+2  Q: 

PHP MYSQL question

I am trying to do a simple login with PHP and mysql, and using Sessions as well. I have the code, which should work in theory, however it keeps redirecting me to the login page (refreshing it) instead of taking me to the profile.

$username = $_POST['username'];

$query = "SELECT `confirmcode` FROM  `fb_network` WHERE `username` = '$username' AND `status`='Confirmed' ";

$result = mysql_query($query);

if (mysql_num_rows($result) == 1){

    $result2 = mysql_query($query);

    $row = mysql_fetch_row($result2);

    $_SESSION['conf_code'] = $row[0];

    $uid = $row[0];
    session_register($uid);

    header('location:profile.php?conf='.$row[0]);

}
else{
    echo 'Wrong username';
}
A: 

I see that your code has only two options - display "wrong code" or redirect to the other page. There's no place where you are redirecting to the login page?

Tomasz Kowalczyk
A: 

You need to initiate the session by session_start() before the rest of the code.

Fanis
Yes, you need to use session_start() on every page you want to get access, if you are using sessions.
Ibrahim Azhar Armar
+1  A: 

I would use a user-defined function and make it check the login credentials and return true or false from the function.

You can use something like this.

function check_login ($username, $password) {
    // Escape the value before it goes into the SQL string.
    // Note: $password is accepted but not checked by this query.
    $username = mysql_real_escape_string($username);
    $query = "SELECT `confirmcode` FROM  `fb_network` WHERE `username` = '$username' AND `status`='Confirmed' ";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) {
        $row = mysql_fetch_array($result);
        $_SESSION['loggedin'] = "true";
        header('location:profile.php?conf='.$row[0]);
        return true;
    }
    // No row (or more than one row) matched
    return false;
}

And then call the function easily and display the appropriate message.

Check the following code:

<?php
    session_start();
    /** If the User is already Logged in then redirect to login.php **/
    if (isset($_SESSION['loggedin'])) {
        header("Location: login.php");
    }
    else {
        // check_login() sends the redirect to profile.php itself on success;
        // $row is not available in this scope.
        if (check_login($_POST['username'], $_POST['password'])) {
            exit;
        }
    }

Although the code is not exact, this might be enough to get you going.

Ibrahim Azhar Armar
And remember, if you are using sessions then you need to use session_start() on every page.
Ibrahim Azhar Armar
+1  A: 

No, it shouldn't work in theory.
Try this:

<?php
$username = mysql_real_escape_string($_POST['username']);
$query = "SELECT `confirmcode` FROM  `fb_network` 
            WHERE `username` = '$username' AND `status`='Confirmed' ";
$result = mysql_query($query) or trigger_error(mysql_error().$query);
if ($row = mysql_fetch_row($result)){     
  session_start();
  $_SESSION['conf_code'] = $row[0];
  header('Location: profile.php');
  exit;
} else {
  echo 'Wrong username';
}

But there can be other issues, from code you didn't post here or other reasons.
As a matter of fact, only debugging can tell you what's the problem for sure.

Col. Shrapnel
Did you mean to eliminate `$result2`? Your `fetch` still has the `$results2` rather than `$results`
d2burke
thanks. corrected
Col. Shrapnel
Good post though, I wondered why the query was running twice. What did you see in the original that would keep it from running correctly, other than the error throwing you added and the dup queries?
d2burke
@d2burke too bad I see no critical problem. Thought at first it was, but as a fact it's just more clear code. It could be anything. Headers already sent error for example
Col. Shrapnel
Thank you, this did the trick. The problem was also in the profile.php and the way it was seeing how sessions are registered. I added this if(!isset($_SESSION['conf_code'])){ header("Location: login.php"); }
A: 

If you have any sort of 'test' script on the profile page that re-directs you if you're not logged in, it may be that the above code logs you in, but does not carry the session variable correctly to the profile page...and subsequently sends the user back to log in again.

Make sure the session is properly initiated on each page using the variable and make sure they match on both ends.

d2burke
A: 

You have two main problems:

  1. You are not using session_start to tell PHP to start tracking sessions
  2. You are using session_register. session_register requires register_globals to be on, which it hopefully is not in your environment. It also expects its argument to be a string which is the name of the variable you wish to store. You should instead use $_SESSION['uid'] = $row[0];

You should also read about SQL injection, a very serious and common security flaw that your code exhibits.

Here is a corrected version of your code:

<?php
session_start(); //it's fine to just do this by habit at the top of every page

$username = $_POST['username'];

//I added mysql_real_escape_string - please read about "sql injection", as it is a very serious and common problem!
$query = "SELECT `confirmcode` FROM  `fb_network` WHERE `username` = '".mysql_real_escape_string($username)."' AND `status`='Confirmed' ";

$result = mysql_query($query);

if (mysql_num_rows($result) == 1) {

    $result2 = mysql_query($query);

    $row = mysql_fetch_row($result2);

    $_SESSION['conf_code'] = $row[0];

    //not sure if this is what you were going for or not
    $_SESSION['uid'] = $row[0];

    header('location:profile.php?conf='.$row[0]);   

}       
else {
    echo 'Wrong username';
}

Then in profile.php, to check if someone is logged in:

<?php 
session_start();

if( ! isset($_SESSION['uid'])) {
    //Not logged in!
    header('Location: login.php');
    exit;
}

if( $_SESSION['uid'] != $_GET['conf']) {
    //trying to access someone else's page!
    header('HTTP/1.1 403 Forbidden');
    exit;
}
notJim
that's silly access rights checking, don't you think? there should be no GET usage at all.
Col. Shrapnel
I agree, but I wanted to keep it as close to the originally-submitted code as possible. Can't teach everything at once!
notJim
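
The login flow discussed in this thread, rewritten with a prepared statement and with the session as the only source of identity (no `conf` value in the URL), as an added example that is not code from any poster here. The `mysql_*` functions used above were removed in PHP 7, so it uses PDO; the in-memory SQLite table, its rows, and the function names `find_confirm_code`, `log_in` and `current_conf_code` are assumptions made for illustration.

```php
<?php
// Added example; not code from the thread.
session_start();   // before any output, on every page that reads $_SESSION

// Constructed sample data in an in-memory SQLite database so the script runs
// offline. In the thread's setup the DSN would point at the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE fb_network (username TEXT, confirmcode TEXT, status TEXT)");
$pdo->exec("INSERT INTO fb_network VALUES
    ('alice',    'c0de-alice',  'Confirmed'),
    ('o''brien', 'c0de-obrien', 'Confirmed'),
    ('bob',      'c0de-bob',    'Pending')");

// Look up the confirm code of a confirmed user; null when there is none.
// The username travels as a bound parameter, so quotes in it stay data.
function find_confirm_code(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare(
        "SELECT confirmcode FROM fb_network WHERE username = :u AND status = 'Confirmed'"
    );
    $stmt->execute([':u' => $username]);
    $code = $stmt->fetchColumn();          // false when no row matched
    return $code === false ? null : $code;
}

// login.php side: store the identity in the session, nowhere else.
function log_in(PDO $pdo, string $username): bool
{
    $code = find_confirm_code($pdo, $username);
    if ($code === null) {
        return false;
    }
    session_regenerate_id(true);           // fresh session ID after login
    $_SESSION['conf_code'] = $code;
    return true;
}

// profile.php side: read the identity from the session, never from $_GET.
function current_conf_code(): ?string
{
    return $_SESSION['conf_code'] ?? null;
}

// Results are collected first so nothing is printed before the session calls.
$lines = [];
foreach (['alice', "o'brien", 'bob', 'nobody'] as $name) {
    $lines[] = $name . ' => ' . (log_in($pdo, $name) ? current_conf_code() : 'Wrong username');
}
echo implode("\n", $lines), "\n";
```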