value not being saved in session

SeanKann

I have a login page that works 100% but it's only storing the username and not my other value which is user_level



<?php

session_start();

include('connection.php');

$login = mysql_query("SELECT * FROM $table2 WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");


if (mysql_num_rows($login) == 1) {
$_SESSION['username'] = $_POST['username'];
$_SESSION['user_level'] = $_POST['user_level'];

header('Location: .././site/index.php');
}

else {

header('Location: .././index.php');

}

?>

Not sure if I have to but something in where the $login connection to the database is? or should my $_SESSION['user_level'] enough?

my other page where I'm testing to make sure that the user_level is stored correctly isn't showing up, but the username is showing.


Your Username <?php echo $_SESSION['username']; ?><br>
Userlevel <?php echo $_SESSION['user_level']; ?><br>
<a href='.././user/logout.php'>Logout</a><br>

First time I have worked with sessions

bradgrafelman

What does the form look like that is POST'ing the data to the first script above?

Also, why do you execute a MySQL query yet never attempt to retrieve any data from the result set?

EDIT: Ah, nevermind - missed the if() that checks to see if a row was matched. Not only should you never do a 'SELECT *', but in this case you could just do something like 'SELECT 1' or some constant value since you don't plan on actually retrieving any information from the DB.

SeanKann

this page

<?php 

session_start(); 

include('connection.php'); 

$login = mysql_query("SELECT * FROM $table2 WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')"); 


if (mysql_num_rows($login) == 1) { 
$_SESSION['username'] = $_POST['username']; 
$_SESSION['user_level'] = $_POST['user_level']; 

header('Location: .././site/index.php'); 
} 

else { 

header('Location: .././index.php'); 

} 

?>

is just a login check after logging in. it all is good it goes to the ../site/index.php page where I'm going to the site and one option that i want to have is to store the username and user_level in a session so that I can limit options on what pages they can view.

if userlevel = 1
echo adminpage.php
}else{
echo standardpage.php

this page


Your Username <?php echo $_SESSION['username']; ?><br> 
Userlevel <?php echo $_SESSION['user_level']; ?><br> 
<a href='.././user/logout.php'>Logout</a><br>

I'm just testing to make sure the values are there before continuing you to the next set of pages

bradgrafelman

You still haven't posted what I asked for above; what does the HTML form look like that gets submitted to the first page in your post?

Furthermore, why are you getting the 'user_level' value from that POST'ed data? What if a malicious user simply tells you their user_level is 9 or some value that grants them access to something they shouldn't have?

SeanKann


<html>
<title>Login</title>
<body>

<h3>Login Page</h3>

<table border='0'>
<form method='post' action='.././user/logincheck.php'>
<tr><td>Username</td><td>:</td><td><input type='text' name='username' size='20'></td></tr>
<tr><td>Password</td><td>:</td><td><input type='password' name='password' size='20'></td></tr>
<br>
<td><input type='submit' value='Login'></td></tr>
</form>
</table>
</body>
</html>

This page?

Or this page



<?

require_once('connection.php');

$username=$_POST["username"];
$password=$_POST["password"];
$user_level = "0";

$dbcheck = mysql_query("SELECT * FROM $table2 WHERE username='$username'");
if (mysql_num_rows($dbcheck) > 0 ) {

echo "That username is already taken. Please go back and select a new one";

} else {

$query = "INSERT INTO $table2 VALUES ('', '$username', md5('$password'), '$user_level')";
$results = mysql_query($query);

echo "You have now registered with the website. Please go back and login <a href='.././index.php'> Main Page</a>";

}

mysql_close();

?>

Default it sets the limit to 0 only I can change their user_level

bradgrafelman

Your problem is here:

$_SESSION['user_level'] = $_POST['user_level'];

There is no such form entity called 'user_level' in the HTML form you showed above, so $_POST['user_level'] won't exist. As such, I'm guessing you either don't have error_reporting set to E_ALL and/or display_errors isn't set to On (or log_errors, depending upon which environment you're in). Do those and you'll start seeing a bunch of helpful error messages PHP is trying to provide to you.

Next, you'll have to figure out where user_level is supposed to come from. It's not coming from the form (nor does it make sense that it should), so the $_POST array isn't going to be any help.