
At the moment I am writing a little media library in PHP and I want to set sessions, so the user stays logged in and gets his name echoed on the front page.

[index.php]

<?php
session_start(); // $_SESSION is empty unless the session has been started

if(isset($_SESSION['loggedin']))
{
    //ECHO $USERNAME
}else{
    echo '<p>To start, please <a href="?page=login">login</a> or <a href="?page=register">register.</a></p>';
}
?>

I want PHP to echo out the $username if there's a session ID set.

[signup.php]

<?php
session_start();

$conn = mysqli_connect("$host", "$user", "$pass", "$db");
$uid = $_POST['uid'];
$pw  = $_POST['pw1'];
$pw2 = $_POST['pw2'];

// The redirect header has to be sent before any output; header() fails once echo has run.
header("Refresh: 3; url=../index.php");

if ($pw == $pw2) {

    // Note: the values are interpolated into the query unescaped and the password
    // is stored in plaintext (see the comments below).
    $sql = "INSERT INTO user (uid, pw) VALUES ('$uid', '$pw')";
    $result = mysqli_query($conn, $sql);

    echo "Registration succeeded.";

}else{
    echo "Please check your information.";
}

So, after PHP successfully compares my $pw1 and $pw2 I want to start a session, and then it should put the $username into the $_SESSION array.

Of course, next to the secure session ID.

I repeat, after this I want to echo the $username out on the front page.

What is the best way to do it? Thanks.

  • *"In the WWW i really can not find an useful explanation"* - I sincerely doubt that. – Funk Forty Niner Nov 02 '16 at 13:13
  • Is your question "How do I add username to the session array?"? – Ḟḹáḿíṅḡ Ⱬỏḿƀíé Nov 02 '16 at 13:16
  • And why would you create a session on the sign-up page? What you must do: register the user, log the user in, then store the session when the user logs in. – Masivuye Cokile Nov 02 '16 at 13:17
  • 1. You're inserting passwords in plaintext - an absolute no-go. 2. You insert them directly without any protection against injections... Continue this way and your application could be taken down in a few seconds... Why don't you use an existing system? :s – Twinfriends Nov 02 '16 at 13:19
  • https://www.sitepoint.com/php-sessions/ – Rwd Nov 02 '16 at 13:21
  • Googled "how to start PHP sessions" and got 46 million results; the first one was [`session_start()`](http://php.net/manual/en/function.session-start.php). The first example in there shows how to add data to the session as well. – apokryfos Nov 02 '16 at 13:24
  • Just for practice. If you haven't noticed, I am new to PHP and first of all I want to learn the general PHP and SQL language. If this site ever goes online, you don't have to worry about my security, Twinfriends. @Masivuye Cokile could you please explain your method? – user7104700 Nov 02 '16 at 13:24

2 Answers

session_start(); // the session must be started before $_SESSION can be written
// $uid must be escaped or bound as a prepared-statement parameter before it is used in the query
$sql="SELECT username FROM users WHERE userid=$uid";
$result=mysqli_query($conn,$sql);
$row=mysqli_fetch_assoc($result);
$_SESSION['username']=$row['username'];

You can do something like this.

Funk Forty Niner
Aswin

Usage of $_SESSION super global array (compact version)

session_start(); //To init
$_SESSION['username'] = 'Bob'; // Store value
echo $_SESSION['username']; // Treat like normal array

Detailed example

To use a session, you have to init it first.

session_start();

After that you access the session vars via the super global

$_SESSION

A good way is to always store a value in the session variables you want to use:

// init session
session_start();
// check if session var is set, if not init the field with value in the super global array
if(!isset($_SESSION['auth'])) $_SESSION['auth'] = false;

if(!$_SESSION['auth']) {
  //do auth here like eg.
  header('Location: signup.php'); // if auth is okay -> $_SESSION['auth'] = true + redirect to this (main) script
  die(); // This is really necessary because a header redirect can be ignored.

}

// if auth okay, do fancy stuff here

For security read the following

Remember to escape your user input, always!

How can I prevent SQL injection in PHP?

The session_id is normally stored in a cookie, or, the old way, passed via a URL parameter. You do not have to secure the session_id.

Also read the advice about XSS/CSRF. Plus, tokens are also good. Maybe this is what you mean by secure session_id.

Stackoverflow: preventing csrf in php

OWASP: https://www.owasp.org/index.php/PHP_CSRF_Guard

OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

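The flow the question asks for (register, log in, store the name in the session, echo it on the front page), as an added example that is not the asker's or either answerer's code. It uses PDO prepared statements, password_hash()/password_verify() and session_regenerate_id(); PDO with an in-memory SQLite table is assumed here only so that the file runs without a database server, and the table user(uid, pw) is a constructed demo schema. The same bound-parameter pattern works with mysqli_prepare()/bind_param() or a PDO MySQL DSN.

```php
<?php
// Added example (not from the original post): registration, login and front-page
// greeting for a small PHP app. Assumptions: PDO with the sqlite driver available,
// and a demo table user(uid, pw) created below; adapt the DSN for MySQL.
declare(strict_types=1);

function connectDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Constructed demo schema; pw holds a password_hash() string, never plaintext.
    $pdo->exec('CREATE TABLE user (uid TEXT PRIMARY KEY, pw TEXT NOT NULL)');
    return $pdo;
}

// signup.php: compare the two passwords, then insert a hash via a bound parameter.
function registerUser(PDO $pdo, string $uid, string $pw1, string $pw2): bool
{
    if ($uid === '' || $pw1 === '' || $pw1 !== $pw2) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO user (uid, pw) VALUES (:uid, :pw)');
    try {
        return $stmt->execute([
            ':uid' => $uid,
            ':pw'  => password_hash($pw1, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        return false; // e.g. the uid already exists
    }
}

// login.php: verify the hash, then start the session and bind the username to it.
function loginUser(PDO $pdo, string $uid, string $pw): bool
{
    $stmt = $pdo->prepare('SELECT uid, pw FROM user WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);     // bound value: quotes in $uid are data, not SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal whether the account exists.
    $hash = $row['pw'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pw, $hash)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh id after login, against session fixation
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $row['uid'];
    return true;
}

// index.php: read the session and build the greeting, HTML-escaped to avoid XSS.
function frontPageGreeting(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['loggedin']) && isset($_SESSION['username'])) {
        $name = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
        return "<p>Welcome, $name</p>";
    }
    return '<p>To start, please <a href="?page=login">login</a> or <a href="?page=register">register.</a></p>';
}

// logout.php: drop the server-side data and invalidate the id.
function logoutUser(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}

// Command-line walk-through with constructed input; output is collected first so
// nothing is printed before the session is started.
if (PHP_SAPI === 'cli') {
    $pdo = connectDb();
    $results = [];
    $results['register alice']      = registerUser($pdo, 'alice', 'correct horse', 'correct horse');
    $results['register duplicate']  = registerUser($pdo, 'alice', 'other', 'other');
    $results['mismatched passwords'] = registerUser($pdo, 'bob', 'one', 'two');
    $results['injection attempt']   = loginUser($pdo, "alice' OR '1'='1", 'anything');
    $results['wrong password']      = loginUser($pdo, 'alice', 'wrong');
    $results['correct login']       = loginUser($pdo, 'alice', 'correct horse');
    $greeting = frontPageGreeting();
    foreach ($results as $label => $ok) {
        echo str_pad($label, 22), $ok ? 'true' : 'false', "\n";
    }
    echo $greeting, "\n";
}
```

Run it with `php demo.php`. Only the last login succeeds; the injection attempt fails because the bound `:uid` is compared as a plain string, and the greeting is built from the session value after escaping, which is what index.php in the question needs once `session_start()` is called there.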