
I am trying to use my session id for getting the user id of the currently logged-in user.

I would like to write this current user id into another database table if the user fills out a form.

Here is my current code.

User Login:

```php
$query = "SELECT * FROM `users` WHERE email = '".mysqli_real_escape_string($link, $_POST['email'])."'";

$result = mysqli_query($link, $query);

$row = mysqli_fetch_array($result);

if (isset($row)) {

        $hashedPassword = md5(md5($row['id']).$_POST['password']);

        if ($hashedPassword == $row['password']) {

               $_SESSION['id'] = $row['id'];

               if ($_POST['stayLoggedIn'] == '1') {

                     setcookie("id", $row['id'], time() + 60*60*24*365);

               }

               header("Location: loggedinpage.php");

         } else {

                $error = "That email/password combination could not be found.";

         }

} else {

       $error = "That email/password combination could not be found.";
}
```

Here I am trying to use the session id.

```php
include ("connection.php");

$usersid = mysql_query("select id from Users where id ='".$_SESSION['id']."'");

$query = "INSERT INTO `fahrten` (`startort`, `zielort`, `users_id`) VALUES ('".mysqli_real_escape_string($link, $_POST['startort'])."', '".mysqli_real_escape_string($link, $_POST['zielort'])."','$usersid')";

if (!mysqli_query($link, $query))
{
    echo 'nicht eingetragen';
}
else
{
     echo 'eingetragen';
}
header("Location: fahrten.php");
```

Unfortunately every time the value of the users_id is 0 in the database table.

I hope anybody can help me out :)

Henrique Forlani
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Aug 31 '16 at 18:35
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Aug 31 '16 at 18:35
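Editor's note, added example (this is not the asker's code and not an answer posted on the page). The `users_id` of 0 comes from the line `$usersid = mysql_query(...)`: `mysql_query()` belongs to the removed `mysql_*` extension and is being called against a `mysqli` connection, so it returns `false` (and even when it works it returns a result handle, never the id itself); interpolating that into the INSERT string yields an empty value, which MySQL stores as 0 in an integer column. The id is already in `$_SESSION['id']`, so no lookup is needed; it only has to be bound as an integer. The example below rewrites both halves of the question with prepared statements and `password_hash()`/`password_verify()`, as the two comments recommend. It assumes `connection.php` defines `$link` as a `mysqli` object, that `users` has columns `id`, `email`, `password` (with `password` holding `password_hash()` output), and that `fahrten.users_id` is an integer column; `loginUser()` and `insertFahrt()` are names chosen here.

```php
<?php
// Added example, not the asker's code. Assumes connection.php defines $link as a
// mysqli connection, `users` has id/email/password (password = password_hash()
// output) and `fahrten` has an integer users_id column.
declare(strict_types=1);

session_start();                       // must run before $_SESSION is read or written
require 'connection.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on SQL errors

/**
 * Verify email/password and store the user's id in the session.
 * Returns the id on success, null on failure. Both failure causes produce the
 * same result so the caller can show one generic message, as the original does.
 */
function loginUser(mysqli $link, string $email, string $password): ?int
{
    $stmt = $link->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);    // the email never becomes part of the SQL text
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() reads salt and cost out of the stored hash.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    session_regenerate_id(true);       // fresh session id after the privilege change
    $_SESSION['id'] = (int) $id;
    return (int) $id;
}

/**
 * Insert a trip for the logged-in user. $usersId is an int taken from the
 * session, so the column receives the real id instead of 0.
 */
function insertFahrt(mysqli $link, int $usersId, string $startort, string $zielort): int
{
    $stmt = $link->prepare(
        'INSERT INTO fahrten (startort, zielort, users_id) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('ssi', $startort, $zielort, $usersId);   // s = string, i = integer
    $stmt->execute();
    $newId = (int) $stmt->insert_id;
    $stmt->close();
    return $newId;
}

// Handler for the trip form. The login form would call loginUser() the same
// way and then redirect to loggedinpage.php.
if (!isset($_SESSION['id'])) {
    header('Location: login.php');     // not logged in: there is no id to write
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    insertFahrt($link, (int) $_SESSION['id'], $_POST['startort'] ?? '', $_POST['zielort'] ?? '');
    header('Location: fahrten.php');
    exit;                              // stop so nothing runs after the redirect
}
```

At registration the password column must be filled with `password_hash($password, PASSWORD_DEFAULT)` for `password_verify()` to work. The `exit` after each `header('Location: ...')` matters: without it the rest of the script still runs. The example deliberately leaves out the original `setcookie("id", $row['id'], ...)` line; a cookie that contains only the raw user id can be set to any value by the client, so a "stay logged in" feature needs a random token that is looked up server-side instead.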

0 Answers