0

From a login page I am capturing the user and password values:

<?php
session_start();
$error=''; 
$rows = 0;
if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];
    $mysqli = new mysqli("localhost","xxxxx","xxxxx","xxxxxxx");
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = $mysqli->real_escape_string($username);
    $password = $mysqli->real_escape_string($password);
    $query = "select count(*) from login where password='$password' AND username='$username'";
   if ($stmt = $mysqli->prepare($query)) {
        $stmt->execute();
        $stmt->store_result();
        $rows = $stmt->num_rows;
        $stmt->close();
   }
}
$mysqli->close();
if ($rows == 1) {
    $_SESSION['login_user']=$username; 
    header("location: profile.php"); 
} else {
    header("location: login.php"); 
    $error = "Username or Password is invalid";
} 
?>

My profile.php script is something like below:

<?php
include('session.php');
?>
<!DOCTYPE html>
<html>
<head>
<title>Your Home Page</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
   <div id="profile">
     <b id="welcome">Welcome : <i><?php echo $login_session; ?></i></b>
     <b id="logout"><a href="logout.php">Log Out</a></b>
   </div>
</body>
</html>

And session.php

<?php
if(!isset($_SESSION['login_user'])){
    header('Location: login.php');
}
?>

My code flow is like when the login form is submitted the validate_login.php source code will verify the details from the user. In case the details are correct a profile.php page would be displayed or back again to login page.

I am having 3 difficulties;

  1. How to debug PHP scripts?
  2. Why my code is going back to login page again - I have tested by hard coding wrong undefined variable (forcing a dump) - I found that the row is found as it enters in if condition which defines the session variable [if ($rows == 1)]
  3. Is there any other way we can verify a session - basically only a logged in user should see the further pages?
Improve this question
4
  • 6
    You also need session_start() in session.php Commented Dec 18, 2014 at 9:54
  • Thanks that solves my main issue .. but please let me know how do I debug a PHP script and is there other better method to validate a logged in user Commented Dec 18, 2014 at 9:57
  • 1
    "How to debug PHP" is far too vague of a question and is only something you can learn to do by gaining knowledge of the language or reading, there is no 'correct' answer for that. Install programs like Xdebug and use a proper IDE. Commented Dec 18, 2014 at 10:01
  • Prepared statements only give you the security benefits if you're actually binding parameters. If you're inputting values straight into the query string you might as well just use mysqli->query Commented Dec 18, 2014 at 10:02

3 Answers 3

Reset to default
1

you have no session right now in youre session.php

<?php
if(!isset($_SESSION['login_user'])){
header('Location: login.php');
}
?>

You need to add session_start();

So u will get 

<?php
session_start();
if(!isset($_SESSION['login_user'])){
header('Location: login.php');
}
?>

For security its better to use prepared prepared statements. For error handelings, try to make something is there really a session ?.

if(session_id() == '' || !isset($_SESSION)) {
    // session isn't started
    echo "No session";
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Your session.php should be

empty() is essentially the concise equivalent to !isset($var) || $var == false.

<?php
session_start();
if(empty($_SESSION['login_user'])){
header('Location: login.php');
}
?>

include session.php to your script and any other page that is for registered users

<?php
include_once('session.php');
$error=''; 
$rows = 0;
if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];
$mysqli = new mysqli("localhost","xxxxx","xxxxx","xxxxxxx");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$username = stripslashes($username);
$password = stripslashes($password);
$username = $mysqli->real_escape_string($username);
$password = $mysqli->real_escape_string($password);
$query = "select count(*) from login where password='$password' AND username='$username'";
if ($stmt = $mysqli->prepare($query)) {
$stmt->execute();
$stmt->store_result();
$rows = $stmt->num_rows;
$stmt->close();
}
}
$mysqli->close();
if ($rows == 1) {
$_SESSION['login_user']=$username; 
header("location: profile.php"); 
} else {
header("location: login.php"); 
$error = "Username or Password is invalid";
} 
?>
Improve this answer

Comments

0

Call session_start() function, before use any session variable.

If you get warning such as : Warning: Cannot modify header information - headers already sent (output started at script:line), then use @ suppression operator

@session_start() //@ for error suppression
Improve this answer

1 Comment

How exactly is adding @ (error suppression) good practise? This is awful practise.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.