$_SESSION['EVIL!!!']; Hah!

[pengu]

Hey guys,

 

Not the best with php, hence why I'm here asking for some help.

 

I'm currently doing a website using "user authentication".  So if you try to go to index.php or news.php it will redirect you to the login page, this is working just fine!  Goes to database selects username&password, makes a session ID true and all pages check this..

 

The problem I'm having is I want to pass more information through the session, I'm 100% sure this is possible.  For example in my "login.inc.php" page which checks all data entered I want to take the users "id" and pass this thru all pages so I can make for example.. a profile page.

 

LOGIN.INC.PHP

<?php

require_once('*changed*');
require_once('functions.inc.php');

session_start();

// Check if user is already logged in
if ($_SESSION['logged_in'] == true) {

redirect('../index.php');
} else {

if ( (!isset($_POST['username'])) || (!isset($_POST['password'])) OR
     (!ctype_alnum($_POST['username'])) ) {
	header('Location: ../login.php');
}

	$mysqli = @new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);

if (mysqli_connect_errno()) {
	printf("Unable to connect to database: %s", mysqli_connect_error());
	exit();
}

$username = $mysqli->real_escape_string($_POST['username']);
$password = $mysqli->real_escape_string($_POST['password']);

	$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = md5('" . $password . "')";	

$result = $mysqli->query($sql);

        //sure this is wrong, it doesn't even make sense to me.. but it's what I want it to do
        //pull the ID from the database
while($row = mysql_fetch_array($result))
  		{
	$id = $row['id'];
	}

if (is_object($result) && $result->num_rows == 1) {
	// used throughout the other pages
	$_SESSION['logged_in'] = true;

                // this one works, but only because it's pulling it from the "form"
	$_SESSION['username'] = $username;
                //this don't work 
	$_SESSION['id'] = $id;
	redirect('../index.php');
} else {

	redirect('../login.php');
}
}
?>

 

functions.inc.php

<?php

function redirect($page) {
header('Location: ' . $page);
exit();
}

function check_login_status() {

// If $_SESSION['logged_in'] is set, return the status
if (isset($_SESSION['logged_in'])) {
	return $_SESSION['logged_in'];
	return $_SESSION['username'];
	return $_SESSION['id'];
}
return false;
}
?>

 

Please help!

[trq]

What exactly is the problem your having? Your code looks reasonable except for the fact that a function can only return one value.

 

How / where are you trying to use $_SESSION['id'] ?

[pengu]

Oh can it?

 

So far it's just being displayed as the ID.  But I want to use it for a profile page and some other things.  So I want to be able to grab it all the time SELECT * FROM whatever WHERE id = $_SESSION['id'] kind of thing.

[trq]

Sorry, that still doesn't help us help you. Can you answer the two questions I asked you in my previous response?

[pengu]

I have a table that contains ID username password ect ect

 

Using Session ID I want to pass that information constantly through all the pages.  At the moment as a test I'm just doing a echo of the "ID" on another page and It's not displaying it at all.

 

I want to be able to pull information from the database for different pages.

 

 

LINKS.PHP

<?php

session_start();

require_once('includes/functions.inc.php');

if (check_login_status() == false) {
	redirect('login.php');
}

?>

<html>
<head>
</head>
<style>
a:hover
{
color: #333333;
}
</style>
<body>

<font face="Fixedsys">
<p>WELCOME <?php echo $_SESSION['id'] ; ?> </p>
<p>
[<a href="./news.php" target="body">News</a>]
[<a href="./includes/logout.inc.php" target="body">logout</a>]


</p>

 

so it's not displaying the "ID" on this other page, for example

[pengu]

I eventually came to the conclusion that I can use the username to look up stuff in the database.  The username is unique so I shouldn't run into multiple queries.

 

If there is a better method, please do tell!

[Garethp]

There shouldn't be a better one. A query with a unique identifier is always the best method

 

EDIT: On second thought, query for Username AND Password, so you can just chest the number of rows without having to fetch the array

[pkedpker]

how does this work

 

function check_login_status() {

// If $_SESSION['logged_in'] is set, return the status
if (isset($_SESSION['logged_in'])) {
	return $_SESSION['logged_in'];
	return $_SESSION['username'];
	return $_SESSION['id'];
}
return false;
}

 

you know it will only return either false or the value of logged_in 

 

username id will never be returned..

 

something you gotta learn in programming return exits function right away.. right when it sees it.. if statement may make u be able to use multiple returns.. but as soon as code execution reaches a return its over.. and trust me. if you think just because logged_in is not set of something it will skip the return and go to the second one.. then your mistaken because return exits on ANYTHING.. its like similar to die();.. just without exiting the script execution just function jump. Plus its used in all programming languages..

[pengu]

Ignore that.. I've changed the code and have it fully functioning now.

As soon as someone mentioned you can't return more than one thing I changed bits and pieces.

 

Err.. thanks for your help anyways guys, but the best method is to sit there and fiddle with it, I'm sure I'll be asking more questions soon.

 

Cheers,

Pengu