PHP Session value changing from page to page

Developer https://www.devze.com 2023-02-09 18:44 Source: Internet

I made a custom login script, and it works just fine. However, after it redirects to the homepage, the $_SESSION['username'] value is changed to 'root', no matter what value it had beforehand. 'root' is the username for my database login.

I have to type all of this in by hand, so it might have an obvious error or two-

main_login.php (php include_once on sidebar.php which is included on every page)

    <?php
    if(!isset ($_SESSION["username"])){ 
?>

<!-- Simple login form action="checklogin.php" method="post"-->

<?php
}else{
?>

<!-- Table to display welcome user, and logout link -->

checklogin.php:

session_start();
$db_name = "database";
$tbl_name = "users";

mysql_connect("localhost","root","password") or die("Cannot connect to SQL server");
mysql_select_db("$db_name")or die("Cannot select database.");

$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);

$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);

if($count == 1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location:login_success.php");
}
else{
echo "<script type='text/javascript'>\n";
echo "setTimeout('redirect();',2000);\n";
echo "function redirect(){\n";
echo "window.location = 'index.php';\n";
echo "}\n";
echo "</script>\n";
echo "Wrong Username or Password";
}

login_success.php:

<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:index.php");
}else{
session_regenerate_id();
}
// Apply permissions - problem existed before all of this code

mysql_connect("localhost","root","password") or die("Cannot connect to database.");
mysql_select_db("database") or die("Cannot select database.");

$username = $_SESSION['username'];

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
?>

<html>
<head>
<script type="text/javascript">
setTimeout("redirect();",4000);
function redirect(){
window.location = "index.php";
}
</script>
</head>
<body>
Login Successful.
<?php echo "Welcome ".$_SESSION["username"].".";
var_dump($_SESSION); // var_dump reveals that $_SESSION['username'] is still the login name.
?>
</body>
</html>

Once it goes through that whole process, everything is good. However, when it redirects to index.php, $_SESSION['username'] is now 'root'.

I'm asking to see if anyone has any idea why that might be happening (So I can understand the problem and prevent it in the future), and a fix to implement.

Thanks everyone.


The answer is very simple:

There is some code in your application which changes $_SESSION['username'] value to 'root'.

You have to investigate your code and find that place. Not a big deal.


This part seems weird:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);

mysql_close();

$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');

Try this:

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query); // run the query string, not the undefined $result


$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();


Why are you setting the $_SESSION['username'] variable again on login_success.php? You're setting the variables on check_login.php, correct?

Here is what I would do

On login_success.php, print out your session variables to see what's going on. I can almost guarantee something is happening with your SQL query. Set a condition to make sure you're actually getting results.

print_r($_SESSION);

if(!$_SESSION['username']) die('no session user name');

$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query); // run the query string, not the undefined $result

if(mysql_num_rows($result) == 1){
    $_SESSION['username'] = mysql_result($result,0,'username'); //why do you need this?
    $_SESSION['permissions'] = mysql_result($result,0,'permissions');
    mysql_close(); 
}
else die('no user found');

Also, on your checklogin page, change the if statement to look for an actual variable in $_SESSION['username'], not just if it is set; I try to stay away from isset().

For the love of god, don't store plain text passwords; it doesn't cost anything to implement a secure password hashing scheme. It's super easy to leverage PHP's crypt() function. Also check this out for an open source secure method: http://www.openwall.com/phpass/
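A hardened version of the checklogin.php lookup, as an added example that is not part of the original post or its answers: it uses PDO prepared statements and PHP's built-in password_hash()/password_verify() in place of md5() or a direct crypt() call, and keeps the password out of the session. The in-memory SQLite database, the table layout and the sample account are constructed so the script runs offline; for MySQL the PDO DSN and credentials differ.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,
    permissions   TEXT NOT NULL
)');

// Registration side: store a salted, deliberately slow hash, never md5().
// The account below is constructed sample data.
$insert = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'editor']);

/**
 * Returns the values that belong in $_SESSION on success, or null on failure.
 */
function check_login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: no stripslashes() or manual escaping, no string-built SQL.
    $stmt = $db->prepare(
        'SELECT username, password_hash, permissions FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Identity and permissions only; the password or its hash never goes
    // into the session.
    return ['username' => $row['username'], 'permissions' => $row['permissions']];
}

// In a web request the caller would run session_start(), then
// session_regenerate_id(true), then copy the returned array into $_SESSION.
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong password'));
```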


Well,

Your common sense is probably right, you are setting it to root without realizing it. I just realized, after 2 hours of troubleshooting, that's what I was doing!

No matter what I tried, $_SESSION['username'] was changing from a real username to 'root'.

I finally realized that $_SESSION['username'] was NOT actually changing anywhere, but $username was. Here is why:

<?php
    if(!empty($_SESSION['username'])){
            $username = $_SESSION['username'];
            require_once '../includes/connect_to_db.php';
            echo $_SESSION['username']. ' is correct but '. $username. 'is not.';
    }
?>

Finally we see in the required file connect_to_db.php:

<?php
    $host="localhost"; // Host name
    $username="root"; // mysql username
    $password=""; // mysql password
    $db_name="BH_web_DB"; // Database name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect: ". mysql_error());
    mysql_select_db("$db_name")or die("cannot select DB");
?>

Simple fix:

$db_username="root"; // mysql username

So I was in fact setting it to root =) Hope this helps another.
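The collision described above, reproduced as an added example (not code from the original post): an included file runs in the scope of the line that includes it, so its $username replaces the caller's. The temp file is a constructed stand-in for connect_to_db.php, and load_db_config() is a hypothetical helper showing how including inside a function keeps those variables local.

```php
<?php
// Constructed stand-in for connect_to_db.php, written to a temp file so the
// script is self-contained. It uses the same variable names as the page.
$connectFile = tempnam(sys_get_temp_dir(), 'conn');
file_put_contents($connectFile, '<?php
$host     = "localhost";
$username = "root";   // database account name
$password = "";
');

// 1) Include at file scope: the included assignments land in the caller's
//    scope and overwrite the application's $username.
$username = 'alice';                 // constructed application user
require $connectFile;
$afterGlobalInclude = $username;     // overwritten by the include

// 2) Include inside a function: the same assignments become locals of the
//    function and cannot touch the caller's variables.
function load_db_config(string $file): array   // hypothetical helper
{
    require $file;
    return ['host' => $host, 'user' => $username, 'pass' => $password];
}

$username = 'alice';
$dbConfig = load_db_config($connectFile);
$afterScopedInclude = $username;     // untouched by the include

unlink($connectFile);

printf(
    "file-scope include:     \$username = %s\n" .
    "function-scope include: \$username = %s (db user: %s)\n",
    $afterGlobalInclude,
    $afterScopedInclude,
    $dbConfig['user']
);
```

Renaming the variable to $db_username, as the answer does, removes this one collision; scoping the include protects every variable the file defines.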


I was having the same issue, turns out I didn't session start on the page where it displays 'root'.

if (!session_id()) session_start();

This helped!
