
I am using PHP to process a form and generate reports for a MySQL database. I have three forms (pages): one where users create an account (register.php), a login page (index.php), a home page that opens when login is successful (home.php), and a logout page (logout.php) for when users are done with their activities.

The table for login is USERS-TABLE, which is the primary table for the entire system. Other tables are linked to USERS-TABLE using the account number and phone number.

Actually I did not write the scripts myself because I am entirely new to php so I copied it from online.

The index.php (login page) has a session for userid that is used to identify users and display their names on the homepage and all other pages I have. The USERS-TABLE only has 4 fields and its main purpose is registration and login.

THE PROBLEM: How do I create a session from other tables in addition to the session based on the USERS-TABLE that runs through every page?

THE CODE BELOW IS THE CODE FOR THE INDEX PAGE (LOGIN PAGE)

    <?php
    ob_start();
    session_start();
    require_once 'dbconnect.php';

    // it will never let you open index(login) page if session is set
    if (isset($_SESSION['user'])) {
        header("Location: home.php");
        exit;
    }

    $error = false;

    if (isset($_POST['btn-login'])) {

        // clean up user input (this is output sanitising; SQL escaping is done below)
        $acctnumber = trim($_POST['acctnumber']);
        $acctnumber = strip_tags($acctnumber);
        $acctnumber = htmlspecialchars($acctnumber);

        $phone = trim($_POST['phone']);
        $phone = strip_tags($phone);
        $phone = htmlspecialchars($phone);

        $acctname = trim($_POST['name']);
        $acctname = strip_tags($acctname);
        $acctname = htmlspecialchars($acctname);

        if (empty($phone)) {
            $error = true;
            $emailError = "Please Enter Your Phone Number.";
        }

        if (empty($acctnumber)) {
            $error = true;
            $passError = "Please enter your account number.";
        }

        // if there's no error, continue to login
        if (!$error) {

            // $password = hash('sha256', $pass); // unused: login is by account number + phone

            // escape the values before they are placed into the query string
            $acctnumber = mysql_real_escape_string($acctnumber);
            $phone = mysql_real_escape_string($phone);

            $res = mysql_query("SELECT userId, acctname, acctnumber, phone FROM userss WHERE acctnumber='$acctnumber' AND phone='$phone'");
            $row = mysql_fetch_array($res);
            $count = mysql_num_rows($res); // if acctnumber/phone are correct it must return exactly 1 row

            if ($count == 1 && $row['phone'] == $phone) {
                $_SESSION['user'] = $row['userId'];
                $_SESSION['acctnumber'] = $row['acctnumber'];

                header("Location: home.php");
                exit;
            } else {
                $errMSG = "Incorrect Credentials, Try again...";
            }

        }

    }
    ?>

HERE IS THE CODE FOR THE HOME PAGE AFTER USERS HAVE SUCCESSFULLY LOGGED IN.

    <?php
    ob_start();
    session_start();
    require_once 'dbconnect.php';

    // if session is not set this will redirect to login page
    if (!isset($_SESSION['user'])) {
        header("Location: index.php");
        exit;
    }

    // select loggedin users detail
    $res = mysql_query("SELECT * FROM userss WHERE userId=" . (int) $_SESSION['user']);
    $userRow = mysql_fetch_array($res);

    // keep the account number in the session for the other pages (must come after the fetch)
    $_SESSION['acctnumber'] = $userRow['acctnumber'];
    ?>

HERE IS THE QUERY THAT I NEED TO MAKE REFERENCE TO A SESSION IN ORDER TO AUTOMATICALLY IDENTIFY THE LOGGED IN USER.

    $result = mysql_query("SELECT mydate, preamount, currentdeposit, debit,
                           currentinterest, totalamount, status
                           FROM NormalAccount
                           WHERE acctnumber = '$actno' AND phone = '$pin'
                           ORDER BY mydate DESC LIMIT 5");

Sorry to bother you guys with lots of text, but I am a total novice in the PHP world.

Thanks guys.

  • Please let [mysql_](http://php.net/manual/en/function.mysql-query.php) die already (notice the big red warning?) – Mikey Jul 27 '17 at 16:25
  • Please do not SHOUT. – Jay Blanchard Jul 27 '17 at 16:27
  • @Mikey Always use the `_` when referencing the PHP `mysql_` functions. – chris85 Jul 27 '17 at 16:27
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 27 '17 at 16:27
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 27 '17 at 16:27
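The following is an added example, not code from the question or its comments: it rewrites the login and the NormalAccount report query with PDO prepared statements (as the comments recommend) and stores the identifiers the other pages key on in the session at login time. It assumes dbconnect.php creates a PDO connection in `$pdo`; table and column names are the ones given in the question.

```php
<?php
// Added example, not the asker's code: PDO prepared statements instead of mysql_*,
// and a login that puts userId, acctnumber and phone into the session so every
// other page can key its queries on them. Assumes dbconnect.php defines $pdo.
session_start();
require_once 'dbconnect.php'; // assumption: creates a PDO instance in $pdo
// Check account number + phone against userss; bound parameters keep the posted
// values out of the SQL text. Returns the matching row or null.
function loginUser(PDO $pdo, string $acctnumber, string $phone): ?array
{
    $stmt = $pdo->prepare('SELECT userId, acctname, acctnumber, phone
                           FROM userss WHERE acctnumber = :acct AND phone = :phone');
    $stmt->execute([':acct' => $acctnumber, ':phone' => $phone]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Store everything the other pages key on once, at login time.
function startUserSession(array $row): void
{
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['user']       = (int) $row['userId'];
    $_SESSION['acctnumber'] = $row['acctnumber'];
    $_SESSION['phone']      = $row['phone'];
}

// The NormalAccount report query, keyed on the session instead of $actno / $pin.
function recentNormalAccountRows(PDO $pdo, int $limit = 5): array
{
    if (!isset($_SESSION['acctnumber'], $_SESSION['phone'])) {
        header('Location: index.php'); // not logged in
        exit;
    }
    $stmt = $pdo->prepare('SELECT mydate, preamount, currentdeposit, debit,
                                  currentinterest, totalamount, status
                           FROM NormalAccount
                           WHERE acctnumber = :acct AND phone = :phone
                           ORDER BY mydate DESC LIMIT :lim');
    $stmt->bindValue(':acct', $_SESSION['acctnumber']);
    $stmt->bindValue(':phone', $_SESSION['phone']);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// index.php: on form post, log in and redirect to home.php, else show the error.
if (isset($_POST['btn-login'])) {
    $row = loginUser($pdo, trim($_POST['acctnumber'] ?? ''), trim($_POST['phone'] ?? ''));
    if ($row === null) { $errMSG = 'Incorrect Credentials, Try again...'; }
    else { startUserSession($row); header('Location: home.php'); exit; }
}
```

On home.php or any report page, `recentNormalAccountRows($pdo)` returns the five latest rows for the logged-in user without the page ever reading the account number or phone from the request.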

0 Answers