php session dropped after form submit

Question

Seems, that I can't add password protection to the script: it should allow to login with the pass and to submit data from the form to mysql. Login looks fine, but if I try to press submit, it returns me to login page. Seems, that session is dropped or overwritten, but is not clear, how:

//login area
<?php 
$password = "test"; 
session_start();
$_SESSION['txtPassword']= $_POST['txtPassword'] ;
if ( $_SESSION['txtPassword']!=$password ) {
?>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 
<p><label for="txtPassword">Password:</label> 
<br /><input type="text" title="Enter your password" name="txtPassword" /></p> 
<p><input type="submit" name="Submit" value="Login" /></p> 
</form> 
<?  
}
elseif (  $_SESSION['txtPassword']=$password ) { 
echo $_SESSION['txtPassword'] ; // tried to print password, result is correct:      test 

//my db connection, just in case:
include "config.php";
$connect = mysqli_connect(HOST, USER, PASSWORD, NAME);

// data which should be inserted to db
if 
(@$_POST['posted']=='1' $_POST['posted'])) {
 $sSQL = "UPDATE users SET user_login='".mysqli_real_escape_string($connect, $_POST['usern'])."',user_pass='".mysqli_real_escape_string($connect, dohashpw($_POST['passw']))."' WHERE ID=1";
mysqli_query($connect, $sSQL) or print(mysql_error());
print ' <div class="container"> <p class="pstype">Password updated! </p>';
...
 //input form 
 <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"><input   type="hidden" name="posted" value="1" />

 <div class="col-xs-3">
 <label for="ex2">New Username: </label> 
 <input type="text" class="form-control input-lg" name="usern" >
 </div>

 <div class="col-xs-3">
 <label for="ex2">New Password: </label> 
 <input type="password"  class="form-control input-lg" name="passw" >
 </div>

 <div class="col-xs-3">
 <input type="submit" value="Submit" onclick="<? mysqli_query ($connect, $sSQL);?>; ">
 </div>
 </form>

I am able to login this page, but when I fill the form and click Submit, I get login area again. If echo $_SESSION show a correct result, I think that it was established, but data are lost after for submit. Could you please help to find my error?

Sidenote: For one thing, passing passwords in sessions isn't a very good idea. Either way, check for errors. — Funk Forty Niner, Jul 26 '16 at 12:30
This isn't comparing, `elseif ( $_SESSION['txtPassword']=$password )`. What is `@$_POST['posted']=='1' $_POST['posted']` suppose to do? — chris85, Jul 26 '16 at 12:31
`mysql_error` won't work with `mysqli`, `onclick=" mysqli_query` wont work. PHP is server side. `onClick` can only occur client side. Also do you have short tags enabled? Look into AJAX. — chris85, Jul 26 '16 at 12:33
use echo and check whether $_POST['txtPassword'] ; return the password correctly — dulaj sanjaya, Jul 26 '16 at 12:35
**Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Jul 26 '16 at 12:38
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Jul 26 '16 at 12:38

score 0 · Answer 1 · answered Jul 26 '16 at 12:33

0

You are assigning and not comparing here :

elseif (  $_SESSION['txtPassword']=$password ) {

this is better

elseif (  $_SESSION['txtPassword']==$password ) {

but thats a bad idea anyway, passwords should not be stored in session variables like this, and you have to hash them once the user submit them and only manipulate and store the hashed passwords in your code and database

answered Jul 26 '16 at 12:33

Thomas G

9,886
7
28
41

Yes you are right. But it is not the problem here. because if condition executed here.That is the problem – dulaj sanjaya Jul 26 '16 at 12:40

score 0 · Answer 2 · answered Jul 26 '16 at 12:46

<?php 
$password = "test"; 
session_start();
$_SESSION['txtPassword']= $_POST['txtPassword'] ;
if($_SESSION['txtPassword']!=$password ){
?>
   <form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ? >"> 
   <p><label for="txtPassword">Password:</label></p>
   </br>
   <p><input type="text" title="Enter your password" name="txtPassword"/> </p> 
   <p><input type="submit" name="Submit" value="Login"/></p> 
   </form> 

<?php  
}
else{ 
 echo $_SESSION['txtPassword'];
}
?>

i am not understanding why the elseif stands for? you are already checking inside the if condition which both are not equal?.

php session dropped after form submit

2 Answers2