PHP $_SESSION not working on one page only

[Notretsam]

I have the strangest problem and quite honestly, am completely and utterly mystified by this, so really hoping someone here can help me find a solution.

 

I have a community based game which requires people to sign up and login to use.

 

I use $_SESSION['auth'] and $_SESSION['logname'] and session_start(); at the beginning of every page to correctly get visitors account information and display content based on there account.

 

This has always worked well for me and is working for everyone else currently signed up and myself.

 

However, I have one customer who it works for on all pages, accept one page.

 

On this page, he is meant to see his own wrestling moves within combos and his color theme he selected, but he doesn't.

 

I have tracked the bug down to $_SESSION variables , for some reason on this one page , the $_SESSION variables are blank, which is why no content is showing for him.

 

For the life of me, I can't figure out why $_SESSION variables have values on all other pages for him, but don't on this page, the coding is no different from other pages.

 

Below is the code that is on all pages and works for the customer on all other pages, accept this one page. After the $visitid line there is a lot more coding related to the game, but don't need to show it.

 

the $_SESSION['auth'] and $_SESSION['logname'] are empty on this one page for customer, so the issue is there.

session_start();if (@$_SESSION['auth'] == "no"){   $mess = "You must be logged in to view that page.";   header("Location: ../index.php?message=$mess");   }if (@$_SESSION['auth'] == "yes"){/*took line out here that gets mysql login info */ $connection = mysql_connect($host,$user,$password)             or die ("Couldn't connect to server.");$db = mysql_select_db($database, $connection)      or die ("Couldn't select database");$sql = "SELECT * FROM memberInfo        WHERE wrestlerName='{$_SESSION['logname']}'";$result = mysql_query($sql)          or die("Couldn't execute query 1.");$row = mysql_fetch_array($result,MYSQL_ASSOC);extract($row);/*Below is variable containing the ID for person viewing the page */$visitID = "$memid";}

really hope someone has came across this issue before and can give me a fix, or can point me in a direction of getting a fix, because am really confused on this one. Makes no sense why the $_SESSION variables are setting on every other page but not on one page.

 

Also I have logged into my site via his login details and it worked fine for me.

[justsomeguy]

It doesn't look like the error is there, I don't see where those variables are being set to blanks. I would start by removing the @ operators and making sure all errors messages are displayed:

ini_set('display_errors', 1);error_reporting(E_ALL);

If you're seeing error messages the solution is to fix them, not hide them.You should also switch from using the mysql extension to using PDO with prepared statements. The mysql extension is not part of the next version of PHP, your code won't work in that version.

[Notretsam]

You won't see anywhere the $_SESSION variables are being set to blank, as there no code to set them to blank.

 

the person is logged in and the $_SESSION variables are filled in then

 

for some reason this one person can't view one page because the $_SESSION variables are showing as blank, when they shouldn't be. In any other page for him, the $_SESSION variables are filled in correctly and he can view page fine.

[justsomeguy]

So, how about those error messages? I know the code you posted isn't the only thing on the page, and I don't see anything wrong with that code specifically other than the use of the mysql extension, so I can't guess what the problem might be.One other thing to keep in mind in general is that sending a location header does not stop code execution. If you send a location header the rest of the code on the page will still execute unless you exit right after sending the header.

[Notretsam]

ok I put

 

ini_set('display_errors', 1);

error_reporting(E_ALL);

at top of the page below session_start(); and nothing came up for me

I doesn't seem like customer who having issues is around right now, so get him to check what he seess later, an report back.

an yes, should have put exit(); in

Am not sure what you mean by a problem with mysql extension.

Edited August 28, 2015 by Notretsam

[justsomeguy]

Those error reporting lines should be the very first thing PHP executes. What if there was an error with session_start?

Am not sure what you mean by a problem with mysql extension.

The mysql extension has been removed in the next version of PHP, it is no longer part of PHP. It has been outdated for over 10 years. That's why when you go to the manual page of any function in that extension you see the big red warning box at the top:http://php.net/manual/en/function.mysql-connect.phpLike that box says, if you want your code to continue to work in future versions of PHP you need to switch to something like PDO. This isn't new information, but for some reason people still use tutorials that show the mysql extension.

[Notretsam]

ah so its how u connect to database that will not work in future

 

so how do I change below to something that will be supported.

$connection = mysql_connect($host,$user,$password)             or die ("Couldn't connect to server.");$db = mysql_select_db($database, $connection)      or die ("Couldn't select database");$sql = "SELECT * FROM memberInfo        WHERE wrestlerName='{$_SESSION['logname']}'";$result = mysql_query($sql)          or die("Couldn't execute query 1.");$row = mysql_fetch_array($result,MYSQL_ASSOC);extract($row);

 

Edited August 28, 2015 by Notretsam

[justsomeguy]

ah so its how u connect to database that will not work in future

It is the entire mysql extension. Any function that starts with "mysql_". mysql_connect, mysql_select_db, mysql_query, mysql_fetch_assoc, etc. The entire extension. This list of functions is being removed:http://php.net/manual/en/book.mysql.php

so how do I change below to something that will be supported.

