
I have a customer table. Each customer has a specific ID. In my project (ecommerce website) I want to store the ID of the user in a `$_SESSION['user_id']` when he/she successfully logs in. How do I do that? What do I need to add? Here's my code:

```php
<?php
// establishing the MySQLi connection
$con = mysqli_connect("localhost","root","","ecommerce");
// checking the user
if(isset($_POST['login'])){
    $email = mysqli_real_escape_string($con,$_POST['c_email']);
    $pass = mysqli_real_escape_string($con,$_POST['pass']);
    $sel_user = "select * from customer where customer_email ='$email' AND customer_pass='$pass'";
    $run_user = mysqli_query($con, $sel_user);
    $check_user = mysqli_num_rows($run_user);
    if($check_user>0){
        $_SESSION['customer_email']=$email;
        echo "<script>window.open('index.php','_self')</script>";
    } else {
        echo "<script>alert('Email or password is not correct, try again!')</script>";
    }
}
?>
```
Funk Forty Niner
juju17
  • Start the session. http://php.net/manual/en/function.session-start.php You also could use `header` instead of `echo ""`. – chris85 Dec 31 '15 at 23:19
  • Oh, and then to get the userid run a fetch on the query result and store the userid in the session variable.. – chris85 Dec 31 '15 at 23:22
  • You should [hash](http://php.net/manual/en/faq.passwords.php) your password and make use of MySQLi's [prepared statements](http://php.net/manual/en/mysqli.prepare.php). – Script47 Dec 31 '15 at 23:23
  • @chris85 I've Already started the session xD I just forgot to copy it as well as the ` – juju17 Dec 31 '15 at 23:32
  • @Script47 Thank you for your suggestion. I'll surely be improving my coding with it :) Happy New Year! – juju17 Dec 31 '15 at 23:33
  • @user4932301 yea, roughly that looks correct. Did you try that and it failed? If so please update the question. – chris85 Dec 31 '15 at 23:34

1 Answer

First, as @chris85 mentioned, call session_start() at the top of your script.

Then, you're almost there. First, you need to get the result object from the results.

```php
$rows = array();

// The question uses the MySQLi extension, so fetch with mysqli_fetch_assoc().
while ($row = mysqli_fetch_assoc($run_user)) {
    $rows[] = $row; // Same as array_push($rows, $row) but has better performance when pushing a single item.
}
```

Then, assuming we know there is only one row returned:

```php
$customerData = $rows[0];
```

Cool. Now, set whatever SESSION variables you want:

```php
$_SESSION["user_id"] = $customerData["user_id"];
...
```

Also, as has been noted in the comments, please please please do not ever store a user's password as plain text. You should hash and salt it. Here is a good starter post to read through: Best way to store password in database

Community
Matthew Herbst
  • Thanks! Happy Holidays! – juju17 Dec 31 '15 at 23:39
  • Follow up question, is this statement possible? ` $user_login = "select * from customer where customer_email = '$_SESSION['email']'";` – juju17 Dec 31 '15 at 23:52
  • I mean, am I allowed to use a $_SESSION['email'] variable in a query? Sublime seems to highlight the background of the word `email` inside the `$_SESSION['']` index. – juju17 Dec 31 '15 at 23:54
  • @user4932301 that's totally allowed. Just make sure you call `isset($_SESSION['email'])` first to make sure there is actually data there. – Matthew Herbst Dec 31 '15 at 23:55
  • Sadly, it shows this error : `Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\ProjectWebDev\HTML\payment.php on line 4` – juju17 Jan 01 '16 at 00:07
  • That's just a syntax error - you likely have a typo on or before line 4. If you can't find it create another question (and comment with a link to it) and we can go through it - not really possible to discuss it in comments. – Matthew Herbst Jan 01 '16 at 00:19
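
The login flow discussed in this thread, as an added example that is not code from the question or the answer: it stores the customer's ID in `$_SESSION['user_id']` using the prepared statements and password hashing recommended in the comments, and covers the follow-up case of querying by a session value through a bound parameter. The `customer_id` column name and a `customer_pass` column holding `password_hash()` output are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed (not on the page): the ID column is named customer_id, and customer_pass
// holds password_hash() output rather than the plain-text password.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
session_start(); // must run before any output is sent

// Returns the customer's ID when the credentials match, otherwise null.
function findCustomerId(mysqli $con, string $email, string $pass): ?int
{
    // Bound parameter: the e-mail never becomes part of the SQL text.
    $stmt = $con->prepare(
        'SELECT customer_id, customer_pass FROM customer WHERE customer_email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch(); // true when a row was fetched, null when none
    $stmt->close();
    // Check the password against the stored hash instead of in the WHERE clause.
    return ($found === true && password_verify($pass, (string) $hash)) ? (int) $id : null;
}

// Follow-up case: query by a session value through a bound parameter.
function currentCustomerEmail(mysqli $con): ?string
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $id = (int) $_SESSION['user_id'];
    $stmt = $con->prepare('SELECT customer_email FROM customer WHERE customer_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found === true ? (string) $email : null;
}

if (isset($_POST['login']) && is_string($_POST['c_email'] ?? null) && is_string($_POST['pass'] ?? null)) {
    $con = new mysqli('localhost', 'root', '', 'ecommerce');
    $id = findCustomerId($con, $_POST['c_email'], $_POST['pass']);
    if ($id !== null) {
        session_regenerate_id(true); // fresh session ID after login (anti-fixation)
        $_SESSION['user_id'] = $id;
        header('Location: index.php');
        exit;
    }
    echo "<script>alert('Email or password is not correct, try again!')</script>";
}
```

Existing plain-text rows in `customer_pass` would have to be replaced with `password_hash($pass, PASSWORD_DEFAULT)` values before `password_verify()` can match them.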