PHP - Strange Session Behaviour
I have something strange going on with sessions set after a user logs in.
After posting the form, the following code (only part of the log in script) correctly assigns the users ID to $_SESSION['id'] but after a while it starts showing up as the users level ($_SESSION['level']). I have rechecked all of my code to see if something mistakenly assigns the level to $_SESSION['id'] but everything seems fine. I am going to rewrite the log in script today, as I am sure that I can streamline it but wondered if anyone can give any advice on what it happening here to make sure I do not fall into the same trap! Thanks Steve $username = mysql_escape_string($_POST['Lname']); $password = mysql_escape_string(md5($_POST['Lpassword'])); $search = mysql_query("SELECT userid, username, password, active, level FROM users WHERE username like binary '".$username."' AND password='".$password."' AND active='1'") or die(mysql_error()); $match = mysql_num_rows($search); $level = mysql_fetch_assoc($search); if($match > 0) //The username and password is correct {//START MANUAL LOGIN & SET SESSION VARIABLES $_SESSION['user'] = $username; $_SESSION['level'] = $level['level']; $_SESSION['loggedin'] = '1'; $_SESSION['id'] = $level['userid']; Similar TutorialsHi. I have to check if a session is started or not, and then, check for the rank of the user. For that i use two functions like is_administrator,etc. Well, but this isnt working. I cant get any clear way to know if a session have been already started or not. Code: [Select] function is_administrator() { session_start(); if (isset($_SESSION['usr']) and empty($_SESSION['usr'])) { $l = conect(); $user = $_SESSION['usr']; $cons = "SELECT * FROM `users` WHERE usr='" . $user . '\';'; $res = mysql_query ($cons,$l); $ob = mysql_fetch_array($res); if ($ob['tipo'] == 'A') { return true; } } return false; } What i want to do is to check if a sesion exist, if not, return false. If the sesion exist, check for the user rank and return true/false. When signed in as a user, the username shows up on the top right page. Then, if I click a particular product of another user it changes the session variable to that of the other user. Why would this happen? It's really odd. I think I put this in the wrong forum, as it seems to be more of a php problem (I think) I'm trying to populate a profile page with information from the database. Really bizarrely, every $row variable that isn't null returns as 'website', which is the database username. I have absolutely no idea why this is. It might be worth noting I have just changed hosts...the only thing I can think might make a difference. Any help would be great, thankyou $query = "SELECT * FROM member WHERE username='$member'"; $result = mysqli_query ($dbc, $query) or trigger_error ("query: $query\n<br />MySQL Error: " . mysqli_error($dbc)); if ($result) { while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) { $member_id = $row['member_id']; $username = $row['username_id']; $photo = $row['photo']; $about = $row['about']; $slink = $row['soundcloud_link']; $mlink = $row['mixcloud_link']; $flink = $row['facebook_link']; $dlink = $row['divshare_link']; $mylink = $row['myspace_link']; $plink = $row['postbocks_links']; $website = $row['personal_website']; $type = $row['member_type']; $status = $row['status']; } } } I've echo'd the $query and put the result into sql directly and it comes out fine. I have a development machine running WAMP on a win7 64 bit box. php 5.3.13
I have a server that runs Apache 2.2, php 5.3.12 MySql, etc.
I am running joomla 2.5.27 on both machines.
I require a number of php includes to many of the joomla articles (this works great via a plugin called Directphp)
After considerable time getting the site fully working on the dev machine, I ran into an unforseen problem when I uploaded to the production box.
For some unknown reason, the includes work fine on the dev machine using $DOCUMENT_ROOT to define the root (then tag the correct path and file to this)
However, on the production box, this doesn't work - but... $_SERVER['DOCUMENT_ROOT'] does.
Annoyingly, $_SERVER['DOCUMENT_ROOT'] won't work on the dev machine - and $DOCUMENT_ROOT doesn't work on the production box.
So, I can't come up with a generic method to keep both machines happy.
I've checked the php.ini files on both boxes and the register global is OFF on both.
They also seem to interperate the syntax differently in the actual include files - one box hates double quotes - the other has issues with single quotes.
This is really annoying as most of the includes are HTML snippets, coded into php.
The double/single quote problem means I would need to have two versions of the include files.
Can anyone help me with this? - serious hair pulling has started!
Please help. I have tried to condense the following code to make it easier for someone to shed insight. The results make totally no sense to me.
