-2

I have this code that works fine on a development machine, but when ported over to production, the user will get the alert "wrong details" despite being right.

My guess is this is a session issue with PHP. However, I am seeing session files saved to /tmp on the server. Am I missing something obvious as to what is causing this issue?

The code is referenced below.

session_start();
include_once 'dbconnect.php';

if(isset($_SESSION['user'])!="")
    {
        header("Location: home.php");
    }
if(isset($_POST['btn-login']))
    {
        $email = mysql_real_escape_string($_POST['email']);
        $upass = mysql_real_escape_string($_POST['pass']);
        $res=mysql_query("SELECT * FROM `USERS` WHERE `EMAIL` = '$email'");
        $row=mysql_fetch_array($res);
        if($row['PASSWORD']==md5($upass))
            {
                $_SESSION['user'] = $row['ID'];
                header("Location: home.php");
            }
        else
            {
                ?>
                <script>alert('wrong details');</script>
                <?php
            }

    }
Barmar
Jason

4 Answers

1

Change

if (isset($_SESSION['user']) != "") {
    header("Location: home.php");
}

to

if (!empty($_SESSION['user'])) {
    header("Location: home.php");
}

For more information check out this post https://stackoverflow.com/a/1519849/1592783 by karim79. Or if you would like to know about empty check out http://php.net/empty

Jack
  • many love it when an explanation is given. That way, everyone learns. You know what's going on and I know and others, but many who are new to conditional statements and PHP will not. *Food for thought* on your future answers. Tip: it attracts more votes(+). ;-) – Funk Forty Niner Dec 22 '15 at 17:09
1

Try this. I made the following changes:

  • Fix the isset() test of $_SESSION['user']. You shouldn't compare it to "". Perhaps what you really want is if(!empty($_SESSION['user'])).

  • Use elseif, so that it only checks the email and password when the session variable isn't set.

session_start();
include_once 'dbconnect.php';

if(isset($_SESSION['user']))
    {
        header("Location: home.php");
    }
elseif(isset($_POST['btn-login']))
    {
        $email = mysql_real_escape_string($_POST['email']);
        $upass = mysql_real_escape_string($_POST['pass']);
        $res=mysql_query("SELECT * FROM `USERS` WHERE `EMAIL` = '$email'");
        $row=mysql_fetch_array($res);
        if($row['PASSWORD']==md5($upass))
            {
                $_SESSION['user'] = $row['ID'];
                header("Location: home.php");
            }
        else
            {
                ?>
                <script>alert('wrong details');</script>
                <?php
            }

    }
Barmar
  • Still same issue. Not entirely sure as to why it acts as it fails an md5 check. – Jason Dec 22 '15 at 17:06
  • Don't use `mysql_real_escape_string` on the password, since you're not substituting it into a query. – Barmar Dec 22 '15 at 17:17
  • Put `var_dump($row['PASSWORD'], md5($upass));` into the `else` clause so you can see what the password is. – Barmar Dec 22 '15 at 17:18
  • 1
    Better yet, don't use MD5 at all, but something more of "this century". – Funk Forty Niner Dec 22 '15 at 17:19
  • @Fred-ii- If the logic is wrong, it doesn't matter what password hash he uses. Let's get the logic right first. – Barmar Dec 22 '15 at 17:20
  • 1
    I'm surprised you didn't make a mention about their use of MD5. Had I put an answer in and not mentioning that and substituting it for a safe hashing function, people would be all over me. Edit: not to mention their use of `mysql_`. – Funk Forty Niner Dec 22 '15 at 17:22
1

The isset will return only true or false.

if(isset($_SESSION['user'])!="")

Try to change it to

if(isset($_SESSION['user']))

Or compare the value of the $_SESSION['user'] with:

if($_SESSION['user'] == "")
lwb
0

So I finally fixed it. Going from Windows to Linux, MySQL table names become case sensitive. Did not know that.

Jason
  • 1
    Yeah, *NIX and Windows are two different animals altogether, *everywhere*. Keep that in mind for folder/filename naming conventions also ;-) – Funk Forty Niner Dec 22 '15 at 17:16
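
The table-name case mismatch found above looked like a wrong password only because the failed query's result was never checked. The following is an added example, not code from any poster in this thread: it reports a query failure separately from bad credentials and replaces MD5 and the `mysql_` functions that the comments flag. The DSN, database credentials and the `PASSWORD` column holding a `password_hash()` value are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// question; the DSN, the credentials and a PASSWORD column that stores
// password_hash() output are assumptions.

function attempt_login(PDO $pdo, string $email, string $password): ?int
{
    // Bound parameter: the email is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT `ID`, `PASSWORD` FROM `USERS` WHERE `EMAIL` = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown email and hash mismatch look identical to the caller.
    if ($row === false || !password_verify($password, $row['PASSWORD'])) {
        return null;
    }
    return (int) $row['ID'];
}

session_start();
if (!empty($_SESSION['user'])) {
    header('Location: home.php');
    exit; // stop the script once the redirect is sent
}

if (isset($_POST['btn-login'])) {
    try {
        // ERRMODE_EXCEPTION makes a failed query (for example a table name whose
        // case does not match on Linux) throw instead of quietly returning false.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user',
            'placeholder-password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $userId = attempt_login($pdo, (string) filter_input(INPUT_POST, 'email'),
            (string) filter_input(INPUT_POST, 'pass'));
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // server-side log only
        http_response_code(500);
        exit('Login is temporarily unavailable.');
    }
    if ($userId !== null) {
        session_regenerate_id(true); // fresh session ID on login
        $_SESSION['user'] = $userId;
        header('Location: home.php');
        exit;
    }
    echo "<script>alert('wrong details');</script>";
}
```

Rows that still hold MD5 values will not pass `password_verify()`; those accounts need their passwords re-hashed with `password_hash()`, for example at the next password reset.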