Hi,

I have problems with this following script that is called from page1.php
and then go back to the calling page. But it seems the SESSION values are
not saved properly, for in the calling page they are empty.
This is the script:

<?php
session_start();
error_reporting(E_ALL);
if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER
['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER
['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
$_SERVER['DOCUMENT_ROOT']=BASE_PATH;
include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
//echo "SESSION[Login]:".$_SESSION['Login'];
$IdUser=session_id();
$data=date('Y-m-d');
if (!isset($HTTP__VARS["TeachingOnLine"]))
set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
else
$IdUser=$HTTP__VARS["TeachingOnLine"];
// Apertura tabelle dei dati
//mysql_select_db($dbname);
$username=$_POST["username"];
if (strlen($username)<=3)
{
session_write_close();
if (isset($_SERVER['HTTP_REFERER']))
$url=$_SERVER['HTTP_REFERER'];
else
$url='http://'.$SERVER['HTTP_HOST']."/index.php";
header("Location: $url");
}
$username=mysql_escape_string($username);
$password=$_POST["password"];
$password=mysql_escape_string($password);
$tabella="utenti";
// Ricerca nella tabella Utenti la coppia UserName e UserPassword
$query="Select IdUser, Username, UserPassword from $tabella where
('$password'=UserPassword) and ('$username'=Username)";
$result=mysql_query($query) or die(mysql_error());
// Legge IdUser
$record=mysql_fetch_array($result);
//$UserId=$record["IdUser"];
//$Username=$record["Username"];
//echo "UserId=".$UserId;
//echo " Username=".$Username;
// Se esiste l'utente con username e password allora consenti il login
if (mysql_affected_rows()==1)
{
$_SESSION['Login']=True;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login']=False;
////echo '<input type="hidden" name="Login" value='.$_SESSION
['Login'].">";
$UserId=$record['IdUser'];
$Username=$record["Username"];
//echo "UserId=".$UserId;
$permessi="permessiutente";
$query_permessi="Select IdUtente, TipoPermesso from $permessi
where (IdUtente='$UserId')";
$risultato=mysql_query($query_permessi) or die (mysql_error());;
if (mysql_affected_rows()>0)
{
$record=mysql_fetch_array($risultato);
$permit=$record["TipoPermesso"];
//echo "Permesso ".$permit;
if (!isset($_SESSION["TipoPermesso"]))
$_SESSION["TipoPermesso"]=$permit;
////echo '<input type="hidden"
name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">";
//echo "Tipo Permesso :". $_SESSION
['TipoPermesso'];
}
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/index.php";
//echo "Referer: ".$url;
//echo "Login:".$_SESSION['Login'];
session_write_close();
header("Location: $url");
}
else // Invia l'utente sulla pagina di registrazione
{
$_SESSION['Login']=False;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login']=False;
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/script/
RegistraUtente.php";
session_write_close();
header ("Location: $url");
}
?>

The strange thing is that the same script works properly for another
domain.


Francesco

--
http://www.itp-news.com

On Nov 9, 5:44 pm, Ezechiele <esechi...@wolfland.it> wrote:
> Hi,
>
> I have problems with this following script that is called from page1.php
> and then go back to the calling page. But it seems the SESSION values are
> not saved properly, for in the calling page they are empty.
> This is the script:
>
> <?php
> session_start();
> error_reporting(E_ALL);
> if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER
> ['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER
> ['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
> $_SERVER['DOCUMENT_ROOT']=BASE_PATH;
> include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
> if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
> //echo "SESSION[Login]:".$_SESSION['Login'];
> $IdUser=session_id();
> $data=date('Y-m-d');
> if (!isset($HTTP__VARS["TeachingOnLine"]))
> set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
> ...

I wander where's Steve to kick your ass for such flagrant formatting.
I give up.

