-2

Here I have a login.php file that starts a session. When I'm directed to my home page and I check whether or not there is a session, it says the session doesn't exist. Here is the login.php file:

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: *");


session_start();

include "connect.php";

if (isset($_POST['email']) && isset($_POST['password'])) {
  $email = $_POST['email'];
  $password = $_POST['password'];

  $sql = "SELECT * FROM user_record WHERE email='$email' and password='$password'";
  $result = mysqli_query($conn, $sql);

  if ($result && mysqli_num_rows($result) == 1) {
    $_SESSION['email'] = $email;
    echo "success";
  } else {
    echo "error";
  }
} else {
  echo "missing_data"; // Indicate that required data is missing
}
?>
```

And here is the session check file:

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: *");


session_start();

include "connect.php";

if (isset($_POST['email']) && isset($_POST['password'])) {
  $email = $_POST['email'];
  $password = $_POST['password'];

  $sql = "SELECT * FROM user_record WHERE email='$email' and password='$password'";
  $result = mysqli_query($conn, $sql);

  if ($result && mysqli_num_rows($result) == 1) {
    $_SESSION['email'] = $email;
    echo "success";
  } else {
    echo "error";
  }
} else {
  echo "missing_data"; // Indicate that required data is missing
}
?>
```

I've tried changing the php.ini file. I've tried adding a session id before session start.

user3783243
lucifer08
  • 1
    `header` sends output, `session_start` should be before that. – user3783243 Aug 28 '23 at 17:10
  • You are open to SQL injections. Use parameterized queries and prepared statements. Don't store passwords in plain text. – user3783243 Aug 28 '23 at 17:11
  • 2
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Aug 28 '23 at 17:18
  • 2
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Aug 28 '23 at 17:18
  • 3
    It looks like you are using some really bad tutorial. I highly encourage you to find something better. If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection. Here are some good video tutorials https://youtu.be/2eebptXfEvw & https://www.youtube.com/watch?v=sVbEyFZKgqk&list=PLr3d3QYzkw2xabQRUpcZ_IBk9W50M9pe- – Dharman Aug 28 '23 at 17:18
  • I tried printing the session id in login.php and session.php; it gives two different session ids. – lucifer08 Aug 29 '23 at 04:40

0 Answers
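
The two changes the comments ask for (a parameterized query and `password_hash()`/`password_verify()`), shown together as an added example that is not part of the original thread or the asker's code. It uses PDO with an in-memory SQLite database as a stand-in for `connect.php` (this needs the `pdo_sqlite` extension); the `password_hash` column, the `login()` helper and the sample account are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns true and binds the session to the user
// only when the submitted password verifies against the stored hash.
function login(PDO $pdo, string $email, string $password): bool
{
    // The placeholder keeps $email as data; it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM user_record WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();

    // Compare against the stored hash, never against a plain-text column.
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session id at login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['email'] = $email;
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL link
// that connect.php provides on the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_record (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO user_record (email, password_hash) VALUES (?, ?)');
$insert->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Run all attempts before printing, so no output precedes session_start().
$attempts = [
    'quote-laden email'  => login($pdo, "' OR '1'='1", 'x'),
    'wrong password'     => login($pdo, 'alice@example.test', 'wrong'),
    'correct credentials' => login($pdo, 'alice@example.test', 'correct horse'),
];

foreach ($attempts as $label => $ok) {
    echo $label, ': ', $ok ? 'success' : 'error', PHP_EOL;
}
```

With the placeholder in place, the quote-laden email is treated as an ordinary value that matches no row, so only the correct credentials start an authenticated session.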