PHP testing whether logged in...

gumbald · 23 Jul 2007 at 21:53

Right, here goes. Been on this most of the night and failing...

I've got a checklogin.php:

Code:

<?php
ob_start();

mysql_connect ("*********", "************", "***********") or die(mysql_error());
mysql_select_db("musync_articles") or die(mysql_error());

$username = $_POST['myusername'];
$password = $_POST['mypassword'];

$result = mysql_query("SELECT * FROM `users` WHERE username='$username' and password='$password'") or die(mysql_error());

$count = mysql_num_rows($result);

if($count==1){
session_start();
$_SESSION['username']=$username;
$_SESSION['password']=$password;
if (isset($_SESSION)) {
header("location:http://somewhere/about.php");
} else {
header("location:http://somewhere/login.php?err=1");
}

exit();
ob_end_flush();
?>

Which then forwards fine to an "about.php" containing the following:

Code:

<?php echo $_SESSION['username']; echo $_SESSION['password']; ?>

If I echo these values instead of redirecting to this page, they appear. But it seems once I navigate away, they disappear...

Somebody please point out what I'm doing wrong

meghatronic · 23 Jul 2007 at 22:39

gumbald said:
snip

I haven't time to look at your problem, but please remember to escape your user input

gumbald · 23 Jul 2007 at 22:47

jdickerson said:
I haven't time to look at your problem, but please remember to escape your user input

That's on the to-do list, I've read about it and don't think it'll be too hard to sort. While I'm not entirely live at the moment, more concerned about getting the functionality working

marc2003 · 23 Jul 2007 at 22:47

have you a session_start() in your about.php?

also post code using

Code:

 tags on ocuk. it's impossible to read with the php tags. :p

gumbald · 23 Jul 2007 at 23:03

marc2003 said:
have you a session_start() in your about.php?

I need to put that at top of every file? Does that not defeat the object? I presumed that was just needed when setting up the session.

I want a logout button to appear in the footer when logged in, so do I need to put it in there too?

Confusion!

And I'll edit my previous posts

marc2003 · 23 Jul 2007 at 23:04

gumbald said:
I need to put that at top of every file?

yes

gumbald · 23 Jul 2007 at 23:08

Right, I took it as that it made a new session each time. Obviously not...

Shut my computer down now, I'll edit tomorrow when my head's clearer. And I'll try and get back to more varied functionality that I cut down on in trying to get it all to work!

Anything else you think I've missed with all this session stuff?

meghatronic · 24 Jul 2007 at 00:07

gumbald said:
Right, I took it as that it made a new session each time. Obviously not...

Shut my computer down now, I'll edit tomorrow when my head's clearer. And I'll try and get back to more varied functionality that I cut down on in trying to get it all to work!

Anything else you think I've missed with all this session stuff?

I was going to test it but Apache has decided to die out and I can't afford a restart.

I *think* as above it's just session start needed!

RE: sql injection, I think the following should work (after you've connected to mysql):

Code:

function anti_sql_injct($value){
	$value = trim($value);	
    $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
	
	$regex_chars = '\?(){}[]^$<>';
		for ($i=0; $i<strlen($regex_chars); $i++) {
			$char = substr($regex_chars, $i, 1);
			$value = str_replace($char, '\\'.$char, $value);
		}
    return $value;
}

gumbald · 24 Jul 2007 at 07:15

jdickerson said:
I was going to test it but Apache has decided to die out and I can't afford a restart.

I *think* as above it's just session start needed!

RE: sql injection, I think the following should work (after you've connected to mysql):

Code:

function anti_sql_injct($value){ $value = trim($value); $value = stripslashes($value); $value = mysql_real_escape_string($value); $regex_chars = '\?(){}[]^$<>'; for ($i=0; $i<strlen($regex_chars); $i++) { $char = substr($regex_chars, $i, 1); $value = str_replace($char, '\\'.$char, $value); } return $value; }

Cheers for the code, I'll plonk it in tonight and give it a bash.

I'd put session_start() on one page, and the username appeared in the footer of it, just got to replicate that change to every other...

marc2003 · 24 Jul 2007 at 08:48

jdickerson said:

RE: sql injection, I think the following should work (after you've connected to mysql):

Code:

function anti_sql_injct($value){
	$value = trim($value);	
    $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
	
	$regex_chars = '\?(){}[]^$<>';
		for ($i=0; $i<strlen($regex_chars); $i++) {
			$char = substr($regex_chars, $i, 1);
			$value = str_replace($char, '\\'.$char, $value);
		}
    return $value;
}

i'm a relative php noob so i have to ask..... what the fudge is all that about? :confused:

mysql_real_escape_string is enough surely? assuming you know magic quotes is turned off. if you're unsure about that, this code would be enough....

Code:

if(get_magic_quotes_gpc()) {
    $value = stripslashes($_POST['value']);
} else {
    $value = $_POST['value'];
}
$value = mysql_real_escape_string($value);

taken from here.....

http://uk3.php.net/mysql_real_escape_string

as a learner i always like to keep things simple and it confuses me when i see this sort of stuff.

meghatronic · 24 Jul 2007 at 10:53

marc2003 said:
i'm a relative php noob so i have to ask..... what the fudge is all that about?

mysql_real_escape_string is enough surely? assuming you know magic quotes is turned off. if you're unsure about that, this code would be enough....

Code:

if(get_magic_quotes_gpc()) { $value = stripslashes($_POST['value']); } else { $value = $_POST['value']; } $value = mysql_real_escape_string($value);

taken from here.....

http://uk3.php.net/mysql_real_escape_string

as a learner i always like to keep things simple and it confuses me when i see this sort of stuff.

The second part of my thing was to escape characters for something else I was running on the page.

marc2003 · 24 Jul 2007 at 13:40

jdickerson said:
The second part of my thing was to escape characters for something else I was running on the page.

well you could have removed it then?

it's confusing enough to learn php without un-necessary stuff being tossed into the mix. and i'm still baffled by what you're trying to achieve with it...

gumbald, if you have htaccess support with your webhost, edit an .htaccess file at the root of your webfolder and add this line to it..

Code:

php_flag magic_quotes_gpc off

now you can simply use mysql_real_escape_string to protect yourself against sql injection without any fancy functions....

eg

Code:

$username = mysql_real_escape_string($_POST['username']);

it's now safe to query your database using $username