
I have my old login panel that seemed to work just fine for a long time until today. This is the code:

```php
if(!$_SESSION['logged']) {
    if(isset($_POST['name'])) {
        $name = clear($_POST['name']);
        $pass = clear($_POST['password']);

        if (empty($name) || empty($pass)) {
            echo '<p>You must fill out all the blanks.</p>';
            echo '<meta http-equiv="refresh" content="1;URL=logIn.php" />';
            echo '</center>';
        } else {
            $pass = codepass($pass);
            $result = mysql_query("SELECT Count(id), ACTIVE FROM `accounts` WHERE `USERNAME` = '$name' AND `PASSWORD` = '$pass'");
            $row = mysql_fetch_row($result);
            if($row[0] > 0 and $row[1]==1) {
                $_SESSION['logged'] = true;
                $_SESSION['userid'] = $row[0];
                echo '<p>You have been signed in!</p>'.$_SESSION['logged'].', '.$_SESSION['userid'];
                echo '<meta http-equiv="refresh" content="1;URL=index.php" />';
            } elseif($row[1]!=1) {
                echo '<p>You first have to activate the account before you can sign in. If you have not received any e-mail, please contact the administrator.</p>';
                echo '<meta http-equiv="refresh" content="1;URL=index.php" />';
            } else {
                echo '<p>Signing process cannot be completed!Please try again!</p>';
                echo '<meta http-equiv="refresh" content="1;URL=logIn.php" />';
            }
        }
    } else {
```

When I tried to sign in today, it didn't let me in. I added an `echo` call to see where the problem might be. It seems the values are properly assigned to the session, but as soon as the page changes to inform the user that he's been signed in, the session disappears for no reason. I can't see the mistake in the code. Plus, the code worked before, so why doesn't it this time? Can anyone point out the mistake? Thanks in advance.

Seban
  • Do you have `session_start()` at the beginning of both files? – Ivan86 Dec 28 '17 at 23:01
  • Take care, you have an [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work) – JohannesB Dec 28 '17 at 23:01
  • Yeah and you are using `MySQL`, consider using `MySQLi` instead – Ivan86 Dec 28 '17 at 23:03
  • @Ivan86, I use `session_start()`, and does it matter whether I use MySQL or MySQLi? They both seem to do the same thing, same with PDO. – Seban Dec 28 '17 at 23:09
  • And @JohannesB, what do you mean? My "website" isn't connected to the outside world. – Seban Dec 28 '17 at 23:10
  • Both files should have `session_start()` at the very beginning. The first line of code after ` – Ivan86 Dec 28 '17 at 23:11
  • @Ivan86, I said I have it, it has always been there, and I just checked if I didn't delete it. I have it at the beginning in all the files I use. And okay, I will check that 'improved' mysql – Seban Dec 28 '17 at 23:19
  • Did you change anything at all on your web server and/or php.ini values? – BareNakedCoder Dec 28 '17 at 23:56
  • @BareNakedCoder, yesterday I was working on something that would allow me to add a post to the website. Today I wanted to continue it, but I first need to sign in to continue, which is the reason I am here. And now I think that the problem may be hidden anywhere in the code, so I am looking for it. – Seban Dec 29 '17 at 02:37
  • Any advice on what kind of mistake I should be looking for? – Seban Dec 29 '17 at 02:41
  • @Seban, if you ever plan on using this code with other users, this code can be used to delete your whole database, and I was just making you aware of that fact. – JohannesB Dec 29 '17 at 11:54
  • Also, you should [hash](https://blog.hyphenate.io/everything-you-wanted-to-know-about-hashing-and-encrypting-passwords-but-were-afraid-to-ask-27e3f7610709) your passwords. – JohannesB Dec 29 '17 at 11:56
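
The two points raised in the comments (SQL injection in the login query, and password hashing) can be seen together in a rewritten login check. This is an added example, not the asker's code: the in-memory SQLite database standing in for the `accounts` table, the sample accounts, and the function names `checkLogin` and `signIn` are assumptions for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the question's `accounts` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, USERNAME TEXT UNIQUE, PASSWORD TEXT, ACTIVE INTEGER)');

// Constructed sample rows; passwords are stored as password_hash() output.
$add = $db->prepare('INSERT INTO accounts (USERNAME, PASSWORD, ACTIVE) VALUES (?, ?, ?)');
$add->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$add->execute(['pending', password_hash('hunter2', PASSWORD_DEFAULT), 0]);

// Returns ['ok', id], ['inactive', null] or ['denied', null].
function checkLogin(PDO $db, string $name, string $pass): array
{
    // Placeholder binding: $name is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, PASSWORD, ACTIVE FROM accounts WHERE USERNAME = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password produce the same result.
    if ($row === false || !password_verify($pass, $row['PASSWORD'])) {
        return ['denied', null];
    }
    if ((int) $row['ACTIVE'] !== 1) {
        return ['inactive', null];
    }
    return ['ok', (int) $row['id']];
}

function signIn(PDO $db, string $name, string $pass): string
{
    [$status, $id] = checkLogin($db, $name, $pass);
    // Session writes only happen when session_start() has already run.
    if ($status === 'ok' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session ID at the moment of login
        $_SESSION['logged'] = true;
        $_SESSION['userid'] = $id;     // the account's id column, not Count(id)
    }
    return $status;
}

// The apostrophe in the name is harmless because the value is bound, not concatenated.
var_dump(signIn($db, "o'brien", 'correct horse'));
var_dump(signIn($db, "o'brien", 'wrong'));
var_dump(signIn($db, 'pending', 'hunter2'));
```

Selecting the row by username and checking the hash in PHP also separates the "inactive account" case from the "wrong credentials" case, which the `Count(id), ACTIVE` query in the question cannot do reliably.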

0 Answers