On 9 Nov, 18:37, Darko <darko.maksimo...@gmail.com> wrote:
> On Nov 9, 5:44 pm, Ezechiele <esechi...@wolfland.it> wrote:
>
>
>
>
>
> > Hi,
>
> > I have problems with this following script that is called from page1.php
> > and then go back to the calling page. But it seems the SESSION values are
> > not saved properly, for in the calling page they are empty.
> > This is the script:
>
> > <?php
> > session_start();
> > error_reporting(E_ALL);
> > if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER
> > ['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER
> > ['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
> > $_SERVER['DOCUMENT_ROOT']=BASE_PATH;
> > include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
> > if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
> > //echo "SESSION[Login]:".$_SESSION['Login'];
> > $IdUser=session_id();
> > $data=date('Y-m-d');
> > if (!isset($HTTP__VARS["TeachingOnLine"]))
> > set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
> > ...
>
> I wander where's Steve to kick your ass for such flagrant formatting.
> I give up.- Hide quoted text -
>
> - Show quoted text -

He's busy over on comp.databases.mysql blaming usenet for his
inability to follow a conversation!

"Ezechiele" <esechiele@wolfland.it> wrote in message
news:47348e78$0$16032$5fc30a8@news.tiscali.it...
> Hi,
>
> I have problems with this following script that is called from page1.php
> and then go back to the calling page. But it seems the SESSION values are
> not saved properly, for in the calling page they are empty.
> This is the script:
>

> $IdUser=$HTTP__VARS["TeachingOnLine"];

I ain't real good with this, but I think your problem has something to do
with that.
When using , if I don't specify a domain, I often have migration
problems as well.


> $url='http://'.$SERVER['HTTP_HOST']."/index.php";
> header("Location: $url");

This too could be the problem.
When you set that location header, you redirected and I don't think the
session carried forward.
(Again - I aint' sure.)
That can be got around by redirecting through javascript, instead of through
HTTP, as you did.




>
> The strange thing is that the same script works properly for another
> domain.
>
>
> Francesco
>
> --
> http://www.itp-news.com

> I wander where's Steve to kick your ass for such flagrant formatting. I
> give up.

Sorry, I didn't realize how it was sent the message. I copied and past
the script here. Sorry again





--
http://www.itp-news.com

<?php
session_start();
error_reporting(E_ALL);
if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
$_SERVER['DOCUMENT_ROOT']=BASE_PATH;
include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
//echo "SESSION[Login]:".$_SESSION['Login'];
$IdUser=session_id();
$data=date('Y-m-d');
if (!isset($HTTP__VARS["TeachingOnLine"])) set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
else
$IdUser=$HTTP__VARS["TeachingOnLine"];
// Apertura tabelle dei dati
//mysql_select_db($dbname);
$username=$_POST["username"];
if (strlen($username)<=3)
{
session_write_close();
if (isset($_SERVER['HTTP_REFERER']))
$url=$_SERVER['HTTP_REFERER'];
else
$url='http://'.$SERVER['HTTP_HOST']."/index.php";
header("Location: $url");
}
$username=mysql_escape_string($username);
$password=$_POST["password"];
$password=mysql_escape_string($password);
$tabella="utenti";
// Ricerca nella tabella Utenti la coppia UserName e UserPassword
$query="Select IdUser, Username, UserPassword from $tabella where ('$password'=UserPassword) and ('$username'=Username)";
$result=mysql_query($query) or die(mysql_error());
// Legge IdUser
$record=mysql_fetch_array($result);
//$UserId=$record["IdUser"];
//$Username=$record["Username"];
//echo "UserId=".$UserId;
//echo " Username=".$Username;
// Se esiste l'utente con username e password allora consenti il login if
(mysql_affected_rows()==1)
{
$_SESSION['Login']=True;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login']=False;
////echo '<input type="hidden" name="Login" value='.$_SESSION['Login'].">";
$UserId=$record['IdUser'];
$Username=$record["Username"];
//echo "UserId=".$UserId;
$permessi="permessiutente";
$query_permessi="Select IdUtente, TipoPermesso from $permessi where (IdUtente='$UserId')";
$risultato=mysql_query($query_permessi) or die (mysql_error());
if (mysql_affected_rows()>0)
{
$record=mysql_fetch_array($risultato);
$permit=$record["TipoPermesso"];
//echo "Permesso ".$permit;
if (!isset($_SESSION["TipoPermesso"]))
$_SESSION["TipoPermesso"]=$permit;
////echo '<input type="hidden" name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">";
//echo "Tipo Permesso :". $_SESSION['TipoPermesso'];
}
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/index.php";
//echo "Referer: ".$url;
//echo "Login:".$_SESSION['Login'];
session_write_close();
header("Location: $url");
}
else // Invia l'utente sulla pagina di registrazione {
$_SESSION['Login']=False;
//echo "SESSION[Login]:".$_SESSION['Login']; $_POST['Login']=False;
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/script/RegistraUtente.php";
session_write_close();
header ("Location: $url");
}
?>

