Hi, I am working on a simple login and logout module for my website without any security. I am using WAMP on a Windows XP machine. I create the session when a user submits the login information: it redirects to a process.php file which creates the session variables and starts the session. Now if the login is successful the user is redirected to the welcome page, which includes a header file (which displays the header with the sign in, logout and help options). The problem is that the header is not changing the Sign In link to Logout after the user logs in successfully. The code below is from process.php, which initiates a login.

    <?php
    $username = $_POST['username'];
    $password = $_POST['password'];

    //echo "{$username}:{$password}";
    $connection = mysql_connect("localhost", "root", "");
    if (!$connection)
    {
        die("Database Connection Failed" . mysql_error());
    }
    $db_select = mysql_select_db("tester", $connection);
    if (!$db_select)
    {
        die("Database Selection Failed" . mysql_error());
    }
    $result = mysql_query("SELECT * FROM user", $connection);
    if (!$result)
    {
        die("Database Selection Failed" . mysql_error());
    }

    // Username and password are concatenated straight into the SQL string
    $q = "SELECT * FROM user " . "WHERE Name='" . $username . "' AND Password='" . $password . "' ";
    // Run query
    $r = mysql_query($q);

    if ($obj = @mysql_fetch_object($r))
    {
        session_start();
        // Login good, create session variables
        $_SESSION["valid_id"] = session_id();
        $_SESSION["valid_user"] = $_POST["username"];
        $_SESSION["valid_time"] = time();

        Header('Location: welcome.php');
    }

The following code is from header.php, which is included in welcome.php:

    </div>

    <div id="userdetail">
        <?php
        if (isset($_SESSION["valid_user"]))
        {
            echo($_SESSION["valid_user"] . " ");
            echo("<a href=\"logout.php\">Logout</a>");
        }
        else
        {
            echo("<a href=\"login.php\">Sign In</a>");
        }
        ?>
        | Help |  Search
        <input type="text" name="searchbox" value="" />
    </div>
    </div>
A: 

What happens when you display print_r($_SESSION)?

Ben Fransen
If I place it in header.php it says undefined variable Session in header.php.
aeonsleo
A: 

You have to call start_session() every time on every called page. This should always be the first call you make in your pages.

On logout, call session_destroy.

Additionally you should clear the $_SESSION variable:

    $_SESSION = array();

A coding tip: split your display stuff from the PHP code with a template engine like Smarty. Your code contains a SQL injection bug, see my comment on your post.

You also should use hashed passwords, and don't forget the salt. Do not store plain passwords in your database.

SQL injection

Bernd Ott
Thanks Bernd. I didn't know that I had to place session_start() in each file involving sessions. The problem is solved.
aeonsleo
But also fix the SQL injection, or anyone can log in even if they don't know any user/password.
Bernd Ott
I have not fully understood SQL injection but will definitely find time to understand it thoroughly before writing further login code. Thanks for all the help.
aeonsleo
Ok, try to use the following username: ' or 1=1 -- and look what happens to the string in your SQL statement. Take a look at the final executed SQL.
Bernd Ott
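Putting the answer's points together (session_start() as the first call on every page, a cleared and destroyed session on logout, hashed and salted passwords, and parameterised SQL so that the ' or 1=1 -- username from the comments is matched literally instead of rewriting the query), as an added example that is not the asker's or the answerer's code. It assumes PHP 7+ with PDO in place of the mysql_* functions, the same tester database and user table, and that the Password column now stores password_hash() output rather than plain text.

```php
<?php
// Added example: hardened login/logout flow. Assumes PHP 7+, PDO, and that the
// Password column of `user` now stores password_hash($pw, PASSWORD_DEFAULT) output.
session_start(); // must be the first call on every page that reads or writes $_SESSION

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=tester;charset=utf8mb4', 'root', '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Returns true and fills $_SESSION on success, false otherwise.
function login_user(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the input travels separately from the SQL text, so a
    // username such as  ' or 1=1 --  is compared literally with Name, not executed.
    $stmt = $pdo->prepare('SELECT Name, Password FROM user WHERE Name = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() uses the salt embedded in the stored hash.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return false;
    }
    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION['valid_user'] = $row['Name'];
    $_SESSION['valid_time'] = time();
    return true;
}

// What logout.php should do: clear the array, drop the cookie, destroy the session.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (login_user(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: welcome.php');
} else {
    header('Location: login.php?error=1'); // same response for unknown user and wrong password
}
exit;
```

The header.php fragment still needs its own session_start() before the isset($_SESSION["valid_user"]) check, as the accepted answer says; the login code alone does not make $_SESSION visible on other pages.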