I have the following two lines of code: require_once('/var/www/bidjunction/application/classes_3rd/htmlpurifier/library/HTMLPurifier.auto.php'); $config = HTMLPurifier_Conf::createDefault();Let me explain what happens in these two lines of code. First.... require_once('/var/www/bidjunction/application/classes_3rd/htmlpurifier/library/HTMLPurifier.auto.php'):HTMLPurifier.auto.php is shown below: <?php /** * This is a stub include that automatically configures the include path. */ set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); require_once 'HTMLPurifier/Bootstrap.php'; require_once 'HTMLPurifier.autoload.php'; // vim: et sw=4 sts=4The only thing Bootstrap.php does is define a class and execute the following line: define('HTMLPURIFIER_PREFIX', realpath(dirname(__FILE__) . '/..'));The only thing HTMLPurifier.autoload.php does is execute HTMLPurifier_Bootstrap::registerAutoload() (which was one of the classes defined in Bootstrap.php). The only thing HTMLPurifier_Bootstrap::registerAutoload() does is: spl_autoload_register(array('HTMLPurifier_Bootstrap','autoload'), true, true);Now the second line: $config = HTMLPurifier_Conf::createDefault();I expected that HTMLPurifier_Conf::createDefault() would be executed, but no, instead the script goes to HTMLPurifier_Bootstrap:autoload() which returns false. Next, the script goes to function PHPMailerAutoload() which is in PHPMailerAutoload.php. What!!! What does PHPMailerAutoload have to do with this? While a perfect answer would be great, general comments and a strategy to troubleshoot be the next best thing. I am stumped! Please help. I have 2 pieces of different code that get run at different times, but act on the same text file. (The first example writes data and the second rewrites data with some expired data removed from the rewrite.) The first code example appends data to a new line each time it is run except when it is run just after the second code example has ran. When run after the second example, the first code example will append the data to the last line of the text file instead of appending to a new line. Why is this? Here is the first code example... Code: [Select] <?php $message = "Hello, World! \nGoodbye!"; $message_br = str_replace("\n", '<br />', $message); // couldn't use nl2br because i needed to remove the \n completely. $userName = "Anon"; $coordinates = "1234567890"; $locationType = "geo"; $dateDay = "23"; $dateMonth = "2"; $dateYear = "2011"; $timeHour = "9"; $timeMins = 45; $timeAMPM = "AM"; // Format the time/Date date_default_timezone_set('UTC'); $inputTime = date('c', mktime((int)$timeHour, (int)$timeMins, 0, (int)$dateMonth, (int)$dateDay, (int)$dateYear)); // Send all data so far, to an array. $entry_array = array(); array_push($entry_array, $inputTime, $locationType, $coordinates, $userName, $message_br); // write the array to CSV file. $fp = fopen('messages.txt', 'a'); fputcsv($fp, $entry_array, "|"); fclose($fp); ?> Here is the second... Code: [Select] <?php $one_day = 60*60*24; $timestamp = time(); date_default_timezone_set('UTC'); $expiry_date = date('c', $timestamp+$one_day); $future_date = array(); $delete_line = array(); // Open existing data in the text file. $lines = file('messages.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); foreach ($lines as $line){ list($field1, $field2, $field3, $field4, $field5) = explode('|', $line); if ($field1 < $expiry_date){ array_push($delete_line, $line); // add to the to-be-deleted array. } else { array_push($future_date, $line); } } $array2string = implode("\n", $future_date); // convert array data to string. // write the data to CSV file. $fp = fopen('messages.txt', 'w'); fwrite($fp, $array2string); fclose($fp); ?> I am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> I am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! Hi Guys, I am fairly new to PHP, and I recently changed my whole site to use PHP sessions, which worked fine. Then I added PHP parts in my pages that display different menu choices depending on if a PHP session exists. This also works fine, until I found that any HTML/PHP pages that have form/submits no longer work, and I get kicked back to the index.php After slow backtracking, I removed new parts, and found the forms started working again if I removed the PHP part that chooses which JavaScript file to reference, as follows from contact.php <?php if (isset($_SESSION['SESS_MEMBER_ID'])){ echo "<script language=\"JavaScript\" type=\"text/javascript\" src=\"menu_horz.js\"></script>"; } else {echo "<script language=\"JavaScript\" type=\"text/javascript\" src=\"log_menu_horz.js\"></script>"; } ?> I tried changing the echo ".." to use single quotes ' ' instead, but then it doesn't work at all then with a form or no form on the page. I assume I am doing something wrong, but I can't find any resources that give me a definitive way of referencing Javascript files. What freaked me out was only the ones with forms were an issue. I am using <?php session_start(); ?> at the beginning of every page (before any output). Other PHP code on the page is working fine. Only the above part seems to be the problem, and works too, as long as I don't submit a form. - Could it be more weirder :-) - I tried also to find a workaround, but it would mean having PHP inside my JavaScript file, but I am not sure it would work, since JS is client side, and PHP server... Essentially, I just want to run certain JS menus depending if the person is logged in or not. - Example contact.php attached Any ideas of what the problem might be with the code above? Will be grateful for any help you can give. Regards D This topic has been moved to JavaScript Help. http://www.phpfreaks.com/forums/index.php?topic=306496.0 I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website, if not, it tells them to login. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive. hi everyone. i'm wondering what the best way is to create a session variable and pass it to an iframe. i need to do something along these lines, but it doesn't seem to pass the ID. Any hints on how i should accomplish this? Code: [Select] session_start(); $_SESSION['ID']=$_GET['ID']; // id from previous page $ID=session_id(); <iframe src="iframepage.php?ID=<?php echo $ID; ?>" style="width:680px; height:200px;" noresize="noresize" frameborder="0" border="0" scrolling="Yes" allowtransparency="true" /> </iframe> Evening! I've been iffing and ahhing over this and well im not too sure, hence the post. Code: [Select] // Redirects if there is no session id selected and echos the error on the previous page if(!isset($_GET['get']) || ($_GET['getget'])){ header("Location: #.php?error"); } So it should simply check if get is set if it isnt then see if getget is set? If not redirect and show the error. Now ive tried it and even when get/getget is set it still redirects, probably something silly. Care to share anyone? Harry. Just curious how other people feel about this. I am working on an application where a lot of info is pulled from MySQL and needed on multiple pages.
Would it make more sense to...
1. Pull all data ONCE and store it in SESSION variables to use on other pages
2. Pull the data from the database on each new page that needs it
I assume the preferred method is #1, but maybe there is some downside to using SESSION variables "too much"?
Side question that's kind of related: As far as URLs, is it preferable to have data stored in them (i.e. domain.com/somepage.php?somedata=something&otherdata=thisdata) or use SESSION variables to store that data so the URLs can stay general/clean (i.e. domain.com/somepage.php)?
Both are probably loaded questions but any possible insight would be appreciated.
Thanks!
Greg
Edited by galvin, 04 November 2014 - 10:30 AM. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <?php session_start(); ini_set('display_errors', 'On'); error_reporting(-1); //Connect to Database and Check cookies for logged in user $db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS); mysql_select_db(MYSQL_DB_NAME); if (!isset($_GET['act'])) { if (!isset($_POST['act'])) { $act = 'idx'; } if (isset($_POST['act'])) { $act = mysql_real_escape_string($_POST['act']); } } if (isset($_GET['act'])) { $act = mysql_real_escape_string($_GET['act']); } If ($act == 'login' && $_GET['CODE']=='1') { $usernameUsed = mysql_real_escape_string($_POST['Username']); $passwordUsed = mysql_real_escape_string($_POST['Password']); $SaltPassword = MEMBER_PASS_SALT_1.$passwordUsed.MEMBER_PASS_SALT_2; $HashPassword = md5($SaltPassword); $QueryLogin = "SELECT * FROM ".MEMBER_LOGIN_TABLE." WHERE username='{$usernameUsed}' AND password='{$HashPassword}'"; $LoginResult = mysql_query($QueryLogin); if (mysql_num_rows($LoginResult) > 0) { $UserID = mysql_result($LoginResult, 0, 'user_id'); $Id = uniqid(); $IdQry = "UPDATE ".MEMBER_LOGIN_TABLE." SET `unique_id`='{$Id}' WHERE user_id='{$UserID}'"; $IdRes = mysql_query($IdQry, $db); setcookie('RAYTH_MEMBER_ID', $Id, time()+2592000); } } If ($act == 'logout' && $_GET['CODE'] == '1') { setcookie('RAYTH_MEMBER_ID', "", time()-3600); } if (isset($_COOKIE['RAYTH_SKIN'])) { $Skin = $_COOKIE['RAYTH_SKIN']; } Else { $Skin = 'redskin'; } if (isset($_COOKIE['RAYTH_MEMBER_ID'])) { $Id = mysql_real_escape_string($_COOKIE['RAYTH_MEMBER_ID']); $MemIdQry = "SELECT user_id FROM ".MEMBER_LOGIN_TABLE." WHERE `unique_id`='{$Id}'"; $memidres = mysql_query($MemIdQry, $db); $memidnum = mysql_num_rows($memidres); If ($memidnum < 1) { setcookie('RAYTH_MEMBER_ID', '', time()-3600); } Else { $memid = intval(mysql_result($memidres, 0, 'user_id')); } } if (isset($memid)) { $query_meminfo = "SELECT * FROM ".MEMBER_PROFILE_TABLE." WHERE `user_id`='{$memid}'"; $query_result = mysql_query($query_meminfo, $db); $MemName = mysql_result($query_result, 0, 'display_name'); $MemGroup = mysql_result($query_result, 0, 'Group'); $AdsEnabled = mysql_result($query_result, 0, 'ads_enabled'); $UserLevel = intval(mysql_result($query_result, 0, 'user_level')); $LevelQuery = "SELECT group_level FROM ".MEMBER_GROUPS." WHERE group_id='{$MemGroup}'"; $LevelResult = intval(mysql_result(mysql_query($LevelQuery, $db), 0, 'group_level')); If ($UserLevel < $LevelResult) { $MemLevel = $LevelResult; } Else { $MemLevel = $UserLevel; } } else { $MemLevel = 0; $AdsEnabled = 'yes'; } ?> <html> <HEAD> <title>Rayth.Info ..::Home::..</title> <?php $File = './skins/'.$Skin.'/'.$Skin.'.php'; If (file_exists($File)) { include("./skins/{$Skin}/{$Skin}.php"); } Else { include("../skins/{$Skin}/{$Skin}.php"); } ?