
Please help, I am writing a php login script. I really need help. I have tried it for days without success. I have this line of code on top of my login page

<?php
    ob_start();
    if (isset($_SESSION['admin'])) {
        header('Location: admin.php');
    }

Here is my login (index.php) script

<?php
require "includes/dc_conect.php";
if (isset($_POST['submit']))
{
    $username=mysql_real_escape_string(htmlentities($_POST['username']));
    $password=mysql_real_escape_string(htmlentities($_POST['password']));

    if($username==NULL || $password==NULL)
    {
        echo 'All fields must be filled';
    }
    else
    {
        $sql="SELECT * FROM users WHERE username='$username' && password='$password'";
        $result=mysql_query($sql, $link);
        $dbfield=mysql_fetch_assoc($result);
        $count=mysql_num_rows($result);
        if($count>0)
        {
            //Set username session variable
            $_SESSION['admin'] = $username;
            header('Location: admin.php');
        }
        else
        {
            echo"<blink>"."<font color='#FF0000'>"."Username and/or Password is incorrect!"."</blink>";
        } 
    }       
}
?>

When I log in, it returns me to the login page.

Here is the script at the top of my admin.php:

<?php
// start session
ob_start();
session_start();

//check to see if user is already logged in, then redirect
if(!isset($_SESSION['admin']))
{
    header("Location: index.php"); 
    exit();
}
else
{
    require "includes/dc_conect.php";

    $username=$_SESSION['admin'];

    $sql="SELECT * FROM users WHERE username='$username'";
    $result=mysql_query($sql, $link) or die (mysql_error());
    $dbfield=mysql_fetch_assoc($result);
    $count=mysql_num_rows($result);

    echo $dbfield['username'];
}
?>

Please could someone help me?

Cheesebaron
  • You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Nov 29 '13 at 17:37
  • `mysql_real_escape_string(htmlentities`? Why `htmlentities`? It is a database not an HTML document! – Quentin Nov 29 '13 at 17:38
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Nov 29 '13 at 17:38
  • You never bother doing `session_start()` in your login script. – Marc B Nov 29 '13 at 17:41
  • Remember: anywhere you use the $_SESSION global variable, you must call `session_start()` -- [usually as the very next command after ` – cssyphus Nov 29 '13 at 17:47

1 Answer

You need to call session_start() before you try to read from $_SESSION

<?php
ob_start();
session_start();   // must run before any $_SESSION access
if (isset($_SESSION['admin'])) {
    header('Location: admin.php');
    exit();        // stop the script after issuing the redirect
}

As MarcB points out, you also need to do this before setting the session variable in index.php.

Quentin
  • worse than that, OP never does session_start in the login script, so the 'admin' flag never gets set in the first place – Marc B Nov 29 '13 at 17:41
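Pulling the answer and the comments together, here is an added example (not code from the asker or from Quentin) of the index.php handler with the session started first, a prepared statement instead of string-built SQL, and password_verify() against a stored hash. It assumes a PDO connection in `$pdo` (the asker's includes/dc_conect.php is assumed to create it) and that the users.password column holds a password_hash() result.

```php
<?php
// Added example: hardened version of the asker's login handler.
// Assumptions: includes/dc_conect.php defines a PDO object $pdo, and the
// password column was written with password_hash($plain, PASSWORD_DEFAULT).
ob_start();
session_start();                        // must precede any $_SESSION access

if (isset($_SESSION['admin'])) {
    header('Location: admin.php');
    exit();                             // nothing below should run after a redirect
}

require "includes/dc_conect.php";       // assumed to create $pdo

if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if ($username === '' || $password === '') {
        echo 'All fields must be filled';
    } else {
        // The placeholder keeps user input out of the SQL text, so no
        // mysql_real_escape_string() (and no htmlentities()) is needed here.
        $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Compare against the stored hash; never against a plaintext column.
        if ($row !== false && password_verify($password, $row['password'])) {
            session_regenerate_id(true); // fresh session id once privileges change
            $_SESSION['admin'] = $row['username'];
            header('Location: admin.php');
            exit();
        }

        // One message for both "no such user" and "wrong password";
        // escape only at output time, because this goes into HTML.
        echo htmlspecialchars('Username and/or Password is incorrect!', ENT_QUOTES, 'UTF-8');
    }
}
```

The check in admin.php stays as the asker wrote it (session_start(), then redirect and exit() when $_SESSION['admin'] is unset); only the side that sets the flag needed the session started first.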