Member Avatar for rotten69

Hi there,
I have been trying to fix the problem in the below code for a long time, it did work for me at some point. Then, it suddenly stopped storing user's details in a session.

        $user  = $_POST['username'];
        $pass  = $_POST['password'];
        $query = "SELECT username, password FROM
                  USERS WHERE username = '$user' 
                  AND password='$pass' ";


        $result = mysql_query($query) or mysql_error();

        $row = mysql_fetch_assoc($result);



        if(  $row['username'] == $user ){

            $_SESSION['username'] = $row['username'];
            $_SESSION['password'] = $row['password'];
            header('Location:settings.php');
        }




        and this is the form where the above mentioned script gets the values from




            echo "<form action='log_in.php' method='post' >";
                        echo "<input type='text'     name='username' placeholder='username' "; 
                        echo "<input type='password' name='password' placeholder='password' ";
                        echo "<input type='submit' value='Log in' > ";   
            echo "</form>";
  • 8 Contributors
  • 12 Replies
  • 209 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for dcdruck

Are you calling session_start anywhere?

Member Avatar for mbhanley

I had a similar problem but it was due to something like not adding: ifisset

 $user = if(isset($_POST['username']))
 $pass = if(isset($_POST['password']))

have you tried turning on all errors to see what may be causing the problem.

error_reporting(E_ALL);

Member Avatar for rotten69

yes.I'm calling session_start() in other pages.

Member Avatar for Zagga

session_start() must be called at the start of every page or you will lose the session variables when that page loads.

Member Avatar for rotten69

it is all fixed now. cheers guys!

Member Avatar for AndreRet

Please mark as solved, it still shows as open thread in forum, thanx.

Member Avatar for Octet

Although the thread is closed, I should add that you are vulnerable to what is called SQL Injection.
This is where people enter malicious code into your form and because SQL executes it as part of the query then it can do a lot of damage.

The best way as of the present is to use the new MySQL(improved) extension or to just simply add mysql_real_escape_string before you POST.

Instead of $user = $_POST['username']; you should use $user = mysql_real_escape_string($_POST['username']); at a minimum to escape any dangerous characters.

Member Avatar for diafol

SQL injection is indeed a problem, however, as opposed to using mysql_* functions, you should give serious thought to moving across to mysqli_* or PDO. mysql_* has an uncertain future. The benefits of PDO for example is that you can apply parameterized queries:

$st = $db->prepare("SELECT field3, field4 FROM table WHERE field1 = :f1 AND field2 = :f2");
$st->execute(array(':f1'=>$var1, ':f2'=>var2));

That does away with all the escaping routines.

Edited by diafol
Member Avatar for dcdruck

To expand upon what diafol said, PDO also provides a layer of abstraction to the database so that you can change DBMSs in the future without having to rewrite all of your querying code.

Member Avatar for rotten69

Thanks guys for the help and suggestions. I will be looking into PDO.

Member Avatar for tesha29

please any one help me i want now php code for barcode reader,i want whole complate code....

Member Avatar for diafol

@tesha29

Please start a new thread - do not hijack this solved thread.
Better still, search this site as I remember this coming up many times in the past.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.