How to check two php sessions variables username and a drop down if they match in php?

Question

After login I store in session for the user, the username and the user id. After the login, the user goes to his / her page they select their name so to see their statistical scores from the evaluations. This name is stored in session too. But I don't know how can I control what the user can see. I don't know to how to do it.

loginForm.php

<html>
<head><link rel="stylesheet" type="text/css" href="../../statistics/style.css">
</head>
<body>
<div id="login">
        <h3>Login</h3>
            <form action = "login.php" method = "POST">
                <label>Username: </label> <br/>
                <input class="inputfield"  type="text" name="username" size="20"/> <br /><br/>
                <label>Password: </label> <br/>
                <input class="inputfield" type="password" name="password" size="20"/> <br /><br/>
                <input type="submit" value="Login" name="submit"/>
                <input type="reset" name="reset" value="Clear"/>
            </form>
            <!--End of Login-->
        </div>
</body>
</html>

login.php

<?php

  require ('connect.php');
  if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

   if ($username && $password) {
        $check = mysql_query("SELECT * FROM users WHERE username='".$username."' AND password= '".$password."'");
         $rows = mysql_num_rows($check);


    if(mysql_num_rows($check) != 0){

        session_start();
        $run_login =mysql_fetch_array($check);
        $uid = $run_login['id'];
        $_SESSION['uid'] = ['uid'];
        $_SESSION['username']=$_POST['username'];
        header("location:../../statistics/home.php");

     }
      else{
      die("Could not find the Username or password.");
   }
 }
else {
     echo "Please fill all the fields.";
   }
 }
?>

lecturer.php

 <?php 

 include 'connect.php';

 $years     = array(
      2005,
      2006,
      2007
 );

$lecturers = array(
    'dimopoulos',
    'lagkas',
    'kehagias',
'chrysochoou'
);


if(isset($_POST['submit'])){

    $year = mysql_real_escape_string($_POST['year']);
    $lecturer = mysql_real_escape_string($_POST['lecturer']);

   session_start();

/*checks if the user types the url of the page that he is not allowed to use, it leads him to the main page so to login*/
   if(!isset($_SESSION['username'])){

        header("location:../../statistics/main.htm");
   }
   $username=$_SESSION['username'];


 /*checks if the lecturer name the user selected matches their username*/
    if(isset($_POST['lecturer'])== isset($_SESSION['username'])){

     $_SESSION['lecturer'] = $_POST['lecturer'];


        if (in_array($lecturer, $lecturers) && in_array($year, $years)) {

            $sql = "SELECT unit_name,a1,a2,a3,l1,l2,l3,l4,l5,l6,l7,lavg,r1,r2,u1,u2,u3 FROM $lecturer WHERE year=$year";

            $result = mysql_query($sql);
        }

        else {
            echo "No data found";
        }

      }

    }
  ?>
   <html>
   <head>
   <link rel="stylesheet" type="text/css" href="../../statistics/style.css">
   </head>
    <body>
<div id="container">
<table id="table" width="900" border="1" cellspacing="1">
<tr>
    <td>Unit Name</td>
    <td>A1 </td>
    <td>A2 </td>
    <td>A3 </td>
    <td>L1 </td>
    <td>L2 </td>
    <td>L3 </td>
    <td>L4 </td>
    <td>L5 </td>
    <td>L6 </td>
    <td>L7 </td>
    <td>LAVG </td>
    <td>R1 </td>
    <td>R2 </td>
    <td>U1 </td>
    <td>U2 </td>
    <td>U3 </td>


</tr>

<?php
    while($unit=mysql_fetch_assoc($result)){
        echo "<tr>";
        echo "<td>".$unit['unit_name']."</td>";
        echo "<td>".$unit['a1']."</td>";
        echo "<td>".$unit['a2']."</td>";
        echo "<td>".$unit['a3']."</td>";
        echo "<td>".$unit['l1']."</td>";
        echo "<td>".$unit['l2']."</td>";
        echo "<td>".$unit['l3']."</td>";
        echo "<td>".$unit['l4']."</td>";
        echo "<td>".$unit['l5']."</td>";
        echo "<td>".$unit['l6']."</td>";
        echo "<td>".$unit['l7']."</td>";
        echo "<td>".$unit['lavg']."</td>";
        echo "<td>".$unit['r1']."</td>";
        echo "<td>".$unit['r2']."</td>";
        echo "<td>".$unit['u1']."</td>";
        echo "<td>".$unit['u2']."</td>";
        echo "<td>".$unit['u3']."</td>";
        echo "</tr>";    
    }
?>
</table>
</div>

lecturerForm.php

<form name="myform" action="lecturer.php" method="POST" >
<b>Lecturers:<b/>
<select name="lecturer">  
<option value="Choose">Please select..</option>
<?php
    $sql=mysql_query("SELECT lec_name FROM lecturer");

    while($row=mysql_fetch_array($sql)){

        echo "<option value='".$row['lec_name']."'>".$row['lec_name']."</option>";
    }
    ?> 
</select><br/><br/>

<b>Year:<b/>
<select name="year"> 
<option value="Choose">Please select..</option>
<option value="2005">2005</option> 
<option value="2006">2006</option>
<option value="2007">2007</option></select><br/><br/>


<br/>
<input type="submit" name="submit" value="Submit">
<input type="reset" name="reset" value="Clear">

</form>

Assign the username `$_POST` array to a username `$_SESSION` array, then pass the session username array into your `where` clause. — Funk Forty Niner, Apr 30 '15 at 16:28
[You need to prevent SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Apr 30 '15 at 16:31
@Fred -ii- It is a bit vague, can you explain it better? For the `Assign the username $_POST array to a username $_SESSION array` do mean something like this '$_SESSION['username']=$_POST['username'];' ? And in which file should I make these changes in 'lecturer.php' or 'login.php' ? — aurora, Apr 30 '15 at 17:09
@Fred -ii- I heave two 'where' clauses one in the 'login.php' and the second one in the 'lecturer.php'. In which of the two I pass the session username? Or do I pass it in both? — aurora, Apr 30 '15 at 17:44
if you're going to use sessions and in both/all files, you first need to use a conditonal `isset()` on the session array. Your POST to SESSION array would look something like `$username = $_POST['username']; $_POST['username'] = $_SESSION['user']; $session_user = $_SESSION['user'];` then in your `where` clause `WHERE username='".$session_user."'` something like that. — Funk Forty Niner, Apr 30 '15 at 17:49

score 0 · Answer 1 · answered Apr 30 '15 at 18:20

Comments to answer to close the question: (with a few additions)

Assign the username $_POST array to a username $_SESSION array, then pass the session username array into your where clause.

Now, if you're going to use sessions and in both/all files, you first need to use a conditonal isset() on the session array.

Your POST to SESSION array would look something like:

<?php 
session_start();

// $_POST['username'] = "John"; // test only
$username = $_POST['username'];
$_SESSION['user'] = $username;
$session_user = $_SESSION['user'];

echo $session_user; // test echo

Then in your where clause WHERE username='".$session_user."'

Using isset() on the session array:

<?php 
session_start();
if(isset($_SESSION['user'])){...}

Footnotes:

You should add exit; after each of your headers, otherwise your code may want to continue executing; it's usually best.
Consider using mysqli with prepared statements, or PDO with prepared statements, they're much safer.

should I remove `$run_login =mysql_fetch_array($check);` `$uid = $run_login['id'];` ` $_SESSION['uid'] = ['uid'];` `$_SESSION['username']=$_POST['username'];` from `login.php` ? — aurora, May 01 '15 at 07:35

How to check two php sessions variables username and a drop down if they match in php?

1 Answers1