I have run into a problem when passing the result of an SQL query as a variable, then as a session, across all pages.

I currently have the "username" being passed as a session and that works but I have tried to set up a "privledge level" as a session exactly the same but this doesn't work while the "username" does.

I have tested the MySQL query on the database within phpMyAdmin and it works fine. Any help with this would be appreciated, as I have been going round in circles.

```sql
SELECT privledge_lvl FROM `users` WHERE username='$username'
```

Result:

| privledge_lvl |
|---------------|
| 2             |

Login.php

```php
<?php
require('db.php');
session_start();
// If form submitted, insert values into the database.
if (isset($_POST['username'])) {

    $username = stripslashes($_REQUEST['username']); // removes backslashes
    $username = mysqli_real_escape_string($con, $username); // escapes special characters in a string
    $password = stripslashes($_REQUEST['password']);
    $password = mysqli_real_escape_string($con, $password);

    // Checking whether the user exists in the database or not
    $query = "SELECT * FROM `users` WHERE username='$username' and password='".md5($password)."'";
    $result = mysqli_query($con, $query) or die(mysqli_error($con));
    $rows = mysqli_num_rows($result);

    $privquery = "SELECT privledge_lvl FROM `users` WHERE username='$username'";
    $privresult = mysqli_query($con, $privquery) or die(mysqli_error($con));

    if ($rows == 1) {
        $_SESSION['username'] = $username;
        $_SESSION['privledgelvl'] = $privresult;
        header("Location: index.php"); // Redirect user to index.php
    } else {
        echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
    }
} else {
?>
```

auth.php

```php
<?php
session_start();
if (!isset($_SESSION["username"])) {
    header("Location: login.php");
    exit();
}
?>
```

index.php

```php
<p>Welcome <?php echo $_SESSION['username']; ?>!</p>
<p>Privledge Level <?php echo $_SESSION['privledgelvl']; ?></p>
```

  • You don't need the 2nd select, you get `privledge_lvl` in the first query by selecting * –  Apr 10 '18 at 23:29
  • **Please do not store plain text passwords** nor hash it with weak algorithms, use the [password functions](http://php.net/manual/en/faq.passwords.php) provided by PHP. Check: [How do you use bcrypt for hashing passwords in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Spoody Apr 10 '18 at 23:35
  • You never `fetch` a result. – StackSlave Apr 10 '18 at 23:42
  • @MehdiBounya thanks for the tip, I am pretty new to this as you can probably tell. Any advice is appreciated. – user3712469 Apr 11 '18 at 00:01
  • Check [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) too so you can prevent SQL injection attacks. Never concatenate user input to queries. – Spoody Apr 11 '18 at 00:03

1 Answer

You should be getting a PHP warning from trying to convert a mysqli_result object (the return value from a mysqli_query) to a string on this line:

```php
<?php echo $_SESSION['privledgelvl']; ?>
```

You should be setting $_SESSION['privledgelvl'] using

```php
$row = $privresult->fetch_assoc();
// or, procedurally, $row = mysqli_fetch_assoc($privresult);
// the array key is the column name selected by the query
$_SESSION['privledgelvl'] = $row['privledge_lvl'];
```

Or - as was pointed out - you can get it from the first query and not bother with the second:

```php
$row = $result->fetch_assoc();
// or, procedurally, $row = mysqli_fetch_assoc($result);
// SELECT * returns the privledge_lvl column under its own name
$_SESSION['privledgelvl'] = $row['privledge_lvl'];
```

Nick
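
An added example, not part of the original question or answer, that combines the answer's fix with the commenters' advice: one prepared statement, `password_verify()`, and the fetched `privledge_lvl` stored in the session as an integer. It assumes `db.php` provides `$con` as on the page, that the `password` column holds `password_hash()` output, and that mysqlnd is available for `get_result()`; `find_user()` and `post_string()` are hypothetical helpers.

```php
<?php
// Added example for login.php (not the poster's code).
// Assumptions: db.php defines $con (mysqli); users.password holds
// password_hash() output; table/column names are those used on the page.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of echoing DB errors
require 'db.php';
session_start();

// Read a POST field as a string; array-valued or missing input becomes ''.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Fetch one user row with a prepared statement, or null if no such user.
function find_user(mysqli $con, string $username): ?array
{
    $stmt = $con->prepare(
        'SELECT username, password, privledge_lvl FROM `users` WHERE username = ?'
    );
    $stmt->bind_param('s', $username);   // bound, never concatenated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // the fetch the original code skipped
    $stmt->close();
    return $row ?: null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = find_user($con, post_string('username'));

    // The password is compared by password_verify(), not inside the SQL.
    if ($user !== null && password_verify(post_string('password'), $user['password'])) {
        session_regenerate_id(true);     // new session id after login (fixation defence)
        $_SESSION['username']     = $user['username'];
        $_SESSION['privledgelvl'] = (int) $user['privledge_lvl']; // scalar, not a mysqli_result
        header('Location: index.php');
        exit;
    }
    echo "<div class='form'><h3>Username/password is incorrect.</h3></div>";
}
```

When `index.php` echoes these session values, pass the username through `htmlspecialchars()` so a stored name cannot inject markup.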