I want to create a simple profile system. I want to display the user's data from the database on the profile page. I don't want to make a settings page. I just simply want to display it.

There are three columns in the db right now: Id, username and password. I am adding first name, lastname, about me and about me to the database.

I want to improve on my current PHP page and don't want to create a new page. Please give me advice on how I can create a simple profile system.

Here is my code of index.php

<?php
    session_start();

    if(isset($_SESSION['user'])){
        // Already logged in: redirect and stop so nothing else is sent
        header("Location: profile.php");
        exit;
    }
    else{
        display_form();
    }

    function display_form(){
        ?>
        <form action="verify.php" method="POST">
            Name:<input name = "username" type = "text" />
            Pass:<input name = "password" type = "password" />
            <input name = "submit" type="submit" />
        </form>
        <?php
    }
?>

My code of profile.php

<?php
    session_start();

    if (isset($_SESSION['user'])){
        $loggeduser = $_SESSION['user'];
        echo "Welcome ".$loggeduser." !";

        ?>
        <a href="logout.php"> Log out now! </a>
        <?php

        //Start displaying profile


    }
    else
        header("location: index.php");
?>

Code of verification page

<?php

    session_start();

    //Make sql connection and select databases
    $database_connect = mysql_connect('localhost','root','');
    if(!$database_connect){
        die('Could not connect to database');
    }
    else{
        echo "Connected to database successfully!<br/>";
    }

    $db_table_connect = mysql_select_db('selftest');
    if(!$db_table_connect){
        echo "Connection to table failed";
    }
    else{
        echo "Connected successfully to table!<br/><br/>";
    }

    //Begin with user verifications
    if(isset($_POST['submit'])){
        $username = $_POST['username'];
        $userpass = $_POST['password'];

        $sql = "SELECT * FROM users WHERE username = '$username' and password = '$userpass'";
        $result = mysql_query($sql);

        $count = mysql_num_rows($result);

        if($count == 1){
            echo "Successfully logged in!";
            $_SESSION['user'] = $username;
            header("refresh:5;url=profile.php");
        }
        else{
            echo "Failed to log in!";
            header("refresh:5;url=index.php");
        }
    }
  • Two improvements I'd make straight away: close the SQL injection vulnerability, and hash passwords. As it stands, the password for any user can be trivially cracked out of this. – halfer Apr 11 '15 at 10:15

1 Answer


Such questions are not acceptable on SO. Read This. But I'll try to help.

1) Never trust user input, always sanitize it. You are inputting login information directly into the query. That's a SQL injection right there. Read prevent SQL injection.

2) The mysql API is deprecated, which means its production will stop soon. Make a habit of using the new API, which is mysqli. There is not much difference; it is 90% the same. Or PDO, which is kind of the same thing as mysqli.

3) Try to make use of classes for database interaction. That way you can easily get query information and show it within the same page.

For now, you can put the information from the result variable of the select query in the session. Do the following:

//Code of verification page
if($count == 1){
    echo "Successfully logged in!";
    $_SESSION['user'] = $username;

    // Keep the fetched row in the session so profile.php can read it
    $_SESSION['user_info'] = mysql_fetch_array($result);
    header("refresh:5;url=profile.php");
}

//Start displaying profile
// Array keys are quoted strings; bare words would be read as constants
echo $_SESSION['user_info']['name'];
echo $_SESSION['user_info']['aboutme'];
Abdul Rehman
  • Can you elaborate a little bit? Sorry, I am very new to it! –  Apr 11 '15 at 10:57
  • What part isn't clear? And the code is actual code; copy-paste it and it will work. Try this. – Abdul Rehman Apr 11 '15 at 11:41
  • Thanks! I thought you were giving an example. It worked! –  Apr 11 '15 at 16:01
  • Welcome, but it's not a proper way to display stuff; you just have to query and output the record. I just simplified it for you. Sessions are used to pass and store simple messages, and to display DB records obviously you would query and display it wherever you want. Good luck – Abdul Rehman Apr 11 '15 at 17:43
  • I will make a fresh login system now. What according to you should I use? Classes, arrays? I am trying a different approach now, the way real developers approach the problem. –  Apr 11 '15 at 17:58
  • email me at adeel.cs@gmail.com & i'll reply back with a good enough starting model for u, this is not the place for conversation :) – Abdul Rehman Apr 11 '15 at 18:03
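
The two fixes named in the first comment and in point 1 of the answer (a parameterised query and hashed passwords), shown as an added example that is not part of the original question or answer. It assumes PDO with the SQLite driver so the demo runs against an in-memory database; the column names `firstname` and `aboutme`, the function `verify_login` and the sample data are hypothetical.

```php
<?php
// Added example: schema and data are constructed; an in-memory SQLite database
// stands in for the MySQL 'selftest' database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,
    firstname TEXT, aboutme TEXT)");

// Store only a salted hash, never the plain-text password.
$insert = $pdo->prepare(
    "INSERT INTO users (username, password, firstname, aboutme) VALUES (?, ?, ?, ?)");
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT),
                  'Alice', 'Hello <b>world</b>']);

/**
 * Returns the profile row (without the hash) on success, or null on failure.
 * The username is bound as a parameter, so quotes in it cannot change the query.
 */
function verify_login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        "SELECT username, password, firstname, aboutme FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against the stored hash, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // keep the hash out of the session
    return $row;
}

// Constructed inputs: a valid login, a wrong password, and a username containing
// a quote, which a query built by string concatenation would not handle safely.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ["alice' -- ", 'x']];
foreach ($attempts as [$user, $pass]) {
    $profile = verify_login($pdo, $user, $pass);
    if ($profile === null) {
        echo "Failed to log in as " . htmlspecialchars($user, ENT_QUOTES) . "\n";
        continue;
    }
    // In verify.php this is where $_SESSION['user_info'] = $profile would go.
    // Escape on output so stored markup is shown as text, not interpreted.
    echo "Welcome " . htmlspecialchars($profile['firstname'], ENT_QUOTES) . ": "
       . htmlspecialchars($profile['aboutme'], ENT_QUOTES) . "\n";
}
```

Only the first attempt prints a welcome line; the other two fail without altering the query, and the stored `<b>` markup is printed escaped.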