如何在会话中显示用户ID？

Question

I would like to get except of the username and user ID in a page. About that I created two php pages. Also my database consists of 3 columns userid, username, password. The login.php page is

<?php 
session_start();
//@$userid = $_GET['userid'];
@$username = $_POST['username'];
@$password = $_POST['pass'];

if(@$_POST['Submit']){
if($username&&$password)
{
$connect = mysql_connect("localhost","*****","") or die("Cannot Connect");
mysql_select_db("project") or die("Cannot find the database");

$query = mysql_query("SELECT * FROM users WHERE username='$username'");
//$query = mysql_query("SELECT * FROM users WHERE userid='$userid' and username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
    while ($row = mysql_fetch_assoc($query))
    //while ($row = mysql_fetch_array($query))
    {
        $dbuserid = $row['userid'];
        $dbusername = $row['username'];
        $dbpassword = $row['password'];
    }
    if($username==$dbusername&&$password==$dbpassword)
    {
        echo "You are login!!!!! Continue now with the survey <a href='mainpage.php'>here</a>";
        $_SESSION['username']=$username;
        $_SESSION['userid']=$userid;
    }
    else
    {
        echo "<b>Incorrect Password!!!!</b>";
    }
}
else
    //die("That user does not exist");
    echo "<b>That user does not exist</b>";
}
else
echo "<b>You must enter a username and a password</b>";
}
?>
<!--<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />-->
<title>Login Page</title>
<style type="text/css"> 
h2 {letter-spacing: 10px; font-size: .2in; background-color: #33CC00; color: #000000; text-transform:uppercase; width:260px}
span {color: #FF00CC}
legend {font-variant: small-caps; font-weight: bold}
fieldset {width: 260px; height: 100px; font-family: "Times New Roman", Times, serif; background-color: #CCCCCC; color: #000000}
label {display:block;}
.placeButtons {position: relative; left: 0px; width: 70px; margin: 5px; 0px;}
</style>
</head>

<body background="images/good.jpg">

<h2>Login Page</h2>
<form name="loginform" method='POST'>

<fieldset>
<legend>Form</legend>
    <label>Username: <input type="text" name="username"/><span>*</span></label><br/>
    <label>Password: <input type="password" name="pass"/><span>*</span></label>
    <input class="placeButtons" type="reset" value='Reset'/>
    <input class="placeButtons" type="submit" name="Submit" value='Login'/>
    <a href='registration.php'>Register</a>
</fieldset><br>
<a href='firstpage.php'><-- Go Back</a>
</form>
</body>
</html>

and the page which is a welcome page of the user

<?php 
session_start();

if ($_SESSION['username'])
{
//echo "Welcome, ".$_SESSION['username']."! <a href='logout.php'>Logout</a>";
echo "Welcome, ".$_SESSION['username']."<br>".$_SESSION['userid']. "<a href='logout.php'>Logout</a>";

}
else
die("You must be logged in!!");
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />-->
<title></title>

</head>
<body background="images/good.jpg">
</body>
</html>

The problem is that in the welcome page it shows me only the username and not the UserID. What am I missing? Furthermore, I know that my login page is not the best and is a typical example of SQL injection attack. I have to improve it.

Answer 1

A quick thing i noticed. That might be the problem. The $_SESSION['userid'] is getting value from $userid which is not set. Also using @ to supress your error is not a good practice. use isset to check if the variable is set and continue.

$_SESSION['userid'] = $userid; //where are you getting $userid from?

This should be

 $_SESSION['userid'] = $dbuserid;

Also instead of using statement like

if ($_SESSION['username'])

First check if the variable is set like this

if ( isset($_SESSION['username']) ){
 //now continue your work
}

Answer 2

and make sure you use ini_set('session_save_path', 'new_dir') or the function session_save_path when you are on a shared webhost. sessions that are in the same directory from different websites are prone to session stealing / snooping / modification.

I checked the PHP source code PHP doesn't keep track which session id's are made by with website (HOST) that why this attack works if the attacker has a account on the same webhosting

So never put to much trust in the SESSION array because you think it's safe because it's server generated it's not if you don't make countermeasures...