Session will not show new values - php

I have been trying to get my session update, I have created a basic update with mysql as well, it updates in the sql database but it will not show the change within the page.
I'm not sure what else to check, because I checked within the chrome settings and it does show a php session id value but if I go into session storage it shows nothing.
transaction.php
<?php
$_title = 'Update profile';
require_once(__DIR__.'../../components/header.php');
session_start();
if(! isset($_SESSION['user_name'])){
header('Location: ../sign_in/sign_in.php');
die();
}
if (!isset($_SESSION["lang"])) { $_SESSION["lang"] = "en"; }
if (isset($_POST["lang"])) { $_SESSION["lang"] = $_POST["lang"]; }
require_once(__DIR__.'../../globals.php');
require_once(__DIR__.'../../db.php');
try{
$db = _db();
}catch(Exception $ex){
_res(500, ['info'=>'System under maintainance','error'=>__LINE__]);
}
$userProduct = $_SESSION['user']['user_id'];
$q = $db->prepare('SELECT * FROM users WHERE user_id = :userID');
$q->bindValue(":userID", $userProduct);
$q->execute();
require "../lan/lang." . $_SESSION["lang"] . ".php";
?>
<form class="style_form" id="update_profile" onsubmit="return false">
<div>
<label for="name"><?=$_TXT[63]?></label>
<input type="text" name="name" value="<?php echo $_SESSION['user']['user_name']?>">
</div>
<div>
<label for="last_name"><?=$_TXT[64]?></label>
<input type="text" name="last_name" value="<?php echo $_SESSION['user']['lastName']?>">
</div>
<div>
<label for="email"><?=$_TXT[65]?></label>
<input name="email" value="<?php echo $_SESSION['user']['email']?>" type="text">
<input type="hidden" name="userId" value="<?php echo $_SESSION['user']['user_id'] ?>">
<button onclick="update()" id="updateButton"><?=$_TXT[60]?></button>
</form>
</section>
<?php
require_once(__DIR__.'../../components/footer.php');
?>
api-transaction.php
<?php
require_once(__DIR__.'../../globals.php');
// Validate name
if( ! isset( $_POST['name'] ) ){ _res(400,['name is required']); }
if( strlen( $_POST['name'] ) < _FRIST_NAME_MIN_LEN ){ _res(400,['name min '._FRIST_NAME_MIN_LEN.' characters']); }
if( strlen( $_POST['name'] ) > _FRIST_NAME_MAX_LEN ){ _res(400,['name max '._FRIST_NAME_MAX_LEN.' characters']); }
// Validate last_name
if( ! isset( $_POST['last_name'] ) ){ _res(400,['last_name is required']); }
if( strlen( $_POST['last_name'] ) < _LAST_NAME_MIN_LEN ){ _res(400,['last_name min '._LAST_NAME_MIN_LEN.' characters']); }
if( strlen( $_POST['last_name'] ) > _LAST_NAME_MAX_LEN ){ _res(400,['last_name max '._LAST_NAME_MAX_LEN.' characters']); }
// Validate email
if( ! isset( $_POST['email'] ) ){ _res(400,['email is required']); }
if( ! filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL ) ){ _res(400,['email is invalid']); }
$db = require_once(__DIR__.'../../db.php');
try{
session_start();
// $userid = $_SESSION['userId'];
// $userid = $_SESSION['user']['user_id'];
$userid = $_POST['userId'];
$db->beginTransaction();
//Change name
$q = $db->prepare('UPDATE users SET user_name = :update_Name WHERE user_id = :userid');
$q->bindValue(':userid',$userid);
$q->bindValue(':update_Name', $_POST['name']);
$q->execute();
//Change last name
$q = $db->prepare('UPDATE users SET lastName = :update_lastName WHERE user_id = :userid');
$q->bindValue(':userid',$userid);
$q->bindValue(':update_lastName', $_POST['last_name']);
$q->execute();
//change email
$q = $db->prepare('UPDATE users SET email = :update_email WHERE user_id = :userid');
$q->bindValue(':userid',$userid);
$q->bindValue(':update_email', $_POST['email']);
$q->execute();
// change phone number
$q = $db->prepare('UPDATE users SET phone_number = :update_phone WHERE user_id = :userid');
$q->bindValue(':userid',$userid);
$q->bindValue(':update_phone', $_POST['phone_number']);
$q->execute();
$db->commit();
header('Content-Type: application/json');
$response = ["info" => "info has been updated"];
echo json_encode($response);
}catch(Exception $ex){
http_response_code(500);
echo $ex;
echo 'System under maintainance';
exit();
}

