PHP testing whether logged in...

Right, here goes. Been on this most of the night and failing...

I've got a checklogin.php:

Code:
<?php
ob_start(); // buffer output so the header() redirects below can still be sent

mysql_connect("*********", "************", "***********") or die(mysql_error());
mysql_select_db("musync_articles") or die(mysql_error());

// Fields from the login form, used in the query as submitted (not escaped)
$username = $_POST['myusername'];
$password = $_POST['mypassword'];

$result = mysql_query("SELECT * FROM `users` WHERE username='$username' and password='$password'") or die(mysql_error());

$count = mysql_num_rows($result);

if ($count == 1) {
    // Exactly one matching row: start the session and store the login
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    if (isset($_SESSION)) {
        header("location:http://somewhere/about.php");
    }
} else {
    // No match: back to the login form with an error flag
    header("location:http://somewhere/login.php?err=1");
}

exit();
ob_end_flush();
?>

Which then forwards fine to an "about.php" containing the following:

Code:
<?php echo $_SESSION['username']; echo $_SESSION['password']; ?>

If I echo these values instead of redirecting to this page, they appear. But it seems once I navigate away, they disappear...

Somebody please point out what I'm doing wrong :p
 
jdickerson said:
I haven't time to look at your problem, but please remember to escape your user input

That's on the to-do list, I've read about it and don't think it'll be too hard to sort. While I'm not entirely live at the moment, more concerned about getting the functionality working :)
 
marc2003 said:
have you a session_start() in your about.php? :)

I need to put that at top of every file? Does that not defeat the object? I presumed that was just needed when setting up the session.

I want a logout button to appear in the footer when logged in, so do I need to put it in there too?

Confusion! :)

And I'll edit my previous posts :p
 
Right, I took it as that it made a new session each time. Obviously not...

Shut my computer down now, I'll edit tomorrow when my head's clearer. And I'll try and get back to more varied functionality that I cut down on in trying to get it all to work!

Anything else you think I've missed with all this session stuff? :)
 
jdickerson said:
I was going to test it but Apache has decided to die out and I can't afford a restart.

I *think* as above it's just session start needed!

RE: sql injection, I think the following should work (after you've connected to mysql):
Code:
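function anti_sql_injct($value){
    $value = trim($value);
    $value = stripslashes($value);

    // Backslash-escape regex metacharacters first
    $regex_chars = '\?(){}[]^$<>';
    for ($i=0; $i<strlen($regex_chars); $i++) {
        $char = substr($regex_chars, $i, 1);
        $value = str_replace($char, '\\'.$char, $value);
    }

    // SQL escaping goes last: the loop above also rewrites backslashes, so running it
    // after mysql_real_escape_string() would undo the escaping of quotes
    return mysql_real_escape_string($value);
}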

Cheers for the code, I'll plonk it in tonight and give it a bash.

I'd put session_start() on one page, and the username appeared in the footer of it, just got to replicate that change to every other...
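
The two points raised in the thread (user input reaching the query, and session_start() on every page that reads $_SESSION), as an added example that is not part of the original posts. It uses PDO prepared statements rather than the mysql_* escaping shown above; the users table with a password_hash column, the function names and the in-memory SQLite database are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not code from the thread. The users table, the function
// names and the in-memory SQLite database are assumptions so it runs offline.
// Returns the stored username when the credentials match, otherwise null.
function find_user(PDO $db, string $username, string $password): ?string
{
    // The value is bound to a placeholder, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// checklogin.php side: authenticate, then record who is logged in.
function login(PDO $db, string $username, string $password): bool
{
    $user = find_user($db, $username, $password);
    if ($user === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);    // fresh session id once authenticated
    $_SESSION['username'] = $user;  // keep the identity only, not the password
    return true;
}

// about.php / footer side: every page that reads $_SESSION resumes the session first.
function current_user(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // picks up the session named by the browser's cookie
    }
    return $_SESSION['username'] ?? null;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(["o'brien", password_hash('constructed-pass', PASSWORD_DEFAULT)]);

var_dump(find_user($db, "o'brien", 'constructed-pass')); // quote in the name is plain data
var_dump(find_user($db, "o'brien", 'wrong'));            // wrong password is rejected
```

In the web application, checklogin.php would call login() with the posted fields, and about.php and the footer include would call current_user() before sending any output.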
 