How do I assign a different value to my session variable based on user input

I have a login form that accepts both user email and password to login. Im trying to assign that users id to the session variable. To do that im trying to use their email address to query the database and retrieve their ID to assign to the session. I dont get any errors but it doesnt show the persons details so Ive probably messed up with assigning the query to the session variable again. Could someone tell me what im missing with assigning? The part where i introduce the query is at the very bottom.


$email = $_REQUEST['email'];
$password = $_REQUEST['password'];

//check for empty values
if(empty($email) || empty($password)) {
} else {
  mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  //error handling
  //DB Connection
  require_once 'dbcon.php';
  //Query the DB
  $sql = "SELECT * FROM employee WHERE eemail='$email'";
  $stmt = mysqli_stmt_init($conn);
  //if cannot query the DB
  if(!mysqli_stmt_prepare($stmt, $sql)) {
  } else {
    //passing the values
    mysqli_stmt_bind_param($stmt, "s", $email);
    $result = mysqli_stmt_get_result($stmt);
    if($row = mysqli_fetch_assoc($result)) {
       $pass = $row['epassword'];
      //validate password
      $pswdCheck = ($password == $pass);

      if($pswdCheck == true) {

       $sql=mysqli_query($conn, "SELECT eid FROM employee where eemail='$email'");
       $stmt = mysqli_stmt_init($conn);
        $_SESSION['login_employee'] = $_REQUEST['eid'];

1 Like

What is $_REQUEST[‘eid’]; ?

1 Like

Thats how it assigns it to eid in this case right? Im still a little new to this so i assumed a lot when i modified it

A few lines above you are using a mysql query correct. So why don’t you do it here?

okay i did it the same way i did above but its still not assigning it to the session and the variable is still empty.

1 Like

This code has already queried for and fetched the row of data matching the email. Upon verifying the password hash (you should be using php’s password_hash() and password_verify()) why don’t you just store the fetched user id into the session variable?

In your previous thread, you were correctly using the OOP mysqli statements to perform a prepared query. Why have you now completely changed to using procedural mysqli statements and are incorrectly using a prepared query, by putting an external, unknown, dynamic value directly into the sql query statement?

Also, by having the form and form processing code on separate pages, with all the redirects, you are open to site Phishing, where someone can trick one of your users to enter their username/password on the Phishing site, then redirect back to your site and make it look like the user just entered the wrong credentials. Put the form and the form processing code on the same page. In addition to making this more secure, it greatly simplifies the code.

1 Like

thats the part that im having trouble executing properly, im not sure of the syntax to fetching that, whether at password verification part or later on.

I kinda jst used a sample from one of my previous projects and used here so I didnt really realise that the styles were different since I jst started learning about prepared statements. :sweat_smile:

The form and the processing codes are all in the same page. I only added the php part cz my error was with the php part and i wasnt sure if the whole shabang was too long.

Then there’s absolutely no need for all the extra code and redirects. All they are doing is providing a security hole.

Okay il make sure to get rid of those then, thanks

Do you really have a field called eemail?

Apparently also has a column named epassword and has fallen victim to needlessly including some part of the table name in each column name.

Are you storing plain text passwords in the database?
What method are you using when you create an account?

yeeps i do, it holds the employee emails that they use when logging in

I just let the password get stored in the database in plain text. Have not made use of hashes yet. Just wanted to make sure the main functionalities would work before looking at security measures since im not familiar with them.

When registering, the user just inserts personal info. Logging in is in a different page so once they’ve registered they would have to go back to home page and then login on a different page. I did it like that since its only an admin that could register a new employee.

It wouldn’t be $_REQUEST['eid'] but the query result value that you would set to session.

But set that aside and take a good look at mabismad’s post #7. There are many important points. You are already doing a query to check the password and so it is from this query where you would grab the eid and set it to session if the password is correct.

I totally agree that you should be using prepared query statements to handle user input against the database so switch back to what your learned in the other thread about prepared statements.

As far as messages, avoid using $_GET when you can. As the form and processing is on the same page… Just define the message in the processing section and display it within content… and upon success there is no need for a message as they are directed to the new page.

Messages can easily created and displayed, IF you have setup your page correctly. All processing should be above <html> content. In general I would have session_start() and DB connection at the top of the page followed by an IF condition that contains the processing code. It might look something like this.

if($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['email'])):	
	//processing code goes here


//<html> below this

Best of luck on your project.

1 Like

Ooooohh okay il make those changes then and hope it works, thanks for all the advice from you and mabismad. Im just learning off the internet at this point so it really gave me some direction. Thanks and tc.