I hope now it is ok :-(




--
http://www.itp-news.com

> I wander where's Steve to kick your ass for such flagrant formatting. I
> give up.

<?php
session_start();
error_reporting(E_ALL);
if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
$_SERVER['DOCUMENT_ROOT']=BASE_PATH;
include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
//echo "SESSION[Login]:".$_SESSION['Login'];
$IdUser=session_id();
$data=date('Y-m-d');
if (!isset($HTTP__VARS["TeachingOnLine"])) set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
else
$IdUser=$HTTP__VARS["TeachingOnLine"];
// Apertura tabelle dei dati
//mysql_select_db($dbname);
$username=$_POST["username"];
if (strlen($username)<=3)
{
session_write_close();
if (isset($_SERVER['HTTP_REFERER']))
$url=$_SERVER['HTTP_REFERER'];
else
$url='http://'.$SERVER['HTTP_HOST']."/index.php";
header("Location: $url");
}
$username=mysql_escape_string($username);
$password=$_POST["password"];
$password=mysql_escape_string($password);
$tabella="utenti";
// Ricerca nella tabella Utenti la coppia UserName e UserPassword
$query="Select IdUser, Username, UserPassword from $tabella where ('$password'=UserPassword) and ('$username'=Username)";
$result=mysql_query($query) or die(mysql_error());
// Legge IdUser
$record=mysql_fetch_array($result);
//$UserId=$record["IdUser"];
//$Username=$record["Username"];
//echo "UserId=".$UserId;
//echo " Username=".$Username;
// Se esiste l'utente con username e password allora consenti il login if
(mysql_affected_rows()==1)
{
$_SESSION['Login']=True;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login']=False;
////echo '<input type="hidden" name="Login" value='.$_SESSION['Login'].">";
$UserId=$record['IdUser'];
$Username=$record["Username"];
//echo "UserId=".$UserId;
$permessi="permessiutente";
$query_permessi="Select IdUtente, TipoPermesso from $permessi where (IdUtente='$UserId')";
$risultato=mysql_query($query_permessi) or die (mysql_error());
if (mysql_affected_rows()>0)
{
$record=mysql_fetch_array($risultato);
$permit=$record["TipoPermesso"];
//echo "Permesso ".$permit;
if (!isset($_SESSION["TipoPermesso"]))
$_SESSION["TipoPermesso"]=$permit;
////echo '<input type="hidden" name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">";
//echo "Tipo Permesso :". $_SESSION['TipoPermesso'];
}
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/index.php";
//echo "Referer: ".$url;
//echo "Login:".$_SESSION['Login'];
session_write_close();
header("Location: $url");
}
else // Invia l'utente sulla pagina di registrazione {
$_SESSION['Login']=False;
//echo "SESSION[Login]:".$_SESSION['Login']; $_POST['Login']=False;
$url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/script/RegistraUtente.php";
session_write_close();
header ("Location: $url");
}
?>

