I am working off of the Kevin Yank tutorial on how to Manage Users and Sessions with PHP. (First question: is there a newer way of doing this?)
I was able to get a simple test to work with sessions, but not my user login session. What happens is everything works (users register in database, email password, even error if same user name) except when I try to log in, it says “access denied” even though my user name and password are correct (they exist in the database, and I am connecting to it).
This stymies me. The code says to check if the values in the table are =0 and I have looked at the database using PHPMySQL and they are there! (Besides, I am getting the confirmation email).
I am on a GoDaddy Linux host, I have turned globals on in my PHP.INI file, added a session path to my PHP.INI, but still no error, just “Access Denied”. What have I done wrong?
Here is my connection script:
<?php
//Connect to DBServer:
function dbConnect($db='mydatabasename') {
global $dbhost, $dbuser, $dbpass;
$dbcnx = @mysql_connect('hostname', 'user name', 'password');
if (!$dbcnx) {
exit ('<p>unable to connect to the database at this time</p>');
}
//select the database
if (!@mysql_select_db('mydatabasename')) {
exit ('<p>Unable to locate database now.</p>');
}
}
?>
and here is my accesscontrol.php:
<?php
session_start();
include_once 'common.php';
include_once 'cnxlct.php';
$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
if(!isset($uid)) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for access!</p>
<p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<table width="267" border="0">
<tr>
<td width="81">User ID: </td>
<td width="170" align="right"><input type="text" name="uid" size="26" /> </td>
</tr>
<tr>
<td>Password: </td>
<td align="right"><input type="password" name="pwd" size="26" /> </td>
</tr>
</table>
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
dbConnect("mydatabasename");
$sql = "SELECT * FROM user WHERE
userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\\nIf this error persists, please '.
'contact me.');
}
if (mysql_num_rows($result) == 0) {
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
access, click <a href="signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
$username = mysql_result($result,0,'fullname');
?>
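Added example, not part of the original thread or of the tutorial's code: the same login check as accesscontrol.php above, written with a parameterized query and PHP's password_hash()/password_verify() instead of interpolating $uid and $pwd into the SQL and hashing with MySQL's PASSWORD(), and without storing the password in $_SESSION. Assumptions: PDO with an in-memory SQLite database standing in for MySQL, a password_hash column, and the hypothetical function names createDemoDb, checkLogin and login.

```php
<?php
// Added example: hardened form of the login check in accesscontrol.php.
// Assumptions: PDO sqlite driver (in-memory DB stands in for MySQL), a
// password_hash column, and hypothetical helper names.

function createDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, fullname TEXT, password_hash TEXT)');
    // Constructed sample accounts; hashes are computed in PHP, not by MySQL's PASSWORD().
    $stmt = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
    $stmt->execute(['alice', 'Alice Example', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $stmt->execute(["o'brien", "Pat O'Brien", password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user's full name on success, null on any failure.
function checkLogin(PDO $db, string $uid, string $pwd): ?string {
    // The placeholder keeps $uid out of the SQL text, so an apostrophe in a
    // user ID is data and cannot change or break the query.
    $stmt = $db->prepare('SELECT fullname, password_hash FROM user WHERE userid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['password_hash'])) {
        return null;
    }
    return $row['fullname'];
}

function login(PDO $db, string $uid, string $pwd): bool {
    $fullname = checkLogin($db, $uid, $pwd);
    if ($fullname === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID once authenticated
    }
    // Keep only the identity in the session, never the plaintext password.
    $_SESSION['uid'] = $uid;
    $_SESSION['fullname'] = $fullname;
    return true;
}

$db = createDemoDb();
var_dump(login($db, 'alice', 'correct horse')); // valid credentials
var_dump(login($db, "o'brien", 's3cret'));      // apostrophe in the user ID
var_dump(login($db, 'alice', 'wrong password')); // wrong password
```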
It may have something to do with this line…
I replaced it with echo “Welcome, $firstname”; still get no results.
Could it be still not accepting the $result in this line…
However, I can’t figure out how to echo the SQL. Which part of the SQL were you suggesting (the uid, pwd, array)?
I did try putting a
print_r($_SESSION);
right under the session_start statement (is that the same thing?) and it shows: “()” empty parentheses when I try to login. Does this mean that somehow the array data is not getting passed? If so, why not?
(I checked all the whitespace in the code last night and that didn’t help).
I am thinking: shouldn’t one or more of the above statements have been: $_POST[‘userid’] and $_POST[‘password’]? It seems like we are defining uid and pwd with themselves… Not sure which to try…
That shouldn’t be happening. If you echo or print the $sql after you declare it, then it should at least put something on the screen, even if it is just this:
SELECT * FROM user WHERE
userid = ‘’ AND password = PASSWORD(‘’)
The thing I am thinking is that the $uid and $pwd are not getting set right, but until we know that, there isn’t much we can do to help.
The problem with putting it into phpmyadmin with $uid and $pwd in there like you showed before is that $uid and $pwd are meaningless to phpmyadmin and mysql. The values they hold will be converted by your script to something meaningful and that’s what we need to check first.
I’m assuming that you are getting a proper result if you put the echo’d query in phpmyadmin.
Then I am at a loss, because I just tested a virtually identical script and it worked fine. The only reason I could think of it failing is because your query isn’t right in some way.
OK, me too. Maybe you will see something if I post specifically what my $print_r and $echo statements output (could be that I am misreading what is ‘proper’?):
with the two statements in the code right after the session_start directive, I get the two output echoes, at the very top of my “access denied” page. They look like this:
Array ( ) SELECT * FROM user WHERE userid = ‘myusername’ AND password = PASSWORD(‘mypassword’)
I don’t get it, how can it echo the right usr/psw, and still say: access denied???
No, that part has been changed to protect the innocent.
The “array()” is from the print_r statement, and the other stuff is from the echo $sql statement. It echoes the correct user name and the password, exactly.
Could it be that my server does not know how to recognize the truncated random string?
@aamokey: good point. Going back to exactly Kevin’s code, yields the same result. I actually had better luck using my own connection code (see above). But that is really all I changed (other than db name). Has anyone else had problems with using Kevin’s code (it’s quite old now…)?
I have decided to try another approach. Different code, maybe different host. (I guess I shouldn’t have wasted my time if the tutorial code didn’t work!)
I finally decided to test this setup on another host, and it worked! I wish GoDaddy would tell us beforehand that they have effectively gutted PHP (why provide a scripting environment at all if it only works “for some stuff”?). Not to mention they provide a very un-secure environment, if you are able to do so. Ridiculous. I am only sorry that I gave them the benefit of the doubt for so long. I even went back with the exact code that worked, and told them about it. All they did was babble incoherently…trust me, if they made any sense at all, I would have understood…
Now, I need help with restricting access by account type: