<?php include "session.php";?>
<title>WOTA-Main Room</title>
<?php include "Connect.php";?>


<link href="My First CSS.css" rel="stylesheet" type="text/css" />

<style type="text/css">
<!--
body {
	background-color: #000000;
}
-->
</style></head>

<body>
<div  id="header">
  <?php include ("menu.php")?></div>
<div id="SideBar">
<?php include ("Links.php")?>

</div>
<div id="Body">
<?
$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);
	 $_SESSION[userid]=$userid;
	 $_SESSION[password]=$password;
if($rec=mysql_fetch_array(mysql_query("SELECT * FROM wota WHERE userid='$userid' AND password = '$password'"))){
	if(($rec['userid']==$userid)&&($rec['password']==$password)){
	 $_SESSION[userid]=$userid;
	 $_SESSION[password]=$password;

$updatetotalpop="UPDATE wota SET totalpop=lowerclasspop+middleclasspop+upperclasspop  WHERE userid='$_SESSION[userid]'";
           mysql_query($updatetotalpop) or die("error displaying total population. Please report to Admin");
$updatetotalemployment="UPDATE wota SET totalunemployment=lowerclassunemployment+middleclassunemployent+upperclassunemployment WHERE userid='$_SESSION[userid]'";
 mysql_query($updatetotalemployment) or die("error displaying total unemployment. Please report to Admin");

 mysql_connect($servername,$dbusername,$dbpassword);
@mysql_select_db("$dbname");
$userstats="SELECT * FROM $table WHERE userid='$_SESSION[userid]'";
$userstats2=mysql_query($userstats);
$userstats3=mysql_fetch_array($userstats2);



        echo "<p class=data> <center>Welcome Commander $_SESSION[userid]!
		<br>Resources";
print "<table width='700' border='0'>
<th width=120 bgcolor=#999999><FONT SIZE=1>Gold</FONT></th>
<th width=120 bgcolor=#999999> 
<FONT SIZE=1 >$userstats3[gold]</FONT>
<th width=300 bgcolor=#999999></th>
<th width=120 bgcolor=#999999><FONT SIZE=1>Wood</FONT></th>
<th width=120 bgcolor=#999999><FONT SIZE=1>$userstats3[wood]</FONT></th>
  </tr>
  <tr>
  <th width=120 bgcolor=#333333><FONT SIZE=1>Food</FONT></th>
  <th width=120 bgcolor=#333333><FONT SIZE=1>$userstats3[food]</FONT></th>
  <th width=260 bgcolor=#333333></th>
  <th width=120 bgcolor=#333333><FONT SIZE=1>Stone</FONT></th>
  <th width=120 bgcolor=#333333><FONT SIZE=1>$userstats3[stone]</th>
  </tr>
  </table>
<table width=700>
<th width=700 bgcolor=#999999> Population </th>
</tr>
</table>
<table width=700>
<th width=100 bgcolor=#3333333><FONT SIZE=1>Total Population</FONT></th>
    <th width=120 bgcolor=#333333> 
	<FONT SIZE=1 bgcolor=#333333>$userstats3[totalpop]</FONT>
	<th width=260 bgcolor=#333333></th></th>
    <th width=120 bgcolor=#333333><FONT SIZE=1>Lowerclass Population</FONT></th>
    <th width=120 bgcolor=#33333><FONT SIZE=1>$userstats3[lowerclasspop]</FONT></th>
  </tr>
  <tr>
  <th width=120 bgcolor=#999999><FONT SIZE=1>Middleclass Population</FONT></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>$userstats3[middleclasspop]</FONT></th>
  <th width=260 bgcolor=#999999></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>Upperclass Population</FONT></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>$userstats3[upperclasspop]</th>
  </tr>
  </table>
  <table width=700>
  <tr>
  <th width=700 bgcolor=#999999> Employment </th>
  </tr>
  </table>
  <table width=700>
  <tr>
  <th width=100 bgcolor=#3333333><FONT SIZE=1> Total Unemployment</FONT></th>
    <th width=120 bgcolor=#333333> 
	<FONT SIZE=1 bgcolor=#333333>$userstats3[totalunemployment]</FONT>
	<th width=260 bgcolor=#333333></th></th>
    <th width=120 bgcolor=#333333><FONT SIZE=1>Lowerclass Unemployment</FONT></th>
    <th width=120 bgcolor=#33333><FONT SIZE=1>$userstats3[lowerclassunemployment]</FONT></th>
  </tr>
  <tr>
  <th width=120 bgcolor=#999999><FONT SIZE=1>Middleclass Unemployment</FONT></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>$userstats3[middleclassunemployent]</FONT></th>
  <th width=260 bgcolor=#999999></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>Upperclass Unemployment</FONT></th>
  <th width=120 bgcolor=#999999><FONT SIZE=1>$userstats3[upperclassunemployment]</th>
  </tr>
";

			} 
	}	
else {

	session_unset();
echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct  Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";

}
?>

</div>
</body>





</html>

deshg

This isn't definite as you haven't included all of your files so this may be a silly suggestion, but you don't have session_start(); at the top of your pages, which is needed on any pages you wish to use/carry the sessions variables. Without this you won't be able to make use of them and it has to be the first thing on the page.

