PHP4 to PHP5 Upgrade problem


time4fishing
January 22nd, 2008, 05:35 PM
I am trying to convert a calendar script from php4 to php5. I have already changed several things that work differently like short tags and a few other syntax differences.

The last issue with my upgrade seems to be how a session setting is being set and/or tested. Also, I am a novice at php code so please provide a little depth with suggestions (all are appreciated). I am just trying to get an old function going on my web site that was fine under php4 but has problems under php5.

It is a calendar application that allows visitors to view scheduled events. However, only the administrator can add events. The application starts in visitor mode and the administrator must go through a login process. On successful login, the page is refreshed with the new admin functions listed (add event and view events) and a logout option. It can be viewed at time4fishing.com/calendar.

In the main script, in the following code, it appears that the $_session['admin'] test is coming back as true because the "add event" and "search" functions are made available (this is before the login process has had a chance to occur).

<table border=0 width="600" cellpadding=10 align=center>
<TR>
<TD>
<?php if(isset($_SESSION['ADMIN']))?>
<?php { ?>
<a href="#" onClick="popup('add.php', 'mywin1', 450, 425)"
onMouseOver="window.status='Add Event To Planner';return true"
onMouseOut="window.status='';return true">
<img src="images/addbtn1.gif" border="0">
</a>&nbsp;&nbsp;
<a href="#" onClick="popup('findme.php', 'rightnowwin', 600, 150)"
onMouseOver="window.status='See what I have scheduled right now';return true"
onMouseOut="window.status='';return true">
<img src="images/findbtn1.gif" border="0">
</a>
<?php } ?>
</TD>
</TR>

The beginning of the index.php script starts like this:

<?php
require("include/calvars.inc.php");
?>

The first statement of the include/calvars is:

<?php
session_start();
if(!isset($_SESSION['ADMIN']))
$_SESSION['ADMIN'] = 0;

Further down in the index.php, the script tests $_SESSION['ADMIN'] again and is testing true because logout and purge functions are shown:

<?php if(!isset($_SESSION['ADMIN'])) { ?>
<A HREF="#"
onMouseOver="window.status='Login';return true"
onMouseOut="window.status='';return true" onClick="popup('login.php', 'Win1', 300, 150); return false"
class="eventlink">Login
</A>
<?php } ?>
<?php if(isset($_SESSION['ADMIN'])) { ?>
<A HREF="#"
onMouseOver="window.status='Logout';return true"
onMouseOut="window.status='';return true" onClick="popup('logout.php', 'Win1', 300, 150); return false"
class="eventlink">Logout
</A>
<?php } ?>
<BR>
<?php if(isset($_SESSION['ADMIN'])) { ?>
<a href="#"
onClick="popup('purgeold.php?daystamp=<?php echo $stamp2;?>', 'purgewin1', 450, 150)"
class="eventlink" style="color:maroon">Purge Old
</a>
<?php } ?>

The login script looks like this:

<?php
mysql_connect($host,$user,$pwd);
mysql_select_db($db);
$sql = "SELECT * FROM `".$admin_table."` WHERE `username`='".$_POST['uname']."' AND password=PASSWORD('".$_POST['upass']."')";
$rs = mysql_query($sql);
if(mysql_num_rows($rs))
{
$_SESSION['ADMIN'] = 1;
print "Success!<BR><BR><A HREF=index.php TARGET=\"mymain\" onClick=\"self.close()\">return to the calendar</A>";
}
else
{
$_SESSION['ADMIN'] = 0;
print "Login failed!<BR><BR><A HREF=\"login.php\">go back</A>";
}
}
else
{
?>


So when calendar/index.php starts it looks as if the admin has already signed on. If you attempt to log off it says it is successful but admin functions remain active. I have dumped session admin and admin looks like it is set to 0 always. This did work fine under php4 but will not under php5. Any help would be greatly appreciated!

PeejAvery
January 22nd, 2008, 07:04 PM
Are you using a session id to make sure that no sessions are being duplicated?

if(@$_COOKIE['COOKIE_NAME'] == ''){
$sesid = 'COOKIE_NAME' . mt_rand(0, 9999999);
setcookie("COOKIE_NAME", $sesid);
}
else{$sesid = $_COOKIE['COOKIE_NAME'];}
session_id($sesid);
session_start();

if(!isset($_SESSION['user']) || @$_SESSION['user'] == 'mustlogin'){
header('Location: login.php');
exit;
}

time4fishing
January 22nd, 2008, 07:40 PM
No, I think it is being used to determine if this is a session that the administrator has logged on to. The login script sets admin to 1 and the logout script sets it to 0 (I think that is what it is supposed to do).

PeejAvery
January 22nd, 2008, 08:00 PM
You misunderstand my point. If you don't set a session id or a session name before starting your session, then the following can occur.

1. User A logs in as administrator.
2. User B views page.
3. User B now has administrator rights because no session_id() or session_name() was set to distinguish the two viewers.

time4fishing
January 22nd, 2008, 11:27 PM
OK, I understand that may close an opening in security which would be good. But still, why was the script working under php4? You can see how it works with php4 under value-websites.com/calendar. The way it works with php5 is time4fishing.com/calendar. Under php5 it comes up as though the administrator has already logged in. You can log off but the script still operates as if the administrator was logged in.

Is the <?php if(isset($_SESSION['ADMIN']))?> statement coded correctly?
Why does it think admin = 1 when it comes up? Looks like it is initialized to = 0 to me.

Thanks for your help and patience. Like I said, I am a novice with this.

PeejAvery
January 22nd, 2008, 11:36 PM
Well, you see, your coding is without syntax errors, but it contains implementation errors. You are using isset() to see if a user is an administrator. However, you set that same session variable to 0 if he is not. Therefore it is considered empty, but still set.

if(!isset($_SESSION['ADMIN']))
$_SESSION['ADMIN'] = 0;

If you keep this implemented, then you need to change the other isset() calls to empty() instead. The function empty() will return false in the presence of no value assigned or zero.
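
The isset() versus empty() behaviour discussed in the last reply, as an added example that is not part of the original thread: it tabulates both checks, plus a stricter comparison, over constructed session states. `is_admin()` is a hypothetical helper and `$session` stands in for `$_SESSION`; the type declarations assume PHP 7 or later.

```php
<?php
// Added example, not code from the thread. $session stands in for $_SESSION
// so the script runs from the command line without session_start().

// Hypothetical helper: treat the visitor as admin only when the flag
// exists AND is exactly the integer 1 that the login script assigns.
function is_admin(array $session): bool
{
    return isset($session['ADMIN']) && $session['ADMIN'] === 1;
}

// Constructed session states that a request to index.php could arrive with.
$cases = [
    'fresh visitor (flag never set)'     => [],
    'after calvars.inc.php sets it to 0' => ['ADMIN' => 0],
    'after successful login'             => ['ADMIN' => 1],
    'after logout sets it back to 0'     => ['ADMIN' => 0],
    'unexpected value'                   => ['ADMIN' => 'yes'],
];

// One row per state: what each style of check would decide.
printf("%-38s %-7s %-8s %s\n", 'session state', 'isset', '!empty', 'is_admin');
foreach ($cases as $label => $session) {
    printf(
        "%-38s %-7s %-8s %s\n",
        $label,
        var_export(isset($session['ADMIN']), true),
        var_export(!empty($session['ADMIN']), true),
        var_export(is_admin($session), true)
    );
}
```

Because calvars.inc.php assigns 0 whenever the flag is missing, the isset() column is true for every request that reaches the page body, which is why the admin links are always shown and the Login link never is.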