help with syntax setting a session

CodeMama

I can't get the AdminID session to set, the user and adminlogin set fine because they come from a login form but I think I have the wrong method or syntax for setting the adminID which I'm getting from the db

<?php 
//start session
session_start();
//db connection include	
include("inc/dbconn_open.php") ;
//errors on
error_reporting(E_ALL);
ini_set('display_errors', '1');




if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';}

$msg = '';

if (!empty($UserName)) {

$sql = "SELECT `AdminID`,`UserName` FROM `admin` WHERE  `UserName`='$UserName' and    `Password`='$Password'";
$result = mysql_query ($sql);
$row = mysql_fetch_object ($result);

   if(isset($_SESSION['AdminID']))
    $_SESSION['AdminID'] = $_SESSION['AdminID'];
else
    $_SESSION['AdminID'] = $AdminID;



If (mysql_num_rows($result) > 0) {
	$_SESSION['AdminLogin'] = true;
	$_SESSION['user']=$UserName;
	$_SESSION['AdminID']=$AdminID; 

	header ('Location: Main.php');

coldwerturkey

$AdminID is undefined.

Something similar to this would do the trick

$_SESSION['AdminID'] = (isset($_SESSION['AdminID'])) ? $_SESSION['AdminID'] : $row->id;

(with this you're setting the session with the 'ID' value from the array $row which is from the mysql_query)

your php errors should have informed you about this.

additionally your method of verifying the user is a little ...less then perfect..

firstly, you should be using mysql_real_escape_string() to prevent mysql injection

secondly, granted the the passwords aren't instated by the script and are user confidential, you should be using some form of hash like md5() or sha1() with a salt to keep them private.. and away from malicious visitors.

thirdly, your query WHERE UserName='$UserName' and Password='$Password' you should only be selecting the hashed password where the username = $username, than compare the two (I've been told this is safer)

Take what you can from what I've done below, it by no means is the "right" way to do it, but it may be helpful

//start session
session_start();

//db connection include	
include("inc/dbconn_open.php");

//errors on
error_reporting(E_ALL);
ini_set('display_errors', '1');

//escape username/password
$UserName = (isset($_POST['UserName'])) ? mysql_real_escape_string($_POST['UserName']) : '';
$Password = (isset($_POST['Password'])) ? mysql_real_escape_string($_POST['Password']) : '';

if (!empty($UserName)) {
	$sql = "SELECT `AdminID`,`UserName`,`Password` FROM `admin` WHERE `UserName`='$UserName'";
	$result = mysql_query($sql);
	$row = mysql_fetch_array($result);

//If hashed passwords match proceed login
if (sha1($Password) == $row['Password']) { //granted the password was sha1() before insertion into db
	$_SESSION['AdminID'] = (isset($_SESSION['AdminID'])) ? $_SESSION['AdminID'] : $row['id']; 
	$_SESSION['AdminLogin'] = true;
	$_SESSION['user'] = $UserName;
	header ('Location: Main.php');
}
}

CodeMama

I tried your suggestion and now I get a blank page and no errors showing so I don't know what to do to fix it or where to start looking, is there a common thing to look for when a blank page is what you get?

CodeMama

Well I got this work and now have the 3 session variables, but how do I use them without passing them in the url, I keep getting logged out even though if I expose my variables the sessions are still there from page to page...

Weedpacket

If you're storing them in the session then you don't need to pass them in the URL (that's kind of the point).

What does Main.php look like? Are you starting the session there, too?

Incidentally, one should always write "exit;" after calls to "header('Location:...');" because otherwise PHP will continue to process whatever is on that page.

CodeMama

I do start the session_start() on all pages in this app, then on main , which is a frameset I have this:

<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', '1');

include("inc/dbconn_open.php");

if (empty($_SESSION['AdminLogin']) || $_SESSION['AdminLogin'] !=  true){
   // header ("Location: LogOut.php");
	$_SESSION['user']=$UserName;
	$_SESSION['AdminID']=$AdminID;
}



?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Work Order System - Administrative Section</title>
</head>

<frameset cols="200,*" frameborder="NO" border="0" framespacing="0">
  <frame src="Menu.php?AdminID=<?php echo $_SESSION['AdminLogin']; ?>" name="leftFrame" scrolling="auto" noresize>
  <frame src="Welcome.php?AdminID=<?php echo $_SESSION['AdminLogin']; ?>" name="mainFrame">
</frameset>
<noframes><body>
</body></noframes>
</html>

Seems that if I take the session variable out of the url, it gives me the blank page of death, even though if I echo the variables it does say they are there but are they only being derived from the url?

Weedpacket

Then it would appear that either your browser is refusing cookies or your server isn't configured to use them, and nor is your server configured to automatically put the session ID into the URL (which is the backup method if cookies are not available). The settings in php.ini to look at are session.use_cookies, session.use_only_cookies, and session.use_trans_sid.