I hope now it is ok :-(



--
http://www.itp-news.com

On Nov 9, 9:13 pm, Ezechiele <esechi...@wolfland.it> wrote:
> > I wander where's Steve to kick your ass for such flagrant formatting. I
> > give up.
>
> <?php
> session_start();
> error_reporting(E_ALL);
> if (!defined("BASE_PATH")) define('BASE_PATH', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : substr($_SERVER['PATH_TRANSLATED'],0, -1*strlen($_SERVER['SCRIPT_NAME'])));
> $_SERVER['DOCUMENT_ROOT']=BASE_PATH;
> include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
> if (!isset($_SESSION['Login'])) $_SESSION['Login']=false;
> //echo "SESSION[Login]:".$_SESSION['Login'];
> $IdUser=session_id();
> $data=date('Y-m-d');
> if (!isset($HTTP__VARS["TeachingOnLine"])) set("TeachingOnLine",$IdUser,time()+60*60*24 *365);
> else
> $IdUser=$HTTP__VARS["TeachingOnLine"];
> // Apertura tabelle dei dati
> //mysql_select_db($dbname);
> $username=$_POST["username"];
> if (strlen($username)<=3)
> {
> session_write_close();
> if (isset($_SERVER['HTTP_REFERER']))
> $url=$_SERVER['HTTP_REFERER'];
> else
> $url='http://'.$SERVER['HTTP_HOST']."/index.php";
> header("Location: $url");}
>
> $username=mysql_escape_string($username);
> $password=$_POST["password"];
> $password=mysql_escape_string($password);
> $tabella="utenti";
> // Ricerca nella tabella Utenti la coppia UserName e UserPassword
> $query="Select IdUser, Username, UserPassword from $tabella where ('$password'=UserPassword) and ('$username'=Username)";
> $result=mysql_query($query) or die(mysql_error());
> // Legge IdUser
> $record=mysql_fetch_array($result);
> //$UserId=$record["IdUser"];
> //$Username=$record["Username"];
> //echo "UserId=".$UserId;
> //echo " Username=".$Username;
> // Se esiste l'utente con username e password allora consenti il login if
> (mysql_affected_rows()==1)
> {
> $_SESSION['Login']=True;
> //echo "SESSION[Login]:".$_SESSION['Login'];
> $_POST['Login']=False;
> ////echo '<input type="hidden" name="Login" value='.$_SESSION['Login'].">";
> $UserId=$record['IdUser'];
> $Username=$record["Username"];
> //echo "UserId=".$UserId;
> $permessi="permessiutente";
> $query_permessi="Select IdUtente, TipoPermesso from $permessi where (IdUtente='$UserId')";
> $risultato=mysql_query($query_permessi) or die (mysql_error());
> if (mysql_affected_rows()>0)
> {
> $record=mysql_fetch_array($risultato);
> $permit=$record["TipoPermesso"];
> //echo "Permesso ".$permit;
> if (!isset($_SESSION["TipoPermesso"]))
> $_SESSION["TipoPermesso"]=$permit;
> ////echo '<input type="hidden" name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">";
> //echo "Tipo Permesso :". $_SESSION['TipoPermesso'];
> }
> $url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/index.php";
> //echo "Referer: ".$url;
> //echo "Login:".$_SESSION['Login'];
> session_write_close();
> header("Location: $url");}
>
> else // Invia l'utente sulla pagina di registrazione {
> $_SESSION['Login']=False;
> //echo "SESSION[Login]:".$_SESSION['Login']; $_POST['Login']=False;
> $url='http://'.$HTTP_SERVER_VARS['HTTP_HOST']."/script/RegistraUtente.php";
> session_write_close();
> header ("Location: $url");}
>
> ?>
>
> I hope now it is ok :-(
>
> --http://www.itp-news.com

I'm not sure, but I also think redirection is the problem. When you
visit a page that sets session values,
the page automatically transmits the session id in . However,
if you redirect the user in the header,
I don't think the browser will bother to read and place the
locally, but will automatically cancel
everything and go to the given address. So, you should try sending
<meta> redirection directives instead of
this, or use Javascript, whatever.