As i say you may already have this on your session.php include or one of the others, but just in case you don't.

Dave

raider00321

Sorr, this is what i have in my session.php file
<?php
session_start();
session_register("session");
?>
.ps thanks for the fast reply, i put this here only 5 mins ago

deshg

Again may be a crazy suggestion, but your code looks about right, have you tried specifying session_start in each file individually because i know there can be problems if it's not exactly the first thing on a page and headers or other stuff preceed it, i'm just wondering if maybe by doing an include it's causing you problems as it's causing something to exist before the session_start command? Worth a try at least. Also incidentally i never actually use session_register to define the session on my checklogin page, i just set them and they are registered automtically. This may be a bad thing (if so i don't know why) but it works for me.

Or you may want to wait for someone more experienced to tell you what's going on!

Dave

raider00321

hmmm. i just tried taking it out of the other page, but it still didnt work. Could the problem have t do somthint with my webhosts securuty??

NogDog

Looks like you use short tags in some places ("<?" instead of "<?php"). You might want to check if short_open_tags is enabled on the problematic host, or just go ahead and change them all to "<?php" in order to maximize the portability of your script.

raider00321

hmm, i just fixed that and still nothing..........

raider00321

erm, perhaps if i actually show you the link....
www.lazyproductionsonline.com/wota

NogDog

Try putting this at the top of each script to help gather any debug info:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

raider00321

That got me somthing.I got this error message now

Notice: Use of undefined constant userid - assumed 'userid' in /home/lazyprod/public_html/WOTA/main.php on line 30

Notice: Use of undefined constant password - assumed 'password' in /home/lazyprod/public_html/WOTA/main.php on line 31

Notice: Use of undefined constant userid - assumed 'userid' in /home/lazyprod/public_html/WOTA/main.php on line 34

Notice: Use of undefined constant password - assumed 'password' in /home/lazyprod/public_html/WOTA/main.php on line 35

raider00321

Ok, i fixed those problem on the screen, but it still isnt storing the sessions

NogDog

Looks like maybe the code depends on register_globals (which is always a bad idea now). Try this where you set these variables:

$userid=mysql_real_escape_string($_POST['userid']);
$password=mysql_real_escape_string($_POST['password']);

raider00321

Hmmm. I just tinkered with it and it seems to have fixed it now

What i forgot to do was to was this

$userid=$SESSION[userid];
$userid=$SESSION[password];
$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);

From me doing this, it now seems to be working just fine 🙂 Thankyou for all your help, without you it would of taken me ages to figure that out 🙂. Thankyou once again. But before i stop posting why is it a bad idea on making the script depend on global variables??

Horizon88

They're less secure, global variables.

Say you have a script that acts on a POST variable, $_POST['page'];

Using register_globals and calling it as just $page; an attacker can bypass your form, access the processor script directly, and pass it in a get variable:

script.php?page='/etc/passwd'

or something similar. 🙂

It's just good code practice not to rely on register_globals, especially since lots of hosts don't allow them.

NogDog

register_globals is really only potentially dangerous if you use uninitialized variables in certain ways. For instance, suppose you do the following in your code:

$array['name'] = 'NogDog';
$array['age'] = 'old';
foreach($array as $key => $val)
{
   echo "<p>$key: $val</p>\n";
}

Now suppose a malicious user submitted his own form that called your page as the action, including the following input field:

<input type='text' name='array[]' value='<script type="text/javascript">malicious code here</script>'>

If register_globals is on, then the above script's foreach loop will now output the malicious script as well as the intended text. However, if you had initialized the $array before assigning values, this would not be an issue:

$array = array();
$array['name'] = 'NogDog';
$array['age'] = 'old';
foreach($array as $key => $val)
{
   echo "<p>$key: $val</p>\n";
}

Similar things could happen with uninitialized scalar variables, but again only if used in certain ways, such as using the ".=" operator to append values to a string variable without first setting it to a value (or empty string) via the "=" operator.

So, if you are careful not to use uninitialized variables and always get your external inputs from the applicable array ($POST, $GET, etc.), your script should run fine regardless of whether or not register_globals is on.