[RESOLVED] PHP Session Problems.

daveyc

Hey there guys and girls.

I'm currently experiencing problems with a system i'm coding. Basically, it's a talent bank system. This allows radio presenters to register their details and upload their demo mp3's so that potential employers can find them.

Everything is working okay apart from the upload mp3 section.

When the user first logs in, a session is created and their username is checked against the database. After this they're directed to their profile page (secure.php).

This all works fine, and the sessions stay intact. BUT, there comes a problem when the user uploads the mp3. The session is lost.

Here are snippets of my code:

// auth.php 

// start session 
session_start();

// convert username and password from _POST or _SESSION 
if($_POST){ 
  $user = $_SESSION['user']=$_POST["user"]; 
  $pass = $_SESSION['pass']=$_POST["pass"];   

  $mdpass = md5($pass);
}else{

if($_SESSION){
$user = $_POST['user']=$_SESSION['user'];
$pass = $_POST['pass']=$_SESSION['pass'];
$mdpass = md5($pass);
}
}

// query for a user/pass match 
$sql = "SELECT * FROM `MY_DB_NAME`.`users` WHERE `users`.`user` = '$user' AND `users`.`pass` = '$mdpass' LIMIT 1;";
$result=mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($result)){
$active = $row['active'];
$firstlogin = $row['firstlogin'];
$id = $row['id'];
}
// retrieve number of rows resulted 
$num=mysql_num_rows($result);  

// print login form and exit if failed. 
if($num < 1){ 
header("location:default.php?msg=1");   // wrong user/password error
 exit; 
}
echo "38";
if ($active == "1"){
}else{

if($active == "0"){
header("location:default.php?msg=2"); // user not activated
}
}

if ($firstlogin == "0"){
$sql = "SELECT * FROM `MY_DB_NAME`.`users` WHERE `users`.`id` = '$id' LIMIT 1;";
$result = mysql_query($sql) or die(mysql_error());

while ($row = mysql_fetch_array($result)){
$id = $row['id'];
$email = $row['email'];
} // end of while block


// Define Variables
$about = "Write a little about yourself here. Do not include any HTML";
$demo = "users/demos/nodemo.mp3";
$paypal = $email;
$picture = "users/pictures/nopicture.jpg";
$testimonial = "No Testimonials Received";
$availability = "Write your availability here";
$ip = "No IP recorded. This is your first login";

// Build Query
$sql = "INSERT INTO `MY_DB_NAME`.`profileinfo` (`id`, `userid`, `email`, `aboutme`, `demourl`, `paypal`, `picture`, `testimonial`, `avail`, `lastip`) VALUES (NULL, '$id', '$email', '$about', '$demo', '$paypal', '$picture', '$testimonial', '$availability', '$ip');"; 
$result = mysql_query($sql) or die(mysql_error());

$sql = "UPDATE `MY_DB_NAME`.`users` SET `firstlogin` = '1' WHERE `users`.`id` = '$id' LIMIT 1;";
mysql_query($sql) or die (mysql_error());
echo '<div align="center"><b>Alert:</b>First Login.. New Profile Created!</div>';
}else{ // User has logged in before.

$ip = $_SERVER['REMOTE_ADDR'];

$sql = "UPDATE `MY_DB_NAME`.`profileinfo` SET `lastip` = '$ip' WHERE `profileinfo`.`userid` = '$id' LIMIT 1;";
mysql_query($sql);
}


<?

// ADDMP3.PHP
include('talent_connect.php'); // The DB Connect File
include('auth.php'); // The Above Auth File
include('gather_profile.php'); // An SQL query
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
<!--
body,td,th {
	font-family: Arial, Helvetica, sans-serif;
	font-size: 10px;
	color: #666666;
}
.style1 {
	font-size: 12;
	font-weight: bold;
}
.style4 {
	color: #000000;
	font-style: italic;
	font-weight: bold;
}
.style5 {color: #000000}
.style11 {color: #000000; font-weight: bold; }
-->

.dynamic{padding-left:3px;padding-right:3px;}
</style></head>

<body>
<div align="center">
  <p><em><strong>You are logged in from: <? echo $lastip; ?></strong></em><br />
    <br />
  <? include('nav.php'); ?></p>
  <p>Upload your MP3 Demo:</p>
  <table width="278" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td colspan="2" valign="top" bgcolor="#CCCCCC"><div align="center"><form action="uploadmp3.php" method="post" enctype="multipart/form-data">
         File:
         <input type="file" name="file" />
      <br />
          <input type="submit" name="Submit" value="Upload" /></form>
      </div></td>
    </tr>
  </table>
  <p> <br />
  </p>
</div>
</body>
</html>


<?
// UPLOADMP3.PHP

include('talent_connect.php');
include('auth.php');
include('gather_profile.php');

$wd = getcwd();
$nname = "$username-$userid.mp3";

echo "<br><br>";
if (move_uploaded_file($_FILES['file']['tmp_name'], ''.$wd.'/users/demos/'.$nname.'')) {

//move_uploaded_file ($_FILES['file'] ['tmp_name'], 
       //"".$wd."/users/demos/{$_FILES['file'] ['".$nname."']}") ){ 
	   echo "uploaded!";
	   }else{

   switch ($_FILES['file'] ['error'])
     {  case 1:
               print '<p> The file is bigger than this PHP installation allows</p>';
               break;
        case 2:
               print '<p> The file is bigger than this form allows</p>';
               break;
        case 3:
               print '<p> Only part of the file was uploaded</p>';
               break;
        case 4:
               print '<p> No file was uploaded</p>';
               break;

   }}


?>

So as you can see. The user gets to the addmp3.php page.. Then there, there's a form. They choose a file on their hard disc, and then "uploadmp3.php" uploads the mp3 file to the server... Only it doesn't. It re-directs me to the login form saying i have a wrong username and password ($msg=1).

