setcookie not working

dragon25

function login($username, $password){
  $username = addslashes($username);
  $password = md5($password);
  echo "SELECT * FROM userstbl WHERE user_name='$username' AND password='$password'";
  $result = mysql_query("SELECT * FROM userstbl WHERE user_name='$username' AND password='$password'");
  if (mysql_num_rows($result) == 1){
    $info = mysql_fetch_array($result);
    $userid = $info[user_id];
    $sessionid = md5($userid.time());
    $time = time();
    @setcookie('mycookie', $sessionid, $time+3600, '/', '');
    echo '*page cookie='.$_COOKIE['mycookie'].'*';
    mysql_query("DELETE FROM sessionstbl WHERE user_id='$userid'");
    mysql_query("INSERT INTO sessionstbl (session_id,user_id,timestamp) VALUES ('$sessionid','$userid','$time')");
    return $userid;
  }else{
    return 0;
  }
};

function status(){
  $sessionid = $_COOKIE[mycookie];
  $oldtime = time() - 3600;
  echo "status SELECT * FROM sessionstbl WHERE session_id='$sessionid' AND timestamp>$oldtime";
  $result = mysql_query("SELECT * FROM sessionstbl WHERE session_id='$sessionid' AND timestamp>$oldtime");
  if (mysql_num_rows($result) == 1){
    $info = mysql_fetch_array($result);
    return $info[userid];
  };
  return 0;
};

Just started to code user login pages and I have found the above login function on the net. The '@setcookie' part seems not working. Where I expect to see sessionid value, the echo line immediately after, gives me
page cookie=

The INSERT works with what looks like a big number in session table.

Can someone tell me what is wrong with this @setcookie code?
Result is when I check login status the 'Status' function never finds the session record!!

Also, this code creates it's own sessionid value (the md5() bit)? Doesn't php auto create a session id?

thanks

bradgrafelman

There are quite a few issues with that code... here are a few of them:

[man]addslashes/man should never be used to prepare data for a SQL query. Instead, you should use a DBMS-/library-specific escaping mechanism such as [man]mysql_real_escape_string/man (for string data).
The SQL queries are rather inefficient - there's no need to do a SELECT just to get the data from another table. Instead, a JOIN should be used. Also, 'SELECT ' should be avoided - instead, only SELECT the columns individually/explicitly from which you actually need data (even if that includes all of the columns in the table).
Array indexes should be quoted when using string keys (such as "user_id"), otherwise you will be generating PHP error messages.
The '@' error suppressor should, IMHO, never be used. On production servers, you should always be logging all errors. On development servers, you should always be displaying (and/or logging) all errors.

In fact, the '@' error suppressor in front of the setcookie() call is doubly wrong since you're having issues with cookies yet are also suppressing any error messages which might be generated to help you debug the code.
Speaking of errors, note that cookies are sent as part of the HTTP headers, thus you can't output any data before setting cookies.
Another note about cookies: [man]setcookie/man sends the cookie to the user's browser in the HTTP headers of the current page request. That means that the cookie data won't actually be available until the next page load when the user's browser sends the new cookie back to the server.

In other words, you won't see a cookie in the $_COOKIE array immediately after calling [man]setcookie/man.
There's no point in running a DELETE followed by an INSERT in that fashion since you could instead do it all in one query using the REPLACE syntax.