$_Session vars

I’m having a problem with $_Session vars being passed between pages.

I have an index page that asks for a user name and password. This page goes to “loginchk.php”. This page queries the MySql data base to verify the login. If the login is correct it goes to “menu.php”.

My problem is that when it get’s to “menu.php”, the only variables that are set are the user logon and the password from “index.php”.

The other weird thing is that if the login fails and bounces it back to the login page, the error message that is passed in a $_Session var is there!

I’m sure that I’m doing something stupid but I can’t see it

Thanks
Glenn

are you including session_start();?

Yes I am.

Post your code please…that’ll give us somewhere to start

Here is the entire code for loginghck.php. What’s weird is that if loginchk.php fails, I get $_SESSION[‘Message’] back in login.php. However, like I said before, loginchk.php goes to menu.php. At the point the only session varibles that I have are the user login and password.

<?php session_start(); header("Cache-control: private"); $colname_User_File = "1"; if (isset($HTTP_GET_VARS['USERID'])) { $colname_User_File = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['USERID'] : addslashes($HTTP_GET_VARS['USERID']); } $UserID = trim($_POST['User']); $UserID = strtoupper($UserID); $Password = $_POST['Password']; $Password = strtoupper($Password); if (!$UserID) { $_SESSION['Message'] = "You haven't entered a valid user ID!"; $_SESSION['Error'] = "Y"; Header("Location: index.php"); exit; } else { if (!$Password) { $_SESSION['Message'] = "You haven't entered a vailid password!"; $_SESSION['Error'] = "Y"; Header("Location: index.php"); exit; } // This is just a login to bypass the user file. // // if ($UserID) = 'CBREEZE' // { // if ($Password) = 'REMDOS' // { // $_SESSION['User'] = 'CBREEZE'; // $_SESSION['First_Name'] = 'GJJD'; // $_SESSION['Last_Name'] = 'CRL'; // $_SESSION['E_Mail'] = '[email protected]'; // $_SESSION['Security'] = '9' // mysql_close($mysql); // Header("Location: menu.php"); // // } // } } //$mysql_open = OpenDSN(); $link = mysql_connect('localhost', 'mrbreeze', 'Zaq12wsX#'); $db_selected = mysql_select_db('mrbreeze_lansco', $link); if (!$db_selected) { die ('Can\'t use Lansco Database : ' . mysql_error()); } $SqlString = "SELECT * FROM users WHERE USER = '$UserID' and PASSWORD = '$Password'"; $User_File = mysql_query($SqlString,$link); mysql_fetch_assoc($User_File); $totalRows_User_File = mysql_num_rows($User_File); if ($totalRows_User_File == 0) { $_SESSION['Message'] = "You are not authorized to enter this site!"; $_SESSION['Error'] = "Y"; Header("Location: index.php"); mysql_close($mysql); exit; } //Initialize session variables, close connection and load default page. $_SESSION['User'] = mysql_result($User_File,'User'); $_SESSION['Password'] = mysql_result($User_File,'Password'); $_SESSION['First_Name'] = mysql_result($User_File,'First Name'); $_SESSION['Last_Name'] = mysql_result($User_File,'Last Name'); //$_SESSION['E_Mail'] = mysql_result($User_File,'E-Mail'); $_SESSION['Security'] = mysql_result($User_File,'Security'); $_SESSION['UserID'] = mysql_result($User_File,'UserID'); $_SESSION['Data'] = " "; mysql_close($mysql); // Header("Location: menu.php"); ?>

If you take out the redirection to menu.php and just echo the session variables are they displaying the proper information?

I think I figured out the problem,

I can login to the database but when it tries to access the user file I get the following error:

Access denied for user ‘mrbreeze’@‘localhost’ to database ‘Users’

If I can log on to the database, why can’t I hit the table?

WTF?

Glenn

PS: The error message seems wrong because the database is not named ‘Users’. This is the name of the table.

Check your config options for the database. If it’s telling you that you cannot hit the database “Users” and that’s not your DB name - it’s your table name - then the credentials it is using are incorrect.

No, I can do a query on the table “users” from mysql. This makes no sense to me. If I can connect to the database and the table through mysql and I can connect to the database over the web, why can’t I connect to the table?

is the table named ‘users’ or ‘Users’ depending on your servers box it may be case sensitive, even if not its good practice to act as if it is. It could also be a permissions issue be sure that mrbreeze has access.

A few notes on this code…

First, “$HTTP_GET_VARS” is no longer used, that is for older versions of PHP, now “$_GET” is used.

Next, once you issue a header/location change, nothing after it will execute, so this:
Header(“Location: index.php”);
mysql_close($mysql);
exit;
Does not need the last two lines. You should close your database before the header change. Exit is useless.

Now, the session variables…
Session variables are set and are “live” for the life of either the variable or the session.
The “life” of a variable is up to you. When, done with it, you erase it. There are two ways to do this:
Either unset[$_SESSION[‘variable-name’]]; or $_SESSION[‘variable-name’]="";
You can close a session totally with session_destroy(); Be it will drop all your session variables!

So, if you set a session variable and go to a page or two and the go back, that variable is still set.
Usually, you set variable on your log-in page to “” so they are NOT set. ( Logically, if you are on the
log-in page, you have nothing set yet as you are just starting out!)

Hope that makes sense. Hope it helps…

I took at the HTML_GET and changed it ot $_Get as you suggested. The code still does not work.

If you would like to look at the web site, it’s “mrbreeze.net” This is just a test site so I’m not worried about it. Login as (sales/lc).

The problem is when it get’s to “menu.php” the variables aren’t set.

If you login with a bad user/password it kicks you back to “login.php” To me, this means that the page hit the user table. Am I wrong?

Glenn

Yes, I looked at your site. Perhaps I did not explain correctly. The actual problem is that you do some code, if it fails you go back to the login page. BUT, you do NOT empty out the session variables. If the login attempt fails, you should REMOVE the user ID and password so it does not get saved.

So, you have some code… It eventually does a compare to see if the user info is in the database.
Then, it checks for count of the rows pulled from the database… In general, it does this:
if count==0 {
then do some code, send message, etc…
}
Now, do the stuff that should not be done if the count==0…

You should be doing something like this:
if count==0 {
then do some code, send message, etc…
reset all session variables…
}else{
set session variables…
do some code…
jump to the menu page…
}

SO, you are processing data like the password check was okay even though it was not…
Hope I made more sense this time… Good luck!

Ok. Mabe I didn’t eplain correctly.

I gave you a login. But when you get to the third page (menu.php) the session variavles are not set.

Try login in with bad user/pasword. It will throw you back to “login.php”

Did you put a “session_start();” at the top of the menu.php page?

You need that at the top of EVERY page that uses a SESSION variable…

Yes I did.
If you look at the code that I sent, you can see it.
Glenn

You only posted the index.php page. Did you put session_start() in the menu page?
It has to be in every page that uses a session variable. (You did not post the menu page!)