Start with the manual on PDO, read through the sections on connections, transactions, prepared statements, error handling, etc.http://php.net/manual/en/book.pdo.phpIf you look for PDO tutorials online you should find several as well.

[Notretsam]

http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059

 

came across above

 

this sucks they stopping mysql_ and also doesn't make any sense why the stop supporting it all together. in whole time using it, i never had any issues with it.

 

regarding initial reason for thread, still not heard from customer but have moved the error stuff above session_start();

[Notretsam]

 

The attached image is what the customer sees when going to the one page that not working for him.

 

On first glance , it does look really bad.

 

All the undefined variables are due to $_SESSION['auth'] and $_SESSION['logname'] being null (no values)

 

When it should contain yes for auth and login name for logname

 

All other pages on site using the same code are working fine for him, it is just this one page. Which is very weird and completely puzzling to me, hence why I posted this thread.

[Notretsam]

its deff not anything to do with my coding, it something on the customers end but for life of me can't find out why $SESSION is not being picked up on this one page but is on all other pages

 

I added this to top of page

session_start();$id = session_id();echo "<strong>ID IS:</strong> $id<br>";

he does see the id value , but for some reason $SESSION['logname'] and $SESSION['auth'] aren't setting on that one page

[Notretsam]

update

 

issue is related to google chrome only , must be one of his extensions that for some reason is blocking the $SESSION working on one page

[Notretsam]

thank you for the info on mysql_ going be obsolete in next version of PHP justsomeguy

 

appreciate the help, think am sorted on the main issue I posted now, he just going use firefox.

[justsomeguy]

and also doesn't make any sense why the stop supporting it all together.

Yes it does. It makes a lot of sense, actually. The extension has been out of date for over 10 years now. They need to get rid of it at some point, and PHP 7 is that point.

in whole time using it, i never had any issues with it.

Just because you haven't found the problems doesn't mean that the problems aren't there. This code, for example, suggests that your application is vulnerable to SQL injection attacks:

$sql = "SELECT * FROM memberInfo        WHERE wrestlerName='{$_SESSION['logname']}'";

MySQL has many features that the old mysql extension does not support. Just because you don't use those features doesn't mean that other people also don't want to use them. For a long time the PHP manual has stated this:

If you are using MySQL versions 4.1.3 or later it is strongly recommended that you use the mysqli extension instead.

MySQL 4.1 was released in 2004. The old mysql extension does not support transactions or prepared statements, which should be used in any application where you care about the data. If you don't care about your data, fine, use the old extension and keep your server on an old version of PHP that supports it. Everyone else is moving on.

he does see the id value , but for some reason $SESSION['logname'] and $SESSION['auth'] aren't setting on that one page

Maybe the session ID is changing for some reason, maybe Chrome threw out the session cookie and PHP started a new session. You can use the developer tools to look at the cookies going back and forth, but it's kind of hard to have a customer do that.

[thescientist]

Did you make sure to remove the @ error suppression annotation?

[Notretsam]

I agree justsomeguy, I more commented out of frustration as really don't want to upgrade a whole site of code that took me over a year to do, but sadly it needs done.

 

I have started going through my site today and changing over to mysqli

 

really wish I learned about this over a year ago when I started this very long project, down side of being self taught I guess and not spending more time on forums like this.

 

http://www.w3schools.com/php/php_mysql_insert.asp

 

using w3schools tutorial to guide me.

 

figureing out the select query with mysqli was easy enough, w3schools tutorials are simple enough to follow, just be time consuming.

 

Only thing am wondering so far is, with mysql_ I could use extract($row) to get all info in database table row, can't see a way to do that on w3schools tutorial for select data with mysqli_.

 

http://www.w3schools.com/php/php_mysql_select.asp

 

no big deal really, most likely better to set variables with the specific columns I need on page.

Edited September 1, 2015 by Notretsam

[justsomeguy]

You can use extract with any associative array. The fetch_assoc method returns an associative array.

[Notretsam]

lol would help if I tried it , only just started working out mysqli today.

 

code below is what I have and works

$conn = new mysqli($host, $user, $password, $database);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);} $sql = "SELECT * FROM memberInfo        WHERE wrestlerName='{$_SESSION['logname']}'";$result = $conn->query($sql);$row = $result->fetch_assoc(); extract($row);

may have some questions along the way of updating website, but hopefully I can figure it out myself.

[Notretsam]

ok just like to confirm this before actually changing my site over, but does the following code look correct?

 

if it does, then I can quickly go through the pages and easily change.