Related

PHP mysql loginreturns Email not found error even though it's in the database

I get this error when i try to login
however the login email and password is already in the MySql database and they have been entered correctly. I am trying to make a website to calculate the odds of winning different types of gambling games and I am going to store the data on the database for each individual user so that they can view it later.
Thanks
login.php
<?php
include('header.html');
if (isset($errors)&& !empty($errors))
{
echo ' <p id="err_msg">Oops! there was a problem:<br>';
foreach ($errors as $msg )
{
echo " - $msg <br>";
}
echo 'Please try again or register here</p>';
}
?>
<form action="login_action.php" method="POST">
<dl>
<dt>Email : <input type="text" name="email"><dd>
<dt>Password: <input type="password" name="pass"><dd>
</dl>
<button type="submit">Login</button>
</form>
register.php
<?php
$page_title = 'GambCalc - Register';
include('header.html');
if ( $_SERVER['REQUEST_METHOD']=='POST')
{
require ('db_connection.php');
$errors = array();
if (empty($_POST['email']))
{$errors[] = 'Enter your first name.' ; }
else
{$e = mysqli_real_escape_string($dbc,trim($_POST['email']));}
if (empty($_POST['pass']))
{$errors[] = 'Enter your password.' ; }
else
{$p = mysqli_real_escape_string($dbc,trim($_POST['pass']));}
if (empty($errors))
{
$q = "SELECT user_id FROM users WHERE email='$e'";
$r = mysqli_query($dbc,$q);
if (mysqli_num_rows($r) != 0)
$errors[] = 'Email address already registered. Login';
}
if (empty($errors))
{
$q = "INSERT INTO users (email, pass) VALUES ('$e',SHA1('$p'))";
$r = mysqli_query($dbc,$q);
if($r)
{
echo '<h1>Registered!</h1>
<p>Login</p>';
}
mysqli_close($dbc);
exit();
}
else
{
echo '<h1>Error!</h1>
<p id="err_msg">The folloiwng error(s) occurred:<br>';
foreach($errors as $msg )
{
echo " - $msg<br>";
}
echo 'Please try again </p>';
mysqli_close($dbc);
}
}
?>
<h1>Register</h1>
<form action="register.php" method="POST">
<p>
Email address : <input type="text" name="email"
value="<?php if ( isset($_POST['email']))
echo $_POST['email'];?>">
</p>
<p>Password : <input type="password" name="pass" value="<?php if(isset($_POST['pass'])) echo $_POST['pass'];?>"></p>
<p><input type="submit" value="Register"></p>
</form>
login_tools.php
<?php # LOGIN HELPER FUNCTIONS.
# Function to load specified or default URL.
function load( $page = 'login.php' )
{
# Begin URL with protocol, domain, and current directory.
$url = 'http://' . $_SERVER[ 'HTTP_HOST' ] . dirname( $_SERVER[ 'PHP_SELF' ] ) ;
# Remove trailing slashes then append page name to URL.
$url = rtrim( $url, '/\\' ) ;
$url .= '/' . $page ;
# Execute redirect then quit.
header( "Location: $url" ) ;
exit() ;
}
# Function to check email address and password.
function validate( $dbc, $email = '', $pwd = '')
{
# Initialize errors array.
$errors = array() ;
# Check email field.
if ( empty( $email ) )
{ $errors[] = 'Enter your email address.' ; }
else { $e = mysqli_real_escape_string( $dbc, trim( $email ) ) ; }
# Check password field.
if ( empty( $pwd ) )
{ $errors[] = 'Enter your password.' ; }
else { $p = mysqli_real_escape_string( $dbc, trim( $pwd ) ) ; }
# On success retrieve user_id, first_name, and last name from 'users' database.
if ( empty( $errors ) )
{
$q = "SELECT user_id FROM users WHERE email='$e' AND pass=SHA1('$p')" ;
$r = mysqli_query ( $dbc, $q ) ;
if ( mysqli_num_rows( $r ) == 1 )
{
$row = mysqli_fetch_array ( $r, MYSQLI_ASSOC ) ;
return array( true, $row ) ;
}
# Or on failure set error message.
else { $errors[] = 'Email address and password not found.' ; }
}
# On failure retrieve error message/s.
return array( false, $errors ) ;
}
login_action.php
if ( $_SERVER[ 'REQUEST_METHOD' ] == 'POST' )
{
require ( 'db_connection.php' ) ;
require ( 'login_tools.php' ) ;
list ( $check, $data ) = validate ( $dbc, $_POST[ 'email' ], $_POST[ 'pass' ] ) ;
if ( $check )
{
session_start();
$_SESSION[ 'user_id' ] = $data[ 'user_id' ] ;
load('home.php');
}
else { $errors = $data; }
mysqli_close( $dbc ) ;
}
include ( 'login.php' ) ;
?>

