August 14th, 2012, 08:13 PM
Storing info in session
Rather new to PHP, but I am learning.
I have a simple login system for a website, and a table for users.
user table has these fields;
What I would like to do is store the first and last name in the session also, in order to display "Welcome FIRSTNAME LASTNAME" on the site.
Code is as follows:
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<form name="form1" method="post" action="checklogin.php">
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<td colspan="3"><strong>Member Login </strong></td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
<td><input name="mypassword" type="text" id="mypassword"></td>
<td><input type="submit" name="Submit" value="Login"></td>
Any help is appreciated. Thank you.
$host="localhost"; // Host name
$username="******"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
// Mysql_num_row is counting table row
// If result matched $myusername and $mypassword, table row must be 1 row
// Register $myusername, $mypassword and redirect to file "login_success.php"
echo "Wrong Username or Password";
August 15th, 2012, 01:33 AM
Where are you having the problem?
You already retrieved all fields from the database with your query:
SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'
All you have to do is retrieve the first and last name from the results and store in the session.
Btw session_register is deprecated. Maybe you should try storing values in the session array? Something like:
$_SESSION['varName'] = 'value';
August 15th, 2012, 02:06 AM
Been a while since I've not used PDO for my SQL calls. You should definitely consider doing so. So, forgive me if I am wrong, but you want to do something similar to the following:
Now you have all your user data in your session instead of just myusername and mypassword.
$_SESSION['varName'] = $user;
PS. Do you really want to store your user's password in a session? Also, resist using SELECT *, and use SELECT specific_columns.
August 15th, 2012, 04:02 AM
This code is extremely insecure.
First of all, never store passwords in plaintext. This means that as soon as the database gets exposed (which may very well happen), the attacker can happily collect all passwords. And those passwords probably not only work for your site but also for Facebook or Twitter accounts, maybe online banking etc.
So never do it. Storing the password in the session is also a very bad idea. This means that the passwords basically float around everywhere on your server, waiting for someone to steal them. What's the point of that, anyway? All the session must contain is the user id and maybe some additional information to avoid database queries.
The session_register() function is also ancient (as has been said already). It's been deprecated for over 10 years and will spit out a whole lot of warnings on any contemporary PHP setup. It may not even work.
Long story short, please read up on security and best practices before you store any critical data on your server. Online applications aren't a good place for playing around and testing. If you fail to write proper code, you'll be in serious trouble.
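The advice given across the replies above (PDO, named columns instead of SELECT *, hashed passwords, the $_SESSION array, no password in the session), put together as an added example that is not code from any poster in this thread. It assumes PHP 7.1+ with pdo_sqlite so that it runs stand-alone; the column names id, password_hash, first_name and last_name and the sample user are assumptions, since the thread does not list the table's fields.

```php
<?php
declare(strict_types=1);

// Assumed schema: the thread does not give the column names of `members`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password_hash TEXT, first_name TEXT, last_name TEXT)');

// Constructed sample user; only the hash is stored, never the password itself.
$pdo->prepare('INSERT INTO members (username, password_hash, first_name, last_name)
               VALUES (?, ?, ?, ?)')
    ->execute(['jdoe', password_hash('correct horse', PASSWORD_DEFAULT), 'Jane', 'Doe']);

/** Returns the data that belongs in the session, or null if the login fails. */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Placeholder binding replaces stripslashes()/mysql_real_escape_string().
    $stmt = $pdo->prepare('SELECT id, password_hash, first_name, last_name
                           FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password produce the same result.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // the hash never reaches the session
    return $row;
}

// In checklogin.php these two values would come from $_POST.
$user = authenticate($pdo, 'jdoe', 'correct horse');

if ($user === null) {
    echo "Wrong Username or Password\n";
} else {
    session_start();
    session_regenerate_id(true);    // issue a fresh session id after login
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['first_name'] = $user['first_name'];
    $_SESSION['last_name']  = $user['last_name'];
    // Escape on output: the names are user-supplied data.
    $name = $_SESSION['first_name'] . ' ' . $_SESSION['last_name'];
    echo 'Welcome ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}
```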