As for the rest of code, consider the following advices:
* Use $_ and $_SERVER instead of $HTTP__VARS and
$HTTP_SERVER_VARS, respectively; $_
and $_SERVER are superglobal, while using HTTP__VARS and
HTTP_SERVER_VARS requires calling
global() on them. Also, unless you're using PHP 4.1.0 or older,
$_ and $_SERVER are recommended
by the manual, for they are newer.
* While debugging, error_reporting( E_STRICT ) is recommended, since
E_ALL doesn't imply E_STRICT which might
* Check mysql_query() for errors differently. Don't use die() since
the users will be left with a blank page.
* Use mysql_real_escape_string instead of mysql_escape_string. Look up
the manual for explanation and
confirmation that it's recommended.
* Don't just redirect the user to the previous page; it doesn't have
to mean they have bad intentions
if they don't fill the data right. If you just take them back to
previous page, they will be confused.
Use error reports instead.
* mysql_affected_rows doesn't count the number of SELECT-ed rows. It
serves the purpose of counting
how many rows were affected by last INSERT, UPDATE, REPLACE or
DELETE queries.
* Don't "calculate" base path, index page, etc. Use some form of
Config class or .ini files to define these values.

Regards,

Darko

"Darko" <darko.maksimovic@gmail.com> wrote in message
news:1194644890.091070.8510@v2g2000hsf.googlegroup s.com...

> I'm not sure, but I also think redirection is the problem. When you
> visit a page that sets session values,
> the page automatically transmits the session id in . However,
> if you redirect the user in the header,
> I don't think the browser will bother to read and place the
> locally, but will automatically cancel
> everything and go to the given address. So, you should try sending
> <meta> redirection directives instead of
> this, or use Javascript, whatever.

I would expect that a META would have the same effect as a header().
That's why it uses the attribute "http-equiv".
I'd be interested to hear if that's how it worked out.

On Nov 9, 11:10 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
> "Darko" <darko.maksimo...@gmail.com> wrote in message
>
> news:1194644890.091070.8510@v2g2000hsf.googlegroup s.com...
>
> > I'm not sure, but I also think redirection is the problem. When you
> > visit a page that sets session values,
> > the page automatically transmits the session id in . However,
> > if you redirect the user in the header,
> > I don't think the browser will bother to read and place the
> > locally, but will automatically cancel
> > everything and go to the given address. So, you should try sending
> > <meta> redirection directives instead of
> > this, or use Javascript, whatever.
>
> I would expect that a META would have the same effect as a header().
> That's why it uses the attribute "http-equiv".
> I'd be interested to hear if that's how it worked out.

I'm not sure, really. I didn't use it for a long time; from the time I
hadn't used
sessions

Although, I know that the page in that case does get completely loaded
and even
shown in the browser, so I reckon maybe the still -get- read,
but it
should be tested.

Until then, Ezechiele should try it with Javascript, just to make sure.

Greetings, Ezechiele.
In reply to Your message dated Friday, November 9, 2007, 19:44:40,

> Hi,

> I have problems with this following script that is called from page1.php
> and then go back to the calling page. But it seems the SESSION values are
> not saved properly, for in the calling page they are empty.
> This is the script:

The strange thing is that You using autoglobal arrays the same time as
deprecated long-name arrays.
Rewrite Your script using recommended autoglobal arrays $_SERVER, $_
only and see if it work.
BTW, make sure You are NOT redirecting from http://www.host/ to http://host


> The strange thing is that the same script works properly for another
> domain.

If that domain on another hoster - probablethey both have different settings
for PHP.


--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>

Greetings, Ezechiele.
In reply to Your message dated Friday, November 9, 2007, 19:44:40,

More light to issue.
Common:
Code structure is ambigous. You're continue to work on user input even if
there's nothing to do after first block.

Pack code into if's, draw logic on paper if that would You better than
raw code.

And please do not use such lame formatting rules. It is hard to decide what
happened after many if's in this code.

