#1 Registered User (Devshed Newbie, 0 - 499 posts), joined May 2012, 11 posts, Rep Power 0

    Storing info in session


    Rather new to PHP but I am learning

    I have a simple login system for a website, and a table for users.

    The user table has these fields:

    id
    firstname
    lastname
    email
    username
    password

    What I would like to do is store the first and last name in the session also in order to display "Welcome FIRSTNAME LASTNAME" on the site

    Code is as follows:

    main_login.php
    Code:
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
    <tr>
    <td>
    <form name="form1" method="post" action="checklogin.php">
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <td colspan="3"><strong>Member Login </strong></td>
    </tr>
    <tr>
    <td width="78">Username</td>
    <td width="6">:</td>
    <td width="294"><input name="myusername" type="text" id="myusername"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <!-- type="password" so the browser masks the input; the original form used type="text" -->
    <td><input name="mypassword" type="password" id="mypassword"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </form>
    </td>
    </tr>
    </table>
    and

    checklogin.php
    Code:
    <?php
    $host="localhost"; // Host name 
    $username="******"; // MySQL username 
    $password="*****"; // MySQL password 
    $db_name="*****"; // Database name 
    $tbl_name="members"; // Table name 
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect"); 
    mysql_select_db("$db_name") or die("cannot select DB");
    
    // username and password sent from form 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 
    
    // To protect against MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);
    
    // mysql_num_rows counts the rows in the result set
    $count=mysql_num_rows($result);
    
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
    
    // Register $myusername, $mypassword and redirect to file "index.php"
    session_register("myusername");
    session_register("mypassword"); 
    header("location:index.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    ?>
    Any help is appreciated. Thank you,
    Rab
#2 Contributing User (Devshed Newbie, 0 - 499 posts), joined Oct 2007, Location US, 105 posts, Rep Power 54

    Where are you having the problem?
    You already retrieved all fields from the database with your query:
    Code:
    SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'
    All you have to do is retrieve the first and last name from the results and store in the session.

    Btw session_register is deprecated. Maybe you should try storing values in the session array? Something like:
    PHP Code:
    $_SESSION['varName'] = 'value';
#3 Contributing User (Devshed Regular, 2000 - 2499 posts), joined Sep 2006, 2,034 posts, Rep Power 535

    Been a while since I've not used PDO for my SQL calls. You should definitely consider doing so. So, forgive me if I am wrong, but you want to do something similar to the following:

    PHP Code:
    $result=mysql_query($sql);
    // mysql_query() returns a resource, not a mysqli object, so the row is
    // fetched with the procedural mysql_fetch_assoc() rather than ->fetch_array()
    $user=mysql_fetch_assoc($result);
    $_SESSION['varName'] = $user;
    Now you have all your user data in your session instead of just myusername and mypassword.

    PS. Do you really want to store your user's password in a session? Also, resist using SELECT *, and use SELECT specific_columns.
#4 Devshed Expert (3500 - 3999 posts), joined Jul 2012, 3,959 posts, Rep Power 1014

    Hi,

    This code is extremely insecure.

    First of all, never store passwords in plaintext. This means that as soon as the database gets exposed (which may very well happen), the attacker can happily collect all passwords. And those passwords probably not only work for your site but also for Facebook or Twitter accounts, maybe online banking etc.

    So never do it. Storing the password in the session is also a very bad idea. This means that the passwords basically float around everywhere on your server, waiting for someone to steal them. What's the point of that, anyway? All the session must contain is the user id and maybe some additional information to avoid database queries.

    The session_register() function is also ancient (as has been said already). It's been deprecated for over 10 years and will spit out a whole lot of warnings on any contemporary PHP setup. It may not even work.

    Long story short, please read up on security and best practices before you store any critical data on your server. Online applications aren't a good place for playing around and testing. If you fail to write proper code, you'll be in serious trouble.
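The following is an added example, not code from any poster in this thread, showing one way to put the advice from replies #2, #3 and #4 together: a `checklogin.php` that uses PDO with a prepared statement, selects only the columns it needs instead of `SELECT *`, verifies the password against a hash with `password_verify()`, and stores only the user id and the display name in `$_SESSION`, never the password. It assumes the `members` table from the original post with columns `id`, `firstname`, `lastname`, `username` and `password`, where the `password` column holds a value produced by `password_hash()` at registration; the DSN and credentials are placeholders, and the `authenticate()`, `startUserSession()` and `welcomeBanner()` function names are my own.

```php
<?php
// Added example (not from the thread). Assumes a `members` table with columns
// id, firstname, lastname, username, password (password = password_hash() output).
session_start();

// Placeholders: replace with the real DSN and credentials.
const DB_DSN  = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
const DB_USER = 'DB_USER_PLACEHOLDER';
const DB_PASS = 'DB_PASS_PLACEHOLDER';

/**
 * Look the user up by username and check the submitted password against the
 * stored hash. Returns ['id', 'firstname', 'lastname'] on success, null on
 * failure. "No such user" and "wrong password" take the same branch so the
 * response does not reveal which usernames exist.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: user input is bound, never spliced into the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, firstname, lastname, password FROM members WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // the hash never leaves this function
    return $row;
}

/**
 * Keep the session minimal: the id for later lookups and the name for the
 * "Welcome FIRSTNAME LASTNAME" greeting. The password is not stored anywhere.
 */
function startUserSession(array $user): void
{
    session_regenerate_id(true); // new session id on login, against fixation
    $_SESSION['user_id']   = (int) $user['id'];
    $_SESSION['firstname'] = $user['firstname'];
    $_SESSION['lastname']  = $user['lastname'];
}

/**
 * What index.php would call to render the greeting. Output is escaped so a
 * name containing markup cannot inject HTML into the page.
 */
function welcomeBanner(): string
{
    if (!isset($_SESSION['user_id'])) {
        return 'Please log in';
    }
    $name = $_SESSION['firstname'] . ' ' . $_SESSION['lastname'];
    return 'Welcome ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$user = authenticate($pdo, $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '');
if ($user === null) {
    echo 'Wrong Username or Password';
    exit;
}
startUserSession($user);
header('Location: index.php');
exit;
```

At registration the matching write is `password_hash($plainPassword, PASSWORD_DEFAULT)` into the `password` column; `password_verify()` then works without any manual salting. `index.php` only needs `session_start()` followed by `echo welcomeBanner();`, and because the session holds the id rather than the username and password, a stolen session file or a leaked `$_SESSION` dump does not hand over credentials.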
