
I am trying to create two separate sessions: one for if the user is admin and another if the user is author. $type stored type as enum (can be either author or admin). But my code is creating author session even for admin. I am new to PHP and MySQL. Can somebody tell me where the error is in my code?

<?php
include("dbconnect.php");
$con = new dbconnect();
$con->connect();

//create and issue the query
$sql = "SELECT type FROM users WHERE username = '".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";

$result = mysql_query($sql);

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
    $type_num = 0;
    //if authorized, get the values
    while ($info = mysql_fetch_array($result)) {
        $type = $info['type'];
    }

    if ($type == "admin") {
        $_SESSION['type'] = 1;
        $u = 'welcome.php';
        header('Location: '.$u);
    } else {
        $_SESSION['type'] = $type_num;
        $u = 'welcome.php';
        header('Location: '.$u);
    }
} else {
    //redirect back to loginfailed.html form if not in the table
    header("Location: loginfailed.html");
    exit;
}
?>

My welcome.php is as below

<?php
session_start();
?>

<html>
<body>
<h2>Welcome.</h2>
<?php
// full open tag: the short "<?" form only works when short_open_tag is enabled
if ($_SESSION['type'] == 1) {
    echo "You are of the usertype Admin and your session id is ";
    echo session_id();
} else {
    echo "You are of the usertype Author and your session id is ";
    echo session_id();
}
?>
</body>
</html>

Thank you so much in advance.

user1479431
    What's in your `$_SESSION` at this point? It wouldn't surprise me if it's completely empty, as I don't see a `session_start()` on the page setting the variable (every page accessing session needs this call). – Wrikken Jul 02 '12 at 06:03
  • 2
    By the way it is very simple to log in without knowing the correct password with a simple blind SQL injection. Try e.g. the username: admin'-- – rekire Jul 02 '12 at 06:22
  • 1
    You really don't need to be doing this. And yes, there's an SQL injection vulnerability in your code, see http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain/332367#332367/1228 and http://bobby-tables.com. – El Yobo Jul 02 '12 at 06:29

4 Answers


Try to use roles for your permissions.

In general you have just one session. I mean you don't have two variables called _SESSION.

With the concept of roles you can simply check if a user has the permission to do something.

rekire
  • True, but more info would help. – El Yobo Jul 02 '12 at 06:27
  • Well you are right. My answer is in this case just an idea how to make that better. Also it's hard to explain on a mobile. – rekire Jul 02 '12 at 06:33
  • Yeah, I gave a +1 because I agree with you, but judging from the questions and code the OP probably won't know what you mean by roles :) – El Yobo Jul 02 '12 at 20:02

You have to call session_start() in the first part of the code, before registering the variable $_SESSION['type'] in the session.

Marcio Mazzucato
  • Thanks Marcio. That helped. But I have one more question. Every time I test I am getting the same session id for any author or any admin. Doesn't look right to me. Is that the way it is supposed to be? – user1479431 Jul 02 '12 at 06:10
  • @user1479431, Each session must have a unique ID; probably you aren't destroying the session before creating another one. You have to use [session_destroy()](http://br.php.net/manual/en/function.session-destroy.php), put it at the end of the file `welcome.php` just for test purposes. – Marcio Mazzucato Jul 02 '12 at 06:14
  • Or use different browsers. You can also delete the browser cookie – RoboTamer Jul 02 '12 at 06:30
  • @user1479431, Before calling session_destroy() you have to call session_start() in the same file, are you doing it? – Marcio Mazzucato Jul 02 '12 at 06:30
  • yes! I added session_destroy() at the end of welcome.php (not in the first part because I don't need to destroy the sessions at that time) – user1479431 Jul 02 '12 at 06:33
  • I am getting the same session id in the same browser. When I tried a different browser, it's different. Is that right? – user1479431 Jul 02 '12 at 06:41
  • @user1479431, Put [session_regenerate_id()](http://br.php.net/manual/pt_BR/function.session-regenerate-id.php) after calling session_start() in the first part of the code – Marcio Mazzucato Jul 02 '12 at 06:44
  • @user1479431, Please don't forget to mark the best answer if your problem was solved, it is important for your future questions – Marcio Mazzucato Jul 02 '12 at 06:54
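One way to put this answer (session_start() before any $_SESSION write, session_regenerate_id() after it) together with the roles answer above and the SQL-injection comments on the question, as an added example that is not code from any of the posters: it assumes a PDO handle `$pdo`, a `users` table with `username`, `password_hash` and `type` columns, and passwords stored with PHP's `password_hash()` instead of MySQL's `PASSWORD()`; the `authenticate`, `login` and `requireRole` names are hypothetical.

```php
<?php
// login.php (added example). Assumes: a PDO handle $pdo, a users table with
// columns username, password_hash (from password_hash()) and
// type ENUM('author','admin').
session_start();                       // must precede any $_SESSION write or read

function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // Prepared statement: the username is bound, never concatenated into SQL,
    // so a value like admin'-- is compared as a literal username, not parsed.
    $stmt = $pdo->prepare('SELECT password_hash, type FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                   // unknown user or wrong password
    }
    return $row['type'];               // 'author' or 'admin'
}

function login(string $role): void
{
    // A fresh id at login gives each session its own id (the "same session id"
    // question in the comments) and prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['type'] = $role;         // one session; the role is just a value in it
}

function requireRole(string ...$allowed): void
{
    // Call at the top of a protected page, after session_start().
    if (!isset($_SESSION['type']) || !in_array($_SESSION['type'], $allowed, true)) {
        header('Location: loginfailed.html');
        exit;                          // always stop after a redirect header
    }
}

$role = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($role === null) {
    header('Location: loginfailed.html');
    exit;
}
login($role);
header('Location: welcome.php');
exit;
```

On welcome.php, after session_start(), `$_SESSION['type'] === 'admin'` decides which message to print, and an admin-only page would call `requireRole('admin')` first (move the functions into a shared include so both files can use them).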

No, your code seems fine, I think. I don't see where you are calling the database, and what you have in there.

So here is how you troubleshoot:

  while ($info = mysql_fetch_array($result)) {
      $type =$info['type'];
      echo $type . '<br />';
  }

OR

  echo '<pre>';
  while ($info = mysql_fetch_array($result)) {
      $type =$info['type'];
      print_r($info);
  }
  echo '</pre>';

If you never see admin in there, and it must be 'admin' not Admin or ADMIN; then the problem is in your database. You don't have admin as admin defined, or spelled right.

By the way, see how nicely I formatted that. It's easier to read that way.
Coders won't look at your code if you don't do that.

RoboTamer

Try using the session_regenerate_id() method to create different session ids.

Prabhakaran S