Member Avatar for devianleong 
<?php
include('./config.php');

//protect SQL injection
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password=hash('sha256',$password);


//SQL query that sent login info to database


$result = mysql_query ("SELECT * FROM admin WHERE Login ='$username' AND Password ='$password'",$con);
$check = mysql_num_rows ($result);


@session_start();


if ($check == 1){
    while($rows = mysql_fetch_array($result)){
    $_SESSION['adminID'] = $rows['ID'];
    $_SESSION['username'] = $username;
        header('Location: ../home.php');
}
}

else {
    header('Location: ../index.php');

}


?>

Please help me take a look what's going on to .
SESSION['username'] was working fine but SESSION['adminID'] not registered..help~

  • 3 Contributors
  • 4 Replies
  • 129 Views
  • 6 Hours Discussion Span
  • Latest Post Latest Post by phorce
Member Avatar for phorce 
<?php
ob_start();
session_start();
include('./config.php');

//protect SQL injection
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password=hash('sha256',$password);


//SQL query that sent login info to database


$result = mysql_query ("SELECT * FROM admin WHERE Login ='$username' AND Password ='$password'",$con);
$check = mysql_num_rows ($result);

if ($check == 1){
    while($rows = mysql_fetch_array($result)){
    $_SESSION['adminID'] = $rows['ID'];
    $_SESSION['username'] = $username;
        header('Location: ../home.php');
}
}

else {
    header('Location: ../index.php');

}


?>

Username will work, however, are you sure that 'ID' actually exists in the database?

Member Avatar for ryantroop

looks like a spelling/case error with your DB columns. As above, make sure that 'ID' is the actual name of the column, and not something like 'userID' or something similar.

You don't need to stripslashes if you're using real_escape_string().

Don't give idiots who try to hack your page more room to get a right answer. Treat slashes as an invalid character.

If you really want to add an extra layer of security, you should look into preg_match().

Member Avatar for devianleong

yes...the problem solved..is because my other php file not contain session_start =)

anyway..thank you..

Member Avatar for phorce

If this thread is solved, please mark it as solve. And give respect to those who you think helped you.

Good luck :))!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.