0

I made a custom login script, and it works just fine. However, after it redirects to the homepage, the $_SESSION['username'] value is changed to 'root', no matter what value it had beforehand. 'root' is the username for my database login.

I have to type all of this in by hand, so it might have an obvious error or two-

main_login.php (php include_once on sidebar.php which is included on every page)

<?php
if(!isset($_SESSION["username"])){
?>

<!-- Simple login form action="checklogin.php" method="post"-->

<?php
}else{
?>

<!-- Table to display welcome user, and logout link -->

<?php
}
?>

checklogin.php:

<?php
session_start();
$db_name = "database";
$tbl_name = "users";

mysql_connect("localhost","root","password") or die("Cannot connect to SQL server");
mysql_select_db("$db_name")or die("Cannot select database.");

$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);

$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);

if($count == 1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location:login_success.php");
}
else{
echo "<script type='text/javascript'>\n";
echo "setTimeout('redirect();',2000);\n";
echo "function redirect(){\n";
echo "window.location = 'index.php';\n";
echo "}\n";
echo "</script>\n";
echo "Wrong Username or Password";
}
?>

login_success.php:

<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:index.php");
}else{
session_regenerate_id();
}
// Apply permissions - problem existed before all of this code

mysql_connect("localhost","root","password") or die("Cannot connect to database.");
mysql_select_db("database") or die("Cannot select database.");

$username = $_SESSION['username'];

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
?>

<html>
<head>
<script type="text/javascript">
setTimeout("redirect();",4000);
function redirect(){
window.location = "index.php";
}
</script>
</head>
<body>
Login Successful.
<?php echo "Welcome ".$_SESSION["username"].".";
var_dump($_SESSION); // var_dump reveals that $_SESSION['username'] is still the login name.
?>
</body>
</html>

Once it goes through that whole process, everything is good. However, when it redirects to index.php, $_SESSION['username'] is now 'root'.

I'm asking to see if anyone has any idea why that might be happening (So I can understand the problem and prevent it in the future), and a fix to implement.

Thanks everyone.

4
  • 2
    There is no need to stripslash and mysql_real_escape the password because you just create an md5 hash of it. With your solution, any change to stripslash or mysql_real_escape could break your login. Commented Feb 8, 2011 at 8:28
  • Thank you fender, I will change that. This is my first attempt at PHP... never would have guessed, huh? Commented Feb 8, 2011 at 9:19
  • It has been fixed - to no fault of the code. Though if I had more rep on SO, I'd give each of you +1 for great information that will definitely be used. Thank you all!! Commented Feb 8, 2011 at 9:39
  • Nothing bad in doing stripslashes and mysql_real_escape_string, actually. You just have to understand where to use it. stripslashes should be used, but conditionally, only if the magic_quotes_gpc setting is turned on (but better is just to turn it off). mysql_real_escape_string can be used too, but in its place. It's a database-related function, so it should be the last thing done to the string variable that goes into the query. See my answer on the topic: stackoverflow.com/questions/2993027/… Commented Feb 8, 2011 at 9:53

5 Answers

3

The answer is very simple:

There is some code in your application which changes $_SESSION['username'] value to 'root'.

You have to investigate your code and find that place. Not a big deal.


6 Comments

I changed all of my queries that have 'root' inside of it to either the variable name $dbusername or insert the username directly into the mysql_connect. Between all 4 pages (index.php included as that is where the change happens), there is nothing that denotes a variable change.
@Christopher look, it's just simple logic. No PHP nor sessions nor mysql change your variable. It's your code, written by you. You have to debug it and find the problem. Nobody else.
.....I'm going to have to give the answer to you for the right method. I saw that header.php (included on every page) still had the $username variable to connect with MySQL. I changed it and voila, it worked. However, I searched the page for the $_SESSION global, but nothing. But I've been poring over the code and I can't find anything - even using the search function. Could a simple variable cause that to happen?
@Christopher ah, there is a possible reason. PHP has an obsolete setting called 'register globals'. It's deprecated and turned off already for ages (a decade, to be correct). It causes such behavior. Your system most likely has register_globals turned on and your $username variable is rewriting $_SESSION['username']. Just turn it off in php.ini
@Col. Yes, it was on. Odd that such an old function would still inhibit functions. In the future, would you recommend to never use the variable $username for anything but sessions?
2

this part seems weird:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');

try this:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();

1 Comment

No, the second parameter indicates the row. username and permissions are the columns.
1

Why are you setting the $_SESSION['username'] variable again on login_success.php? You're setting the variables on check_login.php, correct?

Here is what I would do

On login_success.php, print out your session variables to see what's going on. I can almost guarantee something is happening with your SQL query. Set a condition to make sure you're actually getting results.

print_r($_SESSION);

if(!$_SESSION['username']) die('no session user name');

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);

if(mysql_num_rows($result) == 1){
    $_SESSION['username'] = mysql_result($result,0,'username'); //why do you need this?
    $_SESSION['permissions'] = mysql_result($result,0,'permissions');
    mysql_close(); 
}
else die('no user found');

Also on your checklogin page change the if statement to look for an actual variable in $_SESSION['username'] not just if it is set, I try to stay away from isset().

For the love of god don't store plain text passwords, it doesn't cost anything to implement a secure password hashing scheme. It's super easy to leverage PHP's crypt() function; also check this out for an open source secure method: http://www.openwall.com/phpass/

3 Comments

He doesn't store plain text passwords. He uses md5. It is not that secure anymore but it's better than plaintext^^
Missed that line of code, but yeah unsalted md5 is hardly secure
Thanks for the security suggestions. I set the username again in login_success as another push to make sure the username was setting correctly. The problem was before I implemented that. I did var_dump($_SESSION); on every page through the process, and where it hangs up is the transition between login_success and index.php. Do you need the PHP code for index as well?
1

Well,

Your common sense is probably right, you are setting it to root without realizing it. I just realized, after 2 hours of troubleshooting, that's what I was doing!

No matter what I tried, $_SESSION['username'] was changing from a real username to 'root'.

I finally realized that $_SESSION['username'] was NOT actually changing anywhere, but $username was. Here is why:

<?php
    if(!empty($_SESSION['username'])){
            $username = $_SESSION['username'];
            require_once '../includes/connect_to_db.php';
            echo $_SESSION['username']. ' is correct but '. $username. 'is not.';
    }
?>

Finally we see in the required file connect_to_db.php:

<?php
    $host="localhost"; // Host name
    $username="root"; // mysql username
    $password=""; // mysql password
    $db_name="BH_web_DB"; // Database name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect: ". mysql_error());
    mysql_select_db("$db_name")or die("cannot select DB");
?>

Simple fix:

$db_username="root"; // mysql username

So I was in fact setting it to root =) Hope this helps another.

Comments
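
An added example, not code from the question or from any answer: checklogin.php reworked so that the collision described in the register_globals comment and in the connect_to_db.php answer cannot occur, because the database credentials never exist as global variables. It also replaces the mysql_* calls (removed in PHP 7.0) and unsalted md5 with a PDO prepared statement and password_verify(). The DSN, the app_user account and a users.password column holding password_hash() output are assumptions.

```php
<?php
// Added example: checklogin.php reworked. Table and column names follow the
// question; the DSN, the app_user account and its password are placeholders.
declare(strict_types=1);

// DB credentials stay in function scope, so no global $username/$password
// exists to collide with session or request data.
function db(): PDO
{
    $dbUser = 'app_user';   // placeholder: least-privilege account, not root
    $dbPass = 'change-me';  // placeholder
    return new PDO(
        'mysql:host=localhost;dbname=database;charset=utf8mb4',
        $dbUser,
        $dbPass,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}

// Returns the user's row, or null on any failure. Assumes users.password
// holds password_hash() output rather than unsalted md5.
function authenticate(PDO $pdo, string $login, string $plain): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password, permissions FROM users WHERE username = ?'
    );
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, (string)$row['password'])) {
        return null;
    }
    return $row;
}

session_start();
$login = $_POST['username'] ?? '';
$plain = $_POST['password'] ?? '';
$user  = (is_string($login) && is_string($plain))
    ? authenticate(db(), $login, $plain)
    : null;
if ($user === null) {
    http_response_code(401);
    exit('Wrong Username or Password');
}
session_regenerate_id(true);   // fresh session id once the user is authenticated
$_SESSION['username']    = $user['username'];
$_SESSION['permissions'] = $user['permissions'];   // the hash is not kept in the session
header('Location: login_success.php');
exit;                          // stop executing after the redirect
```

Existing md5 rows would need a migration step (rehash on next successful login) before the password_verify() check can pass for them.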

0

I was having the same issue, turns out I didn't session start on the page where it displays 'root'.

if (!session_id()) session_start();

This helped!

Comments
