I searched for this question but couldn't find it.
I have made a create user page that will allow the user to create an account on my page using a username. Usernames can be any combination of letters and numbers. When they create the user, it is supposed to call the same page, then redirect the user to the main page when it sees that the session variable is now set.
When I create a user with only letters in the username, it works fine and redirects them to the index page. However, when I create a user such as "student1", it will not set the session variable and therefore does not redirect them.
You can try it yourself at http://collinmath.com/accounts/create.php to see what I mean. (Just don't use real info, since I haven't set up SSL yet.)
<?php
// Assumed to be set in an include before this point (not shown in the posted
// code): session_start(), the DB credentials $hostname, $username, $password
// and $dbname, and the $errors array that register() appends to.
if (!isset($errors)) {
    $errors = array();
}

// call the register() function if register_btn is clicked
if (isset($_POST['register_btn'])) {
    // Set variables equal to POST data
    $login_name = $_POST['username'];
    $first_name = $_POST['firstname'];
    $last_name  = $_POST['lastname'];
    $email      = $_POST['email'];
    $role       = $_POST['role'];
    $pwd1       = $_POST['password_1'];
    $pwd2       = $_POST['password_2'];
    register();
}

// Register function will check the input and add the user if
// the input is accepted
function register() {
    global $login_name;
    global $first_name;
    global $last_name;
    global $email;
    global $role;
    global $errors;
    global $connection;
    global $pwd1;
    global $pwd2;
    global $hostname;
    global $username;
    global $password;
    global $dbname;

    // Connect to database
    $connection = mysqli_connect($hostname, $username, $password);
    mysqli_select_db($connection, $dbname);

    // Check that username contains only letters and numbers
    if (preg_match('/[^A-Za-z0-9]/', $login_name)) {
        array_push($errors, "Username must contain only letters and/or numbers");
    } else {
        $login_name = strtolower($login_name);
    }

    // The names are bound as parameters of prepared statements below, so they
    // must not also be passed through mysqli_real_escape_string() (as the
    // original code did): escaping plus binding stores O'Brien as O\'Brien.

    // Validate registration input and generate error log if there are issues
    // Check if username is taken or empty
    if (strlen($login_name) > 4) {
        $query = "SELECT `User_Login` AS `Login` FROM `CMP_Users` WHERE `User_Login`=?";
        $mysqli = new mysqli($hostname, $username, $password, $dbname);
        $mysqli->set_charset("utf8");
        $stmt = $mysqli->prepare($query);
        $stmt->bind_param("s", $login_name);
        $stmt->execute();
        $result = $stmt->get_result();
        $row = $result->fetch_assoc();
        // fetch_assoc() returns null when no row matched, and the column key must
        // be a quoted string (the original $row[Login] used an undefined constant)
        if ($row !== null && $row['Login']) {
            array_push($errors, "That username is taken");
        }
        $stmt->close();
        $mysqli->close();
    } else {
        array_push($errors, "Username must be at least 5 characters long");
    }
    if (strlen($login_name) > 16) {
        array_push($errors, "Username must be 16 characters or less");
    }

    // Check First name
    if ($first_name) {
        if (preg_match('/[^A-Za-z\'\-\s]/', $first_name) || !preg_match('/[A-Za-z]/i', $first_name)) {
            array_push($errors, "First Name is not valid");
        }
        if (strlen($first_name) > 15) {
            array_push($errors, "First name must be 15 characters or less");
        }
    } else {
        array_push($errors, "Must enter a first name");
    }

    // Check Last name
    if ($last_name) {
        if (preg_match('/[^A-Za-z\'\-\s]/', $last_name) || !preg_match('/[A-Za-z]/i', $last_name)) {
            array_push($errors, "Last Name is not valid");
        }
        if (strlen($last_name) > 25) {
            array_push($errors, "Last name must be 25 characters or less");
        }
    } else {
        array_push($errors, "Must enter a last name");
    }

    // Validate e-mail
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        array_push($errors, "Please enter a valid e-mail address");
    }
    if (strlen($email) > 50) {
        array_push($errors, "E-mail address must be 50 characters or less");
    }

    // Check if role is legal
    $role_value = 0;
    if ($role == 'student') {
        $role_value = 1;
    } else if ($role == 'teacher') {
        $role_value = 2;
    } else {
        array_push($errors, "No role selected");
    }

    // Check if passwords match
    if ($pwd1 != $pwd2) {
        array_push($errors, "Passwords do not match");
    } else {
        // Check if passwords meet criteria: at least one non-word character,
        // at least one digit, at least 10 characters
        if (!preg_match('/\W/', $pwd1) || !preg_match('/[0-9]/', $pwd1) ||
            strlen($pwd1) < 10) {
            array_push($errors, "Password is not valid");
        }
    }

    // If there are no errors, commit results to DB and create session
    if (empty($errors)) {
        // Hash passwords for DB storage
        $pwd1 = password_hash($login_name . $_POST['password_1'], PASSWORD_DEFAULT);
        /*
        THIS WILL NEED TO BE UPDATED WHEN E-MAIL VALIDATION IS IMPLEMENTED
        */
        // Create query for inserting new data
        $add_user_query = "INSERT INTO `CMP_Users` (User_First_Name, User_Last_Name, "
            . "User_Login, User_Email, User_Password, User_Role, User_Created) VALUES "
            . "(?, ?, ?, ?, ?, ?, NOW())";
        $mysqli_add_user = new mysqli($hostname, $username, $password, $dbname);
        $mysqli_add_user->set_charset("utf8");
        $stmt_add_user = $mysqli_add_user->prepare($add_user_query);
        $stmt_add_user->bind_param("sssssi", $first_name, $last_name, $login_name, $email, $pwd1, $role_value);
        $stmt_add_user->execute();
        $stmt_add_user->close();
        $mysqli_add_user->close();

        // Set session variables
        $_SESSION['username'] = $login_name;
        $_SESSION['role']     = $role_value;
        $_SESSION['email']    = $email;
        $_SESSION['fname']    = $first_name;
        $_SESSION['lname']    = $last_name;
        $connection->close();
        header('Location: http://www.collinmath.com/mathpages/index.php');
        exit();
    }

    // Close db connection
    $connection->close();
}

// Check whether the user is already logged in
// and redirect them to the main user page if they are
if (isset($_SESSION['username'])) {
    header('Location: http://www.collinmath.com/mathpages/index.php');
    exit();
}
?>
UPDATE:
So, I changed a bunch of the code and tinkered with the php.ini file, but I'm still having problems. When I look at my cookies, I see the cookie is there. I see the file is created in the sessions folder and that the variables are set in that file, but there is still no session info when I do a var_dump.
My session_save_path and var_dump show this:
/home/[myname]/sessions/
array(0) { }
and the file that is created in my sessions folder looks like this:
username|s:7:"testerz";role|i:1;email|s:19:"email@email.com";fname|s:4:"First";lname|s:6:"Name";
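For reference, here is the create-then-redirect half of this flow written in the order the session machinery needs, followed by the landing-page check. This is an added example, not the poster's code; it assumes PHP 7.3 or later, a single canonical host (APP_HOST, taken from the redirect URL in the question), and that session_start() is the first thing each script does. One check worth making against the posted URLs: the form is served from collinmath.com but redirects to www.collinmath.com, and a session cookie set without a Domain attribute is host-only, so the landing page on the other host never receives it even though the session file on disk is written correctly.

```php
<?php
// Added example (not from the question). Shows: session_start() before any
// output, a fresh session id after registration, the session flushed before
// the redirect, and a redirect that stays on the host that set the cookie.
declare(strict_types=1);

// Canonical host: every page that reads the session must be served from it.
// Taken from the redirect URL in the question; adjust to your deployment.
const APP_HOST = 'www.collinmath.com';

// Session cookie attributes: not readable by scripts, same-site only, and
// HTTPS-only (drop 'secure' until TLS is in place, or the cookie is never sent).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Called after validation succeeds and the INSERT has run. $login_name and
// $role_value are the validated values from the form, as in the question.
function finish_registration(string $login_name, int $role_value): void
{
    // A new session id whenever the session's privilege level changes
    // prevents a pre-login id from being carried into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['username'] = $login_name;
    $_SESSION['role']     = $role_value;

    // Write the session file now so the redirected request cannot race it.
    session_write_close();

    // Redirect to the same host that received the Set-Cookie header. A cookie
    // with no Domain attribute set by collinmath.com is not sent to
    // www.collinmath.com, which would leave $_SESSION empty on arrival.
    header('Location: https://' . APP_HOST . '/mathpages/index.php', true, 303);
    exit();
}

// Landing-page check (index.php in the question): start the session first,
// then read what actually arrived with the request.
function current_user(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['username'] ?? null;
}
```

On the landing page, a var_dump($_SESSION) placed after session_start() is the right place to check what arrived; before it, the array is always empty regardless of what the session file contains.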