A week ago I started working with js and php to build a little website. To allow people to log in I started with a db access via mysqli query but after a while I found out, using pdo would be the better idea.

The php-script itself works just like I want it to and returns the user if the login-params are correct.

My problem now is, when I use the pdo implementation (which is currently commented out in my example), there is no $_SESSION['user'] anymore, while it is there using the mysqli-query implementation.

I wouldn't be surprised if I'm missing something basic here, but I haven't found the solution yet. The 'unserialize(serialize($user))' has also just been a desperate attempt to solve my problem. Just saying $_SESSION['user'] = $user; acts the same way.

Does anyone have an idea what's wrong with my code? I could stick with the working version but I'd prefer using pdo.

In my example I use a table user which has the columns email, password and firstname. The php-file is called test1l.php

<!DOCTYPE html>
<html lang="en">

<head>
    <title>Test1l</title>
    <meta charset="UTF-8">
</head>

<?php

    if(isset($_POST['login'])) {

        session_start();            // must run before anything is written to $_SESSION
        session_regenerate_id();

        $dbservername = "127.0.01";
        $dbusername = "username";
        $dbpassword = "password";
        $dbname = "dbname";
        $dbport = 1337;

        $conn = new mysqli($dbservername, $dbusername, $dbpassword, $dbname, $dbport);

        if ($conn->connect_error) {
            header('HTTP/1.1 901 Connection failed', true);
            header('X-PHP-Response-Code: 901', true);
        } else {

            $email = $_POST['email'];
            $password = $_POST['password'];

            $errormsg = "";

            $user = NULL;
            // NOTE: $email is spliced straight into the SQL text, so this query is open to
            // SQL injection; the PDO version below binds it as a parameter instead.
            $sql = "SELECT * FROM user WHERE email = '" . $email . "'";

            $result = $conn->query($sql);   // false if the query failed, otherwise a buffered result set

            $conn->close();   // results are buffered, so closing before fetching is fine

            if ($result === false) {
                header('HTTP/1.1 901 Login query failed', true);
                header('X-PHP-Response-Code: 901', true);
            } else if ($result->num_rows > 0) {

                $count = 0;
                while($row = $result->fetch_assoc()) {

                    if ($count > 1) {
                        header('HTTP/1.1 902 Too many results', true);
                        header('X-PHP-Response-Code: 902', true);
                    }

                    $user = $row;
                    $count++;
                }

                if (password_verify($password, $user['password'])) {
                    $_SESSION['user'] = $user;   // whole row, password hash included, goes into the session
                } else {
                    header('HTTP/1.1 903 Wrong password', true);
                    header('X-PHP-Response-Code: 903', true);
                }

            } else {
                header('HTTP/1.1 904 Unknown E-Mail', true);
                header('X-PHP-Response-Code: 904', true);
            }
        }
    }
?>

<?php /*
    Kept in a PHP comment rather than an HTML comment: an HTML comment is sent to the
    browser verbatim, so the database host, user name and password in this block would
    be readable in the page source. A PHP block comment never leaves the server.

    if(isset($_POST['login'])) {

        $email = $_POST['email'];
        $password = $_POST['password'];
        $user = NULL;

        // (no session_start() in this block; see the answers below)

        $pdo = new PDO('mysql:host=127.0.01;dbname=dbname;port=1337', 'username', 'password');
        $statement = $pdo->prepare("SELECT * FROM user WHERE email = ?");
        $result = $statement->execute(array($email));

        if ($result === false) {
            header('HTTP/1.1 901 Login Statement failed', true);
            header('X-PHP-Response-Code: 901', true);
        } else {

            $count = 0;

            while($row = $statement->fetch()) {
                $user = $row;
                $count++;
            }

            if ($count > 1) {
                header('HTTP/1.1 902 Too many results', true);
                header('X-PHP-Response-Code: 902', true);
            } else if ($count < 1) {
                header('HTTP/1.1 904 Unknown E-Mail', true);
                header('X-PHP-Response-Code: 904', true);
            } else {
                if (password_verify($password, $user['password'])) {
                    $_SESSION['user'] = unserialize(serialize($user));
                } else {
                    header('HTTP/1.1 903 Wrong password', true);
                    header('X-PHP-Response-Code: 903', true);
                }
            }
        }
    }
*/ ?>

<body>
    <div style="display:table; margin-left:auto; margin-right:auto;">

        <?php if (session_status() === PHP_SESSION_NONE) { session_start(); } if (!isset($_SESSION['user'])) : ?>

            <form method="post">

                <div id="errorlogin"></div>

                <div>
                    <input type="text" placeholder="Enter E-Mail-Address" name="email" required>
                </div>
                <div>
                    <input type="password" placeholder="Enter Password" name="password" required>
                </div>

                <button type="button" class="btn-login" name="login" onclick="logMeIn(this.form.email.value, this.form.password.value)">Login</button>

                <script>

                    function logMeIn(email, password) {

                        var http = new XMLHttpRequest();
                        var url = 'test1l.php';
                        // encode each value so '&', '=' or '+' in an e-mail address or password survive the form encoding
                        var params = 'login=1&email=' + encodeURIComponent(email) +
                                     '&password=' + encodeURIComponent(password);
                        http.open('POST', url, true);

                        http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

                        http.onreadystatechange = function() {

                            if (http.readyState == 4) {

                                document.getElementById('errorlogin').innerHTML = '';

                                if (http.status == 200) {
                                    document.location = 'test1l';
                                } else if (http.status == 903 || http.status == 904) {
                                    document.getElementById('errorlogin').innerHTML += 'Incorrect email or password.';
                                } else {
                                    document.getElementById('errorlogin').innerHTML += 'Error during login: ' + http.status;
                                }
                            }
                        }
                        http.send(params);
                    }

                </script>
            </form>

        <?php else : ?>
            Hello <?php echo htmlspecialchars($_SESSION['user']['firstname'], ENT_QUOTES, 'UTF-8'); ?>
        <?php endif; ?>
    </div>
</body>
</html>
BenGe89
  • why is this tagged as both mysqli and pdo? I don't see any pdo here. – Funk Forty Niner Apr 30 '18 at 13:12
  • The best bet would be to set through and log/echo to find out why. Is it verifying the password? Try `var_dump($user);` inside of that function (or before) to make sure it contains what you think it should. – aynber Apr 30 '18 at 13:13
  • Did you just forget to call `session_start();` in your "PDO version"? This is why it's important to show the code that *isn't working*, not show code that *is working* and then vaguely describe a change you made which broke it. – David Apr 30 '18 at 13:14
  • The php script didn't have a problem, that's why I've been so confused. But I found the solution right after posting the question. I missed session_start(); @FunkFortyNiner In my preferred version I used 'new PDO('mysql:host=127.0.01;dbname=dbname;port=1337', 'username', 'password');' Sorry again guys. – BenGe89 Apr 30 '18 at 13:17
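The mysqli version in the question builds its query by concatenating `$_POST['email']` into the SQL string, while the PDO version binds it as a parameter. The script below is an added example, not code from the question or the answers: it puts the two lookup patterns side by side against an in-memory SQLite database (the `user` table and the two sample users are constructed for the example; the column names follow the question) and feeds both the same injected e-mail value.

```php
<?php
// Added example, not the asker's code. SQLite via PDO stands in for the MySQL
// server so this runs offline; table layout follows the question (email,
// password, firstname) and the two users are constructed sample data.
declare(strict_types=1);

function seedUsers(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (email TEXT PRIMARY KEY, password TEXT NOT NULL, firstname TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO user (email, password, firstname) VALUES (?, ?, ?)');
    foreach ([['alice@example.com', 'alice-pw', 'Alice'], ['bob@example.com', 'bob-pw', 'Bob']] as [$e, $p, $n]) {
        $ins->execute([$e, password_hash($p, PASSWORD_DEFAULT), $n]);
    }
    return $pdo;
}

// The pattern from the mysqli version: untrusted input becomes part of the SQL text,
// so quote characters in it change the statement's meaning.
function lookupConcatenated(PDO $pdo, string $email): array
{
    $sql = "SELECT email, firstname FROM user WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The pattern from the PDO version: the value is sent separately from the statement
// and compared as a literal string, whatever characters it contains.
function lookupPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT email, firstname FROM user WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = seedUsers();
$payload = "' OR '1'='1";   // constructed attacker input for the e-mail field

printf("concatenated: %d row(s)\n", count(lookupConcatenated($pdo, $payload)));
printf("prepared:     %d row(s)\n", count(lookupPrepared($pdo, $payload)));
```

Run it with `php` on the command line (the `pdo_sqlite` extension is bundled with most PHP builds). The concatenated lookup returns both users, because `' OR '1'='1` rewrites the WHERE clause to match every row; in the page's own code that would trip the 902 "Too many results" branch, and a differently shaped payload can select whichever row the attacker wants. The prepared lookup returns no rows, because the address is compared as a literal and no user has that e-mail. The same holds for MySQL: `mysqli_stmt` with `bind_param`, or PDO as the asker chose, is the fix, not escaping the value by hand.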

2 Answers


In the commented out version, it's attempting to write to the session before calling session_start.

jspcal
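The root cause named in this answer is ordering: `$_SESSION` is an ordinary array until `session_start()` has been called, so anything assigned to it before that is lost when the request ends. The handler below is an added example, not code from the question or the answer. It shows the PDO login flow with the session started first, and it uses an in-memory SQLite table (constructed for the example, with the question's columns plus an `id`) so it runs without a MySQL server; the `connect()` and `login()` helpers and the sample user are this example's own. It also makes two changes a practitioner would want on top of the page's code: `session_regenerate_id(true)` runs after the password check rather than before it, so a session id planted before login cannot be carried over, and unknown e-mail and wrong password both produce the same 401 response instead of the page's distinct 903/904 codes, which tell any caller which addresses are registered.

```php
<?php
// Added example, not the question's or answer's code. Uses an in-memory SQLite
// database (table and sample user constructed here) in place of the MySQL server.
declare(strict_types=1);

// 1. Start (or resume) the session before anything touches $_SESSION.
//    Without this, $_SESSION['user'] is written to a plain array and is gone
//    when the request ends, which is what the PDO version in the question did.
//    The session_status() guard lets the page body repeat this line safely.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Connects and seeds one user; the real site would just return new PDO('mysql:...').
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (
        id        INTEGER PRIMARY KEY,
        email     TEXT NOT NULL UNIQUE,
        password  TEXT NOT NULL,
        firstname TEXT NOT NULL)');
    $pdo->prepare('INSERT INTO user (email, password, firstname) VALUES (?, ?, ?)')
        ->execute(['alice@example.com', password_hash('correct horse battery', PASSWORD_DEFAULT), 'Alice']);
    return $pdo;
}

// 2. Look the user up with a bound parameter, verify the password, then populate the session.
//    Returns true on success. Unknown address and wrong password are deliberately the same
//    result, so the response cannot be used to enumerate registered e-mail addresses.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, email, password, firstname FROM user WHERE email = ? LIMIT 2');
    $stmt->execute([$email]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if (count($rows) !== 1) {
        return false;   // no such address, or duplicate rows the app cannot safely choose between
    }
    $user = $rows[0];
    if (!password_verify($password, $user['password'])) {
        return false;
    }

    // 3. Fresh session id once the user is authenticated, so an id planted before
    //    login (session fixation) is not carried over; true discards the old session file.
    session_regenerate_id(true);

    // 4. Store only what the pages need; the password hash stays in the database.
    $_SESSION['user'] = [
        'id'        => (int) $user['id'],
        'email'     => $user['email'],
        'firstname' => $user['firstname'],
    ];
    return true;
}

// Request handling, matching the form in the question (login=1&email=...&password=...).
if (isset($_POST['login'])) {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    http_response_code(login(connect(), $email, $password) ? 200 : 401);
    exit;
}
```

The asker's XMLHttpRequest form can be pointed at this handler unchanged: `http.status == 200` still triggers the redirect on success, and every failure now lands in the generic error branch with a 401. Keeping only `id`, `email` and `firstname` in the session means the bcrypt hash never gets written to the session store, and the `session_status()` guard makes the `session_start()` call in the page body harmless rather than a "session already started" notice.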

OK... I'm just dumb. I needed to ask this question after trying around for ages just to see the problem right after publishing the question.

My pdo attempt lacks session_start();.

Sorry for wasting your time guys.

BenGe89