I have a login form that accepts both user email and password to login. I'm trying to assign that user's id to the session variable. To do that I'm trying to use their email address to query the database and retrieve their ID to assign to the session. I don't get any errors but it doesn't show the person's details so I've probably messed up with assigning the query to the session variable again. Could someone tell me what I'm missing with assigning? The part where I introduce the query is at the very bottom.
This code has already queried for and fetched the row of data matching the email. Upon verifying the password hash (you should be using php’s password_hash() and password_verify()) why don’t you just store the fetched user id into the session variable?
In your previous thread, you were correctly using the OOP mysqli statements to perform a prepared query. Why have you now completely changed to using procedural mysqli statements and are incorrectly using a prepared query, by putting an external, unknown, dynamic value directly into the sql query statement?
Also, by having the form and form processing code on separate pages, with all the redirects, you are open to site Phishing, where someone can trick one of your users to enter their username/password on the Phishing site, then redirect back to your site and make it look like the user just entered the wrong credentials. Put the form and the form processing code on the same page. In addition to making this more secure, it greatly simplifies the code.
I just let the password get stored in the database in plain text. Have not made use of hashes yet. Just wanted to make sure the main functionalities would work before looking at security measures since I'm not familiar with them.
When registering, the user just inserts personal info. Logging in is in a different page so once they've registered they would have to go back to the home page and then login on a different page. I did it like that since it's only an admin that could register a new employee.
It wouldn’t be $_REQUEST['eid'] but the query result value that you would set to session.
But set that aside and take a good look at mabismad’s post #7. There are many important points. You are already doing a query to check the password and so it is from this query where you would grab the eid and set it to session if the password is correct.
I totally agree that you should be using prepared query statements to handle user input against the database so switch back to what you learned in the other thread about prepared statements.
As far as messages, avoid using $_GET when you can. As the form and processing are on the same page… Just define the message in the processing section and display it within content… and upon success there is no need for a message as they are directed to the new page.
Messages can easily be created and displayed, IF you have set up your page correctly. All processing should be above <html> content. In general I would have session_start() and DB connection at the top of the page followed by an IF condition that contains the processing code. It might look something like this.
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['email'])):
    // processing code goes here (query, password check, set session, redirect)
endif;
// <html> content below this
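Putting the advice in this thread together, as an added example that is not the original poster's code nor anyone else's from the thread: form and processing on one page, a prepared OOP mysqli query, password_verify() against a stored password_hash() value, and the eid taken from the query result (not from the request) stored in the session. The connection details, the employees table with its eid/email/password columns, and dashboard.php are assumptions.

```php
<?php
// Added example (not from the thread). Assumes an `employees` table with
// columns eid, email, password, where password holds a password_hash() value
// written at registration time. Connection credentials are placeholders.
session_start();

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
$db->set_charset('utf8mb4');

$message = ''; // defined in the processing section, displayed in the content

// All processing sits above any <html> output, on the same page as the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email'], $_POST['password'])) {
    $email    = trim($_POST['email']);
    $password = $_POST['password'];

    // Prepared query: the external value is bound, never placed in the SQL string.
    $stmt = $db->prepare('SELECT eid, password FROM employees WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($eid, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found && password_verify($password, $storedHash)) {
        session_regenerate_id(true);         // new session id on privilege change
        $_SESSION['eid'] = $eid;             // id comes from the query result
        header('Location: dashboard.php');   // assumed landing page
        exit;
    }
    // One message for both "unknown email" and "wrong password".
    $message = 'Invalid email or password.';
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($message !== ''): ?>
    <p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
    <input type="email" name="email"
           value="<?= htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8') ?>">
    <input type="password" name="password">
    <button type="submit">Log in</button>
</form>
</body>
</html>
```

The registration page would store password_hash($password, PASSWORD_DEFAULT) in the password column so that password_verify() has something to check against.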
Ooooohh okay I'll make those changes then and hope it works, thanks for all the advice from you and mabismad. I'm just learning off the internet at this point so it really gave me some direction. Thanks and tc.