-2

I'm having issues passing session info or setting them. I have this code.

        // To protect MySQL injection for Security purpose
        $UserName = stripslashes($UserName);
        $Password = stripslashes($Password);
        $UserName = mysqli_real_escape_string($con, $UserName);
        $Password = mysqli_real_escape_string($con, $Password);
        // SQL query to fetch information of registered users and finds user match.
        $query = mysqli_query($con, "select * from Employee where password='$Password' AND username='$UserName'");
        $rows = mysqli_num_rows($query);
        if ($rows == 1) {
            $_SESSION['User']= $rows['FName'] $rows['LName']; // Initializing Session
            header("location: Dashboard.php"); // Redirecting To Other Page
        } else {
            header("location: index.php"); // Redirecting To Other Page
            $error = "Username or Password is invalid";
        }
        mysqli_close($con); // Closing Connection
    }
}
?>

Once the user has authenticated, I want the session of the user to be set as their first and last name. If I need to set it in 2 different session vars, I can.

The page that gets the info. Here is the relevant code. I can get it to echo the User where it says welcome (Name Here).

    <?php session_start();
    $User = $_SESSION['$User'];
    echo $User;
    ?>

    <table border="0" width="100%" cellspacing="0" cellpadding="0" height="45" bgcolor="#aabbcc">
        <tr>
            <td>
                <p align="Left"><font face="Monotype Corsiva" size="3">&nbsp;&nbsp;Welcome <?php echo $User; ?>&nbsp;</font>
    <?php
    //Gets the IP address
    $ip = getenv("REMOTE_ADDR");
    echo "Your IP is " . $ip;
    ?>
        </tr>
    </table>

Can someone give me a lead? I have checked some of the tutorials etc. New to sessions. Just not seeing the solution on tutorial sites.


New CODING!!!


    <?php
    session_start(); // Starting Session
    $error = ''; // Variable To Store Error Message
    if (isset($_POST['Submit'])) {
        if (empty($_POST['UserName']) || empty($_POST['Password'])) {
            $error = "Username or Password is invalid";
        } else {
            // Define $username and $password
            $UserName = $_POST['UserName'];
            $Password = $_POST['Password'];
            // Establishing Connection with Server by passing server_name, user_id and password as a parameter
            $con = mysqli_connect("localhost", "USER", "PASS", "DATABASE");
            if (mysqli_connect_errno()) {
                echo "Failed to connect to MySQL: " . mysqli_connect_error();
            }

            // To protect MySQL injection for Security purpose
            $UserName = stripslashes($UserName);
            $Password = stripslashes($Password);
            $UserName = mysqli_real_escape_string($con, $UserName);
            $Password = mysqli_real_escape_string($con, $Password);
            // SQL query to fetch information of registered users and finds user match.
            $query = mysqli_query($con, "select * from Employee where password='$Password' AND username='$UserName'");
            $rows = mysqli_num_rows($query);
            if ($rows == 1) {
                $_SESSION['User'] = array('FName' => $rows['FName'], 'LName' => $rows['LName']); // Initializing Session
                header("location: Dashboard.php"); // Redirecting To Other Page
            } else {
                header("location: index.php"); // Redirecting To Other Page
                $error = "Username or Password is invalid";
            }
            mysqli_close($con); // Closing Connection
        }
    }
    ?>

OK, it's passing to an include in my dashboard.php. Here is that code:

    <?php session_start();
    $User = $_SESSION['User'];
    error_reporting(E_ALL); ini_set('display_errors', 1);
    ?>

    <table border="0" width="100%" cellspacing="0" cellpadding="0" height="45" bgcolor="#aabbcc">
        <tr><td>
            <p align="Left"><font face="Monotype Corsiva" size="3">&nbsp;&nbsp;<?php echo "Welcome {$User['FName']} {$User['LName']}"?>&nbsp;</font>
    <?php
    //Gets the IP address
    $ip = getenv("REMOTE_ADDR");
    echo "Your IP is " . $ip;
    ?>
        </tr>
    </table>

And thank you all for the suggestions!!!

Ken Mckay
  • Is `session_start();` on the login script? If not, it needs to be. – Rasclatt Aug 13 '17 at 19:25
  • 1
    Also don't do this `"select * from Employee where password='$Password' AND username='$UserName'"`. You need to look up bind parameters – Rasclatt Aug 13 '17 at 19:26
  • Yes I left out the top part of that top code in question. Yes it is there with my data connect info – Ken Mckay Aug 13 '17 at 19:29
  • I will look into the Bind. Thank you for that suggestion. – Ken Mckay Aug 13 '17 at 19:30
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 13 '17 at 19:32
  • Thank you I will look into that as well. – Ken Mckay Aug 13 '17 at 19:34

3 Answers

1

You will need to amend this line as it should be causing a compile error like

    Parse error: syntax error, unexpected '$rows' (T_VARIABLE) in .....

    $_SESSION['User']= $rows['FName'] $rows['LName'];

Change it to

    $_SESSION['User'] = array( 'FName' => $rows['FName'], 'LName' => $rows['LName'] );

Now in the other script you can do

    <?php
    session_start();

    $User = $_SESSION['User'];

    echo "Hello {$User['FName']} {$User['LName']}";

Add error reporting to the top of your file(s) while testing right after your opening PHP tag for example `<?php error_reporting(E_ALL); ini_set('display_errors', 1);` to see if it yields anything.

RiggsFolly
0

You set the key for your session variable to 'User' but in the second script you use '$User'. So that's two different keys.

    $rowWithUserName = mysqli_fetch_assoc($query); // fetch first and only row from query, keyed by column name
    $_SESSION['User'] = $rowWithUserName['FName'] . " " . $rowWithUserName['LName']; // Initializing Session to key 'User'

    <?php session_start();
    // $User = $_SESSION['$User'];  why are you using '$User' as the key inside []. use 'User' instead.
    $User = $_SESSION['User'];
    echo $User;
    ?>

Swittmann
0

Found the solution!!

    // To protect MySQL injection for Security purpose
    $UserName = stripslashes($UserName);
    $Password = stripslashes($Password);
    $UserName = mysqli_real_escape_string($con, $UserName);
    $Password = mysqli_real_escape_string($con, $Password);
    // SQL query to fetch information of registered users and finds user match.
    $sql = "SELECT * FROM Employee where Password='$Password' AND UserName='$UserName'";
    $result = mysqli_query($con, $sql) or die(mysqli_error($con));
    $User = mysqli_fetch_array($result);
    $row = mysqli_num_rows($result);
    if ($row == 1) {
        $_SESSION["FName"] = $User['FName'];
        $_SESSION["LName"] = $User['LName'];
        $_SESSION["AccessLvl"] = $User['AccessLvl']; // Initializing Session header

        header("location: Dashboard.php");
    }

Ken Mckay
  • 11
  • 6
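
The login check from the last answer, rewritten with the bound parameters the comments on the question recommend. This is an added example, not code from the thread. It assumes the `Password` column holds `password_hash()` output instead of the plain-text password, and the helper name `authenticate()` is hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumption: Employee.Password stores password_hash() output.
// The helper name authenticate() is hypothetical.

// Returns the employee's session fields on success, or null on any failure.
// The user name travels as a bound parameter, so it is never parsed as SQL
// and needs no stripslashes() or mysqli_real_escape_string().
function authenticate(mysqli $con, string $userName, string $password): ?array
{
    $stmt = mysqli_prepare(
        $con,
        'SELECT FName, LName, AccessLvl, Password FROM Employee WHERE UserName = ?'
    );
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $userName);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    // Same outcome for "no such user" and "wrong password".
    if (!$row || !password_verify($password, $row['Password'])) {
        return null;
    }
    unset($row['Password']); // never copy the hash into the session
    return $row;
}

session_start();
if (isset($_POST['Submit'])) {
    // Reject non-string input such as UserName[]=x before it reaches the query.
    $name = is_string($_POST['UserName'] ?? null) ? $_POST['UserName'] : '';
    $pass = is_string($_POST['Password'] ?? null) ? $_POST['Password'] : '';
    $con = mysqli_connect('localhost', 'USER', 'PASS', 'DATABASE');
    $user = $con ? authenticate($con, $name, $pass) : null;
    if ($user !== null) {
        session_regenerate_id(true); // issue a new session ID at login
        $_SESSION['FName'] = $user['FName'];
        $_SESSION['LName'] = $user['LName'];
        $_SESSION['AccessLvl'] = $user['AccessLvl'];
        header('Location: Dashboard.php');
    } else {
        header('Location: index.php');
    }
    exit; // stop executing once the redirect header is sent
}
```

On Dashboard.php, pass the names through `htmlspecialchars()` when echoing them into the welcome line.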