Moorcam, posted December 22, 2016

Hi folks,

This issue has me baffled for days. I have a query string which works fine. The idea is to display the name of the logged in user, with SESSION. However, if I use the query string without LIMIT 1 on the end, the header area vanishes. If I put it back in, it appears again. Also, I have 2 users registered for testing. But no matter what account I login with, it still shows the same name.

Here is the area of code that is playing up, including the HTML area where the name of the logged in user is displayed.

    include 'templates/header.php';
    // query as posted: no WHERE clause, so the first row is always returned
    $result = mysqli_query($mysqli, "SELECT * FROM admin_users LIMIT 1");
    if ($row = mysqli_fetch_array($result)) {
        include 'templates/navbar.php';
        $_SESSION['fname'] = $row['fname'];
    ?>
        <div class="dcm-content-wrapper">
            <div class="dcm-content">
                <h1><i class="fa fa-home"></i> Dashboard</h1>
                <p>Hello <?php echo $_SESSION['fname']; ?> You are logged in as Admin!</p>
    <?php
    }
    ?>

Please note that session_start() is in the header.php file.

Any help is greatly appreciated.
benanamen, posted December 23, 2016 (edited)

How do you expect to login a particular user without a WHERE condition? Of course you are going to keep getting the same user.

Edited December 23, 2016 by benanamen
Moorcam (author), posted December 23, 2016 (edited)

benanamen wrote: How do you expect to login a particular user without a WHERE condition? Of course you are going to keep getting the same user.

Hi. Thanks for the reply. I have tried even putting WHERE id = $_SESSION['id']; and that also makes the HTML vanish. Also note, login is working fine. The OP shows the code from the start of index.php after login.

Edited December 23, 2016 by DanEthical
benanamen, posted December 23, 2016

No. What you have is nothing close to login code. I will let someone else take it from here.
Moorcam (author), posted December 23, 2016

benanamen wrote: No. What you have is nothing close to login code. I will let someone else take it from here.

As I said, the above code is not the login. This is the Index after login is completed. Here is the login code:

    <?php
    // Coach Manager
    // Version 0.0.0.1
    // Author Dan O'Riordan
    session_start();
    if (isset($_SESSION['id'])) {
        header("Location: index.php"); // note: no exit after the redirect
    }

    include_once 'includes/config.php';
    include_once 'includes/db_connect.php';
    //check if form is submitted
    if (isset($_POST['login'])) {
        $email = mysqli_real_escape_string($mysqli, $_POST['email']);
        $password = mysqli_real_escape_string($mysqli, $_POST['password']);
        $psalt = 'eghriwugfro78974togfg0487tr'; // defined but never used in the hash below
        $password = hash('sha256', $password);
        // email and hash are concatenated straight into the SQL string
        $result = mysqli_query($mysqli, "SELECT * FROM admin_users WHERE email = '" . $email . "' and password = '" . $password . "'");
        if ($row = mysqli_fetch_array($result)) {
            $_SESSION['id'] = $row['id'];
            $_SESSION['fname'] = $row['fname'];
            header("Location: index.php");
        } else {
            $errormsg = "Incorrect Email or Password Combination!";
        }
    }
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="UTF-8">
        <title>Tour Manager | Login</title>
        <!-- FONTAWESOME STYLES-->
        <link rel="stylesheet" href="assets/font-awesome/css/font-awesome.min.css" />
        <link rel='stylesheet prefetch' href='http://netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css'>
        <link href="css/styles.css" rel="stylesheet">
    </head>
    <body>
        <div id="loginModal" class="modal show" tabindex="-1" role="dialog" aria-hidden="true">
            <div class="modal-dialog">
                <div class="modal-content">
                    <div class="modal-header">
                        <h1 class="text-center">Tour Manager</h1>
                    </div>
                    <div class="modal-body">
                        <form class="form-signin" role="form" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="loginform">
                            <div class="form-group">
                                <input type="text" name="email" required class="form-control input-lg" placeholder="Email">
                            </div>
                            <div class="form-group">
                                <input type="password" name="password" required class="form-control input-lg" placeholder="Password">
                            </div>
                            <div class="form-group">
                                <button class="btn btn-primary btn-lg btn-block" name="login">Sign In</button>
                                <span class="text-danger"><strong><?php if (isset($errormsg)) { echo $errormsg; } ?></strong></span>
                            </div>
                        </form>
                    </div>
                    <div class="modal-footer">
                        <div class="col-md-12">
                            Powered by <a href="http://www.danethical.com" target="_blank">Tour Manager</a>
                        </div>
                    </div>
                </div>
            </div>
        </div>
        <!-- script references -->
        <script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script>
        <script src="js/bootstrap.min.js"></script>
    </body>
    </html>
    <?php exit(); ?>

Cheers
benanamen, posted December 23, 2016 (edited) [Solution]

Ok, now we are getting somewhere. Let's start from the beginning.

You shouldn't be using sha256. You need to use password_hash.

Line 13 should be

    if ($_SERVER['REQUEST_METHOD'] == 'POST')

Depending on getting the name of a button to be submitted for your script to work can be problematic in certain instances.

Do not SELECT *. Specify the exact columns you want.

$_SERVER['PHP_SELF'] is vulnerable to an XSS Attack. Just leave the action out to submit to the same page.

You need to kill the script at the header redirect.

    die(header("Location: index.php"));

You need to use prepared statements.

On the index page, there is no need for another query. You have already set the fname session on login. Just use it now.

index.php

    <?php session_start(); ?>
    <p>Hello <?= $_SESSION['fname'] ?> You are logged in as Admin!</p>

I highly recommend you use PDO https://phpdelusions.net/pdo

Edited December 23, 2016 by benanamen
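The login script rewritten along the lines of the accepted answer, as an added example that is not code from the thread. It assumes includes/db_connect.php provides the `$mysqli` connection and that admin_users.password was stored with password_hash() at registration, not as a raw sha256 digest.

```php
<?php
// Added example, not the poster's code. Assumes $mysqli comes from
// includes/db_connect.php and admin_users.password holds a password_hash() value
// (created with password_hash($plain, PASSWORD_DEFAULT) when the user was added).
session_start();
include_once 'includes/config.php';
include_once 'includes/db_connect.php';

if (isset($_SESSION['id'])) {
    header('Location: index.php');
    exit; // stop here; otherwise the rest of the page still runs and renders
}

$errormsg = null;
// Test the request method rather than the submit button's name.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    // Prepared statement: the email is bound as a parameter, never concatenated
    // into the SQL string, and only the needed columns are selected.
    $stmt = $mysqli->prepare(
        'SELECT id, fname, password FROM admin_users WHERE email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $fname, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() checks the submitted password against the stored hash
    // (salt and algorithm are embedded in the hash, so no hand-rolled $psalt).
    if ($found && password_verify($password, $storedHash)) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['id']    = $id;
        $_SESSION['fname'] = $fname;
        header('Location: index.php');
        exit;
    }
    // Same message for unknown email and wrong password: no account enumeration.
    $errormsg = 'Incorrect Email or Password Combination!';
}
?>
<!-- form with no action attribute submits to this same page, so PHP_SELF is not echoed -->
<form class="form-signin" role="form" method="post" name="loginform">
    <input type="text" name="email" required placeholder="Email">
    <input type="password" name="password" required placeholder="Password">
    <button type="submit">Sign In</button>
    <?php if ($errormsg !== null) { echo '<strong>' . htmlspecialchars($errormsg) . '</strong>'; } ?>
</form>
```

The index page then only needs session_start() and the already-populated $_SESSION['fname'], as the answer shows; the same structure works unchanged with PDO by swapping the prepare/bind calls.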
Moorcam (author), posted December 23, 2016

Hi benanamen,

Thank you so much. I really appreciate you taking the time to help. The issue of the HTML vanishing has been resolved, as has the correct name being displayed, thanks to your instructions. Regarding PDO and password_hash, I will be changing over to these when I get home later.

Thanks so much again. You are a legend.

Cheers,
Danno