3

I just started learning mysqli last night and am currently having an issue with a function I created. The function should log in the user. However, when I type in an existing username with the authentic or a made-up password, the login page reloads displaying the $user_id. I'm at a loss as to what is wrong. I didn't have this problem when I had mysql.

/** 
 * Returns FALSE, if no valid user found
 * Returns user_id of matching user with $username and $password
 */
function login ($mysqli, $username, $password) {

    // not required at all
    // $user_id = user_id_from_username($mysqli, $username);

    // initialize, in case we do not get a mysqli-statement
    $userID = FALSE;
    $password = md5($password);
    $stmt = $mysqli->prepare(
                     "SELECT `user_id`          "
                   . "  FROM `users`            "
                   . " WHERE ( `username` = ? ) "
                   . "   AND ( `password` = ? ) "
            );

    if ( $stmt ) {
        $stmt->bind_param('ss', $username, $password);
        $stmt->execute();
        $stmt->bind_result($userID);
        if ( TRUE !== $stmt->fetch()) {
            $userID = FALSE;
        }
        // close only when prepare() succeeded; close() on FALSE is a fatal error
        $stmt->close();
    }
    return $userID; 
}

And here is when I call the function login in the login page. $mysqli is the variable containing the connection to the database.

// Now, needs to check against FALSE to work [changed by @SteAp]

//   var_dump( $login ); returns with int(1) 
//   and this is what I want, the integer 1

//Sends me to start.php but start.php does not recognize 
//the variable $_SESSION['user_id']
if ( FALSE === ($login = login($mysqli, $username, $password)) ) {  
  $errors[] = 'That username/password combination is incorrect';
} else {
  $_SESSION['user_id'] = $login;
  header('Location: start.php');
  exit();
}

if (empty($errors) === false) {
  echo '<div>'. output_errors($errors) . '</div>';
}
thank_you
  • 2
    PLEASE DON'T MD5 PASSWORDS! md5 HAS been broken MANY times and with today's computing power can be broken relatively quickly. – Cole Tobin Sep 02 '12 at 00:08
  • 1
    Regarding password hashing http://php.net/manual/en/faq.passwords.php – SteAp Sep 02 '12 at 00:16
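
The password-hashing advice in the two comments above, as an added example that is not code from the question or from either commenter: a login that verifies with password_verify() and replaces a legacy MD5 value on the next successful login. The function names check_password and login_hashed are hypothetical, and the example assumes the `password` column has been widened to VARCHAR(255).

```php
<?php
// Added example, not code from the thread. Assumes `users`.`password` is
// VARCHAR(255) and may still hold legacy 32-hex-character MD5 values.

/** Returns [bool $ok, ?string $newHash]; $newHash is set when the stored
 *  value should be replaced (legacy MD5 or outdated password_hash() cost). */
function check_password(string $password, string $stored): array {
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: constant-time compare against the old MD5, then upgrade.
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
         ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

/** Returns the user_id on success, FALSE otherwise (same contract as login()). */
function login_hashed(mysqli $mysqli, string $username, string $password) {
    $stmt = $mysqli->prepare('SELECT `user_id`, `password` FROM `users` WHERE `username` = ?');
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($userID, $stored);
    $found = (true === $stmt->fetch());
    $stmt->close();
    if (!$found) {
        return false;
    }
    [$ok, $newHash] = check_password($password, $stored);
    if ($ok && $newHash !== null) {
        $upd = $mysqli->prepare('UPDATE `users` SET `password` = ? WHERE `user_id` = ?');
        if ($upd) {  // store the upgraded hash; login still succeeds if this fails
            $upd->bind_param('si', $newHash, $userID);
            $upd->execute();
            $upd->close();
        }
    }
    return $ok ? $userID : false;
}

// Constructed sample values; this part runs without a database.
[$ok, $upgraded] = check_password('s3cret', md5('s3cret'));
var_dump($ok, password_verify('s3cret', $upgraded));
```

On the calling page, session_start() and session_regenerate_id(true) belong before the assignment to $_SESSION['user_id'], so the authenticated session does not reuse the pre-login session id.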

2 Answers

1

Return the user info, not the count:

// look the user up by name with a prepared statement
$stmt = $mysqli->prepare("SELECT `user_id` FROM `users` WHERE `username` = ?");
$stmt->bind_param("s", $_SESSION['username']);
// get_result() only returns rows for a statement that has been executed
$stmt->execute();
$result = $stmt->get_result();
$user_info = $result->fetch_assoc();

Now, $user_info is either FALSE or the found record. So you can get the id from $user_info['id'] and any other user data respectively.

And, certainly, you need to start a session, before any assignment to $_SESSION gets passed along. Example from PHP manual:

page1.php

session_start();

echo 'Welcome to page #1';

$_SESSION['favcolor'] = 'green';
$_SESSION['animal']   = 'cat';
$_SESSION['time']     = time();

// Works if session cookie was accepted
echo '<br /><a href="page2.php">page 2</a>';

page2.php

session_start();

echo 'Welcome to page #2<br />';

echo $_SESSION['favcolor']; // green
echo $_SESSION['animal'];   // cat
echo date('Y m d H:i:s', $_SESSION['time']);

// You may want to use SID here, like we did in page1.php
echo '<br /><a href="page1.php">page 1</a>';
Your Common Sense
SteAp
0

Replace the following line:

if ($return == 1) {echo $user_id;} else {return false;}

with

if ($return == 1) {return $user_id;} else {return false;}

In your example, you are writing the $user_id variable in the browser, instead of returning it to the function that calls it.

Eduard Luca