-2

I'm using a login feature with sessions and SQL. In my SQL there is a column called first name. I'm trying to find out how I can show Hello $firstname after the login, which is not working, instead of Hello $username, which is working and shows the username. Thanks for your help.

<?php 
session_start();
require('connect.php');
if (isset($_POST['username']) and isset($_POST['password']) and isset($_POST['firstname'])){

    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
    $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
    $count = mysqli_num_rows($result);

    if ($count == 1){
        $_SESSION['username'] = $username;
    }
    else{
        $fmsg = "Invalid Login Credentials.";
    }
}

if (isset($_SESSION['username'])){
    $username = $_SESSION['username'];
    echo "Hello " . $username . "
    ";
    echo "This is the Members Area
    ";
    echo "<a href='logout.php'>Logout</a>";

}else
    header('location: login.php');
?>
SamHecquet
Elioz
  • 1
    Well, where is your _attempt_ to use firstname? – Patrick Q Nov 30 '17 at 17:15
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 30 '17 at 17:15
  • 2
    **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Nov 30 '17 at 17:15
  • you never stored firstname in $_SESSION var. – imox Nov 30 '17 at 17:15
  • chill guys, I'm still a rookie, that's why I'm here, to improve myself :) I will check everything you guys said – Elioz Nov 30 '17 at 17:26
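
What the comments above recommend, as an added example that is not from the thread: a prepared statement, `password_verify()`, and the first name read from the matched database row instead of from the form. The `password_hash` column, the sample rows and the in-memory SQLite database (standing in for `connect.php`) are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed and
// live in an in-memory SQLite database (needs pdo_sqlite) so this runs alone;
// with MySQL only the PDO DSN changes. Column `password_hash` is an assumption.

function authenticate(PDO $db, string $username, string $password): ?string
{
    // Bound parameter: user input is sent as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT firstname, password_hash FROM `user` WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; same result for unknown user and bad password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['firstname'];   // from the matched row, not from $_POST
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `user` (username TEXT PRIMARY KEY, firstname TEXT, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO `user` VALUES (?, ?, ?)');
$insert->execute(['elioz', 'Eli <Oz>', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", 'Pat', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

// In the login page these pairs would be $_POST['username'] and $_POST['password'].
$attempts = [
    ['elioz', 'correct horse'],   // valid
    ['elioz', 'wrong'],           // wrong password
    ["o'brien", 's3cret-demo'],   // quote in the name is plain data to a bound parameter
    ['nobody', 'x'],              // unknown user
];

foreach ($attempts as [$username, $password]) {
    $firstname = authenticate($db, $username, $password);
    if ($firstname === null) {
        echo "Invalid Login Credentials." . PHP_EOL;
        continue;
    }
    // On the web page: session_regenerate_id(true); $_SESSION['firstname'] = $firstname;
    // Escape on output so characters such as < in a stored name render as text.
    echo 'Hello ' . htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
```

With the concatenated query from the question, the `o'brien` username would end the string literal early and `mysqli_query()` would fail with a syntax error.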

3 Answers

0

Your question is hard to answer because it has too many problems that will cost you. The code is poorly written, vulnerable and more.

Please accept my advice and follow a simple tutorial on how to create a better login system.

Link: https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php

Update because the OP really wants an answer to his question:

First of all check if you are actually posting "firstname":

echo "<pre>";
var_dump($_POST);

If you are, then you need to store the "firstname":

$firstname = $_POST['firstname'];

Inside your result of the query:

if ($count == 1){
$_SESSION['firstname'] = $firstname;
}

Then you can do:

echo "Hello " . $firstname;

NOTE: I only give you a solution because you really wanted it. Your code is very vulnerable and poorly written. Also, you edited the question while I was answering... :)

Mecanik
  • Your advice accepted, will do, but after this my question stays the same :) to show first name and not username :) so how do I continue from there? – Elioz Nov 30 '17 at 17:23
  • Well, I guess, in order to become better, you need to fall a million times no? – Elioz Nov 30 '17 at 17:32
  • Thanks for the answer first of all, well I'm a network engineer and I'm trying to learn to code, in this profession I can tell you for sure, only after you locked out a router, you learn :) – Elioz Nov 30 '17 at 17:36
  • @Elioz LOL this is not a router, this is code. And nowadays with endless tutorials to read from... you do not need to "fall" in order to learn :) – Mecanik Nov 30 '17 at 17:37
  • lol, well so I didn't use the correct word, so at least, agree with me that you need to get a lot of errors till you run your code successfully? – Elioz Nov 30 '17 at 17:41
  • @Elioz Disagree, yes you learn from mistakes but that does not mean you intentionally need to make those mistakes. And you should accept my advice + answer posted :) – Mecanik Nov 30 '17 at 17:42
0
<?php 
session_start();
require('connect.php');
if (isset($_POST['username']) and isset($_POST['password']) and isset($_POST['firstname']))
{
  $query = "SELECT * FROM `user` WHERE username='".trim($_POST['username'])."' and password='".trim($_POST['password'])."'";
  $result = mysqli_query($connection, $query) or die(mysqli_error($connection));
  $count = mysqli_num_rows($result);
  if ($count == 1)
  {
    // store the data which is necessary
    $_SESSION['username'] = trim($_POST['username']);
    $_SESSION['firstname'] = trim($_POST['firstname']);
  }
  else
  {
    $fmsg = "Invalid Login Credentials.";
  }
}
if(isset($_SESSION['username']))
{
  echo "Hello " . $_SESSION['firstname']." . You are just logged in.<br>";
  echo "This is the Members Area";
  echo "<a href='logout.php'>Logout</a>";
}
else
  header('location: login.php');
?>

Note: use some password encryption to encrypt and decrypt the password to maintain user privacy (e.g. md5)

Nilesh Lathe
  • Thanks first of all, that's the error I get: Notice: Undefined index: firstname in index2.php on line 22, and I'm still practicing on this, I'm sure md5 and encryption in general will come after. – Elioz Nov 30 '17 at 17:29
  • Learn from mistakes. Do not repeat them. Never hesitate to ask anything because no one is perfect. Always try to improve your coding standards. – Nilesh Lathe Nov 30 '17 at 17:34
0
<?php 
session_start();
 require('connect.php');
if (isset($_POST['username']) and isset($_POST['password']) