|
PHP - Two Sessions In A Given Script
Any problems with the following? Is there a better way to do it? Thanks
Similar TutorialsIf you are a PHP expert, then I really your help. I have a question regarding PHP sessions and their security. So here is my story ... I created a login script (login.php) for my website. When a user goes to the login.php page, they see a login form that they must fill with their username and password to login to the members' area and view their profile, etc. On that login page, when the user enters their username and password and then clicks the "Login" button, my script filters the data, sends MySQL query and checks if the login is valid. If the login is NOT valid, then they get a "Login Failed" message. If the login is valid, I register their username and the password in sessions and redirect them to the members.php page. Here is some of my code for my login.php page after mysql confirms the login is valid <?php $query = mysql_query('SELECT * FROM `users` WHERE username='$user' AND password='$pass'"); $numRows = mysql_num_rows($query); if ( $numRows ) { // login is valid $_SESSION['username'] = $user; $_SESSION['pass'] = $pass; // redirect user to members area header('Location: /members.php'); } else { // login is invalid echo "Login failed"; } ?> My question is ... is this login script secured? I mean, I am not generating any session id or any cookie. I am just storing the username and the password in two session variables and those are the things that i will use to display the user's profile, etc. Can attackers attack this script? Is this secured or is there any other way I can make it stronger? I have 3 php's home.php createStep1.php createCheckPass.php createStep2.php home.php unsets some $_SESSION variables if they still exist from previous pages: Code: [Select] if(!empty($_SESSION['ame'])) { unset($_SESSION['ame']); } if(!empty($_SESSION['ject'])) { unset($_SESSION['ject']); } if(!empty($_SESSION['ports'])) { unset($_SESSION['ports']); } if(!empty($_SESSION['session_age_range'])) { unset($_SESSION['range']); } createCheckPass.php gets some posted information from createStep1.php, checks everything is ok and if so sets the above session variables createStep2.php gets the session data set by createCheckPass.php and then gets to work with the user inputting data into the db. The odd problem If createCheckPass.php finds any problems with the posted data it redirects the user back to createStep1.php with the sessions set, createStep1.php then displays the errors with the info set in the sessions to the user and everything works ok. If however the user sends the form from createStep1.php with no problems and the createCheckPass.php passes the user onto createStep2.php, something strange happens... The sessions set by the createCheckPass.php are only ever unset at the home.php, yet somehow createStep2.php loses the sessions and therefore doesn't run. What is even stranger is if i comment out the unsetting of the sessions from the home.php, everything works fine and none of the sessions are lost. Really really odd Summary: createStep2.php is reading the unset session lines of code from home.php when never asked to. Has anyone ever come across anything like this before? Hello everyone, By default when someone comes to my site, it is the unencrypted web page (http://www.mydomain.com). I recently purchased a ssl certificate so when a user logs in, their password is encrypted (Posted to https://mydomain.com). Once the form is posted, the session is set and the header("Location: http://www.mydomain.com"); function is executed to bring them back to the unencrypted version of the site. However, now when a user tries to login, my site seems to drop the session when the location is set to the unencrypted version of the site. How do sites go about using a secure login form and running on the regular version of the site? Thanks! weee When using sessions, must there be a session_start() in each page for the browser to be considered part of the session? Can a user browse to a page without session_start() and still have that part of the original session that he/she began with?? Hi, I have been looking at this code for hours and I can't figure out why the product name and quantity aren't transferring from treats.php to checkOut.php. I realize checkOut.php is extremely long but if I could get some help I would really appreciate it. In case you would want the link, it 's http://auntievics.com/treats.php Hi guys, I have come across a problem when working with session data, I have been storing data from a textarea in a session, but the problem is when I retrieve the data and display it back in a textarea or to mysql it saves the carriage returns and line breaks as \r\n not converting it to actual line breaks. e.g saving the following from a text area; Line 1 Line 2 Line 3 will actually show as: Line 1 \r\nLine 2 \r\nLine3 How do I get it to show properly as intended? I have tried str_replace('\r\n', '\n'); with double and single quotes any helpful suggestions would be much appreciated. Thanks.. I there. I am making a small game, either you or the computer win depending on who's life hit 0 first I am using sessions to hold the health values, however I need a little bit of help. How do I make it actually go down after each move until one hits 0? Here is my script and thanks in advance... Code: [Select] <?php session_start(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Fighting Game</title> </head> <body> <form action="fighting_game.php" method="post"> <select name='move_choice' id='move_choice'> <option value='punch'>Punch</option> <option value='kick'>Kick</option> </select> <input type='submit' name='submitbtn' value='Continue' id='submitbtn'> </form> <div id='matchdiv'> <?php $_SESSION['ai_health'] = 100; $_SESSION['player_health'] = 100; $moves_ai = array("Computer punches you in the face!","Computer kicks you in the gut!"); $moves_player = array("You punch Computer in the face!","You kick computer in the gut!"); $move_damage = array(2,10); $move_dam_multiplier_player = array(rand(1,5),rand(5,10)); $move_dam_multiplier_ai = array(rand(1,5),rand(5,10)); if($_POST['submitbtn']){ $choice = $_POST['move_choice']; } if($choice == "punch"){ $total_dam_ai=($move_damage[0]*$move_dam_multiplier_ai[0]); $total_dam_player=($move_damage[0]*$move_dam_multiplier_player[0]); echo"$moves_player[1]"." Causing ".$total_dam_player." damage!<br>"; echo"Computers current health is ". ($_SESSION['ai_health']-$move_damage[0]*$move_dam_multiplier_player[0]); echo"<br>$moves_ai[1]"." Causing ".$total_dam_ai." damage!<br>"; echo"Your current health is ". ($_SESSION['player_health']-$move_damage[0]*$move_dam_multiplier_ai[0]); } elseif($choice == "kick"){ $total_dam_ai=($move_damage[1]*$move_dam_multiplier_ai[1]); $total_dam_player=($move_damage[1]*$move_dam_multiplier_player[1]); echo"$moves_player[1]"." Causing ".$total_dam_player." damage!<br>"; echo"Computers current health is ". ($_SESSION['ai_health']-$move_damage[1]*$move_dam_multiplier_player[1]); echo"<br>$moves_ai[1]"." Causing ".$total_dam_ai." damage!<br>"; echo"Your current health is ". $new_player_health=($_SESSION['player_health']-$move_damage[1]*$move_dam_multiplier_ai[1]); } if($_SESSION['ai_health']<=0 && $_SESSION['player_health']>=0){ echo"<br>Computer falls to the ground! He is knocked out! You win!"; } if($_SESSION['player_health']<=0 && $_SESSION['ai_health'] >= 0){ echo"<br>You fall to the ground! You are knocked out! You lose!"; } if($_SESSION['player_health']<=0 && $_SESSION['ai_health'] <=0){ echo"<br>You both fall to the ground! You are both knocked out! It's a draw!"; } ?> </div> </body> </html> hello i am makeing a forum and to post a new thread it has to check if the user is logged in, so i log into my website and i go to the post new topic but it says im not logged in here is the new_topic.php and also the login.php new_topic.php <?php session_start(); include_once "../scripts/connect_to_mysql.php"; // Connect to the database // Check to see if the user is logged in with session variables if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") { echo "Please log in..."; exit(); } else { // Assume they are a member because they have a password session variable set // Check the database to be sure that their ID, password, and email session variables all match in the database $u_id = mysql_real_escape_string($_SESSION['id']); $u_name = mysql_real_escape_string($_SESSION['username']); $u_email = mysql_real_escape_string($_SESSION['useremail']); $u_pass = mysql_real_escape_string($_SESSION['userpass']); $sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'"); $numRows = mysql_num_rows($sql); if ($numRows < 1) { echo "ERROR: You do not exist in the system."; exit(); } } //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Check to make sure the URL variables of "sid" and "title" are set if (!isset($_POST['forum_id']) || $_POST['forum_id'] == "" || !isset($_POST['forum_title']) || $_POST['forum_title'] == "") { echo "Important variables are missing"; exit(); } else { // Acquire the variables and proceed to show them a form for creating a new topic $forum_section_id = preg_replace('#[^0-9]#i', '', $_POST['forum_id']); $forum_section_title = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['forum_title']); } /////////////////////////////////////////////////////////////////////////////////////////////////// $sql = mysql_query("SELECT * FROM forum_sections WHERE id='$forum_section_id' AND title='$forum_section_title'"); $numRows = mysql_num_rows($sql); if ($numRows < 1) { echo "ERROR: That section deos not exist."; exit(); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link href="style/style.css" rel="stylesheet" type="text/css" /> <title>Create New Topic</title> <script type="text/javascript" language="javascript"> <!-- function validateMyForm ( ) { var isValid = true; if ( document.form1.post_title.value == "" ) { alert ( "Please type in a title for this topic" ); isValid = false; } else if ( document.form1.post_title.value.length < 10 ) { alert ( "Your title must be at least 10 characters long" ); isValid = false; } else if ( document.form1.post_body.value == "" ) { alert ( "Please type in your topic body." ); isValid = false; } return isValid; } //--> </script> </head> <body> <?php include_once("template_header.php"); ?> <table style="background-color: #F0F0F0; border:#069 1px solid; border-top:none;" width="900" border="0" align="center" cellpadding="12" cellspacing="0"> <tr> <td width="731" valign="top"> <div id="breadcrumbs"><a href="http://www.webintersect.com">Web Intersect Home</a> ← <a href="http://www.webintersect.com/forum">Forum Home</a> ← <a href="section.php?id=<?php echo $forum_section_id; ?>"><?php echo $forum_section_title; ?></a></div> <h2>Creating New Topic In the <em><?php echo $forum_section_title; ?></em> Forum</h2> <form action="parse_post.php" method="post" name="form1"> <input name="post_type" type="hidden" value="a" /> Topic Author:<br /><input name="topic_author" type="text" disabled="disabled" maxlength="64" style="width:96%;" value="<?php echo $u_name; ?>" /> <br /><br /> Please type in a title for your topic he <br /><input name="post_title" type="text" maxlength="64" style="width:96%;" /><br /><br /> Please type in your topic body:<br /><textarea name="post_body" rows="15" style="width:96%;"></textarea> <br /><br /><input name="" type="submit" value="Create my topic now!" onclick="javascript:return validateMyForm();"/> <input name="fsID" type="hidden" value="<?php echo $forum_section_id; ?>" /> <input name="fsTitle" type="hidden" value="<?php echo $forum_section_title; ?>" /> <input name="uid" type="hidden" value="<?php echo $_SESSION['id']; ?>" /> <input name="upass" type="hidden" value="<?php echo $_SESSION['userpass']; ?>" /> </form> </td> <td width="189" valign="top"><div style=" width:160px; height:600px; background-color: #999; color: #CCC; padding:12px;"> <br /> <br /> <br /> <h3>Ad Space or Whatever</h3> </div></td> </tr> </table> <?php include_once("template_footer.php"); ?> </body> </html> login.php <?php // Start Session to enable creating the session variables below when they log in session_start(); // Force script errors and warnings to show on page in case php.ini file is set to not display them error_reporting(E_ALL); ini_set('display_errors', '1'); //----------------------------------------------------------------------------------------------------------------------------------- // Initialize some vars $errorMsg = ''; $email = ''; $pass = ''; $remember = ''; if (isset($_POST['email'])) { $email = $_POST['email']; $pass = $_POST['pass']; if (isset($_POST['remember'])) { $remember = $_POST['remember']; } $email = stripslashes($email); $pass = stripslashes($pass); $email = strip_tags($email); $pass = strip_tags($pass); // error handling conditional checks go here if ((!$email) || (!$pass)) { $errorMsg = 'Please fill in both fields'; } else { // Error handling is complete so process the info if no errors include 'scripts/connect_to_mysql.php'; // Connect to the database $email = mysql_real_escape_string($email); // After we connect, we secure the string before adding to query //$pass = mysql_real_escape_string($pass); // After we connect, we secure the string before adding to query $pass = md5($pass); // Add MD5 Hash to the password variable they supplied after filtering it // Make the SQL query $sql = mysql_query("SELECT * FROM myMembers WHERE email='$email' AND password='$pass' AND email_activated='1'"); $login_check = mysql_num_rows($sql); // If login check number is greater than 0 (meaning they do exist and are activated) if($login_check > 0){ while($row = mysql_fetch_array($sql)){ // Pleae note: Adam removed all of the session_register() functions cuz they were deprecated and // he made the scripts to where they operate universally the same on all modern PHP versions(PHP 4.0 thru 5.3+) // Create session var for their raw id $id = $row["id"]; $_SESSION['id'] = $id; // Create the idx session var $_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$id"); // Create session var for their username $username = $row["username"]; $_SESSION['username'] = $username; mysql_query("UPDATE myMembers SET last_log_date=now() WHERE id='$id' LIMIT 1"); //die($username); } // close while // Remember Me Section if($remember == "yes"){ $encryptedID = base64_encode("g4enm2c0c4y3dn3727553$id"); setcookie("idCookie", $encryptedID, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days setcookie("passCookie", $pass, time()+60*60*24*100, "/"); // Cookie set to expire in about 30 days $_SESSION['username'] = $username; } // All good they are logged in, send them to homepage then exit script //die($_SESSION['username']); $_SESSION['username'] = $username; header("location: index.php?user=$username;"); exit(); } else { // Run this code if login_check is equal to 0 meaning they do not exist $errorMsg = "Incorrect login data, please try again"; } } // Close else after error checks } //Close if (isset ($_POST['uname'])){ ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="icon" href="favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon" /> <link href="style/main.css" rel="stylesheet" type="text/css" /> <script src="js/jquery-1.4.2.js" type="text/javascript"></script> <title>Log In</title> <style type="text/css"> <!-- body { margin-top: 0px; } --> </style></head> <body> <table width="400" align="center" cellpadding="6" style="background-color:#FFF; border:#666 1px solid;"> <form action="login.php" method="post" enctype="multipart/form-data" name="signinform" id="signinform"> <tr> <td width="23%"><font size="+2">Log In</font></td> <td width="77%"><font color="#FF0000"><?php print "$errorMsg"; ?></font></td> </tr> <tr> <td><strong>Email:</strong></td> <td><input name="email" type="text" id="email" style="width:60%;" /></td> </tr> <tr> <td><strong>Password:</strong></td> <td><input name="pass" type="password" id="pass" maxlength="24" style="width:60%;"/></td> </tr> <tr> <td align="right"> </td> <td><input name="remember" type="checkbox" id="remember" value="yes" checked="checked" /> Remember Me</td> </tr> <tr> <td> </td> <td><input name="myButton" type="submit" id="myButton" value="Sign In" /></td> </tr> <tr> <td> </td> <td> </td> </tr> <tr> <td colspan="2">Forgot your password? <a href="forgot_pass.php">Click Here</a> <br /></td> </tr> <tr> <td colspan="2">Need an Account? <a href="register.php">Click Here</a><br /> <br /></td> </tr> </form> </table> <br /> <br /> <br /> </body> </html> I am new to SESSIONS and have a quick question about them. I want to use sesssions on my site but was wondering if they would work for the follow senario. Say a customer visits my url: http://www.mysite.com/?id=2 Now what i am doing is taking the id out of the URL using sessions and redirecting the user to http://www.mysite.com while my session ($_SESSION['id']) holds the value 2 in it. I have this working great, i believe it just looks better. Now if my customer decides to buy my product via paypal and is directed off my site while he/she is paying for said item on paypal when they return could i still use some of the information that i stored in my session?? I know i could use post and get to pass through paypal but unfortunately i have to use sessions for what i am trying to do. Hi, is two people or more sitting on the same local network and sharing the same public ip address will have the same session if they browse all of them into the same website or same php script that create session ?
Edited by Issam, 16 November 2014 - 05:18 PM. Kind of a n00b here. on my main table (users) i named a column as "id", set it to auto-increment and as the primary key and created it like this: CREATE TABLE `users` ( `id` int(20) NOT NULL auto_increment, `full_name` varchar(200) collate latin1_general_ci NOT NULL default '', `user_name` varchar(200) collate latin1_general_ci NOT NULL default '', `user_pwd` varchar(200) collate latin1_general_ci NOT NULL default '', `user_email` varchar(200) collate latin1_general_ci NOT NULL default '', `activation_code` int(10) NOT NULL default '0', `joined` date NOT NULL default '0000-00-00', `country` varchar(100) collate latin1_general_ci NOT NULL default '', `user_activated` int(1) NOT NULL default '0', PRIMARY KEY (`id`) ) On the second table i created it like this: CREATE TABLE about_me ( about_id int NOT NULL, nick_name varchar(255), descript varchar(255), aim varchar(255), cell varchar(255), school varchar(255), music varchar(255), aspire varchar(255), City varchar(255), id int, PRIMARY KEY (about_id), FOREIGN KEY (id) REFERENCES users(id) ) I believe i imported the key correctly into my new table (about_me). Well I expected the id column to cascade down into this new table automatically which it didn't. RIght now if you log into my site and use the about me form, it posts to the new table "about_me" but it doesn't identify the user on the table with the primary key assigned to him from the first table (users). How do I use PHP sessions to identify the user by his/her id from the primary key in the table. I attached the whole site. The php for the log in is a prefab and I'm attempting to do the about me part on my own, I'm having alot of trouble with the whole sessions thing. I'm not really sure if I'm doing this correctly. so yeah any point in the right direction would be awesome! -Mike hi im new to php i am making shopping cart i made a session variable to add products in cart when i run it gives this warning Notice: Undefined index: cart in C:\wamp\www\cart\public\views\layouts\shop.php on line 15 Notice: Undefined index: total_items in C:\wamp\www\cart\public\views\layouts\shop.php on line 16 Notice: Undefined index: total_price in C:\wamp\www\cart\public\views\layouts\shop.php on line 17 but when i click on add to cart it add product price and quanitity kindly help me my