PHP Sessions not working

I am working off of the Kevin Yank tutorial on how to Manage Users and Sessions with PHP. (First question: is there a newer way of doing this?)

I was able to get a simple test to work with sessions, but not my user login session. What happens is everything works (users register in database, email password, even error if same user name) except when I try to log in, it says “access denied” even though my user name and password are correct (they exist in the database, and I am connecting to it).

This stymies me. The code says to check if the values in the table are =0 and I have looked at the database using PHPMySQL and they are there! (Besides, I am getting the confirmation email).

I am on GoDaddy Linux host, I have turned globals on in my PHP.INI file, added a session path to my PHP.INI, but still no error, just “Access Denied”. What have I done wrong?

Here is my connection script:

<?php 
//Connect to DBServer:
function dbConnect($db='mydatabasename') {
    global $dbhost, $dbuser, $dbpass;	
$dbcnx = @mysql_connect('hostname, 'user name', 'password');
if (!$dbcnx) {
	exit ('<p>unable to connect to the database at this time</p>');
}
//select the database
if (!@mysql_select_db('mydatabasename')) {
	exit ('<p>Unable to locate database now.</p>');
}
}
?>

and here is my accesscontrol.php:

<?php
session_start();
include_once 'common.php';
include_once 'cnxlct.php';
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if(!isset($uid)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
  	<table width="267" border="0">
      <tr>
        <td width="81">User ID:&nbsp;</td>
        <td width="170" align="right"><input type="text" name="uid" size="26" />&nbsp;</td>
      </tr>
      <tr>
        <td>Password: &nbsp;</td>
        <td align="right"><input type="password" name="pwd" size="26"  />&nbsp;</td>
      </tr>
    </table>
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

dbConnect("mydatabasename");
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
	  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact me.');
		}
if (mysql_num_rows($result) == 0) {
  unset($_SESSION['uid']);
  unset($_SESSION['pwd']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=iso-8859-1" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'fullname');
?>
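
For readers landing on this thread now, an added example (not part of the original posts or the tutorial) of the same credential check done with a PDO prepared statement and password_hash()/password_verify() in place of the string-built query and MySQL PASSWORD() call above, keeping only the user ID in the session. The pwhash column and the in-memory SQLite sample user are assumptions made for the example; user, userid and fullname are the names used in the thread.

```php
<?php
// Added example, not code from the thread or the tutorial.
// Assumption: the user table stores password_hash() output in a column
// named pwhash (hypothetical); userid and fullname are the thread's columns.

function checkLogin(PDO $db, string $uid, string $pwd): ?string
{
    // Placeholder binding: $uid is sent as data and never becomes SQL text.
    $stmt = $db->prepare('SELECT fullname, pwhash FROM user WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same answer for "no such user" and "wrong password".
    if ($row === false || !password_verify($pwd, $row['pwhash'])) {
        return null;
    }
    return $row['fullname'];
}

function login(PDO $db, string $uid, string $pwd): bool
{
    $fullname = checkLogin($db, $uid, $pwd);
    if ($fullname === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session ID once authenticated
    }
    $_SESSION['uid'] = $uid;           // identity only; the password is never stored
    $_SESSION['fullname'] = $fullname;
    return true;
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, fullname TEXT, pwhash TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?, ?)')
   ->execute(['alice', 'Alice Example', password_hash('correct horse', PASSWORD_DEFAULT)]);

$_SESSION = [];
var_dump(login($db, 'alice', 'correct horse'));   // valid credentials
var_dump(login($db, "o'neil", 'anything'));       // apostrophe in the ID is plain data
var_dump(login($db, 'alice', 'wrong'));           // wrong password
```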

Check to make sure there are no spaces before the <?php beginning. Hope this helps.

Do an echo of $sql to see what the query you’re running actually looks like. Copy and paste it into PHPMyAdmin and see if it gives any results there.

It may have something to do with this line…
I replaced it with echo “Welcome, $firstname”; still get no results.
Could it be still not accepting the $result in this line…


while($row=mysql_fetch_assoc($result)){
	echo "Welcome, $firstname";

I think you posted in the wrong thread :smiley:

Guido, thanks for the reply.

However, I can’t figure out how to echo the SQL. Which part of the SQL were you suggesting (the uid, pwd, array)?

I did try putting a

print_r($_SESSION);

right under the session_start statement (is that the same thing?) and it shows: “()” empty parentheses when I try to login. Does this mean that somehow the array data is not getting passed? If so, why not?

(I checked all the whitespace in the code last night and that didn’t help).

I also just went to MyPHPAdmin and pasted this statement into the “SQL” window:

SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')

Returned empty result. So, my query is not getting anything, but there is data there!

which brings me to:

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

I am thinking: shouldn’t one or more of the above statements have been: $_POST[‘userid’] and $POST[‘password’]? It seems like we are defining uid and pwd with themselves… Not sure which to try…

What he means by echo your $sql is add a line here:


$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')";

// add this line here
echo $sql;

Then you copy and paste your exact query to phpmyadmin and see what happens.

OK, I thought I had already done that, using the print_r($session) command. The output is: () Nothing.

So, I tried the echo $sql statement, and it echoes the user name and password. Correctly.

So, what does this mean? I’m stuck. It appears the code is doing what it should…

That shouldn’t be happening. If you echo or print the $sql after you declare it, then it should at least put something on the screen, even if it is just this:

SELECT * FROM user WHERE
userid = '' AND password = PASSWORD('')

The thing I am thinking is that the $uid and $pwd are not getting set right, but until we know that, there isn’t much we can do to help.

The problem with putting it into phpmyadmin with $uid and $pwd in there like you showed before is that $uid and $pwd are meaningless to phpmyadmin and mysql. The values they hold will be converted by your script to something meaningful and that’s what we need to check first.

I’m assuming that you are getting a proper result if you put the echo’d query in phpmyadmin.

Then I am at a loss, because I just tested a virtually identical script and it worked fine. The only reason I could think of it failing is because your query isn’t right in some way.

OK, me too. Maybe you will see something if I post specifically what my $print_r and $echo statements output (could be that I am misreading what is ‘proper’?):
with the two statements in the code right after the session_start directive, I get the two output echoes, at the very top of my “access denied” page. They look like this:

Array ( ) SELECT * FROM user WHERE userid = ‘myusername’ AND password = PASSWORD(‘mypassword’)

I don’t get it, how can it echo the right usr/psw, and still say: access denied???:injured:

This is not a helpful post :wink: but is that code straight from Kevin Yank’s book?

And just to confirm, the user you are trying to select info on is literally named myusername and the password is supposed to be mypassword?

No, that part has been changed to protect the innocent.

The “array()” is from the print_r statement, and the other stuff is from the echo $sql statement. It echoes the correct user name and the password, exactly.

Could it be that my server does not know how to recognize the truncated random string?

@aamokey: good point. Going back to exactly Kevin’s code, yields the same result. I actually had better luck using my own connection code (see above). But that is really all I changed (other than db name). Has anyone else had problems with using Kevin’s code (it’s quite old now…)?

I have decided to try another approach. Different code, maybe different host. (I guess I shouldn’t have wasted my time if the tutorial code didn’t work!)

No answer.


$dbcnx = @mysql_connect('hostname, 'user name', 'password');

should be


$dbcnx = @mysql_connect('hostname', 'user name', 'password');

You were missing the ' after hostname.

Thanks, but I saw that earlier. (Strangely had NO effect).

Not even the basic code (from Kevin’s tutorial) works !

What’s the deal!? Registration, but no access…

Am I really that dumb, that everyone else gets it but me? (Pulling my hair out for days on this!) What basic thing am I missing?

Should I be using PHP4 instead of 5?

(How come the latest post on the tutorial forum is 2005? Am I missing something new that happened?)

Short answer (to a looong problem):

Don’t use GoDaddy!

I finally decided to test this setup on another host, and it worked! I wish GoDaddy would tell us beforehand that they have effectively gutted PHP (why provide a scripting environment at all if it only works “for some stuff”?). Not to mention they provide a very un-secure environment, if you able to do so. Ridiculous. I am only sorry that I gave them the benefit of the doubt for so long. I even went back with the exact code that worked, and told them about it. All they did was babble incoherently…trust me, if they made any sense at all, I would have understood…

Now, I need help with restricting access by account type:

Thanks, all for the help.

lol that’s such a pain, that used to happen a lot to me ;\