
I'm trying to figure out what's going on with my userspice 3.2 installation, and unfortunately their forum is closed and there doesn't seem to be anywhere else to get support. I followed the install instructions, got the green light that everything was set up correctly and upon returning to the index page I get:

```
Fatal error: Uncaught Error: Attempt to modify property "user_id" on null in /homepages/13/d904845752/htdocs/models/funcs.php:393 Stack trace: #0 /homepages/13/d904845752/htdocs/models/top-nav.php(69): isUserLoggedIn() #1 /homepages/13/d904845752/htdocs/index.php(21): require_once('/homepages/13/d...') #2 {main} thrown in /homepages/13/d904845752/htdocs/models/funcs.php on line 393
```

The code in question is:

```php
function isUserLoggedIn()
{
    global $loggedInUser, $mysqli, $db_table_prefix;
    $stmt = $mysqli->prepare("SELECT
        id,
        password
        FROM " . $db_table_prefix . "users
        WHERE
        id = ?
        AND
        password = ?
        AND
        active = 1
        LIMIT 1");
    $stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw);
    $stmt->execute();
    $stmt->store_result();
    $num_returns = $stmt->num_rows;
    $stmt->close();

    if ($loggedInUser == NULL) {
        return false;
    } else {
        if ($num_returns > 0) {
            return true;
        } else {
            destroySession("userCakeUser");
            return false;
        }
    }
}
```

The line it's mad about is:

```php
$stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw);
```

Unfortunately I'm not comfortable enough with OOP to understand what's going on here.

Dharman
user3750017
  • The error message says that `$loggedInUser` is null, which means that you can't use it as an object. Btw, why not check the session if the user is logged in instead of calling the database? – M. Eriksson Mar 17 '22 at 21:42
  • You should probably have `if ($loggedInUser == NULL)` _before_ you're trying to use that variable as an object, so just put your query inside the `else` block and it should work. – M. Eriksson Mar 17 '22 at 21:52
  • That seemed to work, weird that I seem to be the only one with this issue :S Thanks! – user3750017 Mar 17 '22 at 21:56
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Mar 17 '22 at 23:04

1 Answer

The error is very clear. The variable `$loggedInUser` is NULL and it's not an object. You can't access a property of a non-object.

```php
//                      VVV - NULL   VV - trying to access property
$stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw);
```

To fix the problem, you should return early from the function when the variable is NULL.

```php
function isUserLoggedIn()
{
    global $loggedInUser, $mysqli, $db_table_prefix;
    // Return early if null
    if ($loggedInUser === NULL) {
        return false;
    }

    $stmt = $mysqli->prepare("SELECT
        id,
        password
        FROM " . $db_table_prefix . "users
        WHERE
        id = ?
        AND
        password = ?
        AND
        active = 1
        LIMIT 1");
    $stmt->bind_param("is", $loggedInUser->user_id, $loggedInUser->hash_pw);
    $stmt->execute();
    $stmt->store_result();
    $num_returns = $stmt->num_rows;

    if ($num_returns > 0) {
        return true;
    }

    destroySession("userCakeUser");
    return false;
}
```
Dharman
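
An added example, not part of the answer above and not UserSpice's own code: the same early-return check with the user passed as a nullable parameter instead of a global, and the stored value created with `password_hash()` as the comment under the question recommends. The names `SessionUser` and `isSessionUserValid`, the unprefixed `users` table, and the use of PDO with an in-memory SQLite database (in place of the page's `mysqli` connection, so it runs without a server) are assumptions; it needs PHP 8 with the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the object the application keeps in $loggedInUser.
final class SessionUser
{
    public function __construct(public int $user_id, public string $hash_pw) {}
}

// Same check as isUserLoggedIn(), but the nullable type forces the null case
// to be handled before any property of the user object is read.
function isSessionUserValid(?SessionUser $user, PDO $db): bool
{
    if ($user === null) {
        return false; // nobody is logged in: never touch $user->user_id
    }

    $stmt = $db->prepare('SELECT password FROM users WHERE id = ? AND active = 1 LIMIT 1');
    $stmt->execute([$user->user_id]);
    $stored = $stmt->fetchColumn(); // false when there is no active row

    // Compare the session copy of the hash with the stored one in constant time.
    return is_string($stored) && hash_equals($stored, $user->hash_pw);
}

// Constructed sample data (assumption: SQLite instead of the page's MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, active INTEGER)');

$hash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
$db->prepare('INSERT INTO users (id, password, active) VALUES (1, ?, 1)')->execute([$hash]);

var_dump(isSessionUserValid(null, $db));                         // case: no session user
var_dump(isSessionUserValid(new SessionUser(1, $hash), $db));    // case: hash matches the row
var_dump(isSessionUserValid(new SessionUser(1, 'stale'), $db));  // case: password changed since login
var_dump(isSessionUserValid(new SessionUser(2, $hash), $db));    // case: id has no active row
```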