-2

I need to set a session called BusinessID in PHP, but it's not working on my live server. I cannot figure out what is wrong with it.

What happens is that it executes the first query but does not set the session and redirect to dashboard.php.

Here's the code:

```php
<?php
if ($link === false) {
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// Attempt insert query execution
if(isset($_POST["register"]))
{
    $company = $_POST["company"];
    $address = $_POST["address"];
    $contact = $_POST["contact"];
    $city = $_POST["city"];
    $tags = $_POST["tags"];
    $email = $_POST["email"];
    $password = $_POST["password"];

    $sql="INSERT INTO business(`companyname`, `email`, `password`, `address`, `tel`, `city`, `tag`,`status`, `created_at`,`type`)
VALUES('$company','$email','$password','$address','$contact','$city','$tags','unblocked',CURRENT_TIMESTAMP,'Null')";

    if (mysqli_query($link, $sql)) {

        $query = "select id from business where email='$email' and password='$password'";
        $result = mysqli_query($link,$query);

        if (mysqli_fetch_assoc($result))
        {
            $_SESSION["businessID"] = $result[0]["id"];

            header("Location: dashboard.php");
        }
        else
        {
            header("Location: login.php?Invalid= Please Enter Correct User Name and Password ");
        }
    } 
    else{
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
    }
}
// Close connection
mysqli_close($link);
?>
```
M. Eriksson
  • 2
    **Warning!** You are _wide open_ for SQL injection attacks! You should use parameterized [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of using completely unescaped user data directly in your queries like that. – M. Eriksson Oct 08 '19 at 05:32
  • 2
    _**Never ever** ever never_ store passwords in plain text! You should _always_ hash the passwords using [password_hash()](https://www.php.net/manual/en/function.password-hash.php) and only store the hashes. Then you can use [password_verify()](https://www.php.net/manual/en/function.password-verify.php) to verify a password against a hash. – M. Eriksson Oct 08 '19 at 05:33
  • Wherever you need to set or get a session, you have to start the session in the file once. Include the PHP session_start(); function at the top of your file. Remember you have to write this function in the other files that access the session as well. If all your files are loaded from one single file, i.e. index.php, you can write it in that file once. – Vantiya Oct 08 '19 at 05:48
  • In addition to the vulnerability mentioned by Magnus, the code is also prone to XSS attacks, CSRF attacks, HTML injection attacks, session fixation attacks... – Nancy Moore Oct 08 '19 at 07:19
  • Possible duplicate of [mysqli\_fetch\_assoc() expects parameter / Call to a member function bind\_param() errors. How to get the actual mysql error and fix it?](https://stackoverflow.com/questions/22662488/mysqli-fetch-assoc-expects-parameter-call-to-a-member-function-bind-param) – Dharman Oct 08 '19 at 08:17

2 Answers

0

You have missed

session_start();

after php tag

Zain Farooq
0

You can set the Session first in the code.

```php
<?php
    // Start the session
    session_start();
?>
```

Check this one. https://www.w3schools.com/php/php_sessions.asp

Krupal Panchal
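
A registration handler that combines the points raised in the answers and comments above (`session_start()` before any session access, prepared statements, `password_hash()`, a fresh session id), as an added example that is not code from the original posts. It assumes `$link` is an open mysqli connection as in the question, that `business.id` is AUTO_INCREMENT, that the `password` column can hold a hash (for example VARCHAR(255)), and `register.php` is a hypothetical form page.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: $link is an open mysqli connection, business.id is AUTO_INCREMENT,
// and business.password is wide enough for a password_hash() value.
session_start();                                  // must run before output and before $_SESSION is used
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw instead of failing silently

if (isset($_POST["register"])) {
    // Accept only string values for the expected fields; anything else becomes "".
    $f = [];
    foreach (["company", "email", "password", "address", "contact", "city", "tags"] as $k) {
        $f[$k] = is_string($_POST[$k] ?? null) ? $_POST[$k] : "";
    }
    if ($f["company"] === "" || $f["password"] === "" ||
        !filter_var($f["email"], FILTER_VALIDATE_EMAIL)) {
        header("Location: register.php?error=invalid");   // hypothetical form page
        exit;
    }

    // Store only the hash; a login page checks it later with password_verify().
    $hash = password_hash($f["password"], PASSWORD_DEFAULT);

    // Placeholders keep user-supplied data out of the SQL text.
    $stmt = mysqli_prepare($link,
        "INSERT INTO business (`companyname`, `email`, `password`, `address`, `tel`, `city`, `tag`,
                               `status`, `created_at`, `type`)
         VALUES (?, ?, ?, ?, ?, ?, ?, 'unblocked', CURRENT_TIMESTAMP, 'Null')");
    mysqli_stmt_bind_param($stmt, "sssssss", $f["company"], $f["email"], $hash,
        $f["address"], $f["contact"], $f["city"], $f["tags"]);
    mysqli_stmt_execute($stmt);

    // The new row's id comes from the connection, so no SELECT by email and password is needed.
    $id = mysqli_insert_id($link);
    mysqli_stmt_close($stmt);

    session_regenerate_id(true);                  // issue a new session id now that the user is identified
    $_SESSION["businessID"] = $id;

    header("Location: dashboard.php");
    exit;                                         // end the script so the redirect is the whole response
}
```

Every other page that reads `$_SESSION["businessID"]`, such as dashboard.php, also has to call `session_start()` before touching the session.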