
Good morning guys, I have a problem. I created one login page and connected it with another page. That page is like a sending friend request system. I want the sender to be able to view their own profile but not be able to send friend requests to their own id. How can I hide the details of the logged-in user? How can I get the logged-in user's id? I hope someone will help me. Thanks a lot.

Login page:

<?php
session_start(); 
$mysqli=new MySQLi('127.0.0.1','root','','accounts');

if(isset($_POST['login'])) {
    $username =$mysqli->real_escape_string($_POST['username']);
    $pass = md5($_POST['pass']);
    $sql="SELECT * id FROM users WHERE username='$username' AND pass='$pass' LIMIT 1;";
    $result = mysqli_query($mysqli,$sql);

    if(mysqli_num_rows($result)>0)
        $row = mysqli_fetch_array($result);{

        $_SESSION['loggedIn'] = true;
        $_SESSION['uid'] = $result['id'];
        $result['id']= trim($row["id"]);
        header ("Location:Home.php");
        exit;
    }
}
?>

Home page:

<?php

session_start();
$_SESSION['uid'];
$db = new PDO('mysql:host=127.0.0.1;dbname=accounts','root','');
require 'class/friends.php';

$query = $db->prepare("SELECT * FROM users");
$query->execute();
if($query->rowCount()>0)
{
    while($fetch = $query->fetch(PDO::FETCH_ASSOC)) {
        $id = $fetch['id'];
        $username = $fetch['username'];
        $profile = $fetch['profile'];
        $email = $fetch['email'];
?>

    <form method="post"><table>
        <tr class="border_bottom">

            <td height="230">
                <img src='<?php echo $profile;?>'width="200" height="200"/>&nbsp;
            </td>
            <td><td></td></td>
            <td><?php echo $username;?><br />
                <?php echo $email;?>
            </td>
<?php 
    if($id != $_SESSION['uid']) {
        if(Friends::renderfriendship($_SESSION['uid'],$id,'isThereRequestPending')== 1){
?>
                <td><button class="request_pending" disabled>Request Pending</button></td>
<?php
    } else {
        if(Friends::renderfriendship($_SESSION['uid'],$id,'isThereFriendShip')== 0) {
?>
                <td><button class='friendBtn_add' data-uid='<?php echo $id;?>' data-type='addfriend'>Ad as friend</button></td>
                <td> <button class="request_pending hidden" disabled>Request Pending</button></td>
<?php
        }else{
?>
                <td> <button class='friendBtn unfriend' data-uid='<?php echo $id;?>' data-type="unfriend">Unfriend</button></td>
                <td> <button class='friendBtn_add hidden' data-uid=<?php echo $id;?> data-type='addfriend'>Ad as friend</button></td>
                <td>   <button class="request_pending hidden" disabled>Request Pending</button></td>
               </td >
            </tr>
        </table>
    </form>
<?php
        }
    }

}else{

}
?>
         </div>
        </div>
        <?php
    }
}
?>
</div>
</table>
Keara
Noni
    Please don't __roll your own__ password hashing, especially not using MD5(). PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) – RiggsFolly Jul 16 '18 at 02:07
  • 1
    Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jul 16 '18 at 02:08
  • This line does not do anything `$_SESSION['uid'];` – RiggsFolly Jul 16 '18 at 02:09
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jul 16 '18 at 02:11
  • Why are you using mysqli AND PDO? Use one or the other (probably PDO is preferable). – user3783243 Jul 16 '18 at 02:14
  • **TYPO** In login page `$_SESSION['uid'] = $result['id'];` should be `$_SESSION['uid'] = $row['id'];` – RiggsFolly Jul 16 '18 at 02:18
  • This looks a bit wrong: `SELECT * id FROM users` – Progrock Jul 16 '18 at 02:37
  • Probably the most valuable advice would be to add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see in the browser, and other errors will also be visible in your browser. – RiggsFolly Jul 16 '18 at 03:06

1 Answer


Your login file seems a little bit jumbled, but I will try to decipher your errors. From Progrock, the MySQLi query is wrong. You want it to look like: `SELECT * FROM users WHERE username='$username' AND pass='$pass' LIMIT 1`. RiggsFolly helped me notice a little error with an if statement as well. It should look like this:

if(mysqli_num_rows($result)>0) {
    $row = mysqli_fetch_array($result);

    $_SESSION['loggedIn'] = true;
    $_SESSION['uid'] = $row['id'];
    $result['id']= trim($row["id"]);
    header ("Location:Home.php");
    exit;
}

You had the curly bracket in the wrong column and you used the $result variable instead of the $row variable.

Apart from that, I would strongly recommend RiggsFolly's advice, as your code is very susceptible to lots of attacks and is not written very securely.

Fishy
  • Just a note: TYPO Questions really only warrant a comment and a close vote. They are rarely any use to anyone else and therefore fail to fulfil the basic requirement of SO which is to be a useful resource of programming related questions and answers – RiggsFolly Jul 16 '18 at 03:08
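The following is an added example, not code from the question or from Fishy's answer. It puts the comments' advice into one runnable script: the login lookup uses a PDO prepared statement with a bound parameter instead of string interpolation, the password is checked with `password_verify()` against a `password_hash()` digest, the session id is regenerated on login, and the "is this my own profile?" decision is made by a server-side function that the friend-request handler can reuse. It assumes the same `users` table the question uses (columns `id`, `username`, `pass`, `profile`, `email`) with `pass` holding a `password_hash()` digest rather than an MD5 string; the function names `authenticate`, `startLoginSession`, `currentUserId` and `mayRequestFriendship` are hypothetical.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a `users` table
// (id, username, pass, profile, email) where `pass` is a password_hash() digest.
declare(strict_types=1);

session_start();

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=accounts;charset=utf8mb4',
    'root',
    '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

/** How a password should be stored at registration time (never md5()). */
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Look up the user by name with a bound parameter (the username is sent as
 * data, so it cannot alter the query) and verify the password against the
 * stored digest. Returns the user id on success, null on any failure.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;   // unknown user or wrong password: same result either way
    }
    return (int) $row['id'];
}

/** Binds the session to the authenticated user; the new id defeats session fixation. */
function startLoginSession(int $uid): void
{
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['uid'] = $uid;
}

/** The id of the logged-in user, or null if nobody is logged in. */
function currentUserId(): ?int
{
    return (!empty($_SESSION['loggedIn']) && isset($_SESSION['uid']))
        ? (int) $_SESSION['uid']
        : null;
}

/**
 * Server-side rule for whether a friend-request control applies to a row.
 * Hiding the button in HTML is cosmetic; whatever script handles the
 * "addfriend" POST must call this again with the posted data-uid value.
 */
function mayRequestFriendship(?int $viewerId, int $profileId): bool
{
    return $viewerId !== null && $viewerId !== $profileId;
}

// --- login handler (the Login page) -----------------------------------------
if (isset($_POST['login'])) {
    $uid = authenticate($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['pass'] ?? ''));
    if ($uid !== null) {
        startLoginSession($uid);
        header('Location: Home.php');
        exit;
    }
    $loginError = 'Invalid username or password.';
}

// --- profile list (the Home.php loop) ---------------------------------------
$viewer = currentUserId();
$stmt = $db->query('SELECT id, username, profile, email FROM users');
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $user) {
    $id = (int) $user['id'];
    // Escape database values before they reach HTML.
    echo '<div>' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . ' ('
        . htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8') . ')';
    if ($id === $viewer) {
        echo ' <em>(this is you)</em>';   // own profile is shown, but gets no request button
    } elseif (mayRequestFriendship($viewer, $id)) {
        echo ' <button class="friendBtn_add" data-uid="' . $id . '" data-type="addfriend">Add as friend</button>';
    }
    echo "</div>\n";
}
```

The point of `mayRequestFriendship()` being a separate function is that the `data-uid` attribute is client-controlled: a user can edit it to their own id or anyone else's, so the script that processes the request has to repeat the check with `currentUserId()` from the session rather than trusting the id that was posted.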