
I have a very simple script that creates a user:

<?php
include 'mysqlserver.php';
session_start();

$con = mysql_connect($mysql_host, $mysql_username, $mysql_password);
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db($mysql_db, $con);

$newuser = $_POST['username'];
$newpassword = $_POST['password'];
$confirmnewpassword = $_POST['confirmpassword'];

if ($newpassword != $confirmnewpassword) {
    die('Passwords do not match.');
}

if ($newuser == null) {
    die('You need to choose a username!');
} elseif ($newpassword == null) {
    die('You need to enter a password!');
}

$avail_query = mysql_query("SELECT * FROM users WHERE username='$newuser'");
$avail_numrows = mysql_num_rows($avail_query);

if ($avail_numrows != 0) {
    die('That user already exists');
}

mysql_query("INSERT INTO users (username, password)
             VALUES ('$newuser', '$newpassword')");

$_SESSION['username'] == $newuser;

mysql_close($con);
?>

<script type="text/javascript">
function enterUCP() {
    window.location = "/member.php";
}
</script>
</head>
<body onLoad="setTimeout('enterUCP()', 3000)">
Account created! Logging you in...
</body>

Originally, my script simply redirected you to the login page after creating an account. I've been trying to tweak it so you are logged in after the creation of an account. For some reason, I cannot edit $_SESSION['username'] or any other session variables, even though I have started the session on line 3. I'm very confused, as some of my other PHP scripts properly manipulate $_SESSION variables, and I can't tell what's different in mine.

P.S. Please don't comment on the security of my system. It's probably terribly insecure, but I'm just writing for a prototype.

EDIT: Just to make this a little less useless of a question, can anyone find any serious security flaws here?

Jaxkr
  • I'm reading it..but remember to put the "session_start()" at the very beginning of the script (after the opening php tag) :) – Erenor Paz Jun 18 '12 at 17:13
  • @ErenorPaz, not necessary, as long as it's before sending anything to the client (echo, print..) – Adi Jun 18 '12 at 17:14
  • What if the include gives error? Ok, in this case there won't be any connection vars, so it will stop executing anyway, but as you said, "before anything is sent to the browser" :) – Erenor Paz Jun 18 '12 at 17:24

4 Answers

6

Change:

$_SESSION['username'] == $newuser;

to:

$_SESSION['username'] = $newuser;

You're comparing instead of setting.

ceejayoz
  • It happens, especially on Mondays! – ceejayoz Jun 18 '12 at 17:15
  • @Jaxkr a bigger facepalm will take place after your first SQL Injection :D, a brotherly advice.. take a look [at this](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – Adi Jun 18 '12 at 17:15
  • Adnan : i'm sure he will take care of it :) @Jaxkr: select this answer as "your" answer, to give proper credits to ceejayoz – Erenor Paz Jun 18 '12 at 17:18
  • It works. I know I'm not supposed to use mysql_* stuff anymore, but I'm trying to learn to use mysqli_*.. – Jaxkr Jun 18 '12 at 17:19
  • no buddy, that's not the problem. Read this http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php – Adi Jun 18 '12 at 17:20
  • The wrong thing is that you should always make sure the input data do NOT contain malicious code. For example, you could check that username ONLY contains letters and numbers: [this](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) is a good starting point – Erenor Paz Jun 18 '12 at 17:21
  • But, if it's simply being written to a database, why would it be executed? (Sorry for the noobiness, I'm very young and rather new to coding) – Jaxkr Jun 18 '12 at 17:25
  • dude, instead of apologizing why don't you read the damn links? and THEN if you have questions, we'd be happy to help you – Adi Jun 18 '12 at 17:26
  • I did read the tizag link, and I will follow the advice on that page, as well as the question on preventing SQL injection. But let's say I have "SELECT * FROM users WHERE username = 'DROP TABLE \'users\'", I don't understand why "'DROP TABLE 'users'" part will be run. – Jaxkr Jun 18 '12 at 17:34
3

$_SESSION['username'] == $newuser;

remove the second = sign.

$_SESSION['username'] = $newuser;
barbiepylon
3

oh gosh :)

$_SESSION['username'] == $newuser;

double equal sign..put just one and it will work :)

$_SESSION['username'] = $newuser;
Erenor Paz
3

many people already answered your question, but I didn't want to put this in a comment. First, you fix your code by changing

$_SESSION['username'] == $newuser;

to:

$_SESSION['username'] = $newuser;

IMPORTANT:

While you learn MySQLi or PDO, do this to your code

$newuser = mysql_real_escape_string($_POST['username']);

to protect yourself from SQL Injection

Make sure you do similar escaping for all of the input you're using in the query.

Adi
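Added example (not code from the question or any of the answers): it shows what the question's query string turns into for two usernames, which is the point raised in the comments about why the database "runs" part of the input, and then the same registration step rewritten with PDO prepared statements, the single-`=` session assignment, and, going one step beyond the answers, a hashed password instead of clear text. The `$dsn`, `$dbUser` and `$dbPass` variables are assumed to be defined in the included `mysqlserver.php`.

```php
<?php
// Added example; assumes mysqlserver.php defines $dsn, $dbUser, $dbPass.
session_start();                       // before any output, as the comments note
include 'mysqlserver.php';

// 1. Same string building as the question's availability check.
//    The database receives one string and cannot tell which part
//    was meant as the query and which part was meant as data.
function buildVulnerableQuery(string $newuser): string
{
    return "SELECT * FROM users WHERE username='$newuser'";
}
// buildVulnerableQuery("o'brien")
//   -> SELECT * FROM users WHERE username='o'brien'      (syntax error)
// buildVulnerableQuery("x' OR '1'='1")
//   -> SELECT * FROM users WHERE username='x' OR '1'='1' (matches every row)

// 2. Hardened registration: placeholders keep the username as data no
//    matter what characters it contains, and the password is hashed.
function registerUser(PDO $pdo, string $newuser, string $newpassword): bool
{
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $check->execute([$newuser]);
    if ((int) $check->fetchColumn() > 0) {
        return false;                  // user already exists
    }
    $insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $insert->execute([$newuser, password_hash($newpassword, PASSWORD_DEFAULT)]);
    return true;
}

$pdo = new PDO($dsn, $dbUser, $dbPass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$newuser        = $_POST['username'] ?? '';
$newpassword    = $_POST['password'] ?? '';
$confirmnewpass = $_POST['confirmpassword'] ?? '';

if ($newuser === '' || $newpassword === '') {
    die('You need to enter a username and a password!');
}
if ($newpassword !== $confirmnewpass) {
    die('Passwords do not match.');
}
if (!registerUser($pdo, $newuser, $newpassword)) {
    die('That user already exists');
}

$_SESSION['username'] = $newuser;      // single '=': assignment, not comparison
```

Later logins then verify the stored hash with password_verify() rather than comparing the submitted password against a column value.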