Because in your query, it filtered the email with '$e' values. I think you should change it into something like this...
$q = "SELECT user_id FROM users WHERE email='".$e."'";
for checking, you can use var_dump or print_r
You should also update your other queries with the same format.
$q = "INSERT INTO users (email, pass) VALUES ('".$e."',SHA1('".$p."'))";

Change your query to $q = "SELECT user_id FROM users WHERE email='".$e."'";

In php: change password is not updating in database

I have a task for registration form where I want to change the password. There are no errors, it is changing when I am doing variable dump (var_dump). Also, it is showing changed password on front-end but not updating in database. I have tried a lot to update in database but what am I doing wrong? I think query problem. Can anybody point in the right direction to solve my query problem? Thanks in advance...
<?php
require_once ( "./connect.php" );
if ( !empty ( $_POST ['submit'] ) ) {
$current_password = md5 ( $_POST [ 'current_password' ] );
$new_password = md5 ( $_POST [ 'new_password' ] );
$confirm_password = md5 ( $_POST [ 'confirm_password' ] );
$sql = ( "SELECT `password` FROM `user` WHERE `username` = '$confirm_password' " ) or die ( "Query didn't work" );
$result = $db->query($sql);
$current_password = $result [ 'password' ];
if ( $current_password == $current_password ) {
if ( $new_password == $confirm_password ) {
$sql = ( "update `user` SET `password`='{$confirm_password}' WHERE user_id = $_COOKIE[id]" );
echo 'success!';
} else {
echo 'New passwords doesn t match!';
}
}
} else {
echo 'Current password doesn t match';
}
?>
<form action = "" method = "POST">
Current-Password: <input type = "password" name = "current_password" value = ""/><br><br>
New-Password: <input type = "password" name = "new_password" value = ""/><br><br>
Confirm-Password: <input type = "password" name = "confirm_password" value = ""/><br><br>
<input type="submit" name="submit" value="change password"/>
</form>
// connect.php file
<?php
$db = new mysqli("localhost", "root", "", "registration");
if($db->connect_error){
exit("cannot connect to database");
}
?>

Run the query after $sql
$sql = ( "update `user` SET `password`='{$confirm_password}' WHERE user_id = $_COOKIE[id]" );
$db->query($sql); //this is missing that why no data update

