Web Design Forum: sessions are not setting - Web Design Forum


sessions are not setting

#1 User is offline   lee sands 

Posted 09 January 2012 - 07:50 PM

Hi all, this is my login code, and the sessions are not being set when I echo them.
<?php
	session_start();
	
	if (isset($_POST['submit'])) {
		require_once "includes/conn.inc.php";
		$email = $_POST['username'];
		$pass = $_POST['password'];
		$sql = "SELECT * FROM cms_users WHERE email='".$email."' AND password='".$pass."' AND email_activated='1'"; 
		$results = mysql_query($sql,$conn);
		$login_check = mysql_num_rows($results);
		if($login_check == 1){ 
			$row = mysql_fetch_array($results);
			
			$id = $row["id"]; 
			$pass = $row['password'];  
			$firstname = $row["firstname"]; 
			$email = $row["email"]; 	
    		
			$_SESSION['id'] = $id; 	
    		$_SESSION['firstname'] = $firstname;   	
	  		$_SESSION['email'] = $email;  
		 	$_SESSION['user_logged'] = $email;			
			
			$_SESSION['user_password'] = $pass;		 
			mysql_query("UPDATE cms_users SET last_log_date=now() WHERE id='".$id."'",$conn);	
			header ("Refresh: 5; URL=" . $_POST['redirect'] . "");
			echo "You are being redirected to your original page request!<br>";
			echo "(If your browser doesn't support this, <a href=\"" . $_POST['redirect']. "\">click here</a>)";			
		} else {	
?>
<html>
<head>
<title>Beginning PHP5, Apache and MySQL</title>
</head>
<body>
<p>
 	Invalid Username and/or Password<br>
  Not registered? 
  <a href="register.php">Click here</a> to register.<br>
  <form action="login.php" method="post">
	<input type="hidden" name="redirect" value="<?php echo $_POST['redirect']; ?>">
	Username: <input type="text" name="username"><br>
	Password: <input type="password" name="password"><br><br>
	<input type="submit" name="submit" value="Login">
  </form>
</p>
</body>
</html>
<?php
  }
} else {
  if (isset($_GET['redirect'])) {
	$redirect = $_GET['redirect'];
  } else {
	$redirect = "index.php";
  }
?>
<html>
<head>
<title>Beginning PHP5, Apache and MySQL</title>
</head>
<body>
<p>
  Login below by supplying your username/password...<br>
  Or <a href="register.php">click here</a> to register.<br><br>
  <form action="login.php" method="post">
	<input type="hidden" name="redirect" value="<?php echo $redirect; ?>">
	Username: <input type="text" name="username"><br>
	Password: <input type="password" name="password"><br><br>
	<input type="submit" name="submit" value="Login">
  </form>
</p>
</body>
</html>
<?php
}
?>


Any ideas would help.
0

#2 User is offline   webdesigner93 

Posted 09 January 2012 - 08:33 PM

That code's a death trap for MySQL injections :unsure:

This post has been edited by webdesigner93: 09 January 2012 - 08:34 PM

0

#3 User is offline   lee sands 

Posted 09 January 2012 - 09:06 PM

What do you mean? You got a better way?
0

#4 User is offline   webdesigner93 

Posted 09 January 2012 - 09:23 PM

lee sands, on 09 January 2012 - 09:06 PM, said:

What do you mean? You got a better way?

I mean you're passing

 $email = $_POST['username'];
 $pass = $_POST['password'];


into your query with no protection, so basically someone could inject harmful things into your query. Not to mention, from what I can tell, the password in your database is not encrypted but is just plain text. I'd recommend adding the protection or using PDO, which is not vulnerable to MySQL injections.
0
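
Added example, not part of any post in this thread: the login lookup from post #1 rewritten with a PDO prepared statement and a hashed password column, covering the two points raised in post #4. The table and column names follow the original post; the in-memory SQLite database, the sample user and the function names are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// original post; the in-memory SQLite database and sample user are constructed.

function find_active_user(PDO $pdo, string $email): ?array
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT id, firstname, email, password FROM cms_users
         WHERE email = :email AND email_activated = 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check_login(PDO $pdo, string $email, string $password): ?array
{
    $user = find_active_user($pdo, $email);
    // The password column holds a password_hash() value, never the plain text,
    // so the comparison happens in PHP rather than in the WHERE clause.
    if ($user === null || !password_verify($password, $user['password'])) {
        return null;
    }
    unset($user['password']); // do not carry the hash into the session
    return $user;
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cms_users (id INTEGER PRIMARY KEY, firstname TEXT,
            email TEXT UNIQUE, password TEXT, email_activated INTEGER)');
$pdo->prepare('INSERT INTO cms_users (firstname, email, password, email_activated)
               VALUES (?, ?, ?, 1)')
    ->execute(['Lee', 'lee@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($pdo, 'lee@example.com', 'correct horse')); // matching credentials
var_dump(check_login($pdo, 'lee@example.com', 'wrong'));         // wrong password
var_dump(check_login($pdo, "nobody'@example.com", 'x'));         // quote is plain data
```

Only the returned `id`, `firstname` and `email` would then be copied into `$_SESSION`; the stored hash stays in the database.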

#5 User is online   rallport 

Posted 11 January 2012 - 10:35 AM

lee sands, on 09 January 2012 - 09:06 PM, said:

What do you mean? You got a better way?


http://www.lmgtfy.co...mysql+injection
0

#6 User is offline   lee sands 

Posted 11 January 2012 - 05:10 PM

OK, that code seems to me to be working fine now. Got a new problem, if anyone wants a look.

<?php 
	
	require_once '../configs/config.php';

	function get_option( $option) {
		
		$s = "SELECT option_value FROM cms_settings WHERE option_name ='".$option."' LIMIT 1";
		$q = mysql_query($s);
		$c = mysql_num_rows($q);
		
		if($c == 1) {
			$r = mysql_fetch_array($q);
			$r['option_value'];
			return $r;
		} else {
			$r = "No Result Sorry";
			return $r;
		}
	}
		
	
	echo get_option('siteurl');
	



returns

Array



This is an adaptation of the function WordPress uses, but all my own code.
0

#7 User is offline   webdesigner93 

Posted 11 January 2012 - 05:24 PM

<?php 
	
	require_once '../configs/config.php';

	function get_option() {
		
		$s = "SELECT option_value FROM cms_settings WHERE option_name ='".$option."' LIMIT 1";
		$q = mysql_query($s);
		$config = array();	
		while($r = mysql_fetch_array($q)){
		$config[$r['option_name']] = $r['option_value'];
                   }
		return $config;
	}
		
	$config = get_option(); 
	echo $config['siteurl'];
	


This should work for you.

This post has been edited by webdesigner93: 11 January 2012 - 05:25 PM

0

#8 User is offline   lee sands 

Posted 11 January 2012 - 05:34 PM

Notice: Undefined variable: option in C:\xampp\htdocs\cms\application\settings\settings.php on line 8

Notice: Undefined index: siteurl in C:\xampp\htdocs\cms\application\settings\settings.php on line 18

line 18 =
echo $config['siteurl'];



0

#9 User is offline   webdesigner93 

Posted 11 January 2012 - 05:38 PM

Use

$s = "SELECT * FROM cms_settings";


Not

$s = "SELECT option_value FROM cms_settings WHERE option_name ='".$option."' LIMIT 1";

This post has been edited by webdesigner93: 11 January 2012 - 05:39 PM

0
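
Added example, not part of any post in this thread: a `get_option()` that returns the value instead of the fetched row (the cause of the `Array` output in post #6) and binds the option name as a parameter, next to the load-everything variant from post #9. The `cms_settings` table and its columns follow the posts; the PDO connection argument, the `get_all_options()` name and the SQLite sample data are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. The cms_settings table and its
// columns follow the posts above; the SQLite data and URL are constructed.

function get_option(PDO $pdo, string $option, ?string $default = null): ?string
{
    $stmt = $pdo->prepare(
        'SELECT option_value FROM cms_settings WHERE option_name = :name LIMIT 1'
    );
    $stmt->execute([':name' => $option]);
    // fetchColumn() returns the first column of the row as a scalar, or false
    // when no row matched. Returning the whole fetched row is what made the
    // original print "Array".
    $value = $stmt->fetchColumn();
    return $value === false ? $default : (string) $value;
}

function get_all_options(PDO $pdo): array
{
    // One query for every setting, keyed by name: the approach in post #9,
    // selecting both columns so the option_name key is actually available.
    return $pdo->query('SELECT option_name, option_value FROM cms_settings')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cms_settings (option_name TEXT PRIMARY KEY, option_value TEXT)');
$pdo->exec("INSERT INTO cms_settings VALUES ('siteurl', 'http://localhost/cms')");

echo get_option($pdo, 'siteurl'), PHP_EOL;                    // single bound lookup
echo get_option($pdo, 'missing', 'No Result Sorry'), PHP_EOL; // falls back to default
echo get_all_options($pdo)['siteurl'], PHP_EOL;               // lookup in the full map
```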
