-1

So below I have my php code, everything works fine and dandy except when the user logs in and is redirected to the restricted page. When a person signs up, they fill out their first name, email, and password. In the login page it only requires email and password. When they are redirected I want to only display their first name though. I have tried making the session = $result which should return the result of the sql query, but if I do that it doesn't even redirect to the restricted page. What am I doing wrong?

<?php

// DATABASE VARIABLES
$user_name = "";
$pass_word = "";
$database = "";
$server = "";

// CONNECTS TO DATABASE
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);

// ACCOUNT INFORMATION
$email;
$password;
$num_rows = 0;

// IF SUBMIT IS CLICKED
if (isset($_POST['submit'])) {

    // STORES INPUTS AS VARIABLES
    $email = $_POST['email'];
    $password = $_POST['password'];

    // REMOVES HARMFUL CODE
    $email = htmlspecialchars($email);
    $password = htmlspecialchars($password);

    if ($db_found) {

        $SQL = "SELECT * FROM accounts WHERE email = '$email' AND password = '$password'";
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);

        if ($num_rows > 0) {

            session_start();
            $_SESSION['login'] = ?;
            header ("Location: loggedin/account.php");

        }
        else {

            session_start();
            $_SESSION['login'] = '';

        }

    }
    else {

    }

}
?>
user3757779
  • 31
  • 1
  • 6
  • 1
    What's with the `$_SESSION['login'] = ?;` is that your question? – Funk Forty Niner Jun 20 '14 at 20:17
  • Yes, that is the part I need help with. I dont know what to set it equal to... – user3757779 Jun 20 '14 at 20:19
  • 1
    You need to fetch a row from the result set and use fields from that row to populate your session variable. – jeroen Jun 20 '14 at 20:22
  • So what is the problem? The redirect isn't working, or not displaying their name correctly? – Marc B Jun 20 '14 at 20:23
  • Here: http://stackoverflow.com/q/21382441/ - http://stackoverflow.com/q/21095943/ - http://stackoverflow.com/q/20838973/ - http://tutsforweb.blogspot.ca/2012/05/registration-system-with-email.html - those will give you an insight. – Funk Forty Niner Jun 20 '14 at 20:27
  • Your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**`mysqli_*` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) with [**prepared statements**](http://php.net/pdo.prepared-statements). – Funk Forty Niner Jun 20 '14 at 20:28

2 Answers2

1

Here is what I would do.....

// DATABASE VARIABLES
$user_name = "";
$pass_word = "";
$database = "";
$server = "";

// CONNECTS TO DATABASE
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);

// ACCOUNT INFORMATION
$email;
$password;
$num_rows = 0;

// IF SUBMIT IS CLICKED
if (isset($_POST['submit'])) {

// STORES INPUTS AS VARIABLES
$email = $_POST['email'];
$password = $_POST['password'];

// REMOVES HARMFUL CODE
$email = htmlspecialchars($email);
$password = htmlspecialchars($password);

if ($db_found) {

    $SQL = "SELECT * FROM accounts WHERE email = '$email' AND password = '$password'";
    $result = mysql_query($SQL);
    $num_rows = mysql_num_rows($result);

// Grab user name from db 

    $row = mysql_fetch_row($result);
    if ($num_rows > 0) {

// Add to session variable

        session_start();
        $_SESSION['login'] = $row['username'];
        header ("Location: loggedin/account.php");

    }
    else {

//Either exit or redirect to login failure page.

    }

}
else {

This seems alright to me although I cant test at current.

Edit You may want to have a read on using the Mysqli and PDO connection, it is slightly quicker and definitely more secure, just a suggestion if you have the time. Also prepared statements would definitely be more secure.

Warren88
  • 36
  • 3
0

This is how I do Login... You must have an ID for each user in mysql and define

$_SESSION['user_id'] = $fetched_id;

and in loggedin/account.php page you can simply make this:

$user_id = $_SESSION['user_id'];
$query = mysql_query("SELECT `first_name` FROM `users` WHERE `id` = '{$user_id}'");
Levan Lotuashvili
  • 841
  • 10
  • 13