Hi please check this
<?php
require_once ( "./connect.php" );
if ( !empty ( $_POST ['submit'] ) ) {
$current_password = md5 ( $_POST [ 'current_password' ] );
$new_password = md5 ( $_POST [ 'new_password' ] );
$confirm_password = md5 ( $_POST [ 'confirm_password' ] );
$sql = ( "SELECT `password` FROM `user` WHERE `username` = 'shan' " ) or die ( "Query didn't work" );
$result = $db->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
$current_password1 = $row["password"];
}
}
if ( $current_password == $current_password1 ) {
if ( $new_password == $confirm_password ) {
$sql = ( "update `user` SET `password`='{$confirm_password}' WHERE user_id = 1" );
$result = $db->query($sql);
echo 'success!';
} else {
echo 'New passwords doesn t match!';
}
}
} else {
echo 'Current password doesn t match';
}
?>
<form action = "" method = "POST">
Current-Password: <input type = "password" name = "current_password" value = ""/><br><br>
New-Password: <input type = "password" name = "new_password" value = ""/><br><br>
Confirm-Password: <input type = "password" name = "confirm_password" value = ""/><br><br>
<input type="submit" name="submit" value="change password"/>
</form>
Some correction are made in your code are following:
make correction in username (currently your using password as username).
use while loop to fetch password form query result.
compare entered current password with db password (use different variables for both).
set cookie before use else accept user id from user (you're using $_COOKIE['user_id'].
execute update query on db.

Why doesn't my UPDATE query work? MySQL

I'm working on a blog website and i'm currently stuck at making a blog edit page. For some reason my blog UPDATE query doesn't work, and i can't figure out why it isn't working. I'm not getting an error. It is just not updating anything.
I'm collecting the data from an old blog and inserting it into my form. And then I'm trying to update it using my update query.
This is my code so far:
aanpassen.php
<?php
$error=false;
include_once('includes/connection.php');
include_once('includes/article.php');
$article = new Article;
if ( isset( $_POST ['id'], $_POST['title'], $_POST['content'] ) ) {
$id = $_POST ['id'];
$title = $_POST['title'];
$content = nl2br( $_POST['content'] );
if (empty($title) || empty($content) || empty($id)){
$error='All fields are required!';
} else {
$query = $pdo->prepare("UPDATE articles SET article_title = :title,
article_content = :content WHERE id=:id");
if( $query ){
$id = $_POST ['id'];
$query->bindValue(':title', $title);
$query->bindValue(':content', $content);
$query->bindValue(':id', $id);
$query->execute();
header( sprintf( 'Location: index.php?status=%s', $result ? 'ok' : 'failed' ) );
} else {
exit('bad foo - unable to prepare sql query');
}
}
}
if ( isset( $_GET['id'] ) ) {
$id = $_GET['id'];
$data = $article->fetch_data( $id );
} else {
header('Location: index.php');
exit();
}
?>
<form action="aanpassen.php" method="post" autocomplete="off">
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<input type="text" name="title" class="titleform" placeholder="Blog naam" value="<?php echo $data['article_title']; ?>" />
<textarea name="content" id="summernote" rows="15" cols="50"><?php echo $data['article_content'] ?></textarea>
<input type="submit" class="buttonclass" value="Aanmaken" />
</form>
<?php
if ($error)
printf('<h1>%s</h1>', $error);
?>
connection.php
<?php
try {
$pdo = new PDO('mysql:host=localhost;dbname=cms', 'root', 'root');
} catch (PDOException $e) {
exit('Database error.');
}
?>

you missed ":" in all the bindValue arguments. should be like this:
$query->bindValue(':title', $title);
$query->bindValue(':content', $content);
$query->bindValue(':id', $id);
and also if (empty($title) or empty($content) or empty($id)) this should be if (empty($title) || empty($content) || empty($id)) like this

When you access aanpassen.php initially it's in this format right - aanpassen.php?id=1??
Otherwise your code seems fine when I tested it.
Just Change:
$query->execute();
header( sprintf( 'Location: index.php?status=%s', $result ? 'ok' : 'failed' ) );
To:
$success = $query->execute();
header( 'Location: index.php?status='.( $success ? 'ok' : 'failed' ) );exit();

Update mysql database and skip empty fields

I have two pages, edit.php and editdone.php.
On the edit.php I am able to fill information, which is being sent to editdone.php. That page is then running a query that updates data in the mysql database.
The problem is; if I leave an input field on edit.php empty, editdone.php will then replace the current information in the database with empty data(nothing).
What I want to do is to make the editdone.php update data if something was written in the fields of edit.php. So if I choose to leave some fields empty and for example only fill one field in the form, I want to only update the filled fields with the filled data and NOT replace the not filled field with empty data. Those field should then, if I haven't filled any data in edit.php, keep the already existing data.
edit.php
<?php
if (!empty($error_msg)) {
echo $error_msg;
}
$cn = $_POST['cname'];
?>
<form action="editdone.php" method="POST" enctype="multipart/form-data" name="editdone" onsubmit="return validateForm()">
<input type="hidden" name="namec" value="<?php echo htmlspecialchars($cn); ?>">
<br>
Fyll i Företagets namn: <br>
<input type="text" name="company_name" id="company_name">
<br><br>
Lägg till en logga:
<input type="file" name="image" id="image">
<br><br>
Description:<br>
<textarea name="description" id="description" rows="4" cols="50"></textarea>
<br>
<br>
Fyll i välkomnings meddelande:<br>
<textarea name="welcome_text" id="welcome_text" rows="5" cols="50"></textarea>
<br>
<br>
Fyll i ett tack meddelande:<br>
<textarea name="thanks_message" id="thanks_message" rows="5" cols="50"></textarea>
<br>
<br>
<input type="submit" name="submit" value="Nästa" />
</form>
editdone.php
<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
if(mysqli_connect_errno())
{
echo mysqli_connect_error();
}
$namenamec = $_POST['namec'];
$company_name = $_POST['company_name'];
$description = $_POST['description'];
$welcome_text = $_POST['welcome_text'];
$thanks_message = $_POST['thanks_message'];
$image = addslashes (file_get_contents($_FILES['image']['tmp_name']));
$logo = getimagesize($_FILES['image']['tmp_name']);
$image_type = $logo['mime'];
$q = "UPDATE project SET project_name='$company_name', description='$description', image='$image', image_type='$image_type', welcome_text='$welcome_text', thanks_message='$thanks_message' WHERE project_name='$namenamec' ";
$r = mysqli_query($mysqli,$q);
if($r)
{
echo "<br>Information stored successfully";
}
?>

For every input/textarea in edit.php, insert a <input type="hidden" value="company_name_old> etc... with the previous value. Then in editdone.php, check if the value in POST is empty or not.
<?php
$company_name = $_POST['company_name'];
if($company_name==""){
$company_name=$_POST['company_name_old'];
}
...
?>

1 cheap "hack" is to assign the current value of the field to the value of the input field and then concat the two strings or values together then save that var. to the database.

<?php
ini_set('display_errors',1);
error_reporting(E_ALL);
if(mysqli_connect_errno())
{
echo mysqli_connect_error();
}
$company_name = "";
$description = "";
$welcome_text = "";
$thanks_message = "";
$image = "";
$logo = "";
$image_type = "";
$namenamec = $_POST['namec'];
$company_name = $_POST['company_name'];
$description = $_POST['description'];
$welcome_text = $_POST['welcome_text'];
$thanks_message = $_POST['thanks_message'];
if( isset($_FILES) )
{
if( !empty($_FILES) )
{
if( isset($_FILES['image']['tmp_name']) )
{
if( $_FILES['image']['tmp_name'] != "" && !empty($_FILES['image']['tmp_name']) )
{
$image = addslashes (file_get_contents($_FILES['image']['tmp_name']));
if( $image != "" && !empty($image) )
{
$logo = getimagesize($_FILES['image']['tmp_name']);
$image_type = $logo['mime'];
}
}
}
}
}
$update_values = array();
if($company_name != "")
$update_values[] = "project_name='".$company_name."'";
if($description != "")
$update_values[] = "description='".$description."'";
if($image != "")
$update_values[] = "image='".$image."'";
if($image_type != "")
$update_values[] = "image_type='".$image_type."'";
if($welcome_text != "")
$update_values[] = "welcome_text='".$welcome_text."'";
if($thanks_message != "")
$update_values[] = "thanks_message='".$thanks_message."'";
$update_values_imploded = implode(', ', $update_values);
if( !empty($update_values) )
{
$q = "UPDATE project SET $update_values_imploded WHERE project_name='$namenamec' ";
$r = mysqli_query($mysqli,$q);
if($r)
{
echo "<br>Information stored successfully";
}
}
?>

Try replacing your query like this.
$q = "UPDATE project SET ";
$q .= $company_name ? "project_name='$company_name', " : "";
$q .= $description ? "description='$description', " : "";
$q .= $image ? "image='$image'," : "";
... so on(all fields)
$q .= "WHERE project_name='$namenamec'";
Make sure you remove , for last value

you can do like this here i have made only one variable you can check for each posted variable and append the $q variable as on
$q = "UPDATE project SET";
if(isset($_POST['namec']) && $_POST['namec']!=""){
$q.=" project_name='".$_POST['namec']."' ,";
}
$q=rtrim(',',$q);
$q.="WHERE project_name=".$namenamec;

PHP session variable clearing unexpectedly, db value check empty despite obvious match

