
Hi, I'm new to AngularJS and PHP.

I'm trying to maintain a session between two pages, and the code is as follows:

Index.php

```php
<?php
    session_start();
    if(!isset($_SESSION["id"])) {
        $post_date = file_get_contents("php://input");
        $data = json_decode($post_date,true);
        $nme = $data['name'];
        $passwd= $data['password'];
        if (mysql_query("SELECT * FROM `admin_auth` WHERE `username` = '$nme' and `password` = '$passwd' ")) {
            $_session["id"] = $nme;
            echo $_session["id"];
            return;
        } else {
            echo "invalid user";
        }
    }
?>
```

And I'm checking the session as follows:

exe.php

```php
<?php
session_start();
if(!isset($_SESSION['id'])){ //if login in session is not set
    header("Location:index.php");
}
    echo "SESSION set";
?>
```

It always redirects me to the index page, even when the session is set in the index page. Index.php prints out the correct value.

RiggsFolly
Narasimha Maiya
  • 2
    Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)**. It is deprecated, has been for years, and is gone forever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Dec 03 '16 at 12:47
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Dec 03 '16 at 12:47
  • 1
    You also appear to be storing passwords in plain text. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Dec 03 '16 at 12:48
  • You should probably show us the JavaScript code that sends the data to `index.php` – RiggsFolly Dec 03 '16 at 12:54
  • `echo $_session["id"];` this statement is printing a value, which means the values are coming from JavaScript, right? – Narasimha Maiya Dec 05 '16 at 03:54
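
An added example (not code from the question or its comments) of the login step done the way the comments recommend: a prepared statement, `password_hash()`/`password_verify()`, and a write to `$_SESSION`, which is the only spelling PHP treats as the session superglobal because variable names are case-sensitive. It assumes an in-memory SQLite stand-in for `admin_auth` with a constructed account; `login()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the page's `admin_auth` table (in-memory SQLite so the
// example runs offline); the `password` column stores a password_hash() value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_auth (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO admin_auth VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: populates the session only when the credentials match.
function login(PDO $db, $data): bool
{
    if (!is_array($data) || !is_string($data['name'] ?? null) || !is_string($data['password'] ?? null)) {
        return false;                       // missing or malformed JSON body
    }
    // Bound parameter: the user name is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password FROM admin_auth WHERE username = ?');
    $stmt->execute([$data['name']]);
    $hash = $stmt->fetchColumn();           // false when no row matched
    // A query that merely ran without error is not a match: require a row
    // and verify the submitted password against the stored hash.
    if ($hash === false || !password_verify($data['password'], $hash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // fresh session id after login (fixation defence)
    }
    $_SESSION['id'] = $data['name'];        // upper case: $_session would be a plain local variable
    return true;
}

session_start();
// In index.php the body would come from file_get_contents('php://input').
$valid  = '{"name":"admin","password":"correct horse"}';     // constructed request
$inject = '{"name":"admin\' OR \'1\'=\'1","password":"x"}';  // constructed request
var_dump(login($db, json_decode($inject, true)));  // quote characters stay data, no row matches
var_dump(login($db, json_decode($valid, true)));   // real credentials
var_dump($_SESSION['id'] ?? null);                 // what exe.php would see after session_start()
```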

0 Answers