I am trying to set the session information if the user logs in successfully, but the values are not setting or are setting blank. I have session_start(); at the top of every page, including the login handler and all protected pages. Am I missing something?

```php
$qry= "SELECT * FROM members WHERE username='$username';";
$result=mysql_query($qry);
$rows=mysql_fetch_object($result);

//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result) == 1) {
        if($rows->authlevel == "admin") {  //if it's not an admin no need to check password
            if($password = $rows->password) {
                session_regenerate_id();
                $member = mysql_fetch_assoc($result);
                $_SESSION['SESS_MEMBER_ID'] = $member['username'];
                $_SESSION['SESS_FIRST_NAME'] = $member['username'];
                $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
                $_SESSION['SESS_LAST_NAME'] = $member['username'];
                session_write_close();
                header("location: admin_index.php");
                exit();
            } else {
                header("location: login-failed.php"); //change for bad password etc.
            }
        } else {
            header("location: login-failed.php");  //change for invalid user level ( you do not
        }
    } else {
        header("location: login-failed.php");
    }
} else {
    die("Query failed"); //change for username not found, or unknown username
}
?>
```

Note: Yes, I know, I should use MYSQLi or PDO, but I will implement that later. This is mostly for learning purposes so I'll get there eventually.

Funk Forty Niner
Bora
  • If you honestly want to learn, do it right from the start. Excuses like "yeye I know PDO, MySQLi, but it comes later" are lame. We all know you simply don't care about it because it wouldn't take you any more or less effort to use PDO or MySQLi from the start. Never use **learning** as an excuse when you want us to ignore the fact that you're learning it the wrong way. – icecub Jul 04 '16 at 22:45
  • When I try to do it in MYSQLi, the service I'm using to host the site fails. Is it possible for a service to support MYSQL but not MYSQLi? @icecub – Bora Jul 04 '16 at 22:47
  • No it isn't. Unless your service is using a VERY old version of PHP or a very old version of MySQL server. In which case you should run from that service very fast and find a better one. In all other cases it should work perfectly fine. – icecub Jul 04 '16 at 22:50
  • Ok. I'll try it out again. Thanks @icecub – Bora Jul 04 '16 at 22:52
  • If you really want to learn this, it's not a shame to ask ppl here to take some time with you to teach you stuff. We've all been where you are now and most of us know how hard it can be. Especially in the beginning. I don't mind teaching you to work with PDO. You'll get the hang of it within 30 mins and that includes Prepared Statements. Because it all sounds very hard, but it's actually quite simple. – icecub Jul 04 '16 at 22:56
  • Thank you! I will be switching providers soon, but when I do, I'd love to take up the offer to learn PDO. I noticed an email in your profile. Would you mind if I contact you once I make the switch? @icecub – Bora Jul 04 '16 at 22:59
  • Sure that's perfectly fine. – icecub Jul 04 '16 at 23:00
  • @icecub I sent you an email – Bora Jul 05 '16 at 01:18
  • You're lucky. I was about to go to bed. I've sent you a reply through email. – icecub Jul 05 '16 at 01:37
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/116415/discussion-between-icecub-and-bora). – icecub Jul 05 '16 at 01:42

1 Answer

```php
if($password = $rows->password) {
```

is true if there is a true-ish value to assign. You need to compare "==" not assign "=".

```php
if($password == $rows->password) {
```

Edit: The next problem is that you are fetching an object at the top

```php
$rows=mysql_fetch_object($result);
```

and then later fetch the next row as an associative array from the same $result - and the next row is empty (there is only 1 row in your result).

```php
$member = mysql_fetch_assoc($result);
```

Instead you should be setting your session variables from the $rows object you already have.

```php
$_SESSION['SESS_MEMBER_ID'] = $rows->username;
$_SESSION['SESS_FIRST_NAME'] = $rows->username;
$_SESSION['SESS_FIRST_NAME'] = $rows->firstname;
$_SESSION['SESS_LAST_NAME'] = $rows->username;
```
trs
  • Thanks, but this didn't quite solve the issue. I'm trying to get the field to display on another page using this code inline with the HTML `

    Welcome,

    ` Am I missing something?
    – Bora Jul 04 '16 at 22:43
  • Quick note: _"{code} is always true"_ is not _necessarily_ true. Take a look: [https://eval.in/600439](https://eval.in/600439). But that's just me nitpicking ;) – FirstOne Jul 04 '16 at 22:45
  • I'll give a shot to your updated answer. One second while I run it – Bora Jul 04 '16 at 22:54
  • I changed the session things but what was I supposed to do with object and assoc? – Bora Jul 04 '16 at 22:56
  • Am I supposed to do $member->username – Bora Jul 04 '16 at 23:09
  • You're fetching the data twice, once into a variable called `$rows` using `mysql_fetch_object()` and later into `$member` using `mysql_fetch_assoc()`. The second "fetch" does not fetch anything, as there is not a second record to fetch. Therefore your variable `$member` is empty and `$_SESSION` stays empty. You do not need to fetch a second time, you can just access the data you already have in `$rows`. – trs Jul 05 '16 at 02:23
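
The fixes from the answer combined in one login check, as an added example that is not part of the original question or answer: the row is fetched once, the password is compared rather than assigned, and the query uses the PDO prepared statement mentioned in the comments. It assumes the `password` column holds a `password_hash()` value, runs against a constructed in-memory SQLite table, and `authenticate_admin` is a hypothetical name.

```php
<?php
// Added example. Assumes members.password stores a password_hash() value;
// authenticate_admin() is a hypothetical helper name.
function authenticate_admin(PDO $db, string $username, string $password): ?array
{
    // Prepared statement: $username is bound as data, never concatenated into SQL.
    $stmt = $db->prepare(
        'SELECT username, firstname, password, authlevel
           FROM members WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);

    // Fetch exactly once. A second fetch on a one-row result returns false,
    // which is what left $member (and so $_SESSION) empty in the question.
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false || $member['authlevel'] !== 'admin') {
        return null;
    }
    // Compare, do not assign: `if ($password = ...)` overwrites $password and
    // passes whenever the stored value is truthy.
    if (!password_verify($password, $member['password'])) {
        return null;
    }
    unset($member['password']);   // keep the hash out of the session
    return $member;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, firstname TEXT, password TEXT, authlevel TEXT)');
$db->prepare('INSERT INTO members VALUES (?, ?, ?, ?)')
   ->execute(['bora', 'Bora', password_hash('constructed-pass', PASSWORD_DEFAULT), 'admin']);

session_start();
$member = authenticate_admin($db, 'bora', 'constructed-pass');
if ($member !== null) {
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['SESS_MEMBER_ID']  = $member['username'];
    $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
}
var_dump($_SESSION);                                       // values set from the single fetch
var_dump(authenticate_admin($db, 'bora', 'wrong-pass'));   // result for a rejected login
```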