Jump to content

Database connection getting userid


TomasV

Recommended Posts

Hey,

 

I'm really new to PHP and having some difficulties with $_SESSION and getting userid from the database. I've managed to put content to my database and also a login script. Though, adding sessions has been a pain. Here's what I got so far:

$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
			$query_login = $db->prepare($sql);
			$query_login->execute(array('userid' => $userid, 'username' => $username, 'password' => $pas));
			$result = $query_login->rowcount();

		if ($result>0)
		{

			session_start();
				$_SESSION['username'] = $username;
				$_SESSION['logged'] = 1;
				$_SESSION['userid'] = $result['userid'];

			header('Location: ../user/user.php');

		}
Link to comment
Share on other sites

You're assigning $result only to the row count, not the actual query result.

$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
			$query_login = $db->prepare($sql);
			$result = $query_login->execute(array('userid' => $userid, 'username' => $username, 'password' => $pas));

		if ($result->rowCount() > 0)
		{

			session_start();
				$_SESSION['username'] = $username;
				$_SESSION['logged'] = 1;
				$_SESSION['userid'] = $result['userid'];

			header('Location: ../user/user.php');

		}
Edited by fastsol
Link to comment
Share on other sites

Almost there I guess.

Getting following error message now using this:

Fatal error: Call to a member function rowCount() on a non-object in

	// Check so the form was filled
	if ($_SERVER['REQUEST_METHOD'] === 'POST'
		&& $_POST['submit'] === 'Login'
		&& !empty($_POST['username'])
		&& !empty($_POST['password']))
	{
		// Include DB credentials
		include_once('db.inc.php');
		$db = new PDO(DB_INFO, DB_USER, DB_PASS);

		// Fetch username and password from form, to match up from DB
		$username = mysql_real_escape_string($_POST['username']);
		$password = mysql_real_escape_string($_POST['password']);
		$pas = md5($password, "testar");

		$sql = "SELECT username, password FROM users WHERE username = '$username' and password = '$pas'";
			$query_login = $db->prepare($sql);
			$result = $query_login->execute(array('username' => $username, 'password' => $pas));
			$uid = $rowCount->

		if ($result->rowCount() > 0)
		{

			session_start();
				$_SESSION['username'] = $username;
				$_SESSION['logged'] = 1;
				$_SESSION['userid'] = $result['userid'];

			header('Location: ../user/user.php');

		}
Edited by TomasV
Link to comment
Share on other sites

assuming that you have a primary key column in your database with the name 'userid' you should do the following

$sql = "SELECT userid, username, password FROM users WHERE username = '$username' and password = '$pas'";
$query_login = $db->prepare($sql);
$result = $query_login->execute(array('username' => $username, 'password' => $pas));
if ($result->rowCount() > 0)
   $uid = $result['userid'];
echo $uid;
Link to comment
Share on other sites

Still experiencing problems, thanks for your patience guys and for your help!

"Fatal error: Call to a member function rowCount() on a non-object in"

		$sql = "SELECT userid, username, password FROM users WHERE username = '$username' and password = '$pas'";
			$query_login = $db->prepare($sql);
			$result = $query_login->execute(array('username' => $username, 'password' => $pas));

		if ($result->rowCount() > 0)
		{

			session_start();
Link to comment
Share on other sites

The whole code doesn't make a lot of sense. No offense, but this looks more like guesswork (or copy and paste) than actual programming.

 

You should definitely start using the PHP manual as a reference. This will tell you how the PHP functions and classes actually work.

  • $result is a boolean which indicates whether or not the query was successful. If you want to get the number of rows, you need to get them from $query_login.
  • To get the result set, you must actually fetch it (again from $query_login).
  • Why are you using mysql_real_escape_string()? This function belongs to an entirely different database extension and is completely misplaced here.
  • Why do you insert the $username and $pas into the query string? The whole point of a prepared statement is to not do that. In your case, all the prepare() and execute() doesn't do anything.
  • What's the second argument of the md5() call supposed to do? The second parameter expects a boolean, and this tells the function whether it should return the hash as a binary string or hexadecimally encoded. I'm pretty sure that's not what you want. Is this supposed to be a salt? Then it's not. A salt is a unique random string for a single hash. If you just add a constant string, that doesn't do anything. But salting doesn't help you, anyway, because MD5 hashes can be broken in a matter of minutes on a stock PC. You need an actual password hash algorithm.
  • You must generate a new session ID when the user logs in. Otherwise, PHP will use the old ID which may be known to or even have been set by an attacker.
  • What is $_SESSION['logged'] supposed to do? And why do you store both the user ID and the user name in the session?
  • Every header('Location: ...') call should be followed by an exit statement to stop script execution. Otherwise, the script will happily keep running and can cause all kinds of unwanted behaviour.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.