PHP login help

[Shicky]

So made a login system for my website that I have now b0rked. Trying to get the username and pass from my database, this seems to be working correctly. however I am messing up the session, will highlight it in the wall of text.

Subsequent pages go through this admin_check at the top of their page.

So I figure I have messed up the section highlighted, though I have tried several values in place of '$username' and I am really not sure where to go now...can it not see the variables in the above section? surely it would throw an error if this was the case. At the moment I pass the login screen, then when I try and carry out an action in the 'admin' section, I am moved back to the login screen.

<?php 
session_start();
include_once "admin_check.php";
?>

<?php
$error_msg = "";
if ($_POST['username']) {

	$host="localhost"; // Host name
	$db_username="root"; // Mysql username
	$db_password=""; // Mysql password
	$db_name="queens_radio_db"; // Database name
	$tbl_name="members"; // Table name 
	
	// Connect to server and select database.
	mysql_connect("$host", "$db_username", "$db_password")or die("cannot connect");
	mysql_select_db("$db_name")or die("cannot select DB");
	
	// username and password sent from form
	$username = $_POST['username'];
	$password = $_POST['password'];
	
	// To protect MySQL injection 
	$username = stripslashes($username);
	$password = stripslashes($password);
	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);
	
	$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
	$result=mysql_query($sql);
	
	// Mysql_num_row is counting table row
	$count=mysql_num_rows($result);
	// If result matched $username and $password, table row must be 1 row
	
	// Simple hard coded values for the correct username and password
	//$admin = "admin";
    //$adminpass = "test";
		
    if($count!=1){
		$error_msg = ': <font color="#FF0000">Your login information is incorrect</font>';
	} else {
		session_register('admin');
        $_SESSION['admin'] = '$username';
		require_once "index.php";
		exit();
	}

}// close if post username
?>


<?php
[B]if ($_SESSION['admin'] != $username) {[/B]
    echo '<h3>Only the administrator can view this directory</h3><br />
	
	<table width="340" border="0">
<form action="admin_check.php" method="post" target="_self">
  <tr>
    <td colspan="2">Please Log In Here' . $error_msg . '</td>
  </tr>
  <tr>
    <td width="96">Username:</td>
    <td width="234"><input type="text" name="username" id="username" style="width:98%" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="password" id="password" style="width:98%" /></td>
  </tr>
  <tr>
    <td colspan="2" align="center"><input type="submit" name="button" id="button" value="Log In Now" /></td>
  </tr>
</form> 
</table>
	<br />
<br />
<br />

<a href="../">Or click here to head back to the homepage</a>';
exit();
}
?>

 

[Shicky]

You're only setting the $username variable if the username is POSTed, so on subsequent pages it will always be empty and the check for not being logged in will always pass. It should give a warning but chances are your web host has the error reporting for warnings disabled. Try putting this at the start of your script:

error_reporting(E_ALL | E_STRICT);

And for your check, something like this should do:

if (!isset($_SESSION['admin']))

Sorted it, thank you very much

 

[Shicky]

Just a tip - you can use print_r() to print out all items from an array...

So for example you can do print_r($_SESSION) and you'll get a print out of the value of all items in $_SESSION.

If you echo "<pre>" before print_r and echo "</pre>" afterw the print_r then you'll also get it to show in a nice format.

so....

echo "<pre>";
print_r($_SESSION);
echo "</pre>";

will give you a nice print out of your array and help you loads when you are debugging.

I see this being very handy mate, thank you very much