spangle1187 Posted January 14, 2011

Ok guys and girls,

What I am trying to do is when a user logs into my site and starts a session I would like to display some information about that user. The information displayed needs to be dynamic as this site will only have a few users but I don't want users viewing other users' information.

So far I have this code to process the login and start the session:

```php
<?php
include("php/dbconnect.php"); //connects to the database when connected

//get the username and password from the login form on the index page
$username=$_POST['username'];
$password=$_POST['password'];

//stop an MySQL Injection by removing slashes and real_escape
$myusername = stripslashes($username);
$mypassword = stripslashes($password);
$myusername = mysql_real_escape_string($username);
$mypassword = mysql_real_escape_string($password);

//Select users from the database that match the password and username
$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php" or such file
    session_register("username");
    session_register("password");
    session_start();
    //echo section test
    //echo "details ok";
    header("Location: http://webdev/schools/hhs/psy_bookings/memberspage.php");
}
else {
    echo "Wrong Username or Password";
}
mysql_free_result($result);
?>
```

And when they successfully log in to the members page, to keep the session active I have the following code:

```php
<?php
//////////////////////check that the user has logged in and allowed to view the pages///////////////////////
session_start();

//check to make sure the session variable is registered
if(session_is_registered('username')){
    //the session variable is registered, the user is allowed to see anything that follows
    echo 'Welcome, you are still logged in.';//test echo
}
else{
    //the session variable isn't registered, send them back to the login page
    header( "Location: http://webdev/schools/hhs/psy_bookings/" );
}
////////////////////////////////////end of session data code///////////////////////////////////////////////
?>
```

What I would like is to be able to display the user's name on the page and maybe call their email from the db.

Thanks in advance as always

beegro Posted January 14, 2011

You shouldn't use the function session_register() anymore. It's been deprecated as of PHP 5.3. Same thing with session_is_registered().

Now, what seems to be the issue? Are you not getting session values back on the members page?

spangle1187 Posted January 14, 2011

Thanks for the reply, I was unsure as how to proceed in displaying the current user's details, like on this website it displays my username top left once logged in.

Which functions have replaced session_register and session_is_registered?

Psycho Posted January 14, 2011

In the login script you are already saving the username to the session data, you should use the query results to save the email to the session data as well. Then on any page, just use those session values to display on the page as you wish. However, you are currently storing the "modified" username from stripslashes() and mysql_real_escape_string(). So, I'd probably use the value from the query. Lastly, why are you storing the password to the session? Not a good idea.

As for your current code; you are starting the session AFTER you are trying to save session variables - need to reverse that. And, the stripslashes() will be problematic on a server without magic quotes turned on. Check the documentation on a way to dynamically apply stripslashes only when needed. And as beegro stated some of those functions are deprecated. You don't need any replacement functions, just set the session variables directly.

Revised code

```php
<?php
include("php/dbconnect.php"); //connects to the database when connected

//get the username and password from the login form on the index page
$username = trim(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);

//stop an MySQL Injection
$sql_username = mysql_real_escape_string($username);
$sql_password = mysql_real_escape_string($password);

//Select email from the database that matches the password and username
$query = "SELECT email FROM users WHERE username='{$sql_username}' and password='{$sql_password}'";
$result = mysql_query($query);

//Check if there was a match
if(mysql_num_rows($result) != 1)
{
    //Authentication failed
    echo "Wrong Username or Password";
}
else
{
    //Authentication passed, set session values and continue
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['email'] = mysql_result($result, 0);
    header("Location: http://webdev/schools/hhs/psy_bookings/memberspage.php");
}
mysql_free_result($result);
?>
```

```php
<?php
session_start();

//Check if user is authenticated
if(!isset($_SESSION['username']))
{
    //User not logged in, redirect to login page
    header( "Location: http://webdev/schools/hhs/psy_bookings/" );
}
else
{
    //User is logged in, continue (use session vars to display username/email)
    echo "Welcome, {$_SESSION['username']}. You are still logged in. <br />";
    echo "Your email address is: {$_SESSION['email']}.";
}
?>
```

beegro Posted January 14, 2011

Those functions haven't been replaced outright by other functions. Instead PHP now wants you to explicitly start sessions and assign values to the global _SESSION array, i.e.

```php
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
```

You can then check on other pages for the existence of values, i.e.

```php
session_start();
if (isset($_SESSION['username'])) {
    // do something
}
```

spangle1187 Posted January 14, 2011

Thanks for the reply, I will look through what you have revised. I am teaching myself PHP from various web tutorials so probably picking up bad habits!

spangle1187 Posted January 14, 2011

> why are you storing the password to the session? Not a good idea.

I take it I should remove it as it is a security issue?

beegro Posted January 14, 2011

Yes, generally it is not a good idea to store password information. Best practice is to verify it when the user enters it and then have your program forget it.

spangle1187 Posted January 14, 2011

Thanks guys, really appreciate your input. I can now show a welcome message to the user as they log in.

I am not sure where I am going with this, but if the database contained other pieces of personal information, say favourite food and favourite colour, how should I verify the user if I want the program to forget the user's password?

Psycho Posted January 14, 2011

> I am not sure where I am going with this, but if the database contained other pieces of personal information, say favourite food and favourite colour, how should I verify the user if I want the program to forget the user's password?

It really depends on how secure this really needs to be. For a "casual" site I would just use the fact that the user is logged in (i.e. username is set as a session variable) and use the username to query the database for the additional information.

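The pattern the thread arrives at (check the password once, keep only the username in the session, then look up the logged-in user's own row by that session value) is sketched below as an added example; it is not code from any poster. It swaps the removed mysql_* functions for PDO prepared statements and the plain-text password comparison for password_hash()/password_verify(); the table layout, sample rows and the function names login() and current_user_details() are assumptions made for illustration.

```php
<?php
// Constructed schema and sample rows (assumptions), held in in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT,
           email TEXT, fav_food TEXT, fav_colour TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT),
               'alice@example.test', 'pizza', 'green']);
$ins->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT),
               'bob@example.test', 'curry', 'blue']);

// Login (hypothetical helper): verify once, store only the username.
function login(PDO $db, array &$session, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT username, pass_hash FROM users WHERE username = ?');
    $stmt->execute([trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false;                          // same answer for bad user or bad password
    }
    $session['username'] = $row['username'];   // value from the query, never the password
    return true;
}

// Members page (hypothetical helper): the lookup key comes only from the
// session, never from $_GET/$_POST, so a user cannot ask for another user's row.
function current_user_details(PDO $db, array $session): ?array
{
    if (!isset($session['username'])) {
        return null;                           // not logged in: caller redirects to login
    }
    $stmt = $db->prepare('SELECT username, email, fav_food, fav_colour
                          FROM users WHERE username = ?');
    $stmt->execute([$session['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with a plain array standing in for $_SESSION.
$session = [];
var_dump(login($db, $session, 'alice', 'wrong'));   // failed login leaves the session empty
var_dump(current_user_details($db, $session));
var_dump(login($db, $session, 'alice', 'correct horse'));
$me = current_user_details($db, $session);
echo 'Welcome, ' . htmlspecialchars($me['username']) . '. Your email address is: '
   . htmlspecialchars($me['email']) . "\n";
```

On a real page, call session_start() before anything else, pass $_SESSION in place of the array, and call session_regenerate_id(true) right after a successful login.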