0

This is a short piece of code from my login function. I'm having a problem when trying to get the id from a specific user and indexing it to a new session. The code is commented, hope you guys can help me.

$email = mysql_real_escape_string($_POST['email']);
$password = md5(mysql_real_escape_string($_POST['password']));

include_once("include/connection.php");

$query = "SELECT email,password,id FROM user WHERE email ='".$email."' AND password='".$password."'";
$result = mysqli_query($ligaBD,$query);
$value= mysqli_fetch_array($result);

echo $value['id']; // On this line i get the exact id that i want but if i try to echo this inside "if(mysqli_num_rows($result) == 1) { }"  its like the value variable does not exist

if(mysqli_num_rows($result) == 1) {
    session_start();
    echo $value['id']=$_SESSION['id'];exit; // Getting this error -> "Notice: Undefined index: id" 
    header("Location: ./cpanel/#welcome");
}
3
  • Is your session variable set? It is probably referring to an undefined index of $_SESSION called id. Try print_r($_SESSION); to check. Commented Apr 16, 2013 at 20:36
  • 0_* mysql_real_escape_string combined with mysqli_*? Seriously? Why aren't you using prepared statements? Commented Apr 16, 2013 at 20:37
  • I'm a noob at this but I want to learn as much as I can, so help me :b So, what do you advise me to use for being more compatible with mysqli? Commented Apr 16, 2013 at 20:53

2 Answers

1

To solve your question:

echo $value['id']=$_SESSION['id']

is incorrect, that's why you get an error. You're assigning the value of $value['id'] to $_SESSION['id'] which is UNDEFINED because you haven't given it a proper value yet.

You should be doing

$_SESSION['id'] = $value['id'];
echo $_SESSION['id'];

The problem was: the session didn't exist, you didn't assign the value like you should.

You should also be using isset() to make sure that the session actually exists.

Also make sure that you have the session started at the top of the script with

session_start();

Now a little offtopic:

Don't use md5, it's not safe.

You should also be doing

require_once("include/connection.php");

for executable scripts that you don't want to be missing.

Your code is open to SQL injections, you must use prepared statements to prevent SQL injections.

"But isn't mysql_real_escape_string() enough"? No, it's not.

I've made numerous answers about how to use PDO and prepared statements, but you can easily google this, also for mysqli.

Now that I've answered your question, take a look at my answer here about PHPass and how you can easily use it instead of md5: php md5 password for user login


3 Comments

Thanks a lot for your help and advice! I'm sure I will check that
md5 not being safe is the least of the OP's worries, really, but instead of using that PHPASS object, why not simply use crypt, CRYPT_BLOWFISH and some salt... that should do it for now
Sure, but I have only used crypt in Java but I've used the phpass library in PHPass for over a year now and I like it a lot, it's safe and very easy to implement so that's why I'm recommending it. Also it was just a sidenote to my answer.
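
The advice in the answer above (prepared statements, a real password hash instead of md5, and assigning to $_SESSION['id']) put together as an added example; it is not code from the original answers or comments. It assumes PDO with the SQLite driver as a stand-in for the MySQL connection, PHP's built-in password_hash()/password_verify() with bcrypt in place of phpass, and a constructed user table and account.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL connection so the
// script runs without a server; the table and the user row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Registration side: store a salted bcrypt hash instead of md5().
$insert = $db->prepare('INSERT INTO user (email, password) VALUES (?, ?)');
$insert->execute(['alice@example.com', password_hash('correct horse', PASSWORD_BCRYPT)]);

// Returns the user's id, or null when the email or password does not match.
function authenticate(PDO $db, string $email, string $password): ?int
{
    // The email is bound as a parameter, so it is never parsed as SQL.
    $stmt = $db->prepare('SELECT id, password FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The stored hash is looked up by email and checked in PHP.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

function login(PDO $db, string $email, string $password): bool
{
    $id = authenticate($db, $email, $password);
    if ($id === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['id'] = $id;       // the variable being set goes on the left
    return true;
}

// Constructed inputs: wrong password, a quote-laden email, then a valid login.
$results = [
    'wrong password' => login($db, 'alice@example.com', 'wrong'),
    'quoted email'   => login($db, "x' OR '1'='1", 'anything'),
    'valid login'    => login($db, 'alice@example.com', 'correct horse'),
];
var_dump($results, $_SESSION['id'] ?? null);
```

With a MySQL server only the DSN passed to `new PDO(...)` changes; the `prepare()`/`execute()` calls stay the same.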
0

That's because you haven't set $_SESSION['id'] yet, by what I can gather, you'll need to set it to the value of $value['id'] (you can't set a variable to something that doesn't exist).

echo $_SESSION['id']=$value['id'];
