-1

So I am not sure what to do anymore. I've been trying to create a register/login system for my website. After a lot of struggling my register now works but I can't yet log in to it. I am pretty sure it is a $_SESSION related problem.

So I have two files, one called get_users.php (I know it's a bad name) and one called cart.php. Neither of them has whitespace at the start.

What am I actually trying to do? I am trying to get my session to show up on cart.php.

get_users.php:

    <?php
    $username = $_POST['username'];
    $password = $_POST['password'];

    $con = new mysqli("localhost","root","","ismsite");
    $query = ("SELECT name, comment FROM comments ORDER BY id DESC");
    $result = mysqli_query($con, $sql, MYSQLI_BOTH);
    session_start();
    $_SESSION["user_id"] = $row["user_id"];
    header('Location: cart.php');
    exit();
    ?>

and at the start of cart.php

    <?php
    session_start();
    include 'config/config.php';
    echo $_SESSION["user_id"];
    ?>

I really am at my wits' end here. I've searched this site but I could not find a solution to my problem. Anyone who knows what the problem is?

Additional info:

- Latest PHP installed
- I am running it on a virtual webserver that runs the latest Ubuntu client with LAMP stack installed.
- Database works just fine

Thanks in advance

EDIT:

I changed $row["user_id"]; to $result["user_id"];

But it still doesn't show up

Funk Forty Niner
Ellisan

2 Answers

1

Try this

    // Define $username and $password
    $username = $_POST['username'];
    $password = $_POST['password'];

    //for hashing passwords
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysqli_real_escape_string($db, $username);
    $password = mysqli_real_escape_string($db, $password);
    $password = md5($password);

    //Check username and password from database
    $sql = "SELECT userid FROM users WHERE username='$username' and   password='$password'";
    $result = mysqli_query($db, $sql) or die("Error");

    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

    //If username and password exist in our database then create a session.
    //Otherwise echo error.
    if (mysqli_num_rows($result) == 1) {
        $_SESSION['username'] = $username; // Initializing Session
    } else {
        $error = "Incorrect username or password.";
    }

But you will have to tweak according to your table structure.

  • The above code is a basic one with exposure to MySQL injections. So it's better to create login and registration pages using prepared statements for a secured experience. –  Dec 29 '15 at 13:41
  • This is a terrible bit of code. Not only does it not protect against [SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) but it assumes you're storing passwords as plain text. You really need to [hash your passwords](http://stackoverflow.com/questions/14992367/using-php-5-5s-password-hash-and-verify-function-am-i-doing-it-right) – Machavity Dec 29 '15 at 13:41
  • I just gave his requirement, for which he just wants to log in, but personally I prefer using prepared statements, which I already stated in the above comment. And for hashed passwords, let me edit it. –  Dec 29 '15 at 13:49
  • I put this code in but it still isn't showing the session variable on the screen – Ellisan Dec 29 '15 at 13:50
  • Post your table structure –  Dec 29 '15 at 13:56
  • @Stark Props for cleaning it up but [md5 is just as bad a solution](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) as no hash at all. Understand that your answer, as you leave it, may live on for years and years and people might use this code. So please don't give "quick" examples with bad code – Machavity Dec 29 '15 at 13:57
-3

Maybe $_SESSION["user_id"] is not set. You can test the $_SESSION array with print_r($_SESSION) or print_r($GLOBALS);

Viktor
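
The prepared-statement and password_hash() approach recommended in the comments on the first answer, as an added example that is not code from any poster on this page. An in-memory SQLite database via PDO stands in for the MySQL database; the users table, its columns, the function names and the sample account are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the site's database (assumed table and column names).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Registration side: store a salted, slow hash, never the password or its MD5.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns the user_id on success, null on any failure. */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Bound placeholder: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Look the row up by username only, then verify the hash in PHP.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['user_id'];
}

/** Login handler body: the session is written only after a successful check. */
function login(PDO $pdo, array $post): bool
{
    $userId = authenticate($pdo, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($userId === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);       // fresh session ID once the user is authenticated
    $_SESSION['user_id'] = $userId;    // the value cart.php reads after its own session_start()
    return true;
}

// Constructed requests; results are collected before any output so session_start() can run.
$results = [
    'wrong password'    => login($pdo, ['username' => 'alice', 'password' => 'guess']),
    'quote in username' => login($pdo, ['username' => "alice'", 'password' => 'correct horse']),
    'valid login'       => login($pdo, ['username' => 'alice', 'password' => 'correct horse']),
];
var_dump($results, $_SESSION['user_id'] ?? null);
```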