
How can I set a SESSION and bind it in a prepared statement, so I can get a result from mysqli where email is equal to my SESSION['email']?

I have this code that I can't get to work, so it only gets the result with my session email:

public static function getById($email) {

    // Initialize session array
    $email = $_SESSION['email'];

    // Build database query
    $sql = "select * from users where email = ?";

    // Open database connection
    $database = new Database();

    // Get instance of statement
    $statement = $database->stmt_init();

    // Prepare query
    if ($statement->prepare($sql)) {

        // Bind parameters
        $statement->bind_param('s', $email);

        // Execute statement
        $statement->execute();

        // Bind variable to prepared statement
        $statement->bind_result($id, $first_name, $last_name, $username, $email, $created, $active);

        // Populate bind variables
        $statement->fetch();

        // Close statement
        $statement->close();
    }

    // Close database connection
    $database->close();

    // Build new object
    $object = new self;
    $object->id = $id;
    $object->first_name = $first_name;
    $object->last_name = $last_name;
    $object->username = $username;
    $object->email = $email;
    $object->created = $created;
    $object->active = $active;
    return $object;
}
jeroen
  • I don't really understand what the problem is, but overwriting the parameter you send to the function is probably not what you want. – jeroen Sep 23 '16 at 19:19
  • Scopes scopes scopes.. the `$_SESSION` supervariable is not accessible through a method scope, you'll need to pass the variable through & ensure you're using `session_start();` – Jaquarh Sep 23 '16 at 19:24

2 Answers

$variable = "I am a variable";

function getVariable() {
    echo $variable;
}

Q) Why would the above script error? A) Scopes...

The $_SESSION['email'] cannot be accessed inside your method; you'll need to either global it, define it, or pass it in as a parameter.

function getById($email)
{
    echo $email;
}

session_start();
getById($_SESSION['email']);
Jaquarh
  • Got it, thanks. I used $user = User::getById($_SESSION['email']); to call the method and now it is working – nicolai olsen Sep 23 '16 at 19:44
  • glad it helped @nicolaiolsen – Jaquarh Sep 23 '16 at 19:51
  • I have another question. Why is it that I have to bind all the columns from my table, and is it insecure with my password even if it is private? – nicolai olsen Sep 23 '16 at 20:26
  • Use PDO rather than MySQLi; you can just use the `execute()` method and pass an array of values rather than bind each parameter. Private scopes just ensure that the variable is only accessible inside the object unless you create a method to return its value - there is no vulnerability using this. All I'd suggest is using a unique generated salt and hashing the password with the salt; that way, if you were to accidentally print sensitive information, it's encrypted, and any attacks will only lead to encryption. @nicolaiolsen – Jaquarh Sep 24 '16 at 10:07
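The fix this answer and its comments converge on (pass the session value into the method, let the driver bind it, select only the columns you need so the password hash stays in the database, and store passwords with a salted hash), as an added example that is not code from the question or the answers. It uses PDO with an in-memory SQLite database so it runs offline; for MySQL only the DSN and credentials change. The class name User, the method findByEmail and the users table layout are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. PDO + in-memory SQLite so it runs
// stand-alone; swap the DSN for MySQL. User/findByEmail/table columns are assumed names.
declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly string $username,
        public readonly string $email,
        public readonly bool $active,
    ) {}

    // The session value arrives as a parameter instead of being read inside the method,
    // and only the columns the caller needs are selected: the password hash is never
    // fetched for a plain profile lookup, so it cannot be printed by accident.
    public static function findByEmail(PDO $db, string $email): ?self
    {
        $stmt = $db->prepare('SELECT id, username, email, active FROM users WHERE email = ?');
        $stmt->execute([$email]);   // array of values replaces bind_param()/bind_result()
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;            // no such user: caller decides what to do
        }
        return new self((int) $row['id'], $row['username'], $row['email'], (bool) $row['active']);
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT UNIQUE,
           password TEXT, active INTEGER)');

// Constructed sample row. password_hash() generates and embeds its own random salt,
// which is the "unique generated salt" from the comment above done by the library.
$insert = $db->prepare('INSERT INTO users (username, email, password, active) VALUES (?, ?, ?, ?)');
$insert->execute(['nicolai', 'nicolai@example.com', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

// Simulated session for the demo; a real request calls session_start() and the login
// handler fills this in after verifying the password with password_verify().
$_SESSION = ['email' => 'nicolai@example.com'];

$user = User::findByEmail($db, $_SESSION['email']);
var_dump($user?->username);                          // the logged-in user's name

$missing = User::findByEmail($db, 'nobody@example.com');
var_dump($missing);                                  // null, handled without a notice
```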

Binding essentially just sets a pointer/reference between a PHP variable and a placeholder in a query. That's it. Since you bound $email, any changes to $email will have NO effect on $_SESSION['email'], even though that's where $email came from. There's no code link between them once the assignment is completed.

You want this instead:

$statement->bind_param('s', $_SESSION['email']);

and similar for when you bind_result as well. There's no link between $email and $_SESSION, so anything that a DB fetch call stuffs into $email will have NO effect on the session var.

Marc B