Another newbie: more session issues 1

[TheConeHead]

I am trying:

<?
if ($uname = "username" && $pword == "password") {
     $HTTP_SESSION_VARS['access'] = "yes";
}
if (isset($HTTP_SESSION_VARS['access'])) {
     echo "[b]<a href='page.php?action=newAction'>New Teacher</a>[/b]";
     if ($action == "newTeach") {
            echo "new teacher";
     }
} else {
     echo "<form action='page.php' method='post'>";
     echo "Username: <input type='text' name='uname' value=''><br>";
     echo "Password: <input type='password' name='pword' value=''><br>";
     echo "<input type='image' src='images/submit.gif' border='0' alt=''>";
     echo "</form>";
 }
 ?>

Every thing works fine until I click on the bolded link, it then takes me back to the login screen as if the session has been lost... what am I doung wrong?

 

[DRJ478]

Do you start the session using session_start()? Your code does not show that you do.
Also:
Unless you have an OLD version of PHP you should start using the superglobal arrays, e.g. $_SESSION rather than $HTTP_SESSION_VARS. It is not only less typing, but the older counterparts are deprecated and support is not guaranteed.

 

[TheConeHead]

thanks... session_start() did it... also made the _session change...

 

[Vragabond]

A few more observations:

1. You're assuming register_globals is on. Apparently on your system it is, however it is best if you learn to program as if it was off. That way your code will be more portable. In that, change $uname to $_POST['uname'] and $pword to $_POST['pword'].

2. In your if sentence you're assigning value "username" to $uname rather than checking it. This error will cause you to be able to login without a proper username -- just password will suffice. Change it to read:

if ($_POST['uname'] == "username" && $_POST['pword'] == "password") {

 

[DRJ478]

if ($_POST['uname'] == "username" && $_POST['pword'] == "password") {

Are we really checking for the string literals 'username' and 'password'? That does not sound too secure...