SESSION variables

I'm toying around with these variables, created as a login form,
http://shores-rentals.com/login.php
Upon successful login (checks a users MySQL table) I'm trying to set a few session variables


<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
$user = $_POST['username'];
$pass = $_POST['password'];
$sql = "select * from users where username = '".$user."' && password = '".$pass."'  limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);

if(mysql_num_rows($result)!=1){
    header("location:login_fail.php");
} else {
    $_SESSION['logged'] = '1';
    $_SESSION['user'] = $user;
    $_SESSION['email'] = $info['email'];
    if($info['isAdmin']==1) {
        header("location:admin");
    } else {
        header("location:login_success.php");
    }
}
mysql_close($db_connect);
?>

After I log in it takes me to the admin section. I look at the top, where I have a


echo '<pre>';
var_dump($_SESSION);
echo '</pre>';


and all I see is,
array(1) {
  ["user"]=>
  string(5) "Admin"
}

Where are the other session variables?

While this won't resolve your specific issue, you should be aware that the mysql_* functions have been deprecated and you should be using mysqli (http://php.net/manual/en/book.mysqli.php) or PDO (http://php.net/manual/en/book.pdo.php) instead.

You should also be escaping and validating your POST variables before using them. As-is, your script is vulnerable to SQL injections.

As for your specific issue, comment out the header redirects and add a var_dump($_SESSION) at the end of the script. Are your session variables still missing?

Yes, they are, here's the script,


<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."'  limit 1";
$result = mysqli_query($sql);
$info = mysqli_fetch_assoc($result);

if(mysqli_num_rows($result)!=1){
    //header("location:login_fail.php");
} else {
    $_SESSION['logged'] = '1';
    $_SESSION['user'] = $user;
    $_SESSION['id'] = $info['id'];
    $_SESSION['email'] = $info['email'];
    if($info['isAdmin']==1) {
        //header("location:admin");
    } else {
        //header("location:login_success.php");
    }
}
mysqli_close($db_connect);
var_dump($_SESSION);
?>

the form that calls the script,
http://shores-rentals.com/login.php

here's the function,

<?php
function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}
?>

Call session_write_close() before the redirect.

Think I found something: if I get rid of the mysqli thing


<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."'  limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);

if(mysql_num_rows($result)!=1){
    //header("location:login_fail.php");
} else {
    $_SESSION['logged'] = '1';
    $_SESSION['user'] = $user;
    $_SESSION['id'] = $info['id'];
    $_SESSION['email'] = $info['email'];
    if($info['isAdmin']==1) {
        //header("location:admin");
    } else {
        //header("location:login_success.php");
    }
}
mysql_close($db_connect);
var_dump($_SESSION);
?>

The script produces the session variables


array(4) {
  ["logged"]=>
  string(1) "1"
  ["user"]=>
  string(1) "1"
  ["id"]=>
  string(1) "2"
  ["email"]=>
  string(20) "lukemaxpro@excte.com"
}

But when I add the i thing at the end of mysql in mysql_query(), the script shows no session variables.
I'm running PHP 5.2, is this ok?

Sorry, I didn’t catch that you changed that.

mysqli_* and PDO are not drop-in replacements for mysql_*. You will need to read the documentation on using them that I linked to in my previous post.

Regardless of what version of PHP you are running, you should start migrating your code over to mysqli or PDO since mysql_* will be removed from future versions of PHP.

Here’s a guide on getting started with PDO: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
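To make the "not a drop-in replacement" point concrete, here is a worked login handler added as an example; it is not code from the thread and not the PDO guide's code. It replaces the concatenated mysql_query() string with a PDO prepared statement (so the username is bound as a parameter rather than escaped into the query), compares the password with password_verify(), regenerates the session id on success, and calls session_write_close() before the redirect as suggested above. Assumptions: the users table has the columns the thread uses (id, username, password, email, isAdmin); the password column holds hashes produced by password_hash() rather than the plaintext the thread compares; the DSN, database user and password below are placeholders for whatever /db/config.php defines; and password_hash()/password_verify() need PHP 5.5 or newer, not the 5.2 mentioned in the thread.

```php
<?php
// Added example: PDO-based login handler (not the thread author's script).
// Placeholders below stand in for the values normally loaded from /db/config.php.
session_start();

$dsn    = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8';
$dbUser = 'DB_USER_PLACEHOLDER';
$dbPass = 'DB_PASSWORD_PLACEHOLDER';

function redirectTo($location)
{
    // Flush the session to its save path before redirecting, then stop the
    // script so nothing after header() runs or emits output.
    session_write_close();
    header('Location: ' . $location);
    exit;
}

$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';

if ($user === '' || $pass === '') {
    redirectTo('login_fail.php');
}

try {
    $pdo = new PDO($dsn, $dbUser, $dbPass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));

    // The username travels to MySQL as a bound parameter: no quoting, no
    // mysql_prep(), and no way for its contents to change the query structure.
    $stmt = $pdo->prepare(
        'SELECT id, username, password, email, isAdmin FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute(array($user));
    $info = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Record the detail server-side only; the client just sees the failure page.
    error_log('login: database error: ' . $e->getMessage());
    redirectTo('login_fail.php');
}

// Assumption: users.password stores password_hash() output, not plaintext.
if ($info === false || !password_verify($pass, $info['password'])) {
    redirectTo('login_fail.php');
}

// Fresh session id on privilege change, so an id issued before login is not kept.
session_regenerate_id(true);
$_SESSION['logged'] = '1';
$_SESSION['user']   = $info['username'];
$_SESSION['id']     = $info['id'];
$_SESSION['email']  = $info['email'];

redirectTo($info['isAdmin'] == 1 ? 'admin' : 'login_success.php');
```

Two design points worth noting against the thread's scripts: the query only selects by username and lets password_verify() do the comparison, so a SQL-level password match (and the escaping it needs) disappears entirely; and every redirect goes through one helper that closes the session and exits, which is the behaviour the later posts try to get with a bare session_write_close() before header().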

thanks for the link!

I thought session variables can easily be transferred to other PHP pages. Once I use the form to log in
http://shores-rentals.com/login.php
I'm redirected to login_success.php
Here's the script where the redirection happens


<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."'  limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);

if(mysql_num_rows($result)!=1){
    header("location:login_fail.php");
} else {
    $_SESSION['logged'] = '1';
    $_SESSION['user'] = $user;
    $_SESSION['id'] = $info['id'];
    $_SESSION['email'] = $info['email'];
    if($info['isAdmin']==1) {
        header("location:admin");
    } else {
        header("location:login_success.php");
    }
}
mysql_close($db_connect);
//var_dump($_SESSION);
?>

So I gather the 4 session variables are set,
but here's login_success.php


<?php
session_start();  
var_dump($_SESSION);
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="/css/style.css">
</head>
<body>
<div id="background">
  <div id="outer-wrapper">
      <div id="inner-wrapper">
          <header>
<?php include 'inc/header.php'; ?>
          </header>
          <div id="content">
<div id="success">
<h2>Welcome <?=$_SESSION['user']?></h2>
<p align="center">Thank you for Logging in.  You may now <a href="rentals/add_a_rental.php">add a rental</a><br><br>
<?php
$success = array('success.jpg','success1.jpg','success2.jpg','success3.jpg','success4.jpg','success5.jpg','success6.jpg','success7.jpg');
echo "<img src=\"images/".$success[array_rand($success)]."\" class=\"result\" />";
?>
</p>
</div>
          </div><!--END CONTENT-->
          <footer>
<?php include 'inc/footer.html'; ?>
          </footer>
      
      </div><!--END INNER-WRAPPER-->
  </div><!--END OUTER-WRAPPER-->
</div><!--END BACKGROUND-->
</body>
</html>

why aren’t the variables being transferred?

Great article, I'm going to make the move to the PDO thing.

Do you want to try it? I’ve seen this before.

Yes, I put it before the code


<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'].'/db/config.php';
include $_SERVER['DOCUMENT_ROOT'].'/db/functions.php';
$user = mysql_prep($_POST['username']);
$pass = mysql_prep($_POST['password']);
$sql = "select * from users where username = '".$user."' && password = '".$pass."'  limit 1";
$result = mysql_query($sql);
$info = mysql_fetch_assoc($result);

if(mysql_num_rows($result)!=1){
    header("location:login_fail.php");
} else {
    $_SESSION['logged'] = '1';
    $_SESSION['user'] = $user;
    $_SESSION['id'] = $info['id'];
    $_SESSION['email'] = $info['email'];
    if($info['isAdmin']==1) {
        header("location:admin");
    } else {
        session_write_close();
        header("location:login_success.php");
    }
}
mysql_close($db_connect);
//var_dump($_SESSION);
?>

I get redirected, but the var_dump thing shows an empty array

OK, I think something may be wrong with my server or something.
Attached 2 screenshots: the first is after I submit the authentication form, which shows the 4 session variables, then I click on the link to see if they are available (this is all I have on it)


<?php
session_start();  
echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
?>

It shows an empty array, shouldn’t there be four?

And how about with using this line instead?

<h2>Welcome <?php echo "{$_SESSION['user']}"; ?></h2>

No, that doesn’t work, all I get is <h2>welcome</h2>

The idiots at my server never set up the session save path, so it's all set up now, it's in the php.ini file, just did a phpinfo();

Wow, that never even occurred to me. Glad you found the issue. I was wondering what the issue might be since I didn’t see any obvious problems in your code.
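Since the root cause turned out to be a session save path that was never configured, a diagnostic page for exactly that condition is added here as an example (it is not code from the thread). It reports the effective save path before session_start() is called, checks that the directory exists and is writable by the PHP process, and then proves across two requests whether a value written to $_SESSION actually comes back, which separates "session file never written" from "session cookie never returned". Assumptions: standard file-based sessions; the function and variable names are chosen for this example; nothing beyond core PHP is used.

```php
<?php
// Added example: session storage diagnostics (not from the thread).
// Run it once, then reload: the second response should show the marker persisted.

function sessionPathStatus()
{
    // session_save_path() returns '' when php.ini leaves session.save_path unset;
    // PHP then silently falls back to the system temp directory, which on shared
    // hosting may be unwritable, periodically cleaned, or shared with other tenants.
    $configured = session_save_path();
    if ($configured === '') {
        $dir = sys_get_temp_dir();
    } else {
        // The setting may carry "N;" or "N;MODE;" prefixes before the path.
        $dir = preg_replace('/^\d+;(\d+;)?/', '', $configured);
    }
    return array(
        'configured' => $configured !== '',
        'directory'  => $dir,
        'exists'     => is_dir($dir),
        'writable'   => is_writable($dir),
    );
}

function sessionRoundTrip()
{
    // First request: write a marker. Second request from the same browser:
    // the marker comes back only if the file was written and the cookie returned.
    if (!isset($_SESSION['marker'])) {
        $_SESSION['marker'] = uniqid('marker-', true);
        return 'marker written; reload this page to confirm it persists';
    }
    return 'marker persisted: ' . $_SESSION['marker'];
}

$status = sessionPathStatus();   // read settings before session_start() touches them
session_start();

echo '<pre>';
echo 'save_path configured: ', $status['configured'] ? 'yes' : 'no (falling back to temp dir)', "\n";
echo 'directory:            ', htmlspecialchars($status['directory']), "\n";
echo 'directory exists:     ', $status['exists'] ? 'yes' : 'no', "\n";
echo 'writable by PHP:      ', $status['writable'] ? 'yes' : 'no', "\n";
echo 'session id:           ', htmlspecialchars(session_id()), "\n";
echo 'cookie received:      ', isset($_COOKIE[session_name()]) ? 'yes' : 'no (first request, or cookies blocked)', "\n";
echo 'round trip:           ', htmlspecialchars(sessionRoundTrip()), "\n";
echo '</pre>';
```

When fixing the setting, the directory named in session.save_path should be writable only by the web server user and must sit outside the document root; a session directory served as static files would hand out the serialized $_SESSION contents, including the logged flag and email stored by the login script in this thread.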