2

I am building a new project right now and finished my login/registration script. It is working so far but now I need a new function and I am not sure how exactly I should do that.

If a user logged in with success the first page the user will see is his profile. On this page I get my data with the following query:

<?php 
session_start();

if(empty($_SESSION)) // if the session not yet started
   session_start();

if(!isset($_SESSION['email'])) { //if not yet logged in
   header("Location: login.php");// send to login page
   exit;
}

include 'header.php';

$get = "SELECT * FROM user" or die(mysql_error());
$result_get = mysqli_query($connect, $get);
$_SESSION['data'] = mysqli_fetch_assoc($result_get);
 
?>

And inside my HTML code I get the data with the following code:

Firstname: <?php echo $_SESSION['data']['firstname']; ?>
Lastname: <?php echo $_SESSION['data']['lastname']; ?>
Username <?php echo $_SESSION['data']['username']; ?>

Problem is now, that I need to show the data only from the user which is currently logged in. Right now my query is "SELECT * FROM user" but I think I can change this query to something, that only the data are received from the currently logged in user. Something like "SELECT * FROM user WHERE SESSION"?!

I am not sure how I can achieve that.

Dharman
  • 30,962
  • 25
  • 85
  • 135
Christoph C.
  • 840
  • 2
  • 22
  • 38
  • 1
    `"SELECT * FROM user WHERE email = '".$_SESSION['email']."'" `assuming email is the field name in your user table. – Dipen Shah Aug 24 '15 at 19:15
  • 3
    Warning: major cargo-cult programming detected: `$sql = "..." or die()`? A string assignment cannot fail, and would not trigger a database error, and definitely wouldn't trigger a `mysql` error, as you're using `mysqli` elsewhere. – Marc B Aug 24 '15 at 19:15
  • `$_SESSION['data']['firstname']` why not just `$_SESSION['firstname']`? – developerwjk Aug 24 '15 at 19:21
  • make sure you set your email field to `unique` in your sql table definition too – developerwjk Aug 24 '15 at 19:22
  • @DipenShah thank you so much! That is exactly what I was looking for! Thanks you!! – Christoph C. Aug 24 '15 at 19:31
  • @developerwjk thanks for your inputs! Changed the email field to unique and also changed the code to $_SESSION['firstname'] – Christoph C. Aug 24 '15 at 19:32
  • @ChristophC. using that in production is a very bad idea: http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work?lq=1 – Craig van Tonder Aug 24 '15 at 19:33
  • @ChristophC Glad I could help. – Dipen Shah Aug 24 '15 at 19:37
  • @ChritophC Although you should follow the comments above and the answer below. My comment was just a dirty hack to get things done. – Dipen Shah Aug 24 '15 at 19:47
  • @DipenShah yeah I know that but that was exactly what I need right now ;)! Tested @indigoldentity´s method right now and is working too ;) – Christoph C. Aug 24 '15 at 20:08

1 Answers1

2

You could accomplish this like so:

<?php
# Store the user input username
if (isset($_SESSION['email']) && strlen($_SESSION['email']) > 0) {
    $email = $_SESSION['email'];
} else {
    // Die the error
    printf('No email address available');
    exit;
}

# Set DB connection details
$DBHost = 'localhost';
$DBUser = 'username';
$DBPass = 'password';
$DBName = 'database';
// Configure error reporting
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

# Create a database connection for PHP to use
$link = mysqli_connect($DBHost, $DBUser, $DBPass, $DBName);
// Set encoding type to uft8
mysqli_set_charset($link, 'utf8mb4');

# Query the database
// Build the query
$query = 'SELECT `firstname`,`lastname`,`username` FROM `table` WHERE `email` = ? LIMIT 1 ';
// Prepare it
$stmt = $link->prepare($query);
// Bind in the user input data so as to avoid SQL injection
$stmt->bind_param('s', $email);
// Execute the query
$stmt->execute();
// Bind the results to some variables
$stmt->bind_result($firstname, $lastname, $username);
// Fetch the data
$stmt->fetch();
// Close the query
$stmt->close();

# Build the html
$pageHtml = '
<p>First Name: '.$firstname.'</p>
<p>Last Name: '.$lastname.'</p>
<p>User Name: '.$username.'</p>
';

# Display the html
echo $pageHtml;

Further Reading

MySQLi Manual:

http://php.net/manual/en/book.mysqli.php

About MySQLi Connections:

http://php.net/manual/en/mysqli.quickstart.connections.php

About MySQLi Prepared Statements:

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

About database table indexes and "where" to use them... Pun intended :)

How does database indexing work?

http://dev.mysql.com/doc/refman/5.0/en/mysql-indexes.html

Craig van Tonder
  • 7,497
  • 18
  • 64
  • 109
  • 1
    @ChristophC. No problem, we all need a reference for this at some point :) BTW, i added `LIMIT 1` to the query as you would ideally only want to return one record, just in case for whatever reason there is more than one value to return. You could avoid this possibility by using a unique index on the `email` field in your table in the database, if you opt for this you'd need to test to ensure that the user is added correctly and that they get prompted should the email already exist. – Craig van Tonder Aug 24 '15 at 21:13