
[RESOLVED] more sessions problems

I know you guys constantly get questions about sessions. However, I’ve read all of the manuals and tutorials that I could possibly Google and am still having some trouble. I have a login page (test_login.php):

[CODE]<?php
session_start();

if($_POST['submit'])
{
    # connect to db
    include 'db_connect.php';

    # set user/pass
    $_SESSION['user'] = strip_tags(substr($_POST['tfUser'],0,32)); #from form textfield tfUser
    $_SESSION['pass'] = strip_tags(substr($_POST['tfPass'],0,32)); #from form textfield tfPass

    $query = "SELECT * FROM test_admin WHERE
    user = '". mysql_real_escape_string($_SESSION['$user'])."' AND
    pass= '". mysql_real_escape_string($_SESSION['$pass'])."'";

    $result = mysql_query($query) or die( "QUERY ERROR: " . mysql_error() );

    if(mysql_num_rows($result) > 0) # found a match
    {
        $_SESSION['logged'] = TRUE;
        header("Location: test.php");
    }

    else
    {
        $error_invalid = "<font size='1' color='#FF0000' face='Arial'>Invalid username and/or password.";
    }
}
?>[/CODE]

If a match is found then the user is directed to test.php:

[CODE]<?php session_start();

if ( $_SESSION['logged'] = TRUE )
{
?>

<html>
<head>
</head>
<body>
// here I have some html
</body>
</html>

<?php
}
else
{
    header("Location: test_login.php"); # redirect back to login page
}
?>
[/CODE]

Earlier today I had it accepting my login with the correct user/pass. However, I tried to change the code so that I could not surf onto test.php without first logging in and I ran into trouble. Now when I try to login with the correct user/pass, I am given my error of, “Invalid username and/or password”. What am I doing wrong? Thanks in advance!

@NogDog Oct 11.2006 — Use "==" for comparison, "=" for assignment. Also, to prevent parser notices, check that the variable is set before checking its value.
[code=php]
if (isset($_SESSION['logged']) and $_SESSION['logged'] == TRUE )
{
[/code]
@rbragg (author) Oct 12.2006 — Thanks for your assistance. I made your recommended changes to test_login.php:

[CODE]if(mysql_num_rows($result) > 0) # found a match
{
[B]$_SESSION['logged'] == TRUE;[/B]
header("Location: test.php");
}[/CODE]


And these changes to test.php:

[CODE]<?php
session_start();

[B]if (isset($_SESSION['logged']) and $_SESSION['logged'] == TRUE )[/B]
{
?>

<html>
<head>
</head>
<body>
// here I have some html
</body>
</html>

<?php
}
else
{
header("Location: test_login.php"); # redirect back to login page
}
?>[/CODE]


This does solve one of my problems - that of accessing test.php directly without first logging in b/c it redirects me to my login page. However, I still get the "Invalid username and/or password" error on my login page after typing the correct user/pass.

This is my form information on test_login:

[CODE]<form action="<?php echo $_SESSION['PHP_SELF'] ?>" method="POST">[/CODE]
@NogDog Oct 12.2006 — [QUOTE]Thanks for your assistance. I made your recommended changes to test_login.php:

[CODE]if(mysql_num_rows($result) > 0) # found a match
{
[B]$_SESSION['logged'] == TRUE;[/B]
header("Location: test.php");
}[/CODE]


...[/QUOTE]

No! In this case you are assigning the value TRUE to the session variable, so you want to use "=", NOT "==". Just remember that one equal sign is an assignment operator, while the double equal sign is a comparison operator.
@rbragg (author) Oct 12.2006 — Thanks for the explanation. After adding the second "=" on test.php, I still had the error. That's why I went back and added the double "=" on my login page. I have just now removed it from the login page and have the same error.
@pcthug Oct 13.2006 — Ok, I looked at your code and there were a few errors and flaws. In [FONT=Courier New]test_login.php[/FONT] you are referencing your session array variables via a single-quoted variable key. 1. Variables enclosed within single quotes will not be parsed, and 2. You should not be referencing with variables, rather as a string. Here is the amended code:
[code=php]
<?php
session_start();

if($_POST['submit'])
{
# connect to db
include 'db_connect.php';

# set user/pass
$_SESSION['user'] = strip_tags(substr($_POST['tfUser'],0,32)); #from form textfield tfUser
$_SESSION['pass'] = strip_tags(substr($_POST['tfPass'],0,32)); #from form textfield tfPass

$query = "SELECT * FROM test_admin WHERE
user = '". mysql_real_escape_string($_SESSION['user'])."' AND
pass = '". mysql_real_escape_string($_SESSION['pass'])."'";

$result = mysql_query($query) or die( "QUERY ERROR: " . mysql_error() );

if(mysql_num_rows($result) > 0) # found a match
{
$_SESSION['logged'] = TRUE;
header("Location: test.php");
}

else
{
$error_invalid = "<font size='1' color='#FF0000' face='Arial'>Invalid username and/or password.";
}
}
?>[/code]
As there is no set key within your session array with the literal value of [I]$user[/I] or [I]$pass[/I], they would have triggered an error notice and have been assigned an empty value ''. So you would have been searching your database for all users named '' with passwords of ''.

As for [FONT=Courier New]test.php[/FONT], you are currently checking to see if [FONT=Courier New]$_SESSION['logged'][/FONT] is equal to [FONT=Courier New]TRUE[/FONT]. As all strings that are not explicitly set to a false value ('false', '0') will be considered true, you should use the '===' operator when checking to see if [FONT=Courier New]$_SESSION['logged'][/FONT] is explicitly set to the boolean value of [FONT=Courier New]TRUE[/FONT]. Use this amended code:
[code=php]
<?php
session_start();

if (isset($_SESSION['logged']) and $_SESSION['logged'] === TRUE )
{
?>

<html>
<head>
</head>
<body>
// here I have some html
</body>
</html>

<?php
}
else
{
header("Location: test_login.php"); # redirect back to login page
}
?>[/code]
@rbragg (author) Oct 13.2006 — Thanks so much! I don't know why I was referencing variables there in the first place:

[CODE]$query = " SELECT * FROM test_admin WHERE
user = '". mysql_real_escape_string($_SESSION['[B]user[/B]'])."' AND
pass= '". mysql_real_escape_string($_SESSION['[B]pass[/B]'])."' ";[/CODE]


It works beautifully now.
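
A hardened variant of the login check discussed in this thread, added here as an example and not posted by any participant. It assumes `test_admin.pass` stores a `password_hash()` value, uses an in-memory SQLite database in place of `db_connect.php`, and passes a plain array where the real page would use `$_SESSION`; `attempt_login` and `is_logged_in` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes test_admin.pass holds a
// password_hash() value rather than the plaintext the original query compares.

function attempt_login(PDO $db, array $post, array &$session): bool
{
    // String keys, as in the amended answer; missing fields become ''.
    $user = substr((string)($post['tfUser'] ?? ''), 0, 32);
    $pass = (string)($post['tfPass'] ?? '');

    // Bound parameter instead of building the SQL string by concatenation.
    $stmt = $db->prepare('SELECT pass FROM test_admin WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false || !password_verify($pass, $hash)) {
        return false;                // same result for unknown user and wrong password
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id after the privilege change
    }
    $session['user']   = $user;      // the password itself never enters the session
    $session['logged'] = true;       // "=" assigns; "===" below compares
    return true;
}

function is_logged_in(array $session): bool
{
    return isset($session['logged']) && $session['logged'] === true;
}

// Constructed data: in-memory SQLite stands in for db_connect.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test_admin (user TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO test_admin VALUES (?, ?)')
   ->execute(['admin', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

$session = [];   // stands in for $_SESSION so the script runs from the CLI
var_dump(attempt_login($db, ['tfUser' => 'admin', 'tfPass' => 'wrong'], $session));
var_dump(is_logged_in($session));
var_dump(attempt_login($db, ['tfUser' => 'admin', 'tfPass' => 'constructed-pass'], $session));
var_dump(is_logged_in($session));
var_dump(is_logged_in(['logged' => 'no']));  // non-empty string passes "==" but not "==="
```

The `mysql_*` functions used in the thread were removed in PHP 7.0, which is why the example uses PDO.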