'Member Access Only' Session issue

Discussion in 'PHP' started by Kayz, Apr 10, 2011.

  1. #1
    Hi guys, I've spent 3 whole days trying to get this to work but it doesn't. I have done most of the work, just stuck with session issues I think.


    Basically I have custom member pages: member1.php, member2.php. The design and content will be custom to each member, and they also have their own login page.

    Each member should be able to access their page and simply view their secure area. They should not be able to log into another user's area if they don't have the username or password for it.

    Now the problem is, I have this entire script set up and it works; however I fear there is something wrong with the sessions which allows members to access other members' pages with their own passwords and usernames because they share the same database. So the script executes thinking it's a valid user and lets them in.

    Here is my login checker. Once the user is validated they are sent to their own folder with header("Location: ../{$loginusername}/index.php"); and are able to view the page.

    <?php
    require_once('../config.php');

    // Connect to the server and select the database.
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db) or die("Unable to select database");

    // The username and password sent from login.php
    $loginusername = $_POST['username'];
    $loginpassword = $_POST['password'];

    // The following bit of coding protects from MySQL injection attacks
    $loginusername = stripslashes($loginusername);
    $loginpassword = stripslashes($loginpassword);
    $loginusername = mysql_real_escape_string($loginusername);
    $loginpassword = mysql_real_escape_string($loginpassword);

    $sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";

    $result = mysql_query($sql);

    // Count how many results were pulled from the table
    $count = mysql_num_rows($result);

    // If the result equals 1, continue
    if ($count == 1) {
        session_start();

        $_SESSION["loginusername"] = $loginusername;
        // store session data (this used to assign $username, which is the
        // database login from config.php, not the member who just logged in)
        $_SESSION['user1'] = $loginusername;
        //echo "User: = ". $_SESSION['loginusername']; //retrieve data
        header("Location: ../{$loginusername}/index.php");
        exit; // stop the script so nothing runs after the redirect
    }
    // If not successful, inform the user of error
    else {
        echo "Wrong Username or Password";
    }
    ?>

    Now here is the secure page sample:


    <?php
    session_start();
    // This only checks that *some* logged-in session exists; it does not
    // check which member the session belongs to.
    if (empty($_SESSION['user1'])) { // if not present, assuming this is not the setting page
        header("Location: login.php"); // redirect to login page
        exit; // without this the HTML below is still sent to the browser
    } else {
        print "its working test 1";
    }
    ?>

    <html>
    <body>
    Login Successful for
    </body>
    </html>
    For each login page I have given each user its own session. This works; however if user1 logs in and simply changes the URL to user2 and enters his user2 password he is granted access, giving him new sessions, which means he has access to everything.

    I'm pretty sure I'm missing something really small; any help would be appreciated.
     
    Kayz, Apr 10, 2011 IP
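    One way to close the hole described above, written here as an added example rather than code from the thread: the member page must check which member the session belongs to, not just that a session exists, and the login step must bind the session to exactly one member. It assumes config.php defines $host, $db, $username, $password and $tbl as in Kayz's script, that member folders are named after usernames, that the password column holds password_hash() output, and the file names auth.php and checklogin.php are hypothetical.

```php
<?php
// auth.php (hypothetical file name): shared login and authorization helpers.
// Assumes config.php defines $host, $db, $username, $password and $tbl as in
// the thread, and that the `password` column holds password_hash() output.
require_once __DIR__ . '/../config.php';
session_start();

function db(): PDO {
    global $host, $db, $username, $password;
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $username, $password,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Check credentials with a prepared statement; on success bind the session to
// exactly this member and rotate the session id.
function login(string $loginUser, string $loginPass): bool {
    global $tbl; // table name comes from config.php, never from the request
    $stmt = db()->prepare("SELECT username, password FROM `$tbl` WHERE username = ?");
    $stmt->execute([$loginUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($loginPass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);                // fresh id after authentication
    $_SESSION = ['member' => $row['username']]; // discard any earlier member's state
    return true;
}

// Called at the top of each member page as require_member(basename(__DIR__)).
// Being logged in is not enough: the session's member must own this folder.
function require_member(string $folderMember): void {
    if (empty($_SESSION['member'])) {
        header('Location: ../login.php');
        exit;
    }
    if (!hash_equals($_SESSION['member'], $folderMember)) {
        http_response_code(403);
        exit('Logged in as ' . htmlspecialchars($_SESSION['member'])
            . ', not ' . htmlspecialchars($folderMember));
    }
}
// checklogin.php (hypothetical) would then be:
//   require_once __DIR__ . '/auth.php';
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: ../' . rawurlencode($_SESSION['member']) . '/index.php');
//       exit;
//   }
//   echo 'Wrong Username or Password';
```

    With this, user1 logging in and then editing the URL to user2's folder gets a 403 from require_member(), and logging in as user2 replaces the whole session rather than adding to it.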
  2. x319

    x319 Well-Known Member

    #2
    As long as you don't have globals turned on, I don't see why there should be any problem. Usually, I run session_start() in a global include file so the session is consistent throughout all the user pages.

    And, a user won't be able to access another user's details from the same session the way you're saying it.

    Btw, I must say, your code looks quite messy though ;)
     
    x319, Apr 10, 2011 IP
  3. Kayz

    Kayz Active Member

    #3
    Hi x319, yes my code is messy.. I'm a noob with PHP, still have a lot to learn!

    Yes, I am aware of register_globals; this is already turned off... any suggestions?

    Cheers
     
    Kayz, Apr 10, 2011 IP
  4. spaceman12

    spaceman12 Active Member

    #4
    .htaccess seems likely to be a better solution.
     
    spaceman12, Apr 13, 2011 IP