#1
  1. No Profile Picture

    PHP Session question


    Hi,

    1. First I enter a valid user and pw.
    2. It shows welcome user name in registered.php page.
    3. Problem is when I click score button from registered page, I want to see user name in result.php page but I don't see the user name in result.php. How can I display on result.php page as Logged in as ( username )?

    Please see the below.

    Step1: index.php

    PHP Code:
    <?php
    session_start();
    ?>

    <?php
    echo "<Form name ='form1' Method ='Post' ACTION = 'Registered.php'>"
        ."Username: <input type='text' name='username' size='7'><br>"
        ."Password: <input type='password' name='password' size='7'><br>"
        ."<input type='submit' value='Login'>"
        ."</form>";
    ?>

    Step2: Registered.php
    PHP Code:
    <?php
    session_start();
    ?>


    <?PHP
    session_start();

    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];

    try {
        $conn = new PDO("mysql:host=$host;dbname=$db", $user, $pass);
    }
    catch (PDOException $e) {
        die("Connection failure: " . $e->getMessage());
    }

    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

    $result = $conn->query($query);

    foreach ($result as $row)
    {
        $row2 = $row['id'];
        echo "<br />";

        // echo $row2;
        echo "<br />";
        $query1 = "SELECT * FROM users WHERE id = $row2";

        $result1 = $conn->query($query1);

        foreach ($result1 as $row1)
        {
            $user = $row1['username'];
            echo "<br />";
        }
    }

    session_start();

    if ($username != $user) {
        echo "<br />";
        echo "<br />";
        echo "Invalid Username and/or Password. ";
        echo "<br />";
        // echo "          " . "Welcome Guest" ;
        echo "<br />";
        echo "<br />";
    }
    else
    {
        echo "<br />";
        echo " <font color='green' size = '6' > <b> Welcome $username </b> </font>" ;
        echo "<br />";
        echo "<br />";
    }
    ?>



    <form name="lab5" method="post" action="result.php"> 
     
    <table border=1 cellspacing=0 cellpadding=0>
    <tr> <td> Q1 </td> <td> <?php echo $q1  ?> * <?php echo $q2  ?>  </td> <td> <input type = 'text' size = '2' name = one > </td> </tr>
    <tr><td colspan=6 align='right'><input type='submit' value='Score' name='btn_score'></td></tr>
    </table>

    </form>
    step3: result.php

    PHP Code:
    <?php
    session_start();

    echo " <font color='green' size = '6' > <b> Logged in as:  </b> </font>" ;
    echo $_SESSION['username'] ;
    ?>
  2. #2
  3. --
    Hi,

    before anything else, you should fix several massive security problems in your code:
    • Never store plaintext passwords. If you cannot or don't want to secure your users' passwords, don't use passwords at all. Then you'll at least not put the user's Facebook account into danger (or wherever he reused the password).
    • Never dump raw values into SQL queries or the HTML markup. This can be used for SQL injections and cross-site scripting. It's kind of funny that you're using the modern PDO but completely ignore all its security features. So whoever told you to use it obviously failed to explain it properly.
    • Don't use this "SELECT *" stuff. This is not only unclean and inefficient, but it will also fetch critical data when you don't even need it.
    • Don't display internal error messages (in your case $e->getMessage()). This will irritate legitimate users and help the bad guys.


    To put it bluntly: Your current configuration has "Hack me!" written all over it.

    After you've fixed this, you might wanna read up on session basics. Calling session_start() three times in a row makes no sense whatsoever. And you have to actually store data in a session. Otherwise it will simply be empty. Have you already read the php.net tutorial on sessions?
  4. #3
  5. No Profile Picture
    Hi,

    Thanks for your help but I am lost. I am simply trying to build a login system. Could you please tell me what the different PHP topics are that I should learn first before I do this?

    Thanks.
  6. #4
  7. --
    The links above should already give you a start.

    I think the most important thing for you is to start getting aware of security problems. You've obviously never even considered that form parameters might be used to manipulate your queries or inject JavaScript into your page -- or that attackers might steal your plaintext passwords and happily misuse them for all kinds of things.

    Never trust your users. Never let them write directly into your HTML or your queries. Whenever you put a variable into an "executable" context (like a database query or HTML markup), it must be escaped first to make sure it cannot be used for manipulations.
    • For variables you want to insert into the HTML markup, always use htmlentities()
    • For database queries, always use prepared statements
    • For your passwords, use the PHPass library to generate strong hashes
    • Remove that die("Connection failure: ".$e->getMessage()) and similar stuff. The details of your database are critical, so don't give them away so carelessly. Doesn't the error message even include the database user and password??


    And you should use a different source for learning. Whatever tutorial or book you were reading, it is not good. Stuff like <font> or align="right" is ancient and shouldn't be used at all on modern websites.

    A pretty good PHP tutorial is the Quakenet/#php Tutorial. And of course it's always a good idea to read the official PHP manual on php.net. They even have some small tutorials on specific topics.
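
Added example, not part of the original thread: the four fixes listed in the post above (prepared statement, hashed password, escaped output, no error details shown to the visitor) together with the session write that the original result.php never received. Assumptions: PHP 7+ with pdo_sqlite; an in-memory SQLite database and a constructed "alice" account stand in for the poster's MySQL users table, and PHP's built-in password_hash()/password_verify() are used in place of the PHPass library the post names.

```php
<?php
// Added example, not the thread's code. Assumptions: in-memory SQLite stands in
// for the MySQL database; the "alice" account below is constructed sample data.
session_start();                                  // once, before any output

function connect(): PDO {
    try {
        $db = new PDO('sqlite::memory:');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $db;
    } catch (PDOException $e) {
        error_log('DB connection failed: ' . $e->getMessage()); // details go to the log only
        exit('Sorry, something went wrong. Please try again later.');
    }
}

function login(PDO $db, string $username, string $password): bool {
    // The placeholder keeps user input out of the SQL text; only needed columns are fetched.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                  // fresh session ID after a successful login
    $_SESSION['username'] = $row['username'];     // the value result.php reads back
    return true;
}

function greeting(): string {
    if (!isset($_SESSION['username'])) {
        return 'Not logged in';
    }
    // Escape for the HTML context before the value reaches the page.
    return 'Logged in as: ' . htmlentities($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}

$db = connect();
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // only the hash is stored

// Quote characters in the input are bound as data, so this is simply a wrong password.
$bad  = login($db, 'alice', "wrong ' password");
$good = login($db, 'alice', 'correct horse');
var_dump($bad, $good);
echo greeting(), PHP_EOL;
```
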
  8. #5
  9. Sarcky
    Originally Posted by phpstudent
    Hi,

    Thanks for your help but I am lost. I am simply trying to build a login system. Could you please tell me what the different PHP topics are that I should learn first before I do this?

    Thanks.
    From one of the moderator's signatures:

    Now to program a basic, but secure, login system
  10. #6
  11. No Profile Picture
    Thanks for help!!