shop.php code is <head> <title> Shopping Cart</title> <link href="stylesheets/cool_style.css" media="screen" rel="Stylesheet" type="text/css" /> </head> <body> <h1> products</h1> <div class="cart"> <p><b> Shopping Cart</b></p> print_r($_SESSION['cart']); echo $_SESSION['total_items']; echo number_format($_SESSION['total_price'],2); </div> <hr /> </body> </html> and my index file is where i set session variables are include('db_fns.php'); include("cart_functions.php"); session_start(); if(isset($_SEESION['cart'])) // if change this conditon if(!isset($_SEESION['cart'])) it gives not warning but does not //add products to the cart it does not do anything { $_SESSION['cart']=array(); $_SESSION['total_items']=0; $_SESSION['total_price']=0.00; } $view=empty($_GET['view'])?'index':$_GET['view']; $controller='shop'; switch ($view){ case "index"; $products = find_product(); break; case "add_to_cart"; $id=$_GET['id']; $add_item=add_to_cart($id); $_SESSION['total_items']=total_items($_SESSION['cart']); $_SESSION['total_price']=total_price($_SESSION['cart']); header('Location: index.php'); break; case "update_cart"; break; case "checkout"; break; } if change this conditon if(!isset($_SEESION['cart'])) it gives not warning file run correctly with no warning but does not add products to the cart and does not do anything kindly help me please Hi all, What is the best practice when using Sessions for guest users? I have this (display_items.php) script which should not be accessed directly . user will be directed to a login page, the login checked by a check_login.php file then successful authentication will direct the user to the display_items.php page. it works perfectly on windows server but not on linux. the display_items.php script can be accessed directly on the linux server. It may have something to do with sessions but i cannot pin point the issue at the moment . i have attaced the php script files. Grateful if someone could point me in the right direction
check_login.txt display_items.txt login.txt So I'm trying to understand Sessions and how to store a variable within a session. What I want to t do, is start a session, check if variable is set, if not, set the variable. So with the code below, I start the session, i check the variable, if not set, i set it. But when i refrsh the page, it has the same session id but it didn't store the session variable from the previous load. Please, what am I missing? Code: [Select] <?php session_start(); echo "Session ID: ".session_id()."<br>"; echo "<br>chktrack P ".$_session['chktrack'].""; if ($_session['chktrack'] != 1){ $_session['chktrack']=1; } echo "<br>chktrack Post: ".$_session['chktrack'].""; echo "<br><a href='index.php'>Index</a>"; ?> Thanks in advance for your help. hey on my page a list of people get listed by a category u choose if u choose a category and click ok, u are sent to the same page, and i get the category with POST if(isset ($_POST['type'])) { $gameholder = $_POST['game']; $typeholder = $_POST['type']; } this works ... the list of people is 30 members / page when u click on page 2, the post doesnt work anymore, and i get errors, logic ... now i want to get around this with making a session emediatly when the vars get out of POST if(isset ($_POST['type'])) { $gameholder = $_POST['game']; $typeholder = $_POST['type']; $_session['gameholder'] = $gameholder; $_session['typeholder'] = $typeholder; print $_session['gameholder']; } this also works now i want when people click on page 2, the needed vars will come out of the Sessions, and not out of POST so i did this if(!isset ($_POST['type'])) { $gameholder = $_session['gameholder']; $typeholder = $_session['typeholder']; } but this is not working theres nothing in $gameholder also when i move the print session out of the if, it should show when someone clicks page 2 but its not ... any suggestions on this? thanks! Hello, Is there a problem in destroying a session and then starting it in the same file, for example: session_name(); session_start(); session_destroy(); And lastly, if I create a variable $_SESSION['user'] under a session called 'one' i.e. session_name("one") and then create another variable $_SESSION['user'] under a session called 'two' i.e. session_name("two"). Are these two variables the same? So I am trying to set my session length, but it doesn't seem to be working. session_set_cookie_params("84600"); session_start(); hey i think i may have stored session variables incorrectly Code: [Select] $_SESSION['tel'] = $_GET['Lat']; $_SESSION['Lon'] = $_GET['Lon']; $_SESSION['Lat'] = $_GET['Lat']; is what i used to set the session variables with the data i then enter these into a table and they enter the correct information but two pages down the line i try to access them however i just get undefined variable when i set the variable is equal to the session. Code: [Select] $MyLon = $_SESSION['Lon']; $MyLat = $_SESSION['Lat']; the following is the errorr Quote Notice: Undefined index: Lat in |
|||||||