I am trying to fill a varialble $login with the users user_id so I can use sessions, however the query does not return the user_id to fill the $login with.
users.php
<?php
function user_exists($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return(mysqli_affected_rows($con) == 1) ? true : false;
}
function user_active($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `active` = 1");
return(mysqli_affected_rows($con) == 1) ? true : false;
}
function user_id_from_username ($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return mysqli_affected_rows($con) ? 0 : 'user_id';
}
function login($username, $password, $con) {
$user_id = user_id_from_username($username, $con);
$data = $username;
$username = sanitize($data, $con);
$username = $data;
$password = md5($password);
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
return (mysqli_affected_rows($con) == 1) ? $user_id : false;
}
?>
login.php
<?php
include 'core/init.php';
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password';
} else if (user_exists($username, $con) === false) {
$errors[] = 'We can\'t find that username. Have you registered?';
} else if (user_active($username, $con) === false) {
$errors[] = 'You have not activated your account. Please see the instructions.';
} else {
$login = login($username, $password, $con);
if ($login === false) {
$errors [] = 'That username and password combination is incorrect;';
} else {
echo 'hi';
die($login);
$_SESSION['user_id'] = $login;
}
}
print_r($errors);
}
?>
Init.php
<?php
session_start();
//error_reporting(0);
require 'database/connect.php';
require 'functions/users.php';
require 'functions/general.php';
$errors = array();
?>
When you get your userid you are returning the wrong value:
function user_id_from_username ($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return mysqli_affected_rows($con) ? 0 : 'user_id';
}
This function will return a 0 (if affected_rows is not 0) or the string 'user_id' (if affected rows is 0). First off I think the logic is probably reversed (0 vs non-zero) and secondly I think you really want to return an actual user_id instead of just the string 'user_id'.
Then in your login function:
function login($username, $password, $con) {
$user_id = user_id_from_username($username, $con);
$data = $username;
$username = sanitize($data, $con);
$username = $data;
$password = md5($password);
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
return (mysqli_affected_rows($con) == 1) ? $user_id : false;
}
You get this 0 or 'user_id' (string) into $user_id and then ignore it until the very end when you return either that value or a false. Since the logic was reversed on the return value of the previous function, then on a successful login your $user_id contains the 0 (which is boolean false in PHP) and so this function is returning either a 0 or a false from login - both of them are false so login() is returning false. But specifically in the case of a good login you are returning a 0 which then isn't going to look like a valid ID to put into your session and, if you get it there, isn't going to compare well because of the whole situation of zero being evaluated to boolean false.