如何获得 session id

Question

please help i have the following php code for my login session but i am trying to get the $_session['user_id'] instead of the $_session['email']. i tried print_f function to see what i can use but user_id array says 0 which cannot be right unless i read it wrong.

session_start();

$email = strip_tags($_POST['login']);
$pass = strip_tags($_POST['password']);

if ($email&&$password) {
    $connect = mysql_connect("xammp","root"," ") or die (" ");
    mysql_select_db("dbrun") or die ("db not found");
    $query = mysql_query("SELECT email,pass FROM members WHERE login='$email'");
    $numrows = mysql_num_rows($query);
    if ($numrows!=0) {
        // login code password check
        while ($row = mysql_fetch_assoc($query)) {
            $dbemail = $row['login'];
            $dbpass = $row['password'];
        }

        // check to see if they match!
        if ($login==$dbemail&&$password==$dbpass) {
            echo "welcome <a href='member.php'>click to enter</a>";
            $_SESSION['login']=$email;
        } else {
            echo (login_fail.php);
        }
    } else {
        die ("user don't exist!");
    }
    //use if needed ==> echo $numrows;
} else {
    die ("Please enter a valid login");
}

i am trying to get the $_session['user_id'] instead how can get this to use instead of $_session['email']. tried using $_session['user_id'] but instead i got undefined error msg.

Answer 1

Well, you don't define $_session['user_id'] anywhere in this script, so it's no surprise that it's not defined. You have to assign it a value before you can refer to it.

Also, note that there all kinds of security problems with this code.

You're running your MySQL connection as the root user. This is NOT a good idea.

You're trusting user input, which opens your script up to a SQL injection attack. Stripping HTML tags from the user input does not make it safe. Suppose that I came to your site, and filled in the "email" field with this:

bob@example.com'; GRANT ALL PRIVILEGES ON *.* TO 'evil_bob' IDENTIFIED BY '0wned_joo';

As currently written, your script would happily run its query as normal, and also create an account called "evil_bob" with full privileges to all the information in all of the databases on your server.

To avoid this, NEVER assume that user input is safe. Validate it. And to be extra sure, don't stick variables straight into SQL you've written. Use bound parameters instead. There are a few cases where it's hard to avoid -- for example, if you need to specify the name of a column rather than a piece of data, a bound parameter will not help and you'll have to do it some other way. However, for any piece of data you're using as part of a query, bind it.