This is a short piece of code from my login function. I'm having a problem when trying to get the id from a specific user and indexing it to a new session. The code is commented, hope you guys can help me.

$email = mysql_real_escape_string($_POST['email']);
$password = md5(mysql_real_escape_string($_POST['password']));

include_once("include/connection.php");

$query = "SELECT email,password,id FROM user WHERE email ='".$email."' AND password='".$password."'";
$result = mysqli_query($ligaBD,$query);
$value= mysqli_fetch_array($result);

echo $value['id']; // On this line I get the exact id that I want, but if I try to echo this inside "if(mysqli_num_rows($result) == 1) { }" it's like the value variable does not exist

if(mysqli_num_rows($result) == 1) {
    session_start();
    echo $value['id']=$_SESSION['id'];exit; // Getting this error -> "Notice: Undefined index: id" 
    header("Location: ./cpanel/#welcome");
}
miguelfsf
  • Is your session variable set? It is probably referring to an undefined index of `$_SESSION` called `id`. Try `print_r($_SESSION);` to check. – showdev Apr 16 '13 at 20:36
  • 0_* `mysql_real_escape_string` _combined_ with `mysqli_*`? Seriously? Why aren't you using prepared statements? – Elias Van Ootegem Apr 16 '13 at 20:37
  • I'm a noob at this but I want to learn as much as I can, so help me :b So, what do you advise me to use to be more compatible with mysqli? – miguelfsf Apr 16 '13 at 20:53

2 Answers

To solve your question:

echo $value['id']=$_SESSION['id']

is incorrect, that's why you get an error. You're assigning the value of $value['id'] to $_SESSION['id'] which is UNDEFINED because you haven't given it a proper value yet.

You should be doing

$_SESSION['id'] = $value['id'];
echo $_SESSION['id'];

The problem was: the session didn't exist, you didn't assign the value like you should.

You should also be using isset() to make sure that the session actually exists.

Also make sure that you have the session started at the top of the script with

session_start();

Now a little offtopic:

Don't use md5, it's not safe.

You should also be doing

require_once("include/connection.php");

for executable scripts that you don't want to be missing.

Your code is open to SQL injections, you must use prepared statements to prevent SQL injections.

"But isn't mysql_real_escape_string() enough?" No, it's not.

I've made numerous answers about how to use PDO and prepared statements but you can easily Google this, also for mysqli.

Now that I've answered your question, take a look at my answer here about PHPass and how you can easily use it instead of md5: php md5 password for user login

Jonast92
  • Thanks a lot for your help and advice! I'm sure I will check that – miguelfsf Apr 16 '13 at 20:47
  • md5 not being safe is the least of the OP's worries, really, but instead of using that PHPASS object, why not simply use `crypt`, `CRYPT_BLOWFISH` and some salt... that should do it for now – Elias Van Ootegem Apr 16 '13 at 20:48
  • Sure, but I have only used crypt in java but I've used the phpass library in PHPass for over a year now and I like it a lot, it's safe and very easy to implement so that's why I'm recommending it. Also it was just a sidenote to my answer. – Jonast92 Apr 16 '13 at 20:53
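
The fixes raised in this answer and its comments (assign into `$_SESSION`, a prepared statement instead of escaping, a bcrypt-based hash instead of md5), put together as an added example; it is not code from the question or from either answerer. It assumes the `password` column stores the output of PHP's `password_hash()` (bcrypt by default, PHP 5.5+), and the function name `find_user_id` is made up for illustration.

```php
<?php
// Added example. Assumption: user.password holds password_hash() output,
// not an md5 digest. find_user_id() is a hypothetical helper name.
require_once "include/connection.php"; // provides $ligaBD (mysqli), as in the question

// Returns the user's id when the credentials match, null otherwise.
function find_user_id(mysqli $db, string $email, string $password): ?int
{
    // The placeholder keeps the e-mail out of the SQL text entirely,
    // so no escaping function is involved.
    $stmt = $db->prepare("SELECT id, password FROM user WHERE email = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch(); // true = row fetched, null = no row, false = error
    $stmt->close();

    // The password is compared against the stored hash in PHP; it is never
    // escaped or hashed into the WHERE clause.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}

session_start(); // before any output and before $_SESSION is used

// Reject non-string input (e.g. email[]=x) instead of passing arrays on.
$email    = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

$id = find_user_id($ligaBD, $email, $password);
if ($id !== null) {
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['id'] = $id;       // assign INTO the session, not out of it
    header("Location: ./cpanel/#welcome");
    exit;
}
echo "Invalid e-mail or password.";
```

Existing md5 rows cannot be converted to `password_hash()` values; they have to be replaced when each user next logs in or resets the password.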

That's because you haven't set $_SESSION['id'] yet. From what I can gather, you'll need to set it to the value of $value['id'] (you can't set a variable to something that doesn't exist).

echo $_SESSION['id']=$value['id'];
SamTebbs33