> Ok this code is the Headers code which checks if user is logged in, what skin to load etc. It is also used in the forum (so used in home and forum) via php include. Now somethin strange happens. If I use the home page to login (Rayth.Info) it logs me in for both home page and forum (rayth.info/forum) Now, if I then logout, and goto the forum, relogin, it doesn't log me in on the home page. Both pages use the same login/logout/register forms by php include and the same headers.php by include so I cant see any reason why this is happening. The cookie is obviously being set when user logs in since it sees them logged in on one page. Im installing and testing a web application, and im having a strange bug that annoyes me because it dint have any sense and also it dont affects really to the web functionality: if($_POST["eliminar"]==""){ $consulta='SELECT * FROM impressora where Activa=0'; $result=mysql_query($consulta,$conexion); echo"<table align=CENTER class='sample'>"; echo"<p align=center>LLISTA D'IMPRESSORES INACTIVES.</p>"; printf("<th>MODEL</th><th>MARCA </th>"); while($fila=mysql_fetch_array($result,MYSQL_ASSOC)){ echo"<tr>"; echo "<td>" . $fila["Model"] . "</td>"; echo "<td>" . $fila["Marca"] . "</td>"; echo"</td>"; if($_SESSION["admin"]!=0){ ?> <form method= "post" ACTION="impressores_inactives.php?idr=<?php echo($fila["Id_impressora"])?>"> <td colspan="2"><INPUT TYPE ="SUBMIT" NAME="eliminar" VALUE="Eliminar"></td> </form></td> <?php } echo "</tr>"; } echo"</table>"; }else{ echo 'eliminado'; echo $_POST["eliminar"]; //BORRAMOS DE LA BBDD LA IMPRESSORA $consulta="delete from impressora where Id_impressora='".$_GET["idr"] ."'"; $result=mysql_query($consulta); echo "<meta http-equiv=Refresh content=\" ; url=../Impressores/impressores_inactives.php\">"; } The problem is that php say that eliminar is undefinded, and if i test $_POST it says its empty. See that eliminar is the name of the submit post and its checked for a function that deletes a item. The problem is that script is actually working. I can delete the printer but with that error... and if i test the value of eliminar is always empty. Ask for any other explanation without a problem , the code is in spanish. So i am currently coding database connection class and i have encountered very strange behavior from my script. base.class.php: Code: [Select] <?php class base{ private $settings; function get_settings(){ $settings["dbhost"] = 'localhost'; $settings["dbuser"] = '*****'; $settings["dbpass"] = '*****'; $settings["dbname"] = 'core'; return $settings; } } ?> database.class.php Code: [Select] <?php require_once 'base.class.php'; class database extends base{ private $query_now; private $link; public function __construct(){ $settings = base::get_settings(); $dbhost = $settings["dbhost"]; $dbuser = $settings["dbuser"]; $dbpass = $settings["dbpass"]; $dbname = $settings["dbname"]; $this->link = mysql_connect($dbhost, $dbname, $dbpass) or die ("Could not connect to the mysql database"); mysql_select_db($dbname, $this->link) or die ("Could not select the database"); } function query($query){ $this->query_now = $query; return mysql_query($query, $this->link); } function getArray($result){ return mysql_fetch_array($result); } } ?> When i try to create an instance of database class, i get mysql_connect error. I have tried to echo my array and it seems that correct information is being passed over. Now the strange thing is if i remove my password from the base class i don't get a mysql_connect error but this time instead i get "Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'core'@'localhost' (using password: YES) " In case you are wondering, does my mysql database user has a password, the answer is: yes for sure... (Also i have tried to setup a simple script for connecting to my database and everything worked fine) So any ideas? HI every one I have uploaded a web site 2 month ago and It worked well . Since 1 week ago , it shows me this error and I don't know what is the problem . I have completely uploaded my web site again but it hasn't make different . This is the address birjand-niazmandi.com . I have uploaded class.phpmailer.php again but I can't understand what is the problem ? How can I solve it ? thanks |