
I am new to PHP and am trying to create a member login. I am playing with this code block and was curious to see how I can get the username or uid from the current session so I can welcome the user by their username.

<?php
session_start();
include 'db.php';

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$sql = "SELECT * FROM users WHERE uid='$uid' AND pwd='$pwd'";
$result = mysqli_query($conn, $sql);

if (!$row == mysqli_fetch_assoc($result)) {
    echo "Your username or password is incorrect.";
} else {
    $_SESSION['id'] = !$row['$id'];
}

header("Location: index.php");

I tried this if statement to display the username, but it displayed no result at all. My thought was that if that statement displays the ID of the user, the same line would get the uid, but that is not working.

if (!$row == mysqli_fetch_assoc($result)) {
    echo "Your username or password is incorrect.";
} else {
    $_SESSION['id'] = !$row['$id'];
    $_SESSION['uid'] = !$row['$uid'];
}
Trenton Tyler

  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 17 '16 at 18:42
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Nov 17 '16 at 18:42
  • `!$row['$id'];` will make sure the session variable is not populated. Remove the `!` – Jay Blanchard Nov 17 '16 at 18:43
  • `$_SESSION['id'] = !$row['$id'];` You realize what that does. It translates to session id `does not equal to` said row. Edit: @JayBlanchard I didn't see yours while I was typing this out. GMTA ;-) – Funk Forty Niner Nov 17 '16 at 18:43
  • From @tadman: ***WARNING:*** Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. – Jay Blanchard Nov 17 '16 at 18:44
  • Why do people always have to drown in frameworks -_- Just google PHP sanitation and learn to secure your queries. You don't need to use a framework. Frameworks are for people who either don't know how to program on their own or are required to program by a system. – Nov 17 '16 at 18:47
  • Surprisingly, I agree with you @Hallur. My larger concern is that newbies will expose themselves unnecessarily, and that is echoed by tadman. Frameworks are in use by large corporations as well as by those who may be just learning the ropes. Personally I think most are too bloated, save for when it comes to handling user security. – Jay Blanchard Nov 17 '16 at 18:55
  • I totally agree with you @JayBlanchard. I have, since I began using SO, developed a form of bias against frameworks, mostly because I never used a framework and therefore cannot help the people who do use one. This splits the community into people who use and people who don't use a certain framework. You can't help someone who uses one if you don't use that framework yourself, since you basically don't understand what the question is. – Nov 17 '16 at 19:03

1 Answer

if (!$row == mysqli_fetch_assoc($result)) {

You are checking whether there is at least one result the wrong way; there is a built-in function mysqli_num_rows(). Your code should look like:

if (mysqli_num_rows($result) > 0) { // this line means there is at least one result
    // set your session here
    $row = mysqli_fetch_assoc($result);
    $_SESSION['id'] = $row['id'];
    $_SESSION['uid'] = $row['uid'];
} else {
    // print your error message here
}

On your main page you can say "Hello user" by using your session uid, with the code below:

///////////// index page code below ///////////////////////

// don't forget to start the session on the first line after the php tag

<?php
session_start();
echo 'Hello' . ' ' . $_SESSION['uid'];

Since you are new to PHP, you should understand what `!` is.

`!` is used to check whether the referenced statement is false, for example:

if (1 != 2) {
    echo 'not equal';
}

The above statement will print `not equal`.

Saeed Ansari
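The following is an added example, not code from the question or the answer: the same login flow rewritten with the answer's fix (a real row check, no `!`, real column names as keys) and the advice from the comments (a prepared statement and `password_verify()` instead of a plain-text comparison in SQL). It assumes PHP 7 or later, that `db.php` defines `$conn` as a mysqli connection, and that the `users` table has columns `id`, `uid` and `pwd`, with `pwd` holding a `password_hash($pwd, PASSWORD_DEFAULT)` value written at registration.

```php
<?php
// ---- login.php (added example; assumptions: $conn from db.php, users(id, uid, pwd)) ----
session_start();
include 'db.php';

$uid = $_POST['uid'] ?? '';
$pwd = $_POST['pwd'] ?? '';

// Look the user up by name only; the password is checked in PHP, not in SQL.
// The username travels as a bound parameter, so quotes inside it cannot
// change the shape of the query (this is what the prepared-statement comment asks for).
$stmt = mysqli_prepare($conn, 'SELECT id, uid, pwd FROM users WHERE uid = ? LIMIT 1');
if ($stmt === false) {
    exit('Database error.');
}
mysqli_stmt_bind_param($stmt, 's', $uid);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $dbId, $dbUid, $dbHash);
$found = mysqli_stmt_fetch($stmt) === true;   // true only when a row came back
mysqli_stmt_close($stmt);

// password_verify() compares the submitted password with the stored hash;
// the plain-text password is never stored and never compared inside SQL.
if ($found && password_verify($pwd, $dbHash)) {
    session_regenerate_id(true);      // fresh session id once the user is authenticated
    $_SESSION['id']  = $dbId;         // plain assignment: no "!", no '$id' string key
    $_SESSION['uid'] = $dbUid;
    header('Location: index.php');
    exit;                             // nothing below may run after the redirect
}

// Same message for "no such user" and "wrong password", so the response
// does not reveal which usernames exist.
echo 'Your username or password is incorrect.';

// ---- index.php (added example): session_start() first, as the answer says ----
session_start();
if (!isset($_SESSION['uid'])) {
    header('Location: login.php');
    exit;
}
// Escape the name before echoing it so a username containing HTML is shown as text.
echo 'Hello ' . htmlspecialchars($_SESSION['uid'], ENT_QUOTES, 'UTF-8');
```

The two files are shown in one listing for reading only; each `---- ... ----` comment marks where a separate file starts.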