Im very new to PHP, so I have a bit of a challenge here. Right now, im trying to get the specific user id in the url, so its possible for me to change content according to what user that is logged in. (Showing different profile texts, names, ages and such)
I have tried this: header("Location: profile.php?id=$id"); but it dosent seem to work.
<?php
session_start();
if(isset($_SESSION['usr_id'])!="") {
header("Location: index.php");
}
include_once 'dbconnect.php';
//check if form is submitted
if (isset($_POST['login'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$result = mysqli_query($con, "SELECT * FROM users WHERE email = '" . $email. "' and password = '" . md5($password) . "'");
if ($row = mysqli_fetch_array($result)) {
$_SESSION['usr_id'] = $row['id'];
$_SESSION['usr_name'] = $row['name'];
header("Location: profile.php?id=$id");
} else {
$errormsg = "Incorrect Email or Password!!!";
}
}
?>
change your code from
header("Location: profile.php?id=$id");
to
header("Location: profile.php?id=" . $row['id']);
You don't have $id defined anywhere. Use header("Location: profile.php?id={$row['id']}");
Also mind, that you should check on profile.php if it is logged user - unless you want to lookup diffrent user data by just swaping id around. Best if you use your $_SESSION variable on profile.php - just access it there, it is global.
Also, don't use md5 for password hashing - right now it is not very secure (use password_hash), same as concatenating your sql query. Use binding params
You already have the ID available in the session. Use $_SESSION['usr_id'] to access it from profile.php.
Do not pass the user id in the URL, as this can be easily faked. Never trust user input.
$id = $row['id'];
header("Location: profile.php?id=$id");