0

How do I check if the session id is in this code? If it's not there how can I add it?

<?php
session_start();
if(isset($_REQUEST['login_button'])||$_REQUEST['auto']==1){
    require '../_database/database.php';
    $errmsg_arr = array();
    $errflag = false;
    $username=  mysqli_real_escape_string($database,$_REQUEST['username']);
    $password=  mysqli_real_escape_string($database,$_REQUEST['password']);
    if($username == '') {
        $errmsg_arr[] = 'Username missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: authentication-check.php");
        exit();
    }
    $sql="SELECT user_username,user_password FROM user WHERE user_username='$username'AND user_password='$password'";
    $result=  mysqli_query($database,$sql) or die(mysqli_errno());
    $trws= mysqli_num_rows($result);
    if($trws==1){
        $rws=  mysqli_fetch_array($result);
        $_SESSION['user_username']=$rws['user_username'];
        $_SESSION['user_password']=$rws['user_password'];
        header("location:../home.php?user_username=$username&request=login&status=success");    
    }
    else {
        $errmsg_arr[] = 'user name and password not found';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: ../components/authentication-check.php");
            exit();
        }
    }
}
?>
Stephen Rauch
  • 47,830
  • 31
  • 106
  • 135
Paul Taiwo
  • 71
  • 5
  • i'm confused. Do you mean check if the `id` key is in `$_SESSION`?? or maybe check if the `$_SESSION` array is set? Please clarify – Rotimi Nov 25 '17 at 14:35
  • The both will be better. – Paul Taiwo Nov 25 '17 at 14:38
  • where do you want to do this check? Maybe add that to your question – Rotimi Nov 25 '17 at 14:39
  • Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 25 '17 at 16:50
  • 1
    **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Nov 25 '17 at 16:50

1 Answers1

2

You can use Session ID like

session_start();    
echo session_id();

Or You can use $_SESSION['user_username'] as a unique identifier for session.

Hemraj Dubey
  • 71
  • 4