3

I am having an issue with 2 files: login_config.php and profile.php.

  • login_config.php consists of a log in system, which sets $_SESSION['key'] true upon the completion of several forms of authentication.
  • profile.php is the page the user is redirected to after success.

I want data on profile.php to only be accessible with $_SESSION['key'] set (upon successful login).

My question: What is incorrect with my code? Furthermore, why am I presented with the error upon login submission that is only supposed to return if $_SESSION['key'] is false/not set, as opposed to the targeted profile.php page?

CODE: (login_config.php)

<?php

// POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];

require 'password_config.php';

if(isset($submit)){

    require 'db/connect.php';

    // PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
        $user_pass = $row['password'];
        $veri_password = password_verify($password, $user_pass);
    }
    if(!$veri_password === true){$errors[] = '-Account does not exist ';}

    // CHECKING NUM ROWS
    $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
    $entered_user = mysql_query($sql);
    $num_rows = mysql_num_rows($entered_user);


    // ERRS ARRAY ESTABLISHED
    $errors = array();

    // FURTHER VERIFYING
    if( empty($password) || empty($email) )
    {
        $errors[] = 'Please do not leave fields empty';
    }
    elseif( $num_rows != 1 )
    {
        $errors[] = '-Account does not exist ';
    }
    elseif( $num_rows == 1 )
    {
        session_start();
        $_SESSION['key'] === true;

        while($row = mysql_fetch_array($entered_user)){
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $email;
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $password;
            header('Location: profile.php');
            exit();
        }

    }
}   

CODE: (profile.php)

<?php

session_start();

if($_SESSION['key'] !== true){
    die ("please <a href='login.php'>log in</a> to view this page");
}
?>
<html>
<head>
    <title>Profile</title>
    <link href='css/main.css' rel='stylesheet' />
</head>
<body>
    <div id='container'>
        <?php require 'include/header.php'; ?>
        <?= 'NJM ID # ==>'.$_SESSION['id'].'<br />'.'Username ==>'.$_SESSION['user'].'<br/>'.'Password ==>'.$_SESSION['pass'].'<br/>'.'<br />' ?>
        <a href='logout.php'>Log out!</a>
        <br />
        -OR-
        <br />
        <p>Try our beta mode<a href='forum.php'> forum</a></p>
        <?php require 'include/footer.php'; ?>
    </div>
</body>
</html>

Note: I am aware I am vulnerable to SQL attacks at the current state of code, I will be fixing this later, also I am stuck with the deprecated version of MySQL.

4
  • Also, thanks in advance for any help -Eugene Commented Jul 12, 2015 at 11:54
  • Not entirely sure why this question has gotten down voted. Still have not received a solution. Commented Jul 12, 2015 at 12:13
  • 2
    You could indent your code and be more specific about which error it is you are getting. Annotate your code to show where the logic fails and what you expect to see/what you actually are seeing Commented Jul 12, 2015 at 12:15
  • session_start(); should always start first; you can't do this after there is something rendered, be it code, be it HTML. It's the very first thing that needs to be opened. So you should use it before you even set the variables. A session is always active then, whether you use it or not. Also, I would suggest doing a var dump of your session after you set it and checking if the variable is saved. Because does your session save anything? Is this only here on throughout the rest of your pages? Commented Jul 12, 2015 at 12:21

4 Answers

3

In profile.php you have to call session_start(); before using $_SESSION. session_start() doesn't just start a new session, but will also continue an existing session (it will 'start' the session handling functionality, if you will). Without calling it, you cannot use $_SESSION.


1

1st: I would use ternary operators for checking the existence of the values I need, to avoid the "undefined index 'login_username'" error. Like this:

$username = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$password = isset($_POST['login_password']) ? $_POST['login_password'] : '';
$email = isset($_POST['login_email']) ? $_POST['login_email'] : '';

2nd: I would use PDO for connecting with the MySQL server, for security reasons, and not only.

session_start();

if (isset($submit)){
    // select all data from db for the current user
    $st = $db->prepare('SELECT * FROM users WHERE email=?');
    $st->execute([$email]);
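    $found = $st->fetchAll(); // fetch the matching rows so they can be counted
    $rows = count($found);
    if($rows == 1){
        $row = $found[0];
        if(password_verify($password, $row['password'])){ // the question's column is named 'password'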
            $_SESSION['key'] = true; // notice the '=', and not '==='
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $row['password'];
            header('Location: profile.php');
       } else {
           echo 'Error!';
       }
   }
}

1 Comment

Never heard of ternary operators before, will check them out!
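
An added example (not code from the question or from any answer on this page) that puts the points raised in this thread into one login check: `session_start()` before anything else, a prepared statement, `password_verify()`, assignment to `$_SESSION['key']`, and no password kept in the session. It assumes PDO with an in-memory SQLite table standing in for the MySQL `users` table; the function names `attempt_login` and `is_logged_in` and the sample user are constructed for illustration.

```php
<?php
// Added example, not the asker's or any answerer's code.
// Assumptions: PDO with an in-memory SQLite database stands in for the MySQL
// `users` table; the user row and its password are constructed sample data.
declare(strict_types=1);

function attempt_login(PDO $db, string $email, string $password): bool
{
    if ($email === '' || $password === '') {
        return false;
    }
    // Bound parameter: the e-mail never becomes part of the SQL text.
    $st = $db->prepare('SELECT id, username, password FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // One generic failure for both "no such user" and "wrong password".
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);      // fresh session ID once the user is authenticated
    $_SESSION['key']  = true;         // assignment; `=== true` would only compare
    $_SESSION['id']   = (int) $row['id'];
    $_SESSION['user'] = $row['username'];
    return true;                      // neither the password nor its hash is stored
}

function is_logged_in(): bool
{
    // isset() avoids an undefined-index notice when nobody has logged in.
    return isset($_SESSION['key']) && $_SESSION['key'] === true;
}

session_start();                      // before any output, on every page

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)')
   ->execute(['alice', 'alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$wrong  = attempt_login($db, 'alice@example.test', 'wrong');
$before = is_logged_in();
$right  = attempt_login($db, 'alice@example.test', 'correct horse');
$after  = is_logged_in();
var_dump($wrong, $before, $right, $after);
// In the web pages: on success send header('Location: profile.php'); exit;
// and begin profile.php with session_start(); if (!is_logged_in()) { die(...); }
```
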
0

I have fixed this by assigning the $_SESSION['key'] a variable with a value.

$_SESSION['key'] = $check = 'check';

Then to test this in profile.php, I have entered the following code:

if(!isset($_SESSION['key'])){die('example');}


0

I would try first to remove the exit() call after you have headered to the next PHP page. It isn't necessary as you have no code below it and it might be affecting the session (I don't think so though)

If this doesn't work (probably won't) add to profile.php after you have started the session var_dump($_SESSION) and have a look/post its contents.
