8, October 2008

Help with php_sessions login system, please? - webmaster forum

 

Author Topic: Help with php_sessions login system, please?  (Read 572 times)
OMG!I am geek
**
Gender: Male
Posts: 55
366 credits
Members referred : 0


my day will come..


« on: Feb 18, 2007, 08:36:24 PM »

Hi guys, I know you guys have been a little bit upset about my questions posted here before, because they may look like rookie questions, but I never said I was a pro and I'm stuck once again.
So, if anyone could help I'd be very grateful.
My question is kind of simple (probably) for you guys. I'm validating a user through PHP+MySQL, and, if the username and password match, the script is supposed to begin a PHP session and register it so the user can go around the PHP files without having to retype anything. But it's not initializing the session. Before, it seemed to work, but I changed the code a bit to try to fix it and now it doesn't even work.
Anyway, when it seemed to work, whenever I moved on to any other page it stopped validating; the session was not working.
Also, the session is not being registered, because I get this message when I try to login:
Code:
if(!isset($_SESSION['misesion']))
{
echo "<P>No ha iniciado ninguna sesi&#243;n, quiz&#225; quiera <a href=index.php?login=si>hacerlo ahora</A>.";
}


Full code here:



Code:
include_once('config.php');


if($_GET['login'])
{
include_once('encabezado.php');
echo "<P><BIG><BIG><B>Accesar</B>:</BIG></BIG><BR><font color=red>";
echo "Ingrese un usuario y contrase&#241;a v&#225;lidos..</font></P>";
echo "<form method=post action=?validame=si><P>http://www.<input type=text ";
echo "name=dominio value=><BR>Contrase&#241;a:<input type=password name=contrasena>";
echo "<BR><input type=submit></form></P>";
include_once('bottom.php');
}

if($_GET['validame']=="si")
{
$result=mysql_query("SELECT * FROM usuarios
WHERE
dominio='" . $_POST['dominio'] . "' && contrasena='" . md5($_POST['contrasena']) . "'
LIMIT 1");
while($row = mysql_fetch_array($result))
{
session_start();
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
session_register('misesion');
}
if(isset($_SESSION['misesion']))
{
$result=mysql_query("SELECT * FROM usuarios
WHERE
dominio='" . $_SESSION['dominio'] . "' && contrasena='" . $_SESSION['contrasena'] . "'
LIMIT 1");
while($row = mysql_fetch_array($result))
{
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
include_once('encabezado.php');
require('usuario.php');
include_once('bottom.php');
}
}
if(!isset($_SESSION['misesion']))
{
echo "<P>No ha iniciado ninguna sesi&#243;n, quiz&#225; quiera <a href=index.php?login=si>hacerlo ahora</A>.";
}
if(mysql_num_rows($result) == 0)
{
echo "<P><b><font color=red>Usuario o Contrase&#241;a no v&#225;lidos!</font></b></P>";
echo "<P><a href=\"index.php\">Quiz&#225; quiera intentarlo de nuevo haciendo click aqui</A>.</P>";
include_once('bottom.php');
exit();
}
}

You can access the file through this link:
http://189.153.96.165/laguna/index.php?login=si

Regards!
« Last Edit: Feb 18, 2007, 09:31:41 PM by eliezer »
I am a metal monkey!
Administrator
Community Supporter ?
Jedai Sword Master
*****
Gender: Male
Posts: 8104
41581 credits
Members referred : 3



« Reply #1 on: Feb 18, 2007, 09:49:00 PM »

From a first look it seems that your script is really insecure. You must addslashes() whatever you put in the queries, as the way it is now anyone can login or truncate your database.

Maybe you should use Olaf's access user class for this thing.

Trial and Error my two best teachers Cool
Join us @ facebook Visit through proxy

Last blog : Current Events + Big Sites = Easy Money
OMG!I am geek


« Reply #2 on: Feb 18, 2007, 10:41:32 PM »

Darn.
I'll go read some login tutorials. I mean, Olaf's class is great but I'd like to get this done by myself so I can learn some.
Thanks for the reply anyway Nikolas. (:
I am a metal monkey!
Administrator



« Reply #3 on: Feb 18, 2007, 10:50:01 PM »

In your script you are not setting $_SESSION['dominio'] and $_SESSION['contrasena']

I guess this is a part of the problem.

Also instead of

session_register('misesion'); 

You can use :

$_SESSION['misesion'] = true;

BTW we always love to help people who want to learn, so don't hesitate to ask whatever you want.
But do not use this snippet in a production server as it can cause security issues.

OMG!I am geek


« Reply #4 on: Feb 18, 2007, 11:18:03 PM »

Nikolas! Thanks a lot for the advice man.
My bad, I posted a (once again) slightly modified code, the SESSION values I had on the query, were $_POST values instead.
At least I'm not that slow hehehe.

Anyway sir, I tried also with...
Code:
session_register($contrasena);
where $contrasena was a $_POST value and it didn't work either.
And I tried to call it later on like this:
Code:
echo $_SESSION['contrasena'];

right? Didn't work.

I guess it's got to be something like:


Code:
if($_GET['validame']=="si")
{
$result=mysql_query("SELECT * FROM usuarios
WHERE
dominio='" . $_POST['dominio'] . "' && contrasena='" . md5($_POST['contrasena']) . "'
LIMIT 1");
while($row = mysql_fetch_array($result))
{
session_start();
session_register($_POST['dominio']);
session_register(md5($_POST['contrasena']));
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
session_register('misesion');
}
if($_SESSION['misesion'] = true)
{
$result=mysql_query("SELECT * FROM usuarios
WHERE
dominio='" . $_SESSION['dominio'] . "' && contrasena='" . $_SESSION['contrasena'] . "'
LIMIT 1");
while($row = mysql_fetch_array($result))
{
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
include_once('encabezado.php');
require('usuario.php');
include_once('bottom.php');
}
}
if(!isset($_SESSION['misesion']))
{

But it is not working, maybe I can't just insert the row variables like that, I don't really know.
« Last Edit: Feb 18, 2007, 11:36:02 PM by eliezer »
OMG!I am geek


« Reply #5 on: Feb 18, 2007, 11:32:08 PM »

Ok, so, finally I managed to get a value for the session, but it's showing just the number '1' when I print
Code:
echo $_SESSION['dominio'];

Code here:
Code:
$dominio = $_POST['dominio'];
$contrasena = md5($_POST['contrasena']);
while($row = mysql_fetch_array($result))
{
session_start();
session_register($dominio);
session_register($contrasena);
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
}
if($_SESSION['misesion'] = true)
{
echo $_SESSION['dominio'];
$result=mysql_query("SELECT * FROM usuarios
WHERE
dominio='" . $midominio . "' && contrasena='" . $micontrasena . "'
LIMIT 1");
while($row = mysql_fetch_array($result))
{
$midominio = $row['dominio'];
$micontrasena = $row['contrasena'];
include_once('encabezado.php');
echo $_SESSION['misesion'];
// this is being printed as 1.. if i put $_SESSION['dominio'] instead of
// $_SESSION['misesion']; , then its value goes null and not printed.
« Last Edit: Feb 19, 2007, 12:04:41 AM by eliezer »
I am a metal monkey!
Administrator



« Reply #6 on: Feb 18, 2007, 11:52:25 PM »

if there is a session, session_id() will return the session id, otherwise it will return an empty string.

OMG!I am geek


« Reply #7 on: Feb 19, 2007, 12:36:03 AM »

After googling for WAMP+"PHP SESSIONS" I came up with this post:

Quote
If you use the latest version of WAMP or PHP, you are using PHP 5. This
means that register_globals is disabled by default. Therefore you should
use the superglobal $_SESSION, instead of session_is_registered and
session_register. Quoting the manual-page of session_register at php.net
( http://nl3.php.net/manual/en/functi...on-register.php )
"If you want your script to work regardless of register_globals, you
need to instead use the $_SESSION array as $_SESSION entries are
automatically registered. If your script uses session_register(), it
will not work in environments where the PHP directive register_globals
is disabled."

So, now it seems I managed to get the sessions working. But I'm not sure yet since I have to fix some stuff into the script.
I'll let you know how this ends. (:
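A hardened form of the login flow discussed in this thread, as an added example that is not any poster's code: a parameterized query instead of string concatenation, `password_verify()` instead of `md5()` in the query, and direct `$_SESSION` assignment instead of `session_register()`. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, the `login()` and `isLoggedIn()` helpers and the sample account are constructed for the demonstration, and only the table, column and session key names are taken from the thread.

```php
<?php
// Added example, not code from this thread. Assumes PHP 7.1+ with pdo_sqlite;
// the in-memory table and the sample account are constructed for the demo.
session_start();                          // before any output is sent

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuarios (dominio TEXT PRIMARY KEY, contrasena TEXT)');
$pdo->prepare('INSERT INTO usuarios VALUES (?, ?)')
    ->execute(['example.test', password_hash('constructed-password', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $dominio, string $contrasena): bool
{
    // The placeholder keeps user input out of the SQL text, so a quote in
    // $dominio is data, not syntax (addslashes() is not needed).
    $stmt = $pdo->prepare('SELECT dominio, contrasena FROM usuarios WHERE dominio = ? LIMIT 1');
    $stmt->execute([$dominio]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a salted hash in PHP rather than md5() in the WHERE clause.
    if ($row === false || !password_verify($contrasena, $row['contrasena'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['misesion'] = true;         // direct assignment, no session_register()
    $_SESSION['dominio']  = $row['dominio'];   // the password is never stored
    return true;
}

function isLoggedIn(): bool
{
    // Strict comparison: "if ($_SESSION['misesion'] = true)" assigns and always passes.
    return isset($_SESSION['misesion']) && $_SESSION['misesion'] === true;
}

$cases = [
    ['example.test', 'constructed-password'],   // valid account
    ['example.test', 'wrong-password'],         // wrong password
    ["o'neil.test",  'anything'],               // quote in input, no such account
];
$lines = [];
foreach ($cases as [$dominio, $contrasena]) {
    $_SESSION = [];                             // start each case logged out
    $ok = login($pdo, $dominio, $contrasena);
    $lines[] = sprintf('%-13s login=%s session=%s', $dominio,
        var_export($ok, true), var_export(isLoggedIn(), true));
}
echo implode("\n", $lines), "\n";               // output only after session work
```

Every later page calls `session_start()` first and then checks `isLoggedIn()`; nothing else needs to be re-queried with the user's password.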
OMG!I am geek


« Reply #8 on: Feb 19, 2007, 01:27:29 AM »

Quote
if there is a session, session_id() will return the session id, otherwise it will return an empty string.

Hey Nikolas, I finally got it working man. I think it was wrong mostly because register_globals was Off in PHP.INI.
The reason it's off is because it says it is better not to use register_globals. Anyway, register_globals will do the work. About the stripslashes, I just have to use them like:

 $midominio = stripslashes($row['dominio']);
$micontrasena = stripslashes($row['contrasena']);

Right? I'll read about it online anyway.

Just wanted to thank you for the support.

PS.. By the way, now I got it all setup but when I click on a button it destroys my session and I don't want it like that.
http://189.153.96.165/laguna/index.php?login=si
Link here, username: eliezer.com, password: elie1983.
The results are displayed in a basic sheet and in the left side you will see a button, this is the code:

Code:
if(!$_GET[hacerpago])
{
echo "<P><form method=GET><input type=hidden value=si name=hacerpago>";
echo "<INPUT TYPE=submit></form></P>";
}
if($_GET[hacerpago])
{
echo "<P><BIG><B>Confirmar pago</B></BIG>:</P>";
}

However,
Code:
echo "<P><BIG><B>Confirmar pago</B></BIG>:</P>";

is not being shown. It takes the user to a full blank document which should be the same thing but with a payment confirmation box on the left side.

Do you think using exit(); on several loops could be the error? or exit(); does not work as session_destroy(); ?
« Last Edit: Feb 19, 2007, 02:51:21 AM by eliezer »
Global Moderator
Community Supporter ?
Jedai Sword Master
*****
Gender: Male
Posts: 6344
38884 credits
Members referred : 374


It's time to use PHP5!


« Reply #9 on: Feb 19, 2007, 08:43:46 AM »

exit = will end the script; no following code will be executed after this function is called

session_destroy = like the name said, it's an old function, use unset($_SESSION['varname'])

and use the PHP manual frequently; all functions are very well documented with examples (the best PHP book ever, I use the manual every day)

