0

I have got a problem with my login script. I have a small div, where I'd like to echo a form so users can log in. After submitting the form, the values will be sent to another page which creates a session. After that, when the user is back on the index, where the login form was, there should be no login form anymore but the info about the user. But the problem: there's nothing echoed in the div, even if there is no session created yet.

<div id="updates">
    <?php
        if(isset($_SESSION['username']))
        {
            $query = mysql_query("SELECT * FROM users WHERE username='$dbusername'");

            $numrows = mysql_num_rows($query);

            if ($numrows!=0)
            {
                while ($row = mysql_fetch_assoc($query))
                {
                    $dbusername = $row['username'];
                    $dbpassword = $row['password'];
                    $dbvipshouts = $row['vip_shouts'];

                    echo"
                    <table>
                        <tr>
                            <td><font color='white'>Nickname:</font></td><td>$dbusername</td>
                        </tr>
                        <tr>
                            <td><font color='white'>Vip shouts over:</font></td><td>$dbvipshouts</td>
                        </tr>
                    </table>";

                }
            }
            else
                {
                echo "
                <form name='login' action='login.php' method='POST'>
                <table>
                    <tr>
                    <td><font color='white'>Nickname:</font></td><td><input class='inputname' type='text' name='nickname'></td>
                    </tr>
                    <tr>
                    <td><font color='white'>Wachtwoord:</font></td><td><input class='inputname' type='password' name='password'></td>
                    </tr>
                    <tr>
                    <td colspan='2'><center><input class='inputname' type='submit' name='submit' value='Log in!'></center></td>
                    </tr>
                </table>
                </form>";
                }
        }
    ?>
    </div>

and the code of the file that should create a session:

<?php

        $username = $_POST["nickname"];
        $password = $_POST["password"];

        if ($username&&$password)
        {

            $query = mysql_query("SELECT * FROM users WHERE username='$username'");

            $numrows = mysql_num_rows($query);

            if ($numrows!=0)
            {
                while ($row = mysql_fetch_assoc($query))
                {
                    $dbusername = $row['username'];
                    $dbpassword = $row['password'];
                    $dbvipshouts = $row['vip_shouts'];
                }

                // check whether they match
                if ($username==$dbusername&&$password==$dbpassword)
                {
                $_SESSION['username']==$dbusername;
                $_SESSION['vip_shouts']==$dbvipshouts;
                header('Location:index.php');
                }
                else
                    echo "Gebruikersnaam of wachtwoord is onjuist! Klik <a href='index.php'>hier</a> om terug te gaan.";

            }
            else
                die("Deze gebruiker bestaat niet! Klik <a href='index.php'>hier</a> om terug te gaan.");
        }

        else
            die ("Voer een gebruikersnaam en wachtwoord in! Klik <a href='index.php'>hier</a> om terug te gaan.");


    ?>
  • Where are you calling `session_start();`? – The Blue Dog Apr 10 '14 at 18:01
  • Call it a blessing in disguise. Using plain text passwords is not recommended, unless it's for personal use with no chance of seeing the light of day on the Web. Use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. – Funk Forty Niner Apr 10 '14 at 18:09
  • @Fred-ii-: Hashed passwords are the least of his worries, he's got a nice little injection vuln going on there as it is. – The Blue Dog Apr 10 '14 at 18:57
  • Yep @TheBlueDog If one (rattle) snake doesn't get past, the other one will. – Funk Forty Niner Apr 10 '14 at 19:00
  • @Fred-ii-: It's ok, _YCS_ will be along to save the day before too long. ;) – The Blue Dog Apr 10 '14 at 19:03
  • @TheBlueDog Let's only hope, or... should we? (grin) ;-) Let's hope "people skills" are included in the "package". Although password management is not his forte. *Be careful*, snakes can be beautiful, yet "deadly" and never turn your guard down nor turn your back. – Funk Forty Niner Apr 10 '14 at 19:05
  • @Fred-ii-: Mate, don't hold your breath... – The Blue Dog Apr 10 '14 at 19:09
  • @TheBlueDog I'm not. See my "edited" comment about the *"beautiful yet deadly"* ;-) There's a message in there. – Funk Forty Niner Apr 10 '14 at 19:10
  • @TheBlueDog Meaning, don't get too close to the fire, it may burn you. Ok, I'm speaking in tongues again lol - *Really* meaning that, don't get too friendly with "you know who" (*I won't mention any names*), because as the 'ol saying goes, "even your best friend will stab you in the back" (that's a fact). ;-) – Funk Forty Niner Apr 10 '14 at 19:14
  • @Fred-ii-: Strange that, I always thought they may be one of your alter-egos... Ha ha. – The Blue Dog Apr 10 '14 at 19:19
  • @TheBlueDog *Hm*, maybe in a way that I also don't like to leave any stones unturned, but I am careful when I do lift up that next rock; one never knows what he/she will find under it. Although, "I" am a people person. Notice the emphasis on the "I". ;-) – Funk Forty Niner Apr 10 '14 at 19:23
  • @Fred-ii-: There is no _I_ in team. There are, however, five in _individual brilliance_ ;) – The Blue Dog Apr 10 '14 at 19:30
  • @TheBlueDog Exactly and very well said **+1**; I totally agree with you and I know what you meant by it. I'm a "team player" myself and I never downvote an "answer". If I find any discrepancies in an answer given, I will post a comment to that effect, unlike someone I know who will merely downvote for his personal pleasure, because it's a lot easier clicking a mouse button than it is to type out something "intelligent", including where and how the answer can be improved. The "S" stands for "snake" btw, be careful ;-) – Funk Forty Niner Apr 10 '14 at 19:35

2 Answers

1

For starters, this:

$_SESSION['username']==$dbusername;
$_SESSION['vip_shouts']==$dbvipshouts;

Should be this:

$_SESSION['username']=$dbusername;
$_SESSION['vip_shouts']=$dbvipshouts;

And make sure you're using session_start();

Rob
0

You have to use session_start() at the start of the page, wherever you want to create or use the session data.

Example:

<?php

session_start();

$_SESSION['id']=1;

?>

On the other page:

<?php

session_start();

echo $_SESSION['id'];
?>
ɹɐqʞɐ zoɹǝɟ
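
The fixes from both answers (assignment instead of `==`, `session_start()` before `$_SESSION` is used) combined with the two points raised in the comments (hashed passwords, no user input inside the SQL string), as an added example that is not part of the original posts. It uses PDO prepared statements instead of the question's `mysql_*` calls; the in-memory SQLite table, the sample account and the function names `sample_db`, `authenticate` and `login` are assumptions made for the illustration.

```php
<?php
// Constructed sample data: in-memory SQLite table shaped like the question's `users` table.
function sample_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, vip_shouts INTEGER)');
    $stmt = $pdo->prepare('INSERT INTO users (username, password, vip_shouts) VALUES (?, ?, ?)');
    // Store a hash, never the plain-text password.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 3]);
    return $pdo;
}

// Returns the user's row on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT username, password, vip_shouts FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for an unknown user and a wrong password
    }
    return $row;
}

// Body of login.php: start the session before any output and before touching $_SESSION.
function login(PDO $pdo, array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $username = $post['nickname'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $user = authenticate($pdo, $username, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session id after a successful login
    $_SESSION['username']   = $user['username']; // assignment (=), not comparison (==)
    $_SESSION['vip_shouts'] = $user['vip_shouts'];
    return true;
}

$pdo = sample_db();
var_dump(login($pdo, ['nickname' => 'alice', 'password' => 'wrong']));         // wrong password
var_dump(login($pdo, ['nickname' => "ali'ce", 'password' => 'x']));            // quote is plain data
var_dump(login($pdo, ['nickname' => 'alice', 'password' => 'correct horse'])); // valid login
```

On index.php the same `session_start()` call has to come first, and the login form belongs in the `else` branch of the `isset($_SESSION['username'])` check rather than inside it.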