stackoom
  简体   繁体   中英

how to get the session id

 原文  2011-08-16 04:52:40       php/ mysql

Question

please help i have the following php code for my login session but i am trying to get the $_session['user_id'] instead of the $_session['email']. i tried print_f function to see what i can use but user_id array says 0 which cannot be right unless i read it wrong.

session_start();

$email = strip_tags($_POST['login']);
$pass = strip_tags($_POST['password']);

if ($email&&$password) {
    $connect = mysql_connect("xammp","root"," ") or die (" ");
    mysql_select_db("dbrun") or die ("db not found");
    $query = mysql_query("SELECT email,pass FROM members WHERE login='$email'");
    $numrows = mysql_num_rows($query);
    if ($numrows!=0) {
        // login code password check
        while ($row = mysql_fetch_assoc($query)) {
            $dbemail = $row['login'];
            $dbpass = $row['password'];
        }

        // check to see if they match!
        if ($login==$dbemail&&$password==$dbpass) {
            echo "welcome <a href='member.php'>click to enter</a>";
            $_SESSION['login']=$email;
        } else {
            echo (login_fail.php);
        }
    } else {
        die ("user don't exist!");
    }
    //use if needed ==> echo $numrows;
} else {
    die ("Please enter a valid login");
}

i am trying to get the $_session['user_id'] instead how can get this to use instead of $_session['email']. tried using $_session['user_id'] but instead i got undefined error msg.

1 answers

solution1
 1 ACCPTED  2011-08-16 05:08:22

Well, you don't define $_session['user_id'] anywhere in this script, so it's no surprise that it's not defined. You have to assign it a value before you can refer to it.

Also, note that there all kinds of security problems with this code.

You're running your MySQL connection as the root user. This is NOT a good idea.

You're trusting user input, which opens your script up to a SQL injection attack. Stripping HTML tags from the user input does not make it safe. Suppose that I came to your site, and filled in the "email" field with this:

bob@example.com'; GRANT ALL PRIVILEGES ON *.* TO 'evil_bob' IDENTIFIED BY '0wned_joo';

As currently written, your script would happily run its query as normal, and also create an account called "evil_bob" with full privileges to all the information in all of the databases on your server.

To avoid this, NEVER assume that user input is safe. Validate it. And to be extra sure, don't stick variables straight into SQL you've written. Use bound parameters instead. There are a few cases where it's hard to avoid -- for example, if you need to specify the name of a column rather than a piece of data, a bound parameter will not help and you'll have to do it some other way. However, for any piece of data you're using as part of a query, bind it.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to get $_SESSION['id'] from a session how to get session variables using session id How to get the Session id in Codeignitor How to get the id to set a session variable in php How to get a value from session id How to get for jQuery ID from session PHP? Laravel 9 - How to get my session id in a controller? How to get user id session in prestashop 1.6.1.3 How can I get the session ID in Laravel? How to get the session ID stored in database?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM