problem with php session

[miocene2]

I' trying to make a logon script for my site using $_SESSION to store a variable that identifies the user who is logged on.

I'm trying to use this code to generate a logon form if the session variable is empty:

            <?php if(!$_SESSION['grid']){
            echo "<p>Please Log in to access your account</p>";
            echo "<form method=\"post\" action=\"loggedin.php\">";
            echo "<table>";
            echo "<tr><td>Group Name:</td><td><input name=\"group\" type=\"text\" /></td></tr>";
            echo "<tr><td>Group Password:</td><td><input name=\"password\" type=\"password\" />";
            echo "<tr colspan=2><td><input name=\"Submit1\" type=\"submit\" value=\"submit\" /></td></tr>";
            echo "</table></form>";}
            ?>

But my problem is the form is always generated whether or not $_SESSION['grid'] exists.


I'm also having trouble with my sql queries that used to work fine until I introduced the session stuff:

For this:

<?php

include("connection.php");
$groupid = $_SESSION['grid'];
$username = mysql_query("SELECT * FROM users WHERE group = $groupid");
  $num_users = mysql_num_rows($username);
  
  
$i=0;
while($row = mysql_fetch_array($username))
  {
  $users[$i] = $row['username'];
  $user_id[$i] = $row['id'];
  $i++;

  }

?>

I get: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/miocene1/public_html/includes/selectusers.phpon line 8

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/miocene1/public_html/includes/selectusers.php on line 12

 

[garrettroyce]

You need to check if something is set before trying to operate on it. Right now, there's a very good chance that $_SESSION['grid'] is null.

Are you remembering to start your session with session_start() ?

 

[misson]

Additionally, if a query fails, the result is FALSE. This is why you're getting the "supplied argument is not a valid MySQL result resource" error. Check the result before using it to prevent the error. Whatever messages you print for the user, make sure you don't disclose too much information

mysql is out of date. mysqli is its replacement. Even better is PDO.

 

[glanceworld]

Please make sure you have open a connection with mysql server. If you already open a connection then run die function like

<?php

include("connection.php");
$groupid = $_SESSION['grid'];
$username = mysql_query("SELECT * FROM users WHERE group = $groupid") or die (mysql_error());
  $num_users = mysql_num_rows($username);
  
  
$i=0;
while($row = mysql_fetch_array($username))
  {
  $users[$i] = $row['username'];
  $user_id[$i] = $row['id'];
  $i++;

  }

?>

 

[misson]

If you already open a connection then run die function like

Whatever you do, please don't use die() and mysql_error(). die() stops output before the page is finished, producing ill-formed HTML. mysql_error() gives too much information to the user, which I mentioned before is something to avoid. The link is to a more thorough explanation of why not to use die().