Any sort of help or direction would be very much appreciated 🙂

Thanks,

Davey C

halojoy

when they register
username $user and md5($pass) is insert into 'users' table
At least I think so ... even if I have not seen 'register.php'

When they login, 'login.php' sets $SESSION['user'] and $SESSION['mdpass']

These values are tested by 'auth.php' at other pages.
So this would find a match:

// query for a user/pass match
$sql = "SELECT * FROM `MY_DB_NAME`.`users` WHERE `users`.`user` = '$user' AND `users`.`pass` = '$mdpass' LIMIT 1;";

daveyc

No,

What happens is "default.php" contains the login form. When the submit button is clicked it sends it to "secure.php" which will only show if "auth.php" has found mysql results.

Would making a seperate login.php script to process the form input solve the problem?

Dave

halojoy

Just because $_POST array exists
does not always mean username + password were submitted

You could try
a more specific test of $_POST

<?php

session_start();
error_reporting( E_ALL ); //  debug while develop

if( isset($_POST['user']) && isset($_POST['pass']) ){

}
else{

}

another way, often used, is to add a hidden field 'action' to forms

login.php

<input type="hidden" name="action" value="login">

and test it with
auth.php

<?php

session_start();
error_reporting( E_ALL ); //  debug while develop

if( isset($_POST['action']) && $_POST['action']=='login' ){
    // get user/pass from post

}
elseif( isset($_SESSION['user']) ){
    // get user/pass from session

)
else{
    // login/register
    exit( '<a href="login.php">Login</a> or <a href="register.php">Register</a>' );

}

// test user/pass

?>

daveyc

I've added the "error_reporting" statement.

uploadmp3.php is kicking out the following errors:

Notice: Undefined index: user in /home/carterr/public_html/talent/auth.php on line 9

Notice: Undefined index: pass in /home/carterr/public_html/talent/auth.php on line 10

Warning: Cannot modify header information - headers already sent by (output started at /home/carterr/public_html/talent/auth.php:9) in /home/carterr/public_html/talent/auth.php on line 35

So this is basically showing me what i suspected all along, that the session has disappeared.

Obviously the third error about the headers is due to the previous output before the header(location: default.php?msg=1); is sent.

All of my pages on the site are working fine, apart from the uploadmp3.php file which is the file that processes my upload which is sent from addmp3.php.

The session just doesn't work after submitting the form, but as i said, the rest of the website works fine 🙁

--EDIT--

Just out of curiosity, i decided to create some other pages. One with a form on, and one to process the input, and the same thing is happening again.. Seems i must be doing something wrong as the form inputs seem to be destroying the sessions.. Any help anyone? 🙂

Thanks a bunch for all your help so far

dalecosp

daveyc wrote:
I've added the "error_reporting" statement.

uploadmp3.php is kicking out the following errors:
Notice: Undefined index: user in /home/carterr/public_html/talent/auth.php on line 9

Notice: Undefined index: pass in /home/carterr/public_html/talent/auth.php on line 10

Warning: Cannot modify header information - headers already sent by (output started at /home/carterr/public_html/talent/auth.php:9) in /home/carterr/public_html/talent/auth.php on line 35
So this is basically showing me what i suspected all along, that the session has disappeared.

No, this says three things. 1> no value was passed for a variable called "user", and the variable wasn't created prior to being referred to in the script 2> no value was passed for a variable called "pass", and the variable wasn't created prior to being referred to by the script, and 3> there's output prior to the header call in auth.php and $num is less than one (condition is being met).

I'd venture to guess that the "session disappearing" problem stems from this:

}else{

if($_SESSION){
$user = $_POST['user']=$_SESSION['user'];
$pass = $_POST['pass']=$_SESSION['pass'];
$mdpass = md5($pass);
}
}

You can't set the $_POST array like this, so I'm thinking you end up setting $user and $pass to either 0 or NULL when this code executes.

daveyc

Hi Guys.

Thanks for all of your help. After i posted my last message, I decided to get some sleep and come back to it with a fresh head the next morning.

I realised that the if code at the beginning of auth.php was in the incorrect order.

if($_POST){ 
  $user = $_SESSION['user']=$_POST["user"]; 
  $pass = $_SESSION['pass']=$_POST["pass"];    

  $mdpass = md5($pass); 
}else{ 

if($_SESSION){ 
$user = $_POST['user']=$_SESSION['user']; 
$pass = $_POST['pass']=$_SESSION['pass']; 
$mdpass = md5($pass); 
} 
}

addmp3.php was submitting a form, so when uploadmp3.php tried to process it, auth.php was seeing that something had been posted, and was sending null to the user and pass variables.

So, i just swapped the code around, and it works 🙂

if($_SESSION){ 
    $user = $_POST['user']=$_SESSION['user']; 
    $pass = $_POST['pass']=$_SESSION['pass']; 
    $mdpass = md5($pass); 
}else{ 

 if($_POST){ 
  $user = $_SESSION['user']=$_POST["user"]; 
  $pass = $_SESSION['pass']=$_POST["pass"];    

  $mdpass = md5($pass); 

} 
}

Thanks a lot for your help again 🙂

Davey (Feeling rather happy with ones self)

halojoy

Great!
You solved it.
Hope it works also in other possible cases.
It would depend on how your other scripts will use this 'auth.php'