1

From index.php I get the values of the username and password fields with $_POST.

index.php

```php
if(isset($_POST["username"]) && isset($_POST["password"])){

    $username = mysql_real_escape_string(strtolower($_POST['username']));
    $password = mysql_real_escape_string($_POST['password']);

    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;

    checkUser($_SESSION['username'], $_SESSION['password']);
}
```

Then I store these $username and $password variables inside the $_SESSION and call a function `checkUser($_SESSION['username'], $_SESSION['password']);` which sends two parameters. The checkUser() function executes inside lib.php.

lib.php

```php
session_start();

function checkUser($username, $password){
    include "connection.php";
    $result = mysqli_query($conn, "SELECT * FROM `data` WHERE `username` = '$username' AND `password` = '$password'") or die("No result".mysqli_error($conn));

    $row = mysqli_fetch_array($result);
    $logic = false;

    if (($row['username'] == $username) && ($row['password'] == $password)) {

        $logic = true;

        echo "HI,".$username;
?>

  <a href='logout.php'>Log Out</a>

<?php

        $file = $row['file'];
        echo "<img src='images/users/".$file."' >";
    }
    else{
        echo "Failed to login. Username or password is incorrect. Try again.";
    }
}
```

This part is for showing the name of the user and the image according to it.

logout.php works

logout.php

```php
unset($_SESSION["username"]);
unset($_SESSION["password"]);
unset($_SESSION["file"]);
header("Location: index.php");

session_destroy();
```

The problem is when I navigate from one page to another, the $_SESSION variable becomes empty. Something is wrong with session. Please help me.

Ani Naslyan
  • Maybe any issues with file permissions (Session Data not being saved) or Cookie issues (Maybe content output before the session start, blocking the header or an incorrect server clock) – bardiir May 16 '17 at 10:53
  • Make sure you have added `session_start();` at the top of the page, where you are getting session variables as blank. – Mahesh Singh Chouhan May 16 '17 at 10:55
  • It's extremely messy to start sessions inside library includes. Furthermore, please rethink your current approach. Why store users that are not validated yet and then rely on getting them successfully removed? Why not validate *first*? – Álvaro González May 16 '17 at 10:56
  • You store passwords in plain-text? – andrew May 16 '17 at 10:56
  • Check session file and see if it is stored, add `session_start();` to top of every page. Don't use `mysql_` use `mysqli_` or `PDO`, and also use it with prepared statements. – Aleksa Arsić May 16 '17 at 10:57
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly May 16 '17 at 10:57
  • You are doing `include "connection.php";` twice in one function????? Will cause a very confused connection, or at a minimum waste a lot of connections which take quite a while to make – RiggsFolly May 16 '17 at 10:58
  • Do you include lib.php to the rest of your files? – Aleksa Arsić May 16 '17 at 10:58
  • The validation is already checked. – Ani Naslyan May 16 '17 at 11:00
  • In fact you are doing `include "connection.php";` **all over the place.** Which just leads us to believe all the rest of your code is as badly designed. **Without seeing a lot more of the code we cannot do anything other than make guesses** – RiggsFolly May 16 '17 at 11:00
  • your code is very messy. – Rotimi May 16 '17 at 11:01
  • @RiggsFolly with `echo "Hi, ".$username; ` it's also wide open to XSS and CSRF – andrew May 16 '17 at 11:02
  • And what is `session.start()` that does not look like valid PHP – RiggsFolly May 16 '17 at 11:03
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. – RiggsFolly May 16 '17 at 11:04
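
The comments above recommend validating first, using prepared statements, not storing plain-text passwords, and escaping output. The following is an added example showing those points together; it is not the asker's code or part of any comment. It assumes PDO with an in-memory SQLite table standing in for the `data` table, and the `password_hash` column and the `demoDb()` and `greeting()` helpers are hypothetical.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for the `data`
// table; the `password_hash` column and helper names are hypothetical.
declare(strict_types=1);

session_start(); // before any output, on every page that reads $_SESSION
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE data (username TEXT PRIMARY KEY, password_hash TEXT, file TEXT)');
    // Constructed sample row; only the hash is stored, never the password.
    $ins = $pdo->prepare('INSERT INTO data VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'alice.png']);
    return $pdo;
}

function checkUser(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT username, password_hash, file FROM data WHERE username = ?');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // nothing is written to the session on failure
    }
    session_regenerate_id(true);          // new session id after login
    $_SESSION['username'] = $row['username'];
    $_SESSION['file']     = $row['file']; // the password is never stored
    return true;
}

function greeting(): string
{
    if (!isset($_SESSION['username'])) {
        return 'Failed to login. Username or password is incorrect. Try again.';
    }
    // Escape on output so stored values cannot inject markup.
    $name = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    $file = htmlspecialchars(basename($_SESSION['file']), ENT_QUOTES, 'UTF-8');
    return "Hi, $name <a href='logout.php'>Log Out</a> <img src='images/users/$file'>";
}

$pdo = demoDb();
// Constructed inputs: an injection-style password fails, the real one succeeds.
$bad  = checkUser($pdo, 'alice', "' OR '1'='1");
$good = checkUser($pdo, 'Alice', 'correct horse');
var_dump($bad, $good); // printed only after the session calls, so no header warnings
echo greeting(), PHP_EOL;
```

With MySQL, only the DSN passed to `new PDO(...)` changes; the prepared statement and the `password_verify()` check stay the same.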

1 Answer

1

In the PHP pages where you need to access the session variable, add `session_start()` after the starting `<?php` code.

Exprator
  • Can you tell me what you mean by navigating to another page? I mean, how are you doing that? – Exprator May 16 '17 at 11:05
  • And what is `session.start()` that does not look like valid PHP code – RiggsFolly May 16 '17 at 11:05
  • By saying navigation I mean that when I am inside the Home page and if I have logged in there the $_SESSION stays, but when I go to eg. Contact page, the $_SESSION is empty. The url of Home page is `Project/index.php?page=1`, Contact page is `Project/index.php?page=2` – Ani Naslyan May 16 '17 at 11:10
  • Did you use session_start() or session.start()? session.start() is not valid bro, try checking it and replace it with 'underscore(_)' – Exprator May 16 '17 at 11:11
  • I have written `session_start();` sorry for my previous comment. – Ani Naslyan May 16 '17 at 11:13
  • Change the URL to confirm that you have a browser problem, like for home page- index.php and for contact- contact.php – Exprator May 16 '17 at 11:24
  • Both Home and Contact pages work inside index.php. The data is taken from the database. – Ani Naslyan May 16 '17 at 11:40
  • I know that bro. I am asking it just to see if your browser is working or not, just change for the time being and check, later you can change it – Exprator May 16 '17 at 11:41