Now read the rest: (or load into any environmet with Colorer support and call
errors list)

<?php

session_start();
error_reporting(E_ALL);

if (!defined("BASE_PATH"))
{
define('BASE_PATH', isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] :
// FIX Why not dirname($_SERVER['SCRIPT_NAME']) ??
substr($_SERVER['PATH_TRANSLATED'], 0, -1*strlen($_SERVER['SCRIPT_NAME'])));
}

$_SERVER['DOCUMENT_ROOT'] = BASE_PATH;

include($_SERVER['DOCUMENT_ROOT']."/script/dbconnect.php");
if (!isset($_SESSION['Login']))
{
$_SESSION['Login'] = false;
}

//echo "SESSION[Login]:".$_SESSION['Login'];

$IdUser = session_id();
$data = date('Y-m-d');

if (!isset($_["TeachingOnLine"]))
{
// BUG $_ array does not filled when set called
set("TeachingOnLine", $IdUser, time()+60*60*24*365);
// FIX You should call it yourself if You want to use it's value in current script
// FIX $_["TeachingOnLine"] = $IdUser;
}
else
{
$IdUser = $_["TeachingOnLine"];
}
// Apertura tabelle dei dati
//mysql_select_db($dbname);
$username = $_POST["username"];
if (strlen($username) <= 3)
{
session_write_close();
// BUG CRITICAL: DO NOT TRUST USER INPUT! EVER!
if (isset($_SERVER['HTTP_REFERER']))
{
$url = $_SERVER['HTTP_REFERER'];
}
else
{
$url='http://'.$SERVER['HTTP_HOST']."/index.php";
}
header("Location: $url");
}
$username = mysql_escape_string($username);
$password = $_POST["password"];
$password = mysql_escape_string($password);
$tabella = "utenti";
// Ricerca nella tabella Utenti la coppia UserName e UserPassword
// BUG CRITICAL: DO NOT FETCH PASSWORDS FROM DATABASE! EVER!
$query = "SELECT IdUser, Username, UserPassword FROM $tabella WHERE ('$password' = UserPassword) and ('$username'=Username)";
$result = mysql_query($query) or die(mysql_error());
// Legge IdUser
$record = mysql_fetch_array($result);
//$UserId=$record["IdUser"];
//$Username=$record["Username"];
//echo "UserId=".$UserId;
//echo " Username=".$Username;
// Se esiste l'utente con username e password allora consenti il login
if (mysql_affected_rows() == 1)
{
$_SESSION['Login'] = true;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login'] = false;
////echo '<input type="hidden" name="Login" value='.$_SESSION['Login'].">";
$UserId = $record['IdUser'];
$Username = $record["Username"];
//echo "UserId=".$UserId;
$permessi = "permessiutente";
$query_permessi = "SELECT IdUtente, TipoPermesso FROM $permessi WHERE (IdUtente='$UserId')";
$risultato = mysql_query($query_permessi) or die (mysql_error());;
if (mysql_affected_rows()>0)
{
$record = mysql_fetch_array($risultato);
$permit = $record["TipoPermesso"];
//echo "Permesso ".$permit;
// BUG Why such lame? If You want to change user permissions, You can't before expires.
if (!isset($_SESSION["TipoPermesso"]))
{
$_SESSION["TipoPermesso"] = $permit;
}
////echo '<input type="hidden" name="TipoPermesso" value='.$_SESSION['TipoPermesso'].">";
//echo "Tipo Permesso :". $_SESSION['TipoPermesso'];
}
$url = 'http://'.$_SERVER['HTTP_HOST']."/index.php";
//echo "Referer: ".$url;
//echo "Login:".$_SESSION['Login'];
session_write_close();
header("Location: $url");
}
else // Invia l'utente sulla pagina di registrazione
{
$_SESSION['Login'] = false;
//echo "SESSION[Login]:".$_SESSION['Login'];
$_POST['Login'] = false;
$url='http://'.$_SERVER['HTTP_HOST']."/script/RegistraUtente.php";
session_write_close();
header ("Location: $url");
}
?>

--
Sincerely Yours, AnrDaemon <anrdaemon@freemail.ru>

> Until then, Ezechiele should try it with Javascript, just to make sure.

Hi, excuse me everybody that tried to me if I didn't answer. I
refined my script, reading your posts, and it works better now. I removed
a lot of incongruences, but it still doesn't pass values to the calling
page.
I tried to avoid using javascript for it could be not activated.
It seems that a $_SESSION value couldn't be passed between pages if I use
an header() function, but it is really strange, for I have used the same,
identical script in another site I have written, and it works fine.


Francesco


--
http://www.itp-news.com