-1

I am trying to make a sign-in on my website (index.php):

I made a form and sent the information to the validation-sign-in.php file to do the validation:

(I will add the encryption later on)

Here is the form:

```html
<div class="sign-in-up">

        <div id="sign-in-modal" class="modal">

          <form method="post" class="modal-content animate" action="php/validation-sign-in.php">
            <div class="imgcontainer">
              <span onclick="document.getElementById('sign-in-modal').style.display='none'" class="close" title="Close Modal">&times;</span>
              <img src="images/avatar.png" alt="Avatar" class="avatar" style="width:100px;height:100px">
            </div>

            <div class="container-sign-in-up">
              <label><b>Username</b></label>
              <input type="text" placeholder="Enter Username" name="UserName" required>

              <label><b>Password</b></label>
              <input type="password" placeholder="Enter Password" name="Password" required>

              <button type="submit">Sign In</button>
              <input
              type="button"
              id="sign-up-btn"
              onclick="document.getElementById('sign-up-modal').style.display='block';
              document.getElementById('sign-in-modal').style.display='none'"
              value="Sign Up">
              <input type="checkbox" checked="checked"> Remember me
            </div>

            <div class="container-sign-in-up" style="background-color:#f1f1f1">
              <button type="button" onclick="document.getElementById('sign-in-modal').style.display='none'" class="cancelbtn">Cancel</button>
              <span class="psw">Forgot <a href="#">password?</a></span>
            </div>
          </form>
        </div>
    </div>
```

And here is the validation-sign-in.php:

```php
<?php
if(empty($_POST)){
    header('location:../index.php');
}
$con=mysqli_connect("localhost","root","","typing_club");
$user = $_POST['UserName'];
$pass = $_POST['Password'];



    $query = "SELECT * FROM Users WHERE " . "UserName = '".$user."' AND Password='". $pass."'" ;
    echo "$query";
    $result = mysqli_query($con,$query);

    if (mysqli_num_rows($result) == 1) {
      echo "query successfull wrote to DB";
      header('location:../index.php?validation=true');
    } else {
      echo"unscccessful login";
      header('location:../index.php?validation=false');
    }
?>
```

Everything is working great.

But I need to get the username and the id of the signed-in user; this is to keep track of the user, to update his progress, and write his name on the web ....

  • 4
    Your script is at risk of a [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Aug 14 '17 at 11:04
  • 4
    **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Aug 14 '17 at 11:05
  • First fetch the data from the DB. Next, read more about *Cookies* or *Sessions* – Ofir Baruch Aug 14 '17 at 11:07

3 Answers

3

Stop!

I can't emphasize this more than John Conde did with regard to the security implications you are posing to your users and yourself by not following correct standards. Please fix your code before progressing further. Definitely read OWASP's section on PHP which can be found here.

Next...

You wrongly assume that if $_POST is populated, all the required fields will be populated; that assumption is incorrect and will cause your page to break due to undefined variable errors. Ensure that all the fields are set before progressing to access them.

What the...?

```php
echo "$query";
```

What are you even doing here!? That should be removed!

Wrote what to the DB?

```php
echo "query successfull wrote to DB";
```

You never wrote anything to the DB! You just ensured the credentials are correct.


Now, back to your question...

You are looking for the global variable $_SESSION or $_COOKIES.

An associative array containing session variables available to the current script. See the Session functions documentation for more information on how this is used.

page1

```php
<?php
// page1.php

session_start();

echo 'Welcome to page #1';

$_SESSION['favcolor'] = 'green';
$_SESSION['animal']   = 'cat';
$_SESSION['time']     = time();

// Works if session cookie was accepted
echo '<br /><a href="page2.php">page 2</a>';

// Or maybe pass along the session id, if needed
echo '<br /><a href="page2.php?' . SID . '">page 2</a>';
?>
```

page2

```php
<?php
// page2.php

session_start();

echo 'Welcome to page #2<br />';

echo $_SESSION['favcolor']; // green
echo $_SESSION['animal'];   // cat
echo date('Y m d H:i:s', $_SESSION['time']);

// You may want to use SID here, like we did in page1.php
echo '<br /><a href="page1.php">page 1</a>';
?>
```
Script47
0

After validating user credentials, you can store his details "username", "id" in the sessions. Then you can echo these details in your HTML.

0

To keep track of your user you can use $_SESSIONS. But keep in mind sessions are kept in browser memory; when the user closes the browser, the session will get destroyed and he or she has to log in again.

To convert your code to set the session, do it like this.

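```php
<?php
// Start (or resume) the session; without this $_SESSION is not saved between requests
session_start();

if(empty($_POST)){
    header('location:../index.php');
    exit; // stop here, otherwise the script keeps running after the redirect
}
$con=mysqli_connect("localhost","root","","typing_club");
$user = $_POST['UserName'];
$pass = $_POST['Password'];

    // Still built by concatenation, so still open to SQL injection (see the note below)
    $query = "SELECT * FROM Users WHERE " . "UserName = '".$user."' AND Password='". $pass."'" ;
    // Debug echo of the query removed: output before header() can block the redirect
    $result = mysqli_query($con,$query);

    if ($row = $result->fetch_assoc()) {
      // Keep the id and user name of the signed-in user for later pages
      $_SESSION["id"] = $row["id"];
      $_SESSION["UserName"] = $row["UserName"];
      header('location:../index.php?validation=true');
    } else {
      header('location:../index.php?validation=false');
    }
    exit;
?>
```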

And please drop using variables inside your SQL; start using prepared statements.

S4NDM4N
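A version of validation-sign-in.php that combines the points raised in the comments and answers above: field checks before use, a prepared statement, `password_verify()`, and the id and user name kept in the session. This is an added example, not code from any poster in the thread; it assumes the `Password` column holds `password_hash()` output and that `Users` has an `id` column as in the last answer, and the `redirect()` helper is hypothetical.

```php
<?php
// Added example: hardened sign-in handler for the form in the question.
session_start();

// Hypothetical helper: redirect to index.php and stop; nothing is echoed before header().
function redirect(string $validation): void
{
    header('Location: ../index.php?validation=' . $validation);
    exit;
}

// Both fields must be present as non-empty strings (not arrays) before they are used.
$user = $_POST['UserName'] ?? '';
$pass = $_POST['Password'] ?? '';
if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
    redirect('false');
}

// Connection values as in the question; database errors raise exceptions
// instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect('localhost', 'root', '', 'typing_club');

// The user name is bound as a parameter and never concatenated into the SQL text.
$stmt = $con->prepare('SELECT id, UserName, Password FROM Users WHERE UserName = ?');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($id, $name, $hash);
$found = $stmt->fetch();   // true when a row was read, null when there is none
$stmt->close();

// Assumption: Password holds a password_hash() value. The comparison is done in PHP,
// so the submitted password is never part of the query.
if ($found !== true || !password_verify($pass, $hash)) {
    redirect('false');
}

// Issue a fresh session id at sign-in, then store only what later pages need.
session_regenerate_id(true);
$_SESSION['id'] = $id;
$_SESSION['UserName'] = $name;
redirect('true');
```

index.php can then call `session_start()` and print the name with `htmlspecialchars($_SESSION['UserName'])`, so a user name containing markup is shown as text.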