0

I'm receiving the error Error In Session when I run my login script:

session_start();
if (isset($_POST['login'])) {
    $logusername=$_POST['username'];
    $logpassword=sha1(md5($_POST['password']));
    $redirectLoginSuccess = "dashboard.php";

    $result=mysqli_query($con, "SELECT * FROM users WHERE username='$logusername' AND password='$logpassword'")or die('Error In Session');
    $row=mysqli_fetch_array($result);

    if($result>0){
        $access  = mysqli_fetch_assoc($result,0,'access');
        $userID = mysqli_fetch_assoc($result,0,'id');
        $username = mysqli_fetch_assoc($result,0,'username');
        $name = mysqli_fetch_assoc($result,0,'name');

        //declare two session variables and assign them
        $_SESSION['username'] = $username;
        $_SESSION['userID'] = $userID;
        $_SESSION['name'] = $name;
        $_SESSION['access'] = $access;
    }

        header("Location: " . $redirectLoginSuccess );
}

I receive this error every time I run the script, and I'm not sure exactly where the error is.

Ramon Henry
    MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Aug 16 '18 at 17:16
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Aug 16 '18 at 17:16
  • Also note that `if($result>0){` checks the result of `mysql_query()` and *not* the result of `mysqli_fetch_array()` as you probably intended. Here, you'll get a truthy value as long as the query executes, *even if it doesn't select any rows*. I.e., with this code, all login attempts will always succeed, regardless of a password match, and even if the userid doesn't exist. – Alex Howansky Aug 16 '18 at 17:22

1 Answer

0

The code below works, but for some reason I am not able to echo the session variable `name`. Is it possible that the session variable is not being stored?

// session_start() must already have been called at the top of this file or in an include
if ( isset( $_POST[ 'login' ] ) ) {
    $errMsg = '';
    // Get data from FORM
    $username = $_POST[ 'username' ];
    $password = sha1($_POST[ 'password' ]);
    if ( $username == '' )
        $errMsg = 'Enter username';
    // Check the raw input: sha1('') is a non-empty string, so checking $password here never fires
    if ( $_POST[ 'password' ] == '' )
        $errMsg = 'Enter password';
    if ( $errMsg == '' ) {
        try {
            $stmt = $connect->prepare( 'SELECT id, name, username, password, access FROM users WHERE username = :username AND password = :password' );
            $stmt->execute( array(
                ':username' => $username,
                ':password' => $password
            ) );
            $data = $stmt->fetch( PDO::FETCH_ASSOC );
            if ( $data == false ) {
                $errMsg = "User $username not found.";
            } else {
                if ( $password == $data[ 'password' ] ) {
                    // The SELECT returns the column as 'name', not 'fullname';
                    // reading $data['fullname'] left $_SESSION['name'] empty.
                    $_SESSION[ 'name' ] = $data[ 'name' ];
                    $_SESSION[ 'username' ] = $data[ 'username' ];
                    $_SESSION[ 'password' ] = $data[ 'password' ]; // the hash is not needed in the session
                    $_SESSION[ 'access' ] = $data[ 'access' ];
                    header( 'Location: dashboard.php' );
                    exit;
                } else
                    $errMsg = 'Password does not match.';
            }
        } catch ( PDOException $e ) {
            $errMsg = $e->getMessage();
        }
    }
}
Ramon Henry
  • Are you calling [`session_start()`](http://php.net/manual/en/function.session-start.php) at the top of the file (or some common included file)? That needs to be called in any file you want to write to or read from the session. – Nathan Aug 16 '18 at 18:50
  • It's being called at the top of the file – Ramon Henry Aug 16 '18 at 19:20
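As an added example that is not part of the original question or answer, here is the login flow the comments under the question recommend (prepared statements with bound parameters, `password_hash()` / `password_verify()` instead of `sha1(md5(...))`, a real "no row matched" check in place of `if($result>0)`) combined with the session handling the answer is trying to get right. It assumes a `users` table with the columns the posted queries use (`id`, `username`, `name`, `password`, `access`) and, so that it runs stand-alone with `php login.php`, builds that table in an in-memory SQLite database with one constructed user; the functions `openDemoDb()`, `createUser()`, `authenticate()` and `establishSession()` are mine, not the poster's, and the SQLite DSN stands in for the MySQL connection.

```php
<?php
// Added example (not the original poster's code): a hardened version of the posted login script.
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the MySQL `users` table so the
// file runs stand-alone. For MySQL use e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        name     TEXT NOT NULL,
        password TEXT NOT NULL,   -- password_hash() output, never sha1()/md5()
        access   TEXT NOT NULL
    )');
    return $db;
}

// Registration side: store password_hash() output (bcrypt needs a column of at least 60 chars).
function createUser(PDO $db, string $username, string $name, string $password, string $access): void
{
    $stmt = $db->prepare('INSERT INTO users (username, name, password, access) VALUES (:u, :n, :p, :a)');
    $stmt->execute([
        ':u' => $username,
        ':n' => $name,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
        ':a' => $access,
    ]);
}

// Login side: look the row up by username only (bound parameter, no string interpolation),
// then let password_verify() check the password. Returns the user's non-secret columns or null.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Verified against when the username does not exist, so an unknown user costs the same
    // time as a wrong password and the response does not reveal which usernames are valid.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused-dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, username, name, password, access FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched: the check `if($result>0)` got wrong

    $ok = password_verify($password, $row === false ? $dummyHash : $row['password']);
    if ($row === false || !$ok) {
        return null;
    }
    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    unset($row['password']);   // the hash never goes to the caller or into $_SESSION
    return $row;
}

// After a successful authenticate(): rotate the session id so a pre-login id planted by an
// attacker (session fixation) is not promoted to an authenticated session.
function establishSession(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['userID']   = $user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['name']     = $user['name'];
    $_SESSION['access']   = $user['access'];
}

// Request handler, the part that replaces the posted script.
if (PHP_SAPI !== 'cli' && isset($_POST['login'])) {
    session_start();
    $db = openDemoDb();   // assumption: replace with the real connection
    $user = authenticate($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($user === null) {
        $errMsg = 'Invalid username or password.';   // one message for both failure cases
    } else {
        establishSession($user);
        header('Location: dashboard.php');
        exit;   // always stop after a redirect; the script in the question kept running past header()
    }
}

// Stand-alone demo with constructed data: php login.php
if (PHP_SAPI === 'cli') {
    $db = openDemoDb();
    createUser($db, 'alice', 'Alice Example', 'correct horse battery staple', 'admin');
    printf("right password: %s\n", authenticate($db, 'alice', 'correct horse battery staple') ? 'accepted' : 'rejected');
    printf("wrong password: %s\n", authenticate($db, 'alice', 'wrong') ? 'accepted' : 'rejected');
    printf("unknown user:   %s\n", authenticate($db, 'mallory', 'x') ? 'accepted' : 'rejected');
    printf("injection try:  %s\n", authenticate($db, "' OR '1'='1", 'x') ? 'accepted' : 'rejected');
}
```

Two design points worth noting. The query matches on `username` alone rather than `username AND password`: with `password_hash()` every hash carries its own random salt, so the database cannot compare hashes for you, and doing the comparison in PHP with `password_verify()` also lets `password_needs_rehash()` upgrade old hashes at login time. And the session stores only the identifiers the dashboard needs; keeping the password hash in `$_SESSION`, as the answer's code does, gains nothing and widens the blast radius of any session-store leak.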