0

I made a custom login script, and it works just fine. However, after it redirects to the homepage, the $_SESSION['username'] value is changed to 'root', no matter what value it had beforehand. 'root' is the username for my database login.

I have to type all of this in by hand, so it might have an obvious error or two-

main_login.php (php include_once on sidebar.php which is included on every page)

<?php
if (!isset($_SESSION["username"])) {
?>

<!-- Simple login form action="checklogin.php" method="post"-->

<?php
} else {
?>

<!-- Table to display welcome user, and logout link -->

<?php
}
?>

checklogin.php:

<?php
session_start();
$db_name = "database";
$tbl_name = "users";

mysql_connect("localhost","root","password") or die("Cannot connect to SQL server");
mysql_select_db("$db_name")or die("Cannot select database.");

$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);

$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);

if ($count == 1) {
    $_SESSION["username"] = $username;
    $_SESSION["password"] = $password;
    header("location:login_success.php");
} else {
    echo "<script type='text/javascript'>\n";
    echo "setTimeout('redirect();',2000);\n";
    echo "function redirect(){\n";
    echo "window.location = 'index.php';\n";
    echo "}\n";
    echo "</script>\n";
    echo "Wrong Username or Password";
}

login_success.php:

<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:index.php");
}else{
session_regenerate_id();
}
// Apply permissions - problem existed before all of this code

mysql_connect("localhost","root","password") or die("Cannot connect to database.");
mysql_select_db("database") or die("Cannot select database.");

$username = $_SESSION['username'];

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
?>

<html>
<head>
<script type="text/javascript">
setTimeout("redirect();",4000);
function redirect(){
window.location = "index.php";
}
</script>
</head>
<body>
Login Successful.
<?php echo "Welcome ".$_SESSION["username"].".";
var_dump($_SESSION); // var_dump reveals that $_SESSION['username'] is still the login name.
?>
</body>
</html>

Once it goes through that whole process, everything is good. However, when it redirects to index.php, $_SESSION['username'] is now 'root'.

I'm asking to see if anyone has any idea why that might be happening (So I can understand the problem and prevent it in the future), and a fix to implement.

Thanks everyone.

Christopher
  • 277
  • 5
  • 19
  • 2
    There is no need to stripslash and mysql_real_escape the password because you just create an md5-hash of it. With your solution any change to stripslash or mysql_real_escape could break your login – Fender Feb 08 '11 at 08:28
  • Thank you fender, I will change that. This is my first attempt at PHP... never would have guessed, huh? – Christopher Feb 08 '11 at 09:19
  • It has been fixed - to no fault of the code. Though if I had more rep on SO, I'd give each of you +1 for great information that will definitely be used. Thank you all!! – Christopher Feb 08 '11 at 09:39
  • nothing bad in doing stripslashes and mysql_real_escape_string actually. You just have to understand where to use it. stripslashes **should** be used, but conditionally, only if the magic_quotes_gpc setting is turned on (but better is just to turn it off). mysql_real_escape_string can be used too, but in its place. It's a database-related function, so it should be the **last** thing done to the string variable that goes into the query. See my answer on the topic http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-db-should-i-take-care-of-illegal-characters/2995163#2995163 – Your Common Sense Feb 08 '11 at 09:53

5 Answers

3

The answer is very simple:

There is some code in your application which changes $_SESSION['username'] value to 'root'.

You have to investigate your code and find that place. Not a big deal.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • I changed all of my queries that have 'root' inside of it to either the variable name $dbusername or insert the username directly into the mysql_connect. Between all 4 pages (index.php included as that is where the change happens), there is nothing that denotes a variable change. – Christopher Feb 08 '11 at 09:13
  • @Christopher look, it's just simple logic. No PHP nor sessions nor mysql change your variable. It's your code, written by you. You have to debug it and find the problem. Nobody else. – Your Common Sense Feb 08 '11 at 09:16
  • .....I'm going to have to give the answer to you for the right method. I saw that header.php (Included on every page) still had the $username variable to connect with MySQL. I changed it and voila, it worked. However, I searched the page for $_SESSION global, but nothing. But I've been poring over the code I can find anything - even using the search function. Could a simple variable cause that to happen? – Christopher Feb 08 '11 at 09:38
  • 2
    @Christopher ah, there is a possible reason. PHP has an obsolete setting called 'register globals'. It's deprecated and has been turned off for ages (a decade, to be correct). It causes such behavior. Your system most likely has register_globals turned on and your $username variable is rewriting $_SESSION['username']. Just turn it off in php.ini – Your Common Sense Feb 08 '11 at 09:43
  • @Col. Yes, it was on. Odd that such an old function would still inhibit functions. In the future, would you recommend to never use the variable $username for anything but sessions? – Christopher Feb 08 '11 at 10:10
  • @Christopher I wouldn't say that. any variable can interfere with session if register globals on. So, it's better to just turn register_globals off. – Your Common Sense Feb 08 '11 at 10:24
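
The behaviour described in the comments above, as an added example that is not code from the thread: under register_globals, each registered session key is tied to a same-named script variable, so an include that assigns $username also rewrites $_SESSION['username']. The function names, the header.php stand-in and the sample session are constructed for illustration, and the aliasing is simulated with explicit references so the script runs on current PHP.

```php
<?php
// Added illustration; not code from the question or the answers.
// PHP 5.3-compatible syntax so the guard also runs on a legacy host.

// True only if the interpreter still honours register_globals. The directive
// was removed in PHP 5.4, where ini_get() returns false for it.
function register_globals_enabled()
{
    $value = ini_get('register_globals');
    return $value !== false
        && in_array(strtolower(trim($value)), array('1', 'on', 'yes', 'true'), true);
}

// Fail closed before any session data can be aliased to script variables.
// Server-side fix: "register_globals = Off" in php.ini.
if (register_globals_enabled()) {
    die('register_globals is enabled; disable it in php.ini');
}

// Models one request against a constructed session array. With $aliasGlobals
// set, every session key is bound by reference to a same-named variable,
// which is what register_globals did implicitly for session variables.
function session_after_db_include(array $session, $aliasGlobals)
{
    if ($aliasGlobals) {
        foreach (array_keys($session) as $key) {
            $$key =& $session[$key];
        }
    }

    // Stand-in for header.php (hypothetical contents): DB credentials kept
    // in generically named variables, as in the question's mysql_connect().
    $username = 'root';
    $password = 'password';

    return $session;
}

// Constructed sample session, shaped like the one checklogin.php builds.
$sample = array('username' => 'christopher', 'password' => md5('example'));

foreach (array('off' => false, 'on' => true) as $label => $alias) {
    $after = session_after_db_include($sample, $alias);
    echo "register_globals $label: session username = {$after['username']}\n";
}
```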
2

this part seems weird:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');

try this:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query); // run the query; mysql_result() needs the result resource

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();
Fender
  • 3,055
  • 1
  • 17
  • 25
1

Well,

Your Common Sense is probably right, you are setting it to root without realizing it. I just realized, after 2 hours of troubleshooting, that's what I was doing!

No matter what I tried, $_SESSION['username'] was changing from a real username to 'root'.

I finally realized that $_SESSION['username'] was NOT actually changing anywhere, but $username was. Here is why:

<?php
    if(!empty($_SESSION['username'])){
            $username = $_SESSION['username'];
            require_once '../includes/connect_to_db.php';
            echo $_SESSION['username']. ' is correct but '. $username. ' is not.';
    }
?>

Finally we see in the required file connect_to_db.php:

<?php
    $host="localhost"; // Host name
    $username="root"; // mysql username
    $password=""; // mysql password
    $db_name="BH_web_DB"; // Database name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect: ". mysql_error());
    mysql_select_db("$db_name")or die("cannot select DB");
?>

Simple fix:

$db_username="root"; // mysql username

So I was in fact setting it to root =) Hope this helps another.

gunslingor
  • 1,358
  • 12
  • 34
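
The collision in this answer needs no register_globals at all, because an included file runs in the scope of the line that includes it. The sketch below is an added example, not code from the answer; the temp-file contents, function names and sample user are constructed. It contrasts an include that assigns variables with one that returns its settings.

```php
<?php
// Added illustration; not code from the answer. File contents are constructed
// and written to temp files so the script runs on its own.

// Variant 1: assigns generically named variables, like connect_to_db.php above.
$leaky = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($leaky, '<?php $username = "root"; $password = "";');

// Variant 2: hands its settings back as a return value and defines no variables.
$scoped = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($scoped, '<?php return array("user" => "root", "pass" => "");');

// An include executes in the scope of the line that includes it, so the
// assignment inside the file replaces the caller's $username.
function username_after_leaky_include($file, $sessionUser)
{
    $username = $sessionUser;
    require $file;
    return $username;
}

// Same page logic, but the include only yields an array; the credentials
// live under $db and cannot collide with page variables.
function username_after_scoped_include($file, $sessionUser)
{
    $username = $sessionUser;
    $db = require $file;
    return array($username, $db['user']);
}

$sessionUser = 'alice'; // constructed sample value
echo 'leaky include:  ', username_after_leaky_include($leaky, $sessionUser), "\n";
list($pageUser, $dbUser) = username_after_scoped_include($scoped, $sessionUser);
echo 'scoped include: ', $pageUser, ' (db user: ', $dbUser, ")\n";

unlink($leaky);
unlink($scoped);
```

With require_once, a repeated include returns true instead of the array, so the return-value pattern needs plain require or a wrapper function that caches the settings.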
1

Why are you setting the $_SESSION['username'] variable again on login_success.php? You're setting the variables on check_login.php, correct?

Here is what I would do

On login_success.php print out your session variables to see what's going on. I can almost guarantee something is happening with your sql query. Set a condition to make sure you're actually getting results.

print_r($_SESSION);

if(!$_SESSION['username']) die('no session user name');

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);

if(mysql_num_rows($result) == 1){
    $_SESSION['username'] = mysql_result($result,0,'username'); //why do you need this?
    $_SESSION['permissions'] = mysql_result($result,0,'permissions');
    mysql_close(); 
}
else die('no user found');

Also on your checklogin page change the if statement to look for an actual variable in $_SESSION['username'] not just if it is set, I try to stay away from isset().

For the love of god don't store plain text passwords, it doesn't cost anything to implement a secure password hashing scheme. It's super easy to leverage PHP's crypt() function, also check this out for an open source secure method. http://www.openwall.com/phpass/

Brian
  • 4,328
  • 13
  • 58
  • 103
  • He doesn't store plain text passwords. He uses md5. It is not that secure anymore but it's better than plaintext^^ – Fender Feb 08 '11 at 09:06
  • Missed that line of code, but yeah unsalted md5 is hardly secure – Brian Feb 08 '11 at 09:08
  • Thanks for the security suggestions. I set the username again in login_success as another push to make sure the username was setting correctly. The problem was before I implemented that. I did var_dump($_SESSION); on every page through the process, and where it hangs up is the transition between login_success and index.php. Do you need the PHP code for index as well? – Christopher Feb 08 '11 at 09:15
0

I was having the same issue, turns out I didn't session start on the page where it displays 'root'.

if (!session_id()) session_start();

This helped!

Roshan Zaid
  • 336
  • 1
  • 4
  • 21