PHP session does not work

Question

Hey guys I am new to PHP and trying to figure out how to implement $_session in a very basic login system:

<?php
session_start();

include 'dbconn.php'; 

$username = $_POST['username'];
$password = $_POST['password'];


$sql = "SELECT * FROM users WHERE username = '$username'";


$result = $conn->query($sql);


$row = $result->fetch_object();

if($username == "$row->username" && $password == "$row->password") {

   $_SESSION['loggedin'] = "$username"; 

    header('Location: admin.php');

} else {

   header('Location: index.php?msg=wrong-username-or-password');

}

The problem is that when if I use local variables like:

$admin_userName = 'admin';
$admin_password = '1234';

and then making the comparison

if($username == "$adminusername" && $password == "$adminpassword") {

   $_SESSION['loggedin'] = "$username"; 

    header('Location: admin.php'); 

The $_session works perfect. But when I use this:

if($username == "$row->username" && $password == "$row->password") {

   $_SESSION['loggedin'] = "$username"; 

    header('Location: admin.php');

The session does not work. Without session the above statement works perfectly!

login.php

<?php
session_start();

include 'dbconn.php'; 

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT * FROM users WHERE username = '$username'";

$result = $conn->query($sql);


$row = $result->fetch_object();

if($username == $row->username && $password == $row->password) {

$_SESSION['loggedin'] = $username; 
header('Location: apptify.php'); 
 } else {
     header('Location: index.php?msg=wrong-username-or-password'); 
 }

logout.php

<?php
session_start();
unset($_SESSION['loggedin']);

header('Location: index.php');
?>

I am really lost, any help is appreciated.

Answer 1

The problem is that when if I use local variables like:
$admin_userName = 'admin'; $admin_password = '1234'; and then making the comparison if($username == "$adminusername" && $password == "$adminpassword") {

The problem is that, you're using:

$admin_userName = 'admin';
$admin_password = '1234';

then using:

if($username == "$adminusername" && $password == "$adminpassword")
                 ^^^^^^^^^^^^^^                   ^^^^^^^^^^^^^^

You forgot the underscores and not matching the variables lettercase.

Variables are case-sensitive.

if($username == "$admin_userName" && $password == "$admin_password")

---

My test script, with success:

<?php
session_start();

$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';

$con = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME)  
       or die(mysqli_connect_error());

$_POST['username'] = "John";
$username = $_POST['username'];

$_POST['password'] = "Johnny";
$password = $_POST['password'];

$_SESSION['loggedin'] = "$username"; 

echo $username; // echo'd John

$sql = "SELECT * FROM users WHERE username = '$username'";

$result = $con->query($sql);

$row = $result->fetch_object();

 if($username == "$row->username" && $password == "$row->password") {

   $_SESSION['loggedin'] = "$username"; 

//    header('Location: admin.php');

echo "Match!";

} else {

//   header('Location: index.php?msg=wrong-username-or-password');

echo "No match.";

}

---

I need to point out that:

You should look into using mysqli with prepared statements, or PDO with prepared statements, they're much safer.

In regards to password storage.

If you're not already hashing passwords rather than what may be a plain text method you may be using, I suggest you look into CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Answer 2

It should be without quotes:

if($username == $row->username && $password == $row->password) {

   $_SESSION['loggedin'] = $username; 
   header('Location: index.php');
}