
I am trying to create a user login system. I know there are probably some security issues with my code...but I am just learning. I am trying to take the session data from the initial user sign up and display it on a page designated for showing the user information (a profile). My problem is the session data isn't being stored...neither is the data I am sending to the user database. I was using mysqli until I found some posts saying that PDO is more secure. I tried converting everything - but I am not sure if I am doing it right (apparently not if data isn't being stored). Everything was working before I changed to PDO. Here is my code:

storeuser.php

<?php
session_start();   // note: index.php registers MySessionHandler before its session_start(),
                   // this script does not, so the two scripts may not share one session store

$host="localhost"; // Host name
$uname="XXXX"; // Mysql username
$password="XXX"; // Mysql password
$db_name="XXX"; // Database name
$tbl_name="XXX"; // Table name

// Connect to server and select database.
// The DSN string must be closed before the username and password arguments;
// the original passed all three inside a single string.
$link = new PDO("mysql:host=$host;dbname=$db_name", $uname, $password);
// Throw on SQL errors instead of failing silently
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Get values from form
$username=$_POST['username'];
$pw=$_POST['pw'];
$email=$_POST['email'];

// Check whether the username is already taken (PDO form of the commented-out mysqli-style code)
//$stm = $link->prepare('SELECT * FROM users WHERE username = ?');
//$stm->bindParam(1, $username);
//$stm->execute();
//$result = $stm->fetch(PDO::FETCH_ASSOC);


$_SESSION["timeout"] = time();
$_SESSION["username"] = $_POST['username'];
$_SESSION["password"] = $_POST['pw'];   // keeping the plaintext password in the session is a security issue
$_SESSION["loggedIn"] = true;

// Insert data into mysql
// bindParam()/execute() belong to the prepared statement ($stm), not to the SQL string ($sql)
$sql = "INSERT INTO $tbl_name(username, password, email) VALUES(?,?,?)";
$stm = $link->prepare($sql);
$stm->bindParam(1, $username);
$stm->bindParam(2, $pw);     // stored in plaintext here; see password_hash()
$stm->bindParam(3, $email);
$stm->execute();
// An INSERT produces no result set, so there is nothing to fetch; check execute()'s return value instead
?>

<?php
// close connection
$link=null;
?>

The commented out code is just the beginning of me trying to check if the username is already taken. I don't know why my database variables were replaced with "XXX" - but that is not the way it is in my code...

Here is part of my index.php (I left out the html):

<?php
    // MySessionHandler is not shown in the question; it has to be defined or
    // included before this line, and every script that uses the session
    // (storeuser.php, the login script) must register the same handler.
    $handler = new MySessionHandler();
    session_set_save_handler($handler, true);
    session_start();
    // set time-out period (in seconds)
    $inactive = 600;

    // check to see if $_SESSION["timeout"] is set
    if (isset($_SESSION["timeout"])) {
        // calculate how long the session has been idle
        $sessionTTL = time() - $_SESSION["timeout"];
        if ($sessionTTL > $inactive) {
            $_SESSION = array();   // clear in-memory data as well as the stored session
            session_destroy();
            printf("session destroyed");
        } else {
            // refresh on activity; otherwise the session expires 600 s after login no matter how active the user is
            $_SESSION["timeout"] = time();
        }
    }
?>

Then, eventually, I need to set up user login (not user registration) - here is my login script:

<?php
    session_start();
    // This only copies the form fields into the session; it does not check
    // username/password against the users table, so any values "log in".
    $_SESSION["timeout"] = time();
    $_SESSION["username"] = $_POST['usernamein'];
    $_SESSION["password"] = $_POST['pwin'];   // keeping the password in the session is unnecessary and risky
    $_SESSION["loggedIn"] = true;
?>

UPDATE

application.js

$(document).ready(function() {
    $("#signupform").submit(function(e) {
        e.preventDefault();
        // Whatever storeuser.php prints (e.g. var_dump() output) arrives in `data`;
        // it never shows up in the page unless this callback puts it there.
        $.post('storeuser.php', $(this).serialize(), function(data){
            $("#showuser").load("templates/showuser.php");
            $("#signupform").remove();
        });
    });
});
  • have you tried a `var_dump()` just before your SQL statement to check if your variables have any values at all to be saved? – Jonathan Thurft Jun 10 '13 at 16:23
  • 2
    Your credentials were replaced by Fabio to prevent people from seeing them; it's a useless edit, as they are still in this question's history. Mail team@stackoverflow.com to let developers remove old revisions. BTW, which posts say that PDO is more secure than MySQLi? – Marcel Korpel Jun 10 '13 at 16:23
  • I'll try that, Jonathan... and Marcel - here is one article that seems to be informative - http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/ ... although I have found more than one source saying to use PDO. – ewizard Jun 10 '13 at 16:29
  • 2
    That article is plainly wrong: first it states that MySQLi doesn't support prepared statements, but then it gives just an example of one. I even would state the other way around: by default, PDO doesn't use *real* prepared statements, but simple quote escaping. You have to explicitly disable `EMULATE_PREPARES` to use real prepared statements with PDO. – Marcel Korpel Jun 10 '13 at 16:33
  • where does var_dump() output? I put `var_dump($username, $pw, $email);` right after where I declare the session variables in storeuser.php (right before the $sql statement). – ewizard Jun 10 '13 at 16:33
  • Marcel - interesting - so I should use mysqli? Or are you saying it doesn't matter – ewizard Jun 10 '13 at 16:34
  • To stdout, in your case probably to the browser. – Marcel Korpel Jun 10 '13 at 16:34
  • You should use whatever you like, but if something works one way, just don't try to convert it to the other way. – Marcel Korpel Jun 10 '13 at 16:34
  • ok... well if I don't get an answer from this question I guess I'll switch back to mysqli – ewizard Jun 10 '13 at 16:35
  • Did it work in MySQLi? Moreover, session variables are independent of PDO vs. MySQLi. And did you try the `var_dump`? – Marcel Korpel Jun 10 '13 at 16:36
  • yes... it worked with mysqli - I could get the user data stored... and the session data stored just fine... I wanted to move on to creating the whole login system... but then I started reading that PDO was better (which you say isn't true - and I believe you :)) – ewizard Jun 10 '13 at 16:38
  • I put in the var_dump() line - but I don't know where it outputs the info - you can see what I did in my comment to Jonathan above – ewizard Jun 10 '13 at 16:38
  • hmmm, don't see anything in my browser... it just goes to the showuser page I created – ewizard Jun 10 '13 at 16:40
  • Do you use a `Location` header to move the user to another page? Then also the `var_dump`ed data is gone. – Marcel Korpel Jun 10 '13 at 16:42
  • @MarcelKorpel Despite that I should've expected it, given PHP developers' generally lackadaisical and sloppy approach to security concerns, I did not know that about PDO. Thanks for cluing me in! – Aaron Miller Jun 10 '13 at 16:42
  • I do not use a location header... should I be? – ewizard Jun 10 '13 at 16:43
  • No, but that could be one cause of removal of data. After all, you wrote that it goes to the showuser page. The code you show is from storeuser.php. – Marcel Korpel Jun 10 '13 at 16:44
  • I use some jQuery to load the "showuser" page after my form gets submitted (and after "storeuser" gets executed) – ewizard Jun 10 '13 at 16:46
  • 1
    @AaronMiller http://stackoverflow.com/a/12202218/258127 – Marcel Korpel Jun 10 '13 at 16:46
  • thanks Aaron... gonna bookmark that one – ewizard Jun 10 '13 at 16:47
  • You're making an AJAX request? In that case, the output is sent to the browser, but to the JavaScript interpreter, and by default not output to the DOM. Do this yourself and you'll see the result. – Marcel Korpel Jun 10 '13 at 16:50
  • I'll post my jQuery... I'm not sure I follow – ewizard Jun 10 '13 at 16:50
  • Yes, [`$.post`](http://api.jquery.com/jQuery.post/) makes an AJAX request. Add a `data` parameter to the `success` function and put that data in a div. Or disable JavaScript in your browser and test it with normal forms, without AJAX requests; then you'll see the output directly in the browser window. – Marcel Korpel Jun 10 '13 at 16:55
  • would you mind giving me an example of how to use the success function this way? If you think this is the answer to my problem, just post it as an answer if you will :) – ewizard Jun 10 '13 at 17:00
  • Just change your success function to `function (data) { $('#somediv').text(data) }` or, as I said, use the non-JS way of normal forms. – Marcel Korpel Jun 10 '13 at 17:32
  • Oh, and always use @MarcelKorpel to call me, otherwise I won't be notified. – Marcel Korpel Jun 10 '13 at 17:47
  • -1 for there is no such thing like PDO sessions. – Your Common Sense Jun 10 '13 at 18:26
  • cool, thanks... and stfu with your -1 bs – ewizard Jun 10 '13 at 18:44
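Pulling the thread's points together, here is an added example (not code from the question or from any of the commenters) of the registration and login flow done the way the comments suggest: the DSN and credentials passed as separate arguments, PDO set to throw on errors and to use real server-side prepared statements (the `EMULATE_PREPARES` point), the username-taken check finished, passwords hashed with `password_hash()` instead of stored and re-sent in plaintext, the session id regenerated on login, an idle timeout that is refreshed on activity, and a JSON response the AJAX caller can inspect from its `data` argument. It assumes a table `users(id, username UNIQUE, password_hash, email)` and uses the question's placeholder host and credentials; the function names (`db`, `register`, `login`, `requireFreshSession`) are this example's own.

```php
<?php
// Added example, not part of the question. Assumes a table:
//   users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE,
//         password_hash VARCHAR(255), email VARCHAR(255))
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=XXX;charset=utf8mb4',   // placeholder DSN, closed before the next argument
            'XXXX',                                               // placeholder username
            'XXX',                                                // placeholder password
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // SQL errors throw instead of silently doing nothing
                PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements, not client-side quoting
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            ]
        );
    }
    return $pdo;
}

// Returns true when the account was created, false when the username is taken.
function register(string $username, string $password, string $email): bool {
    // Friendly pre-check (the question's commented-out idea, in working PDO form).
    $check = db()->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    // The UNIQUE constraint is the real guard against two registrations racing
    // past the pre-check; SQLSTATE 23000 is the integrity-constraint violation.
    try {
        $stm = db()->prepare('INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)');
        return $stm->execute([
            $username,
            password_hash($password, PASSWORD_DEFAULT), // salted bcrypt; the plaintext is never stored
            $email,
        ]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// Returns true and populates the session only after the password verifies.
function login(string $username, string $password): bool {
    $stm = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stm->execute([$username]);
    $row = $stm->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id after authentication blocks session fixation
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();        // the password itself is never put in the session
    return true;
}

// Idle-timeout check for pages that need a logged-in user; refreshes on each request
// so a session only dies after $maxIdle seconds without activity, not $maxIdle after login.
function requireFreshSession(int $maxIdle = 600): bool {
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdle) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Every script that touches the session must start it the same way (same save handler
// registered, or none), otherwise one script writes a session another never reads.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['pw'], $_POST['email'])) {
    $ok = register($_POST['username'], $_POST['pw'], $_POST['email']);
    header('Content-Type: application/json');
    // The jQuery $.post() callback receives this body in its `data` argument;
    // during debugging, anything var_dump()ed above also lands there.
    echo json_encode(['ok' => $ok]);
}
```

With `ATTR_ERRMODE` set to exceptions, the silent failure the question describes (data never reaching the table because `bindParam()` was called on a string) would have surfaced as a thrown error in the AJAX response body instead of an empty page.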
