Session makes me login when i move to 3rd page.
December 25th, 2012, 03:21 AM
Registered User
Session makes me login when i move to 3rd page.
I am working on an E-commerce admin backend. I am using session_start to create a session and send the user to a login page. Once logged in I can click on inventory button on the index.php page to open inventory_list.php.
This page opens fine, but when I click on a button on this page to open inventory_add.php, I am forced to log in again. It sets me at index.php and I can then navigate back and forth to inventory_list and inventory_add as long as I don't close the browser.
I am using the same code at the top of both Inventory_list and inventory_add.
<< index.php >>
PHP Code:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
<< inventory_add.php & inventory_add.php >>
PHP Code:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
The inventory_add has 2 forms. 1st one is for an image upload/process/resize/convert to jpg. It does this by calling image_upload_script.php. This file checks for duplicate file, deletes it if it exists and saves image as a tmp file. It then calls another script that resizes and converts.
The user may have added info into the forms 2nd form before uploading the image. I don't know how to send the focus back to the add page from the 2nd script nor do I understand how to maintain the data in the 2nd form while doing so.
form1 - image upload field end form1 // Gets sent to upload page.
form2 - 12 fields - might get entries before user selects image.

December 25th, 2012, 03:59 AM
For POny!
This piece of code is causing the redirecting.
PHP Code:
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
Does your login script set $_SESSION['manager']? If it doesn't, you will be redirected back till infinity. You might want to make sure $_SESSION['manager'] is set by echoing out its value (as a test).
Last edited by aeternus : December 25th, 2012 at 04:07 AM.

December 25th, 2012, 08:14 AM
Lost in code
Make sure none of your forms or links are changing the domain (i.e., www.domain.com vs domain.com).

December 25th, 2012, 01:01 PM
Registered User
I should have shown this code. If no manager is set, and verified in MySQL database then a code is sent here. Once set it returns to the index.php.
<< admin_login.php >>
PHP Code:
<?php
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php");
    exit();
}
?>
<?php
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");
    $existCount = mysql_num_rows($sql);
    if ($existCount == 1) {
        while($row = mysql_fetch_array($sql)){
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["manager"] = $manager;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}
?>

December 25th, 2012, 03:45 PM
Registered User
Ok, the problem still exists. Here is a walkthrough of how I have the site set up.
I open index.php. At the top of the page I have:
<< index.php >>
PHP Code:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
I am sent to admin login.
<< admin_login.php >>
PHP Code:
<?php
session_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php");
    exit();
}
?>
<?php
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // filter everything but numbers and letters
    // Connect to the MySQL database
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 1) { // evaluate the count
        while($row = mysql_fetch_array($sql)){
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["manager"] = $manager;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}
?>
After completing form and posting, session manager and password are set and confirmed in mysql database. I am redirected back to index.php. I then click on a button Inventory that sends me to inventory_list.php.
<< inventory_list.php >>
PHP Code:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
This page comes right up. On this page I have it show a list of products. There is a New button that, when clicked, sends me to inventory_add.php. It is this spot that I am prompted to login again, then sent back to index.php once I do.
<< inventory_add.php >>
PHP Code:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
Now I am back at login.php and I can click Inventory button and inventory_list.php comes up, I then select New button and inventory_add.php comes up. Do I need to do something with session, manager and password before selecting new to stop the 2nd login?

December 26th, 2012, 09:29 PM
Registered User
The page with the 2 forms, inventory_add.php, sends me to login for the second time. This happens only the 1st time I am sent to it, I can come and go from it from then on without logging in. This all happens before 2 forms show to user.
Why would I have to log in 2 times?
I tried posting on Adam Khoury's page to ask him as it is from his tutorial but the post has been deleted 2 times.
I guess I will try a re-write of the admin side of the website since I can find no way to stop this behavior.

December 31st, 2012, 04:32 PM
Registered User
I am still having this problem. Any suggestions would be appreciated.

January 1st, 2013, 01:22 AM
pollyanna
Hi,
I wouldn't use the scripts by this Adam, because the code quality is poor, and some of the practices can even lead to security problems.
For example, this strange preg_replace() approach will silently change the password so that even wrong passwords might be accepted. The same with the username.
Obviously he doesn't know how to properly escape strings. The mysql_ functions are also long obsolete. Either he has no clue about modern PHP, or he hasn't updated his scripts in 8(!) years. Neither of these looks very good.
So I strongly recommend actually learning PHP and then writing your own scripts using modern and secure PHP.
If you cannot dump your current code right now, then check the session with var_dump($_SESSION) to see what it has lost between those two pages. Also check the session cookie with either var_dump($_COOKIE) or with the developer tools of your browser.
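The filter problem described in the post above, shown as an added example that is not code from the thread or the tutorial. `tutorial_filter()`, `filtered_login()` and `exact_login()` are hypothetical names, the passwords are constructed samples, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later.
// tutorial_filter() is a hypothetical wrapper around the thread's preg_replace() call.
function tutorial_filter(string $input): string
{
    return preg_replace('#[^A-Za-z0-9]#i', '', $input);
}

// Login check as the thread's admin_login.php effectively performs it:
// the filtered input is compared with the value stored in the admin table.
function filtered_login(string $input, string $storedPassword): bool
{
    return tutorial_filter($input) === $storedPassword;
}

// Exact check: the stored value is a password_hash() digest of the unmodified
// password, so nothing is stripped before the comparison.
function exact_login(string $input, string $storedHash): bool
{
    return password_verify($input, $storedHash);
}

// Constructed sample data: only the first attempt is the real password.
$realPassword = 'Tr0ub4dor3';
$storedHash   = password_hash($realPassword, PASSWORD_DEFAULT);
$attempts     = ['Tr0ub4dor3', 'Tr0ub4dor-3', 'Tr0ub 4dor 3', '!Tr0ub4dor3?'];

foreach ($attempts as $attempt) {
    printf(
        "%-14s filtered: %-8s exact: %s\n",
        $attempt,
        filtered_login($attempt, $realPassword) ? 'accepted' : 'rejected',
        exact_login($attempt, $storedHash) ? 'accepted' : 'rejected'
    );
}
```

The filtered check accepts all four attempts because each collapses to the same string, while the exact check accepts only the first.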

January 1st, 2013, 12:37 PM
Registered User
That is an eye-opening reply. I appreciate the information. I can dump the code, and if it is that bad, I will absolutely do so. Is there a place to go to "Learn PHP" properly then? I have been looking at other sites and have been experimenting with the different methods, but because there is so much diversity, I do not know what is standard.
Is there a text book or website to begin with? I have programmed in Delphi/Pascal/Borland Pascal/ and several other languages for over 20 years on and off, I just had always refused HTML and web based stuff so I am behind the curve.
I did redo just the sessions in blank pages and I have the sessions working right now. But it looks like I need to stop and look for better training. Thanks for the advice.

January 1st, 2013, 02:20 PM
For POny!
Quote (originally posted by MT1): Is there a place to go to "Learn PHP" properly then?
Maybe buy a good book?

January 1st, 2013, 07:21 PM
pollyanna
If you already know other languages and a bit of PHP (which I suppose), I'm not sure if a book covering programming basics makes sense. I'd rather try to use the PHP manual (php.net) to look up specific topics like database code, security etc. Wikipedia also has quite good general explanations.
I mean, you already know how to program in general, so no need to explain "if" statements, functions etc. to you. All you need is a reference to look up how this is done in PHP and what are the best practices.

January 3rd, 2013, 01:54 AM
Registered User
Ok, so I see this on php.net.
mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement
with this posted below.
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.
My server, Justhost, had PHP 5.2.8 selected with Fast CGI. I have the option of changing it to just PHP 5.4. Do I need to look into getting PHP 5.5 installed? I see references to PHP 6.0. I assume that it isn't released yet, or is it?
Is MySQLi my next step?

January 3rd, 2013, 04:30 AM
pollyanna
Quote (originally posted by MT1): My server, Justhost, had PHP 5.2.8 selected with Fast CGI. I have the option of changing it to just PHP 5.4. Do I need to look into getting PHP 5.5 installed? I see references to PHP 6.0. I assume that it isn't released yet, or is it?
No, and it won't be released in the near future. But you don't need the very latest version. PHP 5.4 is fine.
Quote (originally posted by MT1): Is MySQLi my next step?
Yes. Either that or PDO. The most important feature of the "new" database extensions (they are actually 7/8 years old) is that they support prepared statements, which allow you to safely and cleanly pass values to queries. So no more fumbling with mysql_real_escape_string() or home-made escaping functions like the one above.
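A login lookup using the prepared statements recommended in the post above, as an added example that is not code from the thread. It assumes PHP 7.1 or later with the pdo_sqlite extension and uses an in-memory SQLite database in place of the thread's MySQL server so that it runs offline; the `password_hash` column and the `check_admin_login()` name are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database stands in
// for the MySQL server; with MySQL only the DSN and credentials passed to PDO differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample row; the password_hash column is an assumption.
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (:username, :hash)');
$insert->execute([
    ':username' => "o'brien",
    ':hash'     => password_hash('s3cret; pass-phrase', PASSWORD_DEFAULT),
]);

// Returns the admin id when the credentials match, null otherwise.
function check_admin_login(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps the value out of the SQL text, so the apostrophe in the
    // username needs no escaping and no characters are stripped from the input.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Correct credentials, punctuation included: returns the row id.
var_dump(check_admin_login($pdo, "o'brien", 's3cret; pass-phrase'));
// The same credentials with punctuation stripped, as the old filter would produce: no match.
var_dump(check_admin_login($pdo, 'obrien', 's3cretpassphrase'));
```

On success, storing only the returned id in `$_SESSION` avoids keeping the password in session data the way the thread's scripts do.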