//login.php//
```php
<?php
$q=mysqli_query($conn,"select * from register where mid='$uname' AND pass='$pwd'");
if(mysqli_num_rows($q)===1)
{
    $r=mysqli_fetch_row($q);
    echo "logged in<br><br>You will be redirected in 3 sec";
    $um=$r[0];
    $cm=explode("@",$uname);
    $rx=$cm[0];
    $_SESSION['val']=$uname;
    $valid=$_SESSION['val'];
    $_SESSION['usnm']=$um;
    // $un=$_SESSION['usnm'];
    $_SESSION['rol']=$rx;
    echo $_SESSION['rol'];
    echo " ".$_SESSION['usnm'];
    echo "<script>location.href='main.php';</script>";
    echo "<script>alert($_SESSION[usnm])</script>;";
}
?>
```
//MAIN.PHP//
```php
<?php
session_start();
// $_SESSION['usnm']=$um;
// echo $_SESSION['usnm'].": HI";
// $_SESSION['usnm']="Dhanush";
if(!empty($_SESSION['usnm']))
{
    // //     $var=$_SESSION['vali'];
    // //   echo "<script>window.location.replace('main.php');</script>";
}
else if(empty($_SESSION['usnm']))
{
    echo "<script>alert($_SESSION[usnm]);</script>";
    echo "<script>window.location.replace('index.html');</script>";
}
?>
```

The PHP code above is used to validate the details entered by the user. When they match those in the database, the session name is set. When ECHO is used in the PHP page, the value is seen, but when ECHO SESSION is used in MAIN PAGE, the session value is empty. Can I know what the problem is here? I tried changing the script and even some session variables, but it still failed to execute.

EDRK
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Sep 02 '23 at 17:45
  • 1
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Sep 02 '23 at 17:45
  • How do you know it's getting destroyed? – Dharman Sep 02 '23 at 17:46
  • Also, there is no HTML here, so I don't understand what you mean by redirection. There is no redirection. There is some JS code that probably redirects, but how does this tie in to your session logic? – Dharman Sep 02 '23 at 17:48
  • I don't have an error with session_start() because my whole code was running successfully until last week. The only error is that when the SESSION variable is stored in LOGIN.php, it should be stored there unless and until session_destroy is called, right? But when control moves from login.php to main.php, the SESSION variable is empty. – EDRK Sep 02 '23 at 18:01
  • Are you sure you have `session_start` in login.php? You didn't show us this part. – Dharman Sep 02 '23 at 18:47

0 Answers
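An added example, not code from the original post: a login.php that follows the points raised in the comments, using a MySQLi prepared statement, `password_verify()`, and `session_start()` before `$_SESSION` is written. The connection settings, the form field names `uname` and `pwd`, and the `pass` column holding `password_hash()` output are assumptions.

```php
<?php
// Added example (not the asker's code). Assumptions: table `register` with
// columns `mid` and `pass` as in the question, `pass` holding password_hash()
// output, and placeholder connection settings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$conn->set_charset('utf8mb4');

// Must run before any output and before $_SESSION is written, on every page
// that uses the session (login.php as well as main.php).
session_start();

$uname = $_POST['uname'] ?? '';   // form field names are assumptions
$pwd   = $_POST['pwd'] ?? '';

function find_user(mysqli $conn, string $uname): ?array
{
    // The ? placeholder keeps user input out of the SQL text.
    $stmt = $conn->prepare('SELECT mid, pass FROM register WHERE mid = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Reject array-valued parameters before they reach the query or the hash check.
$user = (is_string($uname) && is_string($pwd)) ? find_user($conn, $uname) : null;

if ($user !== null && password_verify($pwd, $user['pass'])) {
    session_regenerate_id(true);      // fresh session ID after login
    $_SESSION['usnm'] = $user['mid'];
    $_SESSION['rol']  = explode('@', $user['mid'])[0];
    header('Location: main.php');     // server-side redirect instead of inline <script>
    exit;
}

http_response_code(401);
echo 'Invalid username or password';
```

Because `header()` is sent before any `echo`, the redirect does not depend on JavaScript, and no session value is written into the page unescaped.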