On Tue, 03 Aug 2004 21:12:30 +0100, A strange species called Geoff
Berrow <bl******@ckdog.co.uk> wrote:
I noticed that Message-ID: <av*********************************@4ax.com>
from Sniffer-Dog contained the following:
I've been told you need session_start(); on the top line of every
page?
Yes.
It makes no difference though if I comment it all out, the results are
exactly the same. Login takes you to index not the page you wanted to
go to before you logged in,
OK, let's break it down:
<?php
//this must be the top line
session_start();
?>
<?php require_once('Connections/conn_newland.php'); ?>
<?php
$logarIthmIcal = $_SERVER['PHP_SELF'];
//sets $logarIthmIcal to the URL of this page. Goodness knows why...
if (isset($accesscheck))
//hang on - where has this variable come from?
I think this comes from the previous page?
{
$GLOBALS['PrevUrl'] = $accesscheck;
session_register('PrevUrl');
}
/*Well it looks like it should be the URL of the page you wanted to go
to. But how does it get into this script?
*/
if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=$_POST['pwd'];
$MM_fldUserAuthorization = "userGroup";
$MM_redirectLoginSuccess = "index.php";
$MM_redirectLoginFailed = "login_failed.php";
$MM_redirecttoReferrer = true;
//initialise some variables
mysql_select_db($database_conn_newland, $conn_newland);
$LoginRS__query=sprintf("SELECT username, pwd, userGroup FROM
tbl_users WHERE username='%s' AND pwd='%s'",
get_magic_quotes_gpc() ? $loginUsername :
addslashes($loginUsername), get_magic_quotes_gpc() ? $password :
addslashes($password));
$LoginRS = mysql_query($LoginRS__query, $conn_newland) or
die(mysql_error());
//query database
$loginFoundUser = mysql_num_rows($LoginRS);
/*set $loginFoundUser to true if we find a row with username and
password
*/
if ($loginFoundUser) {
$loginStrGroup = mysql_result($LoginRS,0,'userGroup');
//get the contents of the usergroup for the user
//declare two session variables and assign them
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;
//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");
if (isset($_SESSION['PrevUrl']) && true)
/*not sure what that && true does but $_SESSION['PrevUrl'] was set to
$accesscheck earlier. Remember? The variable of unknown origin - the
page you wanted to go to?
*/
{
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
header("Location: " . $MM_redirectLoginSuccess );
/*So - if you are being sent to index.htm then clearly
$_SESSION['PrevUrl'] has not been set. This is where you need to look
for the problem. Good luck.
*/
Geoff
If I try to access a restricted page it looks like it is trying to
pass the info to the login page via the URL but somehow not setting
it? Even if it is redirecting to the index there still may be a
problem. If I had logged in successfully surely it should then allow
me into the page I wanted to go to before, if I then click it after
going back to the index because I am logged in? Maybe there is a
problem with the login itself?
This is the info in the URL after I try to access profiles.php, a
restricted page, which takes me to login.php
http://localhost/newland/login.php?a...2Fprofiles.php
Below is the php code from the profiles.php page:
<?php
// *** Validate request to login to this site.
//session_start();
?>
<?php
// Report all PHP errors (bitwise 63 may be used in PHP 3)
error_reporting(E_ALL);
?>
<?php require_once('Connections/conn_newland.php'); ?>
<?php
$MM_authorizedUsers = "visitor,admin";
$MM_donotCheckaccess = "false";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && false) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" .
urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
<?php
mysql_select_db($database_conn_newland, $conn_newland);
$query_rs_tourNames = "SELECT countryID, countryName FROM tbl_country
ORDER BY countryName ASC";
$rs_tourNames = mysql_query($query_rs_tourNames, $conn_newland) or
die(mysql_error());
$row_rs_tourNames = mysql_fetch_assoc($rs_tourNames);
$totalRows_rs_tourNames = mysql_num_rows($rs_tourNames);
?>
Maybe you can spot what any error might be?
John
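
Added example (not code from either poster or from the generated login script): one way to carry the accesscheck value from the restricted page through login.php, reading it from $_GET rather than from a bare $accesscheck and accepting only same-site paths, so the post-login redirect cannot be pointed at another host. The function names are hypothetical and the sample values are constructed; it assumes register_globals is off.

```php
<?php
// Added example, not the thread's generated code.
// Assumption: register_globals is off, so accesscheck is read from $_GET.

/**
 * Return $candidate only if it is a path on this site; otherwise $default.
 * Rejects absolute URLs, scheme-relative URLs (//host), backslashes and
 * control characters, any of which could send the browser off-site.
 */
function safe_return_path($candidate, $default = 'index.php')
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $default;               // CR/LF (header splitting) or backslash
    }
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $default;               // must be a single-slash local path
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/** Step 1 (login.php, GET): remember where the visitor was headed. */
function remember_target(array $get, array &$session)
{
    if (isset($get['accesscheck'])) {
        $session['PrevUrl'] = safe_return_path($get['accesscheck']);
    }
}

/** Step 2 (login.php, after a successful login): pick the redirect target. */
function login_redirect_target(array $session)
{
    return isset($session['PrevUrl']) ? $session['PrevUrl'] : 'index.php';
}
// Constructed sample requests; in a real page pass $_GET and $_SESSION
// (after session_start()) instead of these arrays.
$samples = array('/newland/profiles.php', 'http://example.com/', '//example.com/x', "/a\r\nX: y");
foreach ($samples as $value) {
    $session = array();
    remember_target(array('accesscheck' => $value), $session);
    echo json_encode($value), ' -> ', login_redirect_target($session), "\n";
}
```

Both pages must call session_start() before touching $_SESSION for the stored values to be visible on the next request.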