#1  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)

    Session makes me login when I move to 3rd page.


    I am working on an E-commerce admin backend. I am using session_start to create a session and send the user to a login page. Once logged in I can click on inventory button on the index.php page to open inventory_list.php.

    This page opens fine, but when I click on a button on this page to open inventory_add.php, I am forced to log in again, it sets me at index.php and I can then navigate back in forth to inventory_list and inventory_add as long as I don't close the browser.

    I am using the same code at the top of both Inventory_list and inventory_add.

    << index.php >>
    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    include "../storescripts/connect_to_mysql.php"; // connect to the MySQL database
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    $existCount = mysql_num_rows($sql); // count the matching rows
    if ($existCount == 0) {
         echo "Your login session data is not on record in the database.";
         exit();
    }
    ?>
    << inventory_list.php & inventory_add.php >>
    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    include "../storescripts/connect_to_mysql.php"; // connect to the MySQL database
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    $existCount = mysql_num_rows($sql); // count the matching rows
    if ($existCount == 0) {
         echo "Your login session data is not on record in the database.";
         exit();
    }
    ?>
    The inventory_add has 2 forms. 1st one is for an image upload/process/resize/convert to jpg. It does this by calling image_upload_script.php. This file checks for duplicate file, deletes it if it exists and saves image as a tmp file. It then calls another script that resizes and converts.

    The user may have added info into the forms 2nd form before uploading the image. I don't know how to send the focus back to the add page from the 2nd script nor do I understand how to maintain the data in the 2nd form while doing so.
    form1 - image upload field, end form1 // Gets sent to upload page.

    form2 - 12 fields - might get entries before user selects image.
#2  For POny! (Devshed Newbie, Amsterdam, joined Apr 2012, 416 posts)
    This piece of code is causing the redirecting.
    PHP Code:
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }

    Does your login script set $_SESSION['manager']? If it doesn't, you will be redirected back till infinity. You might want to make sure $_SESSION['manager'] is set by echoing out its value (as a test).
    Last edited by aeternus; December 25th, 2012 at 05:07 AM.
#3  Lost in code (Devshed Supreme Being, joined Dec 2004, 8,316 posts)
    Make sure none of your forms or links are changing the domain (ie: www.domain.com vs domain.com).
#4  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    I should have shown this code. If no manager is set and verified in the MySQL database, then the code is sent here. Once set, it returns to index.php.

    << admin_login.php >>

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION["manager"])) {
        header("location: index.php");
        exit();
    }
    ?>
    <?php
    // Parse the log in form if the user has filled it out and pressed "Log In"
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); // filter everything but numbers and letters
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // filter everything but numbers and letters
        include "../storescripts/connect_to_mysql.php"; // connect to the MySQL database
        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
        $existCount = mysql_num_rows($sql); // count the matching rows
        if ($existCount == 1) {
            while ($row = mysql_fetch_array($sql)) {
                $id = $row["id"];
            }
            $_SESSION["id"] = $id;
            $_SESSION["manager"] = $manager;
            $_SESSION["password"] = $password;
            header("location: index.php");
            exit();
        } else {
            echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
            exit();
        }
    }
    ?>
#5  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    Ok, the problem still exists. Here is a walk-through of how I have the site set up.

    I open index.php. at the top of the page I have:


    << index.php >>
    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }
    // Be sure to check that this manager SESSION value is in fact in the database
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    // Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
    // Connect to the MySQL database
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 0) { // evaluate the count
         echo "Your login session data is not on record in the database.";
         exit();
    }
    ?>
    I am sent to admin login

    << admin_login.php >>
    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION["manager"])) {
        header("location: index.php");
        exit();
    }
    ?>
    <?php
    // Parse the log in form if the user has filled it out and pressed "Log In"
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); // filter everything but numbers and letters
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // filter everything but numbers and letters
        // Connect to the MySQL database
        include "../storescripts/connect_to_mysql.php";
        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
        // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
        $existCount = mysql_num_rows($sql); // count the row nums
        if ($existCount == 1) { // evaluate the count
            while ($row = mysql_fetch_array($sql)) {
                $id = $row["id"];
            }
            $_SESSION["id"] = $id;
            $_SESSION["manager"] = $manager;
            $_SESSION["password"] = $password;
            header("location: index.php");
            exit();
        } else {
            echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
            exit();
        }
    }
    ?>
    After completing the form and posting, the session manager and password are set and confirmed in the MySQL database. I am redirected back to index.php. I then click on a button Inventory that sends me to inventory_list.php.

    << inventory_list.php >>

    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }
    // Be sure to check that this manager SESSION value is in fact in the database
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    // Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
    // Connect to the MySQL database
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 0) { // evaluate the count
         echo "Your login session data is not on record in the database.";
         exit();
    }
    ?>
    This page comes right up. On this page I have it show a list of products. There is a New button that when clicked that sends me to inventory_add.php. It is this spot that I am prompted to login again. then sent back to index.php once I do.

    << inventory_add.php >>
    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php");
        exit();
    }
    // Be sure to check that this manager SESSION value is in fact in the database
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    // Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
    // Connect to the MySQL database
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 0) { // evaluate the count
         echo "Your login session data is not on record in the database.";
         exit();
    }
    ?>
    Now I am back at login.php and I can click Inventory button and inventory_list.php comes up, I then select New button and inventory_add.php comes up. Do I need to do something with session, manager and password before selecting new to stop the 2nd login?
#6  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    The page with the 2 forms, inventory_add.php, sends me to login for the second time. This happens only the 1st time I am sent to it; I can come and go from it from then on without logging in. This all happens before the 2 forms show to the user.

    Why would I have to log in 2 times?

    I tried posting on Adam Khoury's page to ask him, as it is from his tutorial, but the post has been deleted 2 times.

    I guess I will try a re-write of the admin side of the website since I can find no way to stop this behaviour.
#7  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    I am still having this problem. Any suggestions would be appreciated.
#8  -- (Devshed Expert, joined Jul 2012, 3,959 posts)
    Hi,

    I wouldn't use the scripts by this Adam, because the code quality is poor, and some of the practices can even lead to security problems.

    For example, this strange preg_replace() approach will silently change the password so that even wrong passwords might be accepted. The same with the username.

    Obviously he doesn't know how to properly escape strings. The mysql_ functions are also long obsolete. Either he has no clue about modern PHP, or he hasn't updated his scripts for 8(!) years. Neither of these looks very good.

    So I strongly recommend actually learning PHP and then writing your own scripts using modern and secure PHP.

    If you cannot dump your current code right now, then check the session with var_dump($_SESSION) to see what it has lost between those two pages. Also check the session cookie with either var_dump($_COOKIE) or with the developer tools of your browser.
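    The domain hint from post #3 and the var_dump check suggested here can be combined into one diagnostic placed at the top of index.php, inventory_list.php and inventory_add.php. This is an added example, not code from the thread or from the tutorial under discussion; `example.com`, the helper name `session_diagnostics` and the log format are my own choices.

```php
<?php
// Added diagnostic (not from the thread). Include before any output on each
// admin page, then compare the logged lines for the three pages. If the Host
// differs between pages (www.example.com vs example.com) or cookie_sent is
// false on the first hit to inventory_add.php, the browser is not sending the
// session cookie to that host, so PHP starts a fresh, empty session.

// Optional fix for the www/non-www case: make the session cookie valid for the
// bare domain and every subdomain. Must run before session_start().
// Assumption: all admin pages live under one registrable domain (placeholder).
$cookieDomain = '.example.com';  // PLACEHOLDER: replace with your own domain
// lifetime 0 = browser session; path '/'; secure false (no HTTPS yet); HttpOnly true
session_set_cookie_params(0, '/', $cookieDomain, false, true);

session_start();

function session_diagnostics(array $server, array $cookie, array $session)
{
    $name = session_name();   // usually PHPSESSID
    $refererHost = isset($server['HTTP_REFERER'])
        ? parse_url($server['HTTP_REFERER'], PHP_URL_HOST) : null;
    $host = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '?';
    return array(
        'script'       => isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '?',
        'host'         => $host,
        'referer_host' => $refererHost,
        // true when the link that brought us here came from a different
        // hostname: the classic cause of a "lost" session
        'host_changed' => ($refererHost !== null
                           && strcasecmp($refererHost, $host) !== 0),
        'cookie_sent'  => isset($cookie[$name]),
        'session_id'   => session_id(),
        'has_manager'  => isset($session['manager']),
        'session_keys' => array_keys($session),
    );
}

// Log to the PHP error log rather than echoing, so session data never ends
// up in a page a visitor can see.
error_log('session diag: ' . json_encode(session_diagnostics($_SERVER, $_COOKIE, $_SESSION)));
```

    Widening the cookie domain with `session_set_cookie_params()` makes the cookie available to every subdomain, so only do that once the admin pages are the only thing served under that domain that you want sharing the session.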
#9  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    That is an eye-opening reply. I appreciate the information. I can dump the code, and if it is that bad, I will absolutely do so. Is there a place to go to "Learn PHP" properly then? I have been looking at other sites and have been experimenting with the different methods, but because there is so much diversity, I do not know what is standard.

    Is there a text book or website to begin with. I have programmed in Delphi/Pascal/Borland Pascal/ and several other languages for over 20 years on and off, I just had always refused HTML and web based stuff so I am behind the curve.

    I did redo just the sessions in blank pages and I have the sessions working right now. But it looks like I need to stop and look for better training. Thanks for the advice.
#10  For POny! (Devshed Newbie, Amsterdam, joined Apr 2012, 416 posts)
    Originally Posted by MT1
    Is there a place to go to "Learn PHP" properly then?
    Maybe buy a good book?
#11  -- (Devshed Expert, joined Jul 2012, 3,959 posts)
    If you already know other languages and a bit of PHP (which I suppose), I'm not sure if a book covering programming basics makes sense. I'd rather try to use the PHP manual (php.net) to look up specific topics like database code, security etc. Wikipedia also has quite good general explanations.

    I mean, you already know how to program in general, so no need to explain "if" statements, functions etc. to you. All you need is a reference to look up how this is done in PHP and what are the best practices.
#12  Registered User (Devshed Newbie, joined Dec 2012, 10 posts)
    Ok, so I see this on php.net.

    mysql_real_escape_string Escapes special characters in a string for use in an SQL statement

    with this posted below.

    This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.

    My server, Justhost, had PHP 5.2.8 selected with Fast CGI. I have the option of changing it to just PHP 5.4. Do I need to look into getting PHP 5.5 installed? I see references to PHP 6.0. I assume that it isn't released yet, or is it?

    Is MySQLi my next step?
#13  -- (Devshed Expert, joined Jul 2012, 3,959 posts)
    Originally Posted by MT1
    My server, Justhost, had PHP 5.2.8 selected with Fast CGI. I have the option of changing it to just PHP 5.4. Do I need to look into getting PHP 5.5 installed? I see references to PHP 6.0. I assume that it isn't released yet, or is it?
    No, and it won't be released in the near future. But you don't need the very latest version. PHP 5.4 is fine.



    Originally Posted by MT1
    Is MySQLi my next step?
    Yes. Either that or PDO. The most important feature of the "new" database extensions (they are actually 7/8 years old) is that they support prepared statements, which allow you to safely and cleanly pass values to queries. So no more fumbling with mysql_real_escape_string() or home-made escaping functions like the one above.
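    One way to rewrite the login and the per-page check with PDO prepared statements, as the reply above recommends. This is an added example, not the thread's or the tutorial's code: it keeps the thread's `admin` table but assumes the `password` column now holds a `password_hash()` value (an addition beyond what the reply discusses; needs PHP 5.5, or the password_compat library on 5.4), uses placeholder database credentials, and stores only the admin's id in the session instead of the password.

```php
<?php
// Added example, not code from the thread or from the tutorial it came from.
// Assumptions: table `admin` (id, username, password) as in the thread, with
// `password` holding a password_hash() value; DB credentials are placeholders.

function db()
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=store;charset=utf8',
                       'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    }
    return $pdo;
}

// admin_login.php: the value is bound as a parameter, never pasted into the
// SQL text, so no escaping and no preg_replace() filtering is needed.
function login_admin($username, $password)
{
    $stmt = db()->prepare('SELECT id, password FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                          // unknown user or wrong password
    }
    session_regenerate_id(true);               // fresh session id after login
    $_SESSION['manager_id'] = (int) $row['id']; // keep the id, never the password
    return true;
}

// index.php / inventory_list.php / inventory_add.php: confirm the id in the
// session still belongs to an admin row. Returns the username, or null.
function current_admin()
{
    if (!isset($_SESSION['manager_id'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT username FROM admin WHERE id = ? LIMIT 1');
    $stmt->execute(array($_SESSION['manager_id']));
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

session_start();
if (isset($_POST['username'], $_POST['password'])) {
    if (login_admin($_POST['username'], $_POST['password'])) {
        header('Location: index.php');
        exit();
    }
    echo 'That information is incorrect, try again.';
    exit();
}
```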
