TomasV, posted May 23, 2014:

Hey, I'm really new to PHP and having some difficulties with $_SESSION and getting userid from the database. I've managed to put content to my database and also a login script. Though, adding sessions has been a pain. Here's what I got so far:

```php
$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$query_login->execute(array('userid' => $userid, 'username' => $username, 'password' => $pas));
$result = $query_login->rowcount();
if ($result>0) {
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['logged'] = 1;
    $_SESSION['userid'] = $result['userid'];
    header('Location: ../user/user.php');
}
```
fastsol, posted May 23, 2014 (edited May 23, 2014 by fastsol):

You're assigning $result only to the row count, not the actual query result.

```php
$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$result = $query_login->execute(array('userid' => $userid, 'username' => $username, 'password' => $pas));
if ($result->rowCount() > 0) {
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['logged'] = 1;
    $_SESSION['userid'] = $result['userid'];
    header('Location: ../user/user.php');
}
```
TomasV (author), posted May 24, 2014 (edited May 24, 2014 by TomasV):

Almost there I guess. Getting following error message now using this:

Fatal error: Call to a member function rowCount() on a non-object in

```php
// Check so the form was filled
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['submit'] === 'Login' && !empty($_POST['username']) && !empty($_POST['password'])) {
    // Include DB credentials
    include_once('db.inc.php');
    $db = new PDO(DB_INFO, DB_USER, DB_PASS);

    // Fetch username and password from form, to match up from DB
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $pas = md5($password, "testar");

    $sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
    $query_login = $db->prepare($sql);
    $result = $query_login->execute(array('username' => $username, 'password' => $pas));
    $uid = $rowCount->
    if ($result->rowCount() > 0) {
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['logged'] = 1;
        $_SESSION['userid'] = $result['userid'];
        header('Location: ../user/user.php');
    }
```
Frank_b, posted May 24, 2014:

Assuming that you have a primary key column in your database with the name 'userid', you should do the following:

```php
$sql = "SELECT userid, username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$result = $query_login->execute(array('username' => $username, 'password' => $pas));
if ($result->rowCount() > 0)
    $uid = $result['userid'];
echo $uid;
```
TomasV (author), posted May 24, 2014:

Still experiencing problems, thanks for your patience guys and for your help!

"Fatal error: Call to a member function rowCount() on a non-object in"

```php
$sql = "SELECT userid, username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$result = $query_login->execute(array('username' => $username, 'password' => $pas));
if ($result->rowCount() > 0) {
    session_start();
```
Jacques1, posted May 24, 2014:

The whole code doesn't make a lot of sense. No offense, but this looks more like guesswork (or copy and paste) than actual programming.

You should definitely start using the PHP manual as a reference. This will tell you how the PHP functions and classes actually work.

- $result is a boolean which indicates whether or not the query was successful. If you want to get the number of rows, you need to get them from $query_login. To get the result set, you must actually fetch it (again from $query_login).
- Why are you using mysql_real_escape_string()? This function belongs to an entirely different database extension and is completely misplaced here.
- Why do you insert the $username and $pas into the query string? The whole point of a prepared statement is to not do that. In your case, all the prepare() and execute() doesn't do anything.
- What's the second argument of the md5() call supposed to do? The second parameter expects a boolean, and this tells the function whether it should return the hash as a binary string or hexadecimally encoded. I'm pretty sure that's not what you want. Is this supposed to be a salt? Then it's not. A salt is a unique random string for a single hash. If you just add a constant string, that doesn't do anything. But salting doesn't help you, anyway, because MD5 hashes can be broken in a matter of minutes on a stock PC. You need an actual password hash algorithm.
- You must generate a new session ID when the user logs in. Otherwise, PHP will use the old ID which may be known to or even have been set by an attacker.
- What is $_SESSION['logged'] supposed to do? And why do you store both the user ID and the user name in the session?
- Every header('Location: ...') call should be followed by an exit statement to stop script execution. Otherwise, the script will happily keep running and can cause all kinds of unwanted behaviour.
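The points raised in the last reply, put together as an added example; this is not code from any poster in the thread. It assumes PHP 7.1+ with the pdo_sqlite extension: the in-memory SQLite table, the sample user `alice` and the function name `authenticate()` are constructed for illustration, while the column names and redirect target are the ones used in the thread.

```php
<?php
// Returns the matching userid, or null when the name or password is wrong.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text; no escaping needed.
    $stmt = $db->prepare('SELECT userid, password FROM users WHERE username = :username');
    $stmt->execute(['username' => $username]);  // execute() only reports success
    $row = $stmt->fetch(PDO::FETCH_ASSOC);      // the row is fetched from the statement

    // password_verify() checks the input against the stored salted hash.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Constructed demo data: in-memory SQLite stands in for the poster's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)')
   ->execute(['u' => 'alice', 'p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed fallback values so the script also runs from the command line.
$username = $_POST['username'] ?? 'alice';
$password = $_POST['password'] ?? 'correct horse';
if (!is_string($username) || !is_string($password)) {
    http_response_code(400);   // e.g. username[]=x arrives as an array
    exit('Bad request');
}

$userid = authenticate($db, $username, $password);
if ($userid === null) {
    http_response_code(401);
    exit('Invalid username or password');
}

session_start();
session_regenerate_id(true);    // new ID at login; the pre-login one is deleted
$_SESSION['userid'] = $userid;  // this example stores only the user ID
header('Location: ../user/user.php');
exit;                           // stop the script once the redirect is sent
```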