
After submitting username and password in connect.php, the user reaches contentselect.php. But if a user enters a URL like localhost/users/contentselect.php he is still able to see the contentselect.php page, which he should not see because he has not entered username and password in connect.php.

//connect.php
<?php
include('mysql.php');   // opens the database connection
session_start();

if (isset($_POST['name'], $_POST['password'])) {
    $name     = $_POST['name'];
    $password = md5($_POST['password']);   // md5() is not a password hash (see the comments below)
    // $name and $password are spliced straight into the SQL text: this is the SQL injection
    // the comments point out. Kept as posted so the question still shows the original problem.
    $result = mysql_query("SELECT name,password FROM project WHERE name='" . $name . "' AND password='" . $password . "'");
    if (mysql_num_rows($result) > 0) {
        $_SESSION['logged_in'] = true;
        $_SESSION["name"]      = $name;
        header('Location: contentselect.php');
        exit();
    } else {
        echo "wrong password or username";
    }
}
?>
//this is contentselect.php
<?php
session_start();
// Nothing here checks that connect.php ever set the session, so the page is open to anyone
echo "Hello " . $_SESSION["name"] . "!";
?>
  • mind posting your connect.php code? – DirtyBit Aug 21 '15 at 15:47
  • I just edited it @HawasKaPujaari –  Aug 21 '15 at 15:49
  • Your code is vulnerable to sql injection. Please read [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Sumurai8 Aug 21 '15 at 15:53
  • You're outputting before header. Plus, you should be using code that is more 21st century ;-) Edit: Oh and this is invalid `$_session` all the more reason why it's failing. – Funk Forty Niner Aug 21 '15 at 15:54
  • *My usual pop in and debug it yourself message*: Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Aug 21 '15 at 15:55
  • Thanks for that @Sumurai8, but here I am more interested in knowing how I can stop access to contentselect.php from the URL. –  Aug 21 '15 at 15:55
  • You see, we have no idea where this is set `$_session['logged_in']` which I've already stated is invalid and is a syntax error. If you're not declaring it anywhere else, get rid of it. If you are using it elsewhere that you're not showing us and are using the same syntax, you need to fix it. – Funk Forty Niner Aug 21 '15 at 16:03
  • @aryankanwar Just be aware that by allowing sql injection, you allow people to host illegal or malicious content on your server, you allow your server to be used as botnet or as host for spam, and you allow people to steal all your private data, such as the password hashes. Please note that the algorithm used is not suitable to hash passwords. Use a modern hash instead. – Sumurai8 Aug 21 '15 at 16:03
  • well, everyone's still left in the dark. You have answers below and comments which give you enough to debug your code. *Moving on...* good luck. – Funk Forty Niner Aug 21 '15 at 16:14
  • Well, I was so interested in knowing the answer that I forgot all these silly errors I made @Fred-ii- –  Aug 21 '15 at 16:21

2 Answers


Keeping in mind everything @Fred-ii mentioned, this should work:

    <?php
    session_start();
    if (isset($_SESSION['logged_in'])) {
        echo "Hello " . $_SESSION["name"] . "!";
    } else {
        echo "Sorry Charlie";
    }
    ?>

Or you could use cookies too!

Of course you would have to set the cookie first and then unset it in your signout.php page.

login.php

    if ($user == $user_db && $pass == $pass_db) {
        $Month = 86400 + time();   // one day from now, despite the variable name
        // The cookie holds the bare username and lives in the browser, so its value is
        // whatever the client chooses to send: treat it as untrusted input.
        setcookie('name', $user, $Month);
        header("Location: index.php");
        exit();
    }

signout.php

    header("Refresh: 1; url=welcome.php");   // headers must be sent before any output
    if (isset($_COOKIE['name'])) {
        unset($_COOKIE['name']);
        // Expire the cookie with the same (default) path it was set with in login.php;
        // a different path would leave the original cookie in place.
        setcookie('name', '', time() - 3600);
        echo "<script type='text/javascript'>alert('YOU HAVE LOGGED OUT!')</script>";
    }
    exit();
DirtyBit
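The cookie variant above stores the bare username on the client, so the value that decides who is logged in is chosen by the browser. As an added example (editor's code, not DirtyBit's), the block below shows the minimum that makes a login cookie trustworthy: an HMAC over the username and an expiry, checked with hash_equals(). It assumes PHP 7.3+ and a server-side secret in `$secret` loaded from configuration rather than source. The self-check at the bottom is constructed for this example: it forges a cookie by swapping the username under a valid MAC and confirms the forgery is rejected, as is a bare `admin` value of the kind the answer's cookie would accept.

```php
<?php
// Tamper-evident login cookie. Editor's example, not code from the answer.
// Assumes PHP 7.3+ (setcookie options array) and a secret string in $secret from config.

const AUTH_COOKIE = 'auth';

// Cookie value is <hex(username)>.<expiry>.<hmac>; the MAC covers both fields,
// so neither the name nor the expiry can be edited without the secret.
function make_auth_value(string $secret, string $user, int $expires): string
{
    $payload = bin2hex($user) . '.' . $expires;   // hex keeps '.' out of the username part
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function issue_auth_cookie(string $secret, string $user, int $ttl = 86400): void
{
    $expires = time() + $ttl;
    setcookie(AUTH_COOKIE, make_auth_value($secret, $user, $expires), [
        'expires'  => $expires,
        'path'     => '/',
        'httponly' => true,                       // page scripts cannot read it
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),  // set unconditionally true on a TLS-only site
    ]);
}

// Returns the username when the value is intact and unexpired, null otherwise.
function read_auth_value(string $secret, string $value, int $now): ?string
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$hexUser, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $hexUser . '.' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {          // constant-time comparison
        return null;
    }
    $user = @hex2bin($hexUser);
    return $user === false ? null : $user;
}

function current_user(string $secret): ?string
{
    return isset($_COOKIE[AUTH_COOKIE])
        ? read_auth_value($secret, $_COOKIE[AUTH_COOKIE], time())
        : null;
}

// Constructed self-check when run from the command line.
if (PHP_SAPI === 'cli') {
    $secret = bin2hex(random_bytes(32));
    $now    = time();
    $good   = make_auth_value($secret, 'alice', $now + 3600);
    // Forgery: keep the expiry and MAC from alice's cookie, swap in a different username.
    $forged = bin2hex('admin') . substr($good, strlen(bin2hex('alice')));
    $checks = [
        read_auth_value($secret, $good, $now)   === 'alice',
        read_auth_value($secret, $forged, $now) === null,
        read_auth_value($secret, 'admin', $now) === null,   // bare username, as in the answer
        read_auth_value($secret, make_auth_value($secret, 'bob', $now - 1), $now) === null, // expired
    ];
    echo in_array(false, $checks, true) ? "FAIL\n" : "ok\n";
}
```

Even signed, a cookie like this cannot be revoked before its expiry: signout.php only asks the browser to drop it, and a copy taken earlier stays valid. That is why the session-based check in the first snippet of this answer is the better default.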

You need to check that the user is logged in on the contentselect.php page, so you'd need to change that page to something like this:

//this is contentselect.php
<?php
session_start();

// Only connect.php sets 'logged_in'; anyone arriving without it is sent back to log in.
if (!isset($_SESSION['logged_in'])) {
    header('Location: connect.php');
    exit();
}

echo "Hello " . $_SESSION["name"] . "!";
?>
phpchap
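Both answers gate contentselect.php on a session flag, and that is the right fix: the URL is not a secret, so the check has to run server-side on every protected page. The block below is an added example (editor's code, not from the question or either answer) that puts the check in one include and also fixes the problems raised in the comments. It regenerates the session ID at login against session fixation, replaces the string-built query and md5() with a prepared statement and password_verify(), and destroys the session fully on logout. It assumes PHP 7.3+, a PDO handle in `$pdo` supplied by mysql.php, and the same `project` table with `name` and `password` columns, where `password` holds password_hash() output.

```php
<?php
// auth.php: editor's example of the server-side gate both answers describe.
// Not code from the question or the answers. Assumes PHP 7.3+, a PDO handle in $pdo
// from mysql.php, and a `project` table whose `password` column holds password_hash() output.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                       // page scripts cannot read the session ID
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),  // set unconditionally true on a TLS-only site
    ]);
    session_start();
}

// Put require_login() at the top of every page that must not be reachable without logging in.
// The URL is not a secret, so this check is all that stands between a guest and the page.
function require_login(string $login_page = 'connect.php'): void
{
    start_secure_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['name'])) {
        header('Location: ' . $login_page);
        exit();
    }
}

// Check credentials and, on success, establish the session. Replaces the string-built
// query and md5() from connect.php.
function login(PDO $pdo, string $name, string $password): bool
{
    start_secure_session();

    // Prepared statement: $name is bound as a parameter, never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM project WHERE name = ? LIMIT 1');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();   // false when no such user

    // Run password_verify() even for unknown users so response time does not reveal
    // which usernames exist. $dummy is a throwaway hash computed once per process.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $hash === false ? $dummy : $hash) && $hash !== false;
    if (!$ok) {
        return false;
    }

    session_regenerate_id(true);   // new ID at privilege change: a pre-login fixed ID is now useless
    $_SESSION['logged_in'] = true;
    $_SESSION['name']      = $name;
    return true;
}

// Full logout: drop server-side data and expire the cookie with the parameters it was set with.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in the pages from the question (kept as comments so this file stays a pure include):
//
// contentselect.php:
//   require 'auth.php';
//   require_login();
//   echo "Hello " . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8') . "!";
//
// connect.php:
//   require 'mysql.php';   // must define $pdo
//   require 'auth.php';
//   if (isset($_POST['name'], $_POST['password']) && login($pdo, $_POST['name'], $_POST['password'])) {
//       header('Location: contentselect.php');
//       exit();
//   }
//   echo "wrong password or username";
//
// When creating accounts, store password_hash($plaintext, PASSWORD_DEFAULT), not md5().
```

The htmlspecialchars() call in the usage comment matters too: `$_SESSION['name']` is whatever the user typed at login, and echoing it raw, as every snippet on this page does, is a stored XSS on the greeting line.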