
Some help, if you wish, please, for a beginner user: will you please show me where the problem in my code is? I want to get the user id from $_SESSION['userid'].

But it's not working. I succeed in getting the username but not the id. I include session_start(); on each page where I want to use it, but it's not showing the user id; only the username is working. Here is my code:

```php
<?php
include("conn.php");

    // variable declaration
    $userid = "";
    $username = "";
    $email    = "";
    $errors   = array();
    $_SESSION['success'] = "";

    // call the login() function if login_btn is clicked
    if (isset($_POST['login_btn'])) {
        login();
    }


    if (isset($_GET['logout'])) {
        session_destroy();
        unset($_SESSION['user']);
        unset($_SESSION['username']);
        unset($_SESSION['userid']);
        unset($_SESSION['user_type']);
        header("location: ../login.php");
    }

    // return user array from their id
    function getUserById($id){
        global $conn;
        $query = "SELECT * FROM users WHERE id=" . $id;
        $result = mysqli_query($conn, $query);
        $user = mysqli_fetch_assoc($result);
        return $user;
    }


    // LOGIN USER
    function login(){
        global $conn, $username, $errors;

        // grab form values
        $username = e($_POST['username']);
        $password = e($_POST['password']);

        // make sure form is filled properly
        if (empty($username)) {
            array_push($errors, "Username is required");
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
        }

        // attempt login if no errors on form
        if (count($errors) == 0) {
            $password = md5($password);


            $query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
            $results = mysqli_query($conn, $query);
            if (mysqli_num_rows($results) == 1) { // user found
                // Storing username in session variable
                session_start();
                // check if user is admin or user
                $logged_in_user = mysqli_fetch_assoc($results);
                $userid=$row['id'];
                $username=$row['username'];
                $user_type=$row['user_type'];
                $_SESSION['username'] = $username;
                $_SESSION['userid'] = $userid; // <-this variable should now exist
                $_SESSION['user_type'] = $user_type;
                if ($logged_in_user['user_type'] == 'admin') {

                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "You are now logged in";
                    header('location: admin/home.php');
                } else {
                    if ($logged_in_user['user_type'] == 'superuser') {

                        $_SESSION['user'] = $logged_in_user;
                        $_SESSION['success']  = "You are now logged in";
                        header('location: superuser/home.php');
                    } else {
                        $_SESSION['user'] = $logged_in_user;
                        $_SESSION['success']  = "You are now logged in";

                        header('location: index.php');
                    }
                }
            } else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }

    function isLoggedIn()
    {
        if (isset($_SESSION['user'])) {
            return true;
        }else{
            return false;
        }
    }
    function isSuperuser()
    {
        if (isset($_SESSION['user']) && $_SESSION['user']['user_type'] == 'superuser' ) {
            return true;
        }else{
            return false;
        }
    }
    function isAdmin()
    {
        if (isset($_SESSION['user']) && $_SESSION['user']['user_type'] == 'admin' ) {
            return true;
        }else{
            return false;
        }
    }

    // escape string
    function e($val){
        global $conn;
        return mysqli_real_escape_string($conn, trim($val));
    }

    function display_error() {
        global $errors;

        if (count($errors) > 0){
            echo '<div class="error">';
                foreach ($errors as $error){
                    echo $error .'<br>';
                }
            echo '</div>';
        }
    }

?>
```
AbuErada
  • Note that your script has very common flaws that an attacker can use, such as [SQL injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php), the use of the now-insecure `md5`, and trying to select the association of user and password to see if it exists (the password should be checked separately). You should probably read a little bit before you implement this in real conditions. – Kaddath Jul 22 '20 at 08:05

1 Answer

As far as I can tell, your script would run.
Though please note that when working with sessions and $_SESSION globals, you have to initialise it first by adding `session_start();` at the top of your page.

You should also dig into using PDO rather than mysqli or mysql.
I know this looks complicated, but it's the safest way to handle database queries.

Also, don't use md5; use `password_hash();`

I also recommend adding `var_dump($row);` in this if statement, to see what data you are working with: `if (mysqli_num_rows($results) == 1) { // user found`

Thrallix
  • What I want is that if I echo $_SESSION['userid']; it gives me the logged-in user id. – AbuErada Jul 22 '20 at 08:01
  • @AbuErada Then you have to store it like I did, where that id is applied to the user. – Thrallix Jul 22 '20 at 08:02
  • I think you misunderstand my question, or I am not understanding your point. – AbuErada Jul 22 '20 at 08:06
  • Yeah, you edited your question, I'll edit my answer in a sec. – Thrallix Jul 22 '20 at 08:07
  • Thanks for your advice. I added session_start(); as you and I said before, but it's not working and I don't know why, so I ask for help from you. And by the way, I will change the password encryption method after finishing my code. – AbuErada Jul 22 '20 at 08:15
  • @AbuErada You have to start it ALL THE WAY at the top of your file. – Thrallix Jul 22 '20 at 08:15
  • Yes, I do that, like this: //session_start(); $addbyuser = $_SESSION['username']; // username is OK but userid is not returned when I use $_SESSION['userid']; – AbuErada Jul 22 '20 at 08:22
  • @AbuErada Use var_dump($row); so you can see if you are even getting an id. – Thrallix Jul 22 '20 at 08:23
  • @AbuErada You can also check your code to see if this session variable is not used or unset by another script, as all scripts that use the session will share it. – Kaddath Jul 22 '20 at 08:33
  • OK, thanks, I will. Thank you, I am grateful for your advice. – AbuErada Jul 22 '20 at 08:40
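
The advice in the comment and the answer above (a parameterized query through PDO, `password_hash()` instead of `md5`, the password checked separately from the lookup), shown together with session values read from the row that was actually fetched. This is an added example, not code from the original post or its answer; the `users` columns, the in-memory SQLite database standing in for MySQL, and the sample account are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: hardened login(). Assumes users(id, username, password, user_type),
// where `password` holds password_hash() output rather than an md5 digest.
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, username, password, user_type FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Look the user up first, then verify the password against the stored hash.
    if ($user === false || !password_verify($password, $user['password'])) {
        return false;
    }

    // On a web page, session_start() has already run at the top of the script.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session ID after login (session fixation)
    }

    // Every session value comes from the fetched row, so 'userid' cannot be empty.
    $_SESSION['userid']    = (int) $user['id'];
    $_SESSION['username']  = $user['username'];
    $_SESSION['user_type'] = $user['user_type'];
    return true;
}

// Constructed demo data: in-memory SQLite so the example runs offline from the CLI.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password TEXT, user_type TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password, user_type) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'user']);

$_SESSION = []; // no real session in the CLI demo

var_dump(login($pdo, "alice' OR '1'='1", 'anything')); // quotes are treated as plain data
var_dump(login($pdo, 'alice', 'wrong password'));
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump($_SESSION['userid'], $_SESSION['user_type']);
```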