get auto increment id from mysql table with PHP

Question

I have written a login script as below. Can anyone help me to get the current user id within below script? (auto increment id in mysql table). I'm unable to figure out any concept to work within below script, I also need the $_SESSION['user'] = $type; which is currently assigned and working fine, beside this I just want to add the auto increment id within a session variable without any authentication. I appreciate your help :)

login.php

    if(isset($_POST['email'], $_POST['password'], $_POST['type'])){

      $email = $_POST['email'];
      $password = $_POST['password'];
      $type = $_POST['type'];
      if(auth_user($email, $password, $type)){
        $_SESSION['user'] = $type;
            header('location: index.php');
      } else {
        echo '<span class="text-info success">Invalid email or password!</span>';
      }
    }

html fields

     <input type="text" class="form-control" placeholder="Enter Email" name="email" />
     <input type="password" class="form-control" placeholder="Enter Password" name="password" /><br />
     <input type="hidden" id="type" value="user" name="type" /><br />
     <button type="submit" class="btn btn-default" value="Login">Login </button>

functions.php

//auth user****
function auth_user($email, $password, $type){
     mysql_select_db('drive') or die(mysql_error());
     $sql = "SELECT `user`.`password` AS `pass` FROM `user` WHERE `user`.`email` = '$email' and `user`.`type` = '$type'";
     $result = mysql_query($sql) or die(mysql_error()); 
     $row = mysql_fetch_assoc($result);
     if($row['pass'] == $password){
         return true;
     } else {
         return false;
     }
}

Answer 1

Change you query so that it fetch the user_id from the user table and return it.

 if($row['pass'] == $password){
     return $row['user_id'];
 } else {
     return false;
 }


  if($user_id = auth_user($email, $password, $type)){
    $_SESSION['user'] = $type;
    $_SESSION['user_id'] = $user_id;
    header('location: index.php');
  }

IMPORTANT : Your code is vulnable for sql injection!. Make necessary changes to avoid that

How can I prevent SQL injection in PHP?

Answer 2

Note:

• Select and fetch the id column in your user table, then you can store it in your session variable.
• You are prone to SQL injections. So at least use *_real_escape_string to prevent it.
• You should use mysqli_* rather than using deprecated mysql_* API.
• Why not store the id and type inside your session variables while inside your auth_user function?
• Why do you have to fetch the password to do comparing and why not just check it in your query?

Use mysql_real_escape_string:

$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string$_POST['password']);
$type = mysql_real_escape_string$_POST['type']);

Your function:

function auth_user($email, $password, $type){

   mysql_select_db('drive') or die(mysql_error());
   $sql = "SELECT `id`, `user` FROM `user` WHERE `email` = '$email' AND `password` = '$password' AND `type` = '$type'";
   $result = mysql_query($sql) or die(mysql_error());  /* EXECUTE QUERY */

   if(mysql_num_rows($result > 0){ /* IF RESULTS WERE FOUND */
     $row = mysql_fetch_assoc($result);
     $_SESSION['user'] = $type;
     $_SESSION["id"] = $row['id'];
     return true;
   }
   else {
     return false;
   }

} /* END OF auth_user FUNCTION */

Recommendation:

• Use password_hash to secure your password in your MySQL database.
• Upgrade your API from mysql_* to mysqli_* prepared statement.