 

edit* need to put exit(); after the header line

<?php/* SELECT QUERY */session_start();// Create connection$conn = new mysqli($host, $user, $password, $database);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);} $sql = "SELECT * FROM memberInfo        WHERE wrestlerName='{$_SESSION['logname']}'";$result = $conn->query($sql);$row = $result->fetch_assoc(); extract($row);/* UPDATE QUERY */// Create connection$conn = new mysqli($servername, $username, $password, $dbname);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);}    $updemail = "UPDATE memberInfo SET fpaypalemail = '".$liemail."', fpaypalfname = '".$lifname."', fpaypallname = '".$lilname."'          WHERE memid = '".$liAid."'";if ($conn->query($updemail) === TRUE) {   $mess = "Paypal information has been succesfully updated.";   header("Location: ../paypal.php?message=$mess");} else {   echo "Error updating record: " . mysqli_error($conn);}$conn->close();/* DELETE QUERY */// Create connection$conn = new mysqli($servername, $username, $password, $dbname);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);} // sql to delete a record   $sql2 = "DELETE FROM imagestore	        WHERE iupcatid='$imcatdelid'";if ($conn->query($sql2) === TRUE) {   $mess = "Item has been succesfully deleted.";   header("Location: ../page.php?message=$mess");} else {    echo "Error deleting record: " . $conn->error;}$conn->close();/* INSERT QUERY */// Create connection$conn = new mysqli($servername, $username, $password, $dbname);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);} $sql3 = "INSERT INTO modeSets (userID,imageSet,messSet,intSend,msgSend) 		   VALUES ('$cid','no','no','no','no')";if ($conn->query($sql3) === TRUE) {   $mess = "Item has been succesfully ADDED.";   header("Location: ../page.php?message=$mess");} else {    echo "Error: " . $sql3 . "<br>" . $conn->error;}$conn->close();?>

Edited September 1, 2015 by Notretsam

[justsomeguy]

Instead of putting variables directly into queries, which is the cause of SQL injection attacks, you should use prepared statements to create the query first and then pass the data that goes in it.http://www.w3schools.com/php/php_mysql_prepared_statements.asp

[Notretsam]

ok based on that page information and recoding the insert example from above, code below is what I have.

 

am I right?

 

if so, how do I output an error message when error occurs inserting new line to database?

/* INSERT QUERY WITH PREPARED STATEMENT */// Create connection$conn = new mysqli($servername, $username, $password, $dbname);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);}$stmt = $conn->prepare("INSERT INTO modeSets (userID,imageSet,messSet,intSend,msgSend)  VALUES (?, ?, ?, ?, ?)");$stmt->bind_param($cid, $var1, $var2, $var3, $var4);// set parameters and execute$cid = "$varcid";$var1 = "no";$var2 = "no";$var3 = "no";$var4 = "no";$stmt->execute();$stmt->close();$conn->close();   $mess = "Item has been succesfully ADDED.";   header("Location: ../page.php?message=$mess");   exit();

[justsomeguy]

This line is kind of pointless:$cid = "$varcid";Just bind $varcid instead. Also, it's never necessary to quote a single variable. For values that are hard-coded, like all of the "no" values, you don't necessarily need to use placeholders for those, just values that might come from user input or another untrusted source.This page shows several examples of error checking various pieces:http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

[Notretsam]

the $cid is the ID i generate for everything that goes into database, so the $varcid will be final result of that.

 

I presume the format is fine for insert?

 

also since you haven't mentioned anything about the update and delete queries, presume they are fine.

 

on page you link, I can see

echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;echo "Execute failed: (" . $mysqli->errno . ") " . $mysqli->error;

just not sure where to place that in my coding, used to if success or else fail.

[Notretsam]

I was missing the "S" to signify a string, got below coding working.

 

not 100% sure if error code is right though on it.

 

I also presume I should prepare/bind with "update query" as well , don't see a need to do it with delete query.

 

not to sure about "select query" though? i pretty much thinking I don't , SQL Injection can only really occur with adding to database, so presume insert and update query only.

<?php/* INSERT QUERY WITH PREPARED STATEMENT */   $ptIDpone = time();   $ptIDptwo = rand(1,100);   $ptIDpthree = rand(1,100);   $cid = "$ptIDpone$ptIDptwo$ptIDpthree";// Create connection$conn = new mysqli($host, $user, $password, $database);// Check connectionif ($conn->connect_error) {    die("Connection failed: " . $conn->connect_error);}$stmt = $conn->prepare("INSERT INTO imagecat (icatid,imcloginID,imccategory,imchash,imcdesc)  VALUES (?, ?, ?, ?, ?)");$stmt->bind_param('sssss',$cid, $var1, $var2, $var3, $var4);// set parameters and execute$cid = "$cid";$var1 = "no";$var2 = "no";$var3 = "no";$var4 = "no";$stmt->execute();if (!$stmt->execute()) {    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;}$stmt->close();$conn->close();   $mess = "Item has been succesfully ADDED.";   header("Location: ../success.php?message=$mess");   exit();?>

Edited September 2, 2015 by Notretsam

[justsomeguy]

Any query that has any untrusted input, like a variable, needs to be a prepared statement. It doesn't matter if it is a select, insert, update, or delete query. If you are using a value in a variable in PHP in the query, make it a prepared statement. The only queries you don't need to prepare are hard-coded queries that have no other data in them.Method like prepare and bind_param will return false if they fail, you should check for errors there also. Don't call execute twice, just call it once and check for errors.