How to retrieve information from a record in a database in PHP 5.5?

Question

I am mostly confused about the new php 5.5, I apologize for any inconvenience.

I am trying to get information from whomever logs in, so for example if I log in with an email, I'd like the website to get my first name and do a "Welcome, Shinji!".

    $conn = mysqli_connect('localhost','root','');
    $db = mysqli_select_db($conn , 'session_start');

    $user = $_POST['user'];
    $pass = $_POST['pass'];

    $query = mysqli_query($conn , "SELECT * FROM `info_table` WHERE '$user' = `user` AND '$pass'=`password`") or die(mysqli_error($conn));
    $rows = mysqli_num_rows($query);

    if($rows == 1){

        #$query2 = mysqli_query($conn , "INSERT INTO `who_logged` (`name`) VALUES ('$user')") or die(mysqli_error($conn));
        #$rows = mysqli_num_rows($query);

        session_start();

         $_SESSION['username'] = $_POST['user']; // store username
         $_SESSION['password'] = $_POST['pass']; // store password

        $query2 = mysqli_query($conn ,"SELECT `name` FROM `info_table` WHERE '$user' = `user`") or die(mysqli_error($conn));
        $result = mysqli_num_rows($query2);

        while ($row = mysql_fetch_assoc($result)) {
        $_SESSION['name'] = $row['name'];//I thought to try setting the name to the Session variable, but does not work
    }

        header('Location: next_page.php');
        exit();

    }else{
        echo "Wrong username or password.";
    }

I tried to set the name to a session variable, but if there is a more efficient way please say so! (This current code works, except the name setting to session.

You're using the wrong identifiers around your column(s) and values, including mixing MySQL APIs. Plus, you need to invert what you're using. `$pass` and `password` etc. — Funk Forty Niner, Nov 18 '14 at 21:45
I was writing up an answer, but at this point, I have changed my mind. — Funk Forty Niner, Nov 18 '14 at 21:53
@Rahul It's all yours Rahul ;) I'm skipping this one out. You'll have to retype it lol — Funk Forty Niner, Nov 18 '14 at 21:53
@Fred-ii-, LOL .. just kidding .. I am no way interested writing an answer for this question. If someone must then that should be you since you have pointed that first. — Rahul, Nov 18 '14 at 21:55
@Rahul I'm just unsure about `while ($row = mysql_fetch_assoc($result))` which I know should be `while ($row = mysqli_fetch_assoc($result))` with the added `i`, however, when an OP says "it works..." and with what is posted, nope... not touching this with a 10 foot pole. — Funk Forty Niner, Nov 18 '14 at 21:56
Is this what the community can bring to those who are learning? — Shinji, Nov 18 '14 at 22:12
I know it is a bad code, I am only just learning. If you have some remarks go ahead, But i hardly understand the need to be insulting @fred-ii. People like you might as well leave the world of learning to those who have the heart for it. Thank you. — Shinji, Nov 18 '14 at 22:13
I hardly think I was insulting. I said I wasn't touching this. Your code is unsure and I am afraid it will only open up something bigger and that I will only be commenting back and forth with an "answer". I've given you enough information to fix it yourself. — Funk Forty Niner, Nov 18 '14 at 22:15
Thank you for your kind input. I am not using this code for anything serious, it is only a test code. I build simple modules before the main one. Thank you again. — Shinji, Nov 18 '14 at 22:22
I will post the answer I was writing up earlier, but if it doesn't work, I will delete it. — Funk Forty Niner, Nov 18 '14 at 22:23

score 4 · Answer 1 · edited May 23 '17 at 10:26

You have your column(s) and values mixed up in order.

It's column first, then the value and not the other way around.

Change both:

WHERE '$user' = `user` AND '$pass'=`password`

to:

WHERE `user` = '$user' AND `password`='$pass'

Plus, you're mixing MySQL APIs. Those different APIs do not intermix with each other.

Change mysql_fetch_assoc to mysqli_fetch_assoc

I noticed you are using sessions; make sure session_start(); is indeed loaded.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never production.

Also, add or die(mysqli_error($conn)) to mysqli_query()

Your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements, they're much safer.

EDIT:

Try the following instead and it will get you started. Please read my footnotes concerning the use/storage of plain text passwords.

Sidenote: I removed $_SESSION['password'] = $pass; // store password
do not do this, it's insecure.

Plus, do not put anything "above" the PHP below, such as HTML etc., otherwise, you will receive a warning about headers already sent.

<?php 
$conn = mysqli_connect('localhost','root','');
$db = mysqli_select_db($conn, 'session_start');

$user = stripslashes($_POST['user']);
$user = mysqli_real_escape_string($conn,$_POST['user']);

$pass = stripslashes($_POST['pass']);
$pass = mysqli_real_escape_string($conn,$_POST['pass']);

$query = mysqli_query($conn , "SELECT * FROM `info_table` 

    WHERE `user` = '$user' AND `password`='$pass'") 

        or die(mysqli_error($conn));

$num_rows = mysqli_num_rows($query);

    if($num_rows > 0){

    session_start();

    // it's not really needed
    // we are pulling it from $row['user'] in the while loop
    // and setting it to $_SESSION['username']
    // $_SESSION['username'] = $user; // store username

    while ($row = mysqli_fetch_assoc($result)) {
    $_SESSION['username'] = $row['user'];
    }

    // for testing only. Do not use with header
    //  echo $_SESSION['username'];

    header('Location: next_page.php');
    exit();
}

// do not place any echos here, only the else statement

else{
    echo "Wrong username or password.";
}

next_page.php

<?php 
session_start();

if(isset($_SESSION['username'])){

    echo $_SESSION['username'];
}

else{

    echo "Not logged in.";

}

Footnotes

It is highly recommended that you do not store passwords in plain text.

Visit the following Website:

http://daveismyname.com/login-and-registration-system-with-php-bp

It contains a full registration/login/verification system as well as using PDO with prepared statements and PHP's password_hash() function, which is highly recommended.

Since you are using PHP 5.5, then you will benefit from these features.

Thank you fred. This has set me on the right direction. I doubt my query works, so I will try to rewrite it differently. I apologize for being rude as well. — Shinji, Nov 18 '14 at 22:39
@Shinji You're quite welcome. Please reload my answer, I have included a few extras to check for errors. *Cheers* — Funk Forty Niner, Nov 18 '14 at 22:51
@Shinji Reload my answer and look under **EDIT** near the bottom. Plus, it contains more information about security/links. — Funk Forty Niner, Nov 19 '14 at 02:59

How to retrieve information from a record in a database in PHP 5.5?

1 Answers1