I have been struggling with this one for hours and hours and just cannot figure out what I'm missing.
I'm trying to build a cookie-less login form that also has no information in session variables that would harm the app if an attacker would be able to modify them.
All of my pages have the below code included.
I have 2 issues:
Every time I click on another page it acts like $_SESSION['token'] was empty and goes to the login page like if it was the first visit.
It returns $tokenid and $tokentype empty however I'm calling them both every time a page is loading (aiming to avoid having to put them into a session variable).
This is my current code:
<?php
define('TIMEOUTMIN', 15);
define('LOCKOUTMIN', 10);
define('LOCKOUTNUM', 3);
include("includes/pp/pbkdf2.php"); // this is basically calling the validate_password function
include ("includes/vars/vars_dbconn.php"); // this contains the db data and $pdo
$userid = $_POST['userid'];
$userpw = $_POST['password'];
$deltoq = "UPDATE LoginUser SET token = ?, online = ? WHERE online < ?";
$prepdeltoq = $pdo->prepare($deltoq);
$prepdeltoq->execute(array(NULL,NULL,time()));
$loginq = "SELECT * FROM LoginUser WHERE ID = ?";
$preplq = $pdo->prepare($loginq);
$preplq->execute(array($userid));
$getuser = $preplq->fetch(PDO::FETCH_ASSOC);
$dbid = $getuser['ID'];
$dbpass = $getuser['hash'];
$dbbp = $getuser['bp'];
$dbltime = $getuser['ltimeout'];
$logintoq = "SELECT * FROM LoginUser WHERE token = ?";
$prepltq = $pdo->prepare($logintoq);
$prepltq->execute(array($_SESSION['token']));
$getoken = $prepltq->fetch(PDO::FETCH_ASSOC);
$tokenid = $getoken['ID'];
$tokentype = $getoken['type'];
$totoken = $getoken['token'];
$prolonglock = $pdo->prepare("UPDATE LoginUser SET ltimeout = ? WHERE ID = ?");
$addbp = $pdo->prepare("UPDATE LoginUser SET bp = ? WHERE ID = ?");
$loginwhen = $pdo->prepare("UPDATE LoginUser SET lastlogin = ? WHERE ID = ?");
$loginlogq = $pdo->prepare("INSERT INTO LoginUserLog (ID, action)
VALUES(:ID, :action)");
$logintokenid = $pdo->prepare("UPDATE LoginUser SET token = ? WHERE ID = ?");
$loginonid = $pdo->prepare("UPDATE LoginUser SET online = ? WHERE ID = ?");
$loginontok = $pdo->prepare("UPDATE LoginUser SET online = ? WHERE token = ?");
if(!function_exists('LoginUser')) {
function LoginUser($pwmessage) {
if (session_name() <> 'MyWebApp') session_name('WesoftskyLogin');
if (!session_id()) session_start();
$_SESSION['token'] = '';
include ("includes/header.php"); ?>
<meta name="description" content="Login - MyWebApp"/>
<title>Login - MyWebApp</title>
<script type="text/javascript">
event.keyCode == '';
function enterTab() {
if (event.keyCode == 13) {
var passInput = document.getElementById("password");
passInput.focus();
}
}
</script>
</head>
<body onkeyup="enterTab()">
<div id="homewrap">
<div id="hometitle">MyWebApp</div>
</div>
<div id="id_formwrap">
<form action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING']); ?>" method="post">
<?php if (empty($pwmessage)) echo '<div>Please enter your login details</div>'; else echo '<div style="color:red">'.$pwmessage.'</div>'; ?><br />
Login ID<br />
<input type="text" name="userid" id="id" onKeyPress="return noenter(event)" /><br /><br />
<script>document.getElementById("id").focus()</script>
Password<br />
<input type="password" name="password" id="password" /><br /><br />
<input type="submit" name="login" id="Submit" value="Login" />
</form>
</div>
</body>
</html>
<?php exit();
}
}
if(!function_exists('ProlongTime')) {
function ProlongTime() {
global $userid;
global $logintokenid;
global $loginonid;
global $loginontok;
$timeoutodb = (time () + TIMEOUTMIN*60);
if (!empty($userid)) {
$_SESSION['token'] = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
$logintokenid->execute(array($_SESSION['token'], $userid));
$loginonid->execute(array($timeoutodb, $userid));
} else {
$loginontok->execute(array($timeoutodb, $_SESSION['token']));
}
}
}
if ($dbltime > time()) {
$lockcheck = time() + LOCKOUTMIN*60;
$prolonglock->execute(array($lockcheck,$userid));
LoginUser('Your account is currently locked');
}
if(isset($_POST['logout'])) {
$action = "Logged OUT";
$loginlogq->execute(array(':ID' => $tokenid, ':action' => $action));
LoginUser('Logged out');
}
if (isset($_POST['login'])) {
if ($dbid AND validate_password($userpw, $dbpass)) { // Good login info
//session_regenerate_id(true);
$action = "Logged IN";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
$loginwhen->execute(array(time(), $userid));
$addbp->execute(array(NULL, $userid));
ProlongTime();
} else { // Bad login info
if ($dbbp >= LOCKOUTNUM-1) {
$lockbp = time() + LOCKOUTMIN*60;
$prolonglock->execute(array($lockbp,$userid));
$action = "Locked (wrong password)";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
LoginUser('Your account has been locked');
}
$addbp->execute(array($dbbp+1, $userid));
$action = "Failed login";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
LoginUser('Username or password is incorrect');
}
} elseif (empty($_SESSION['token'])) { // Loading the page first time (new session)
LoginUser('');
} elseif ($_SESSION['token'] <> $totoken) { // Session timeout
$action = "Logged OUT (expired)";
$loginlogq->execute(array(':ID' => $tokenid, ':action' => $action));
echo 'tokenid: '.$tokenid;
} else ProlongTime(); // While using the app and still within time
$pdo = null;
?>

You need to put
session_start()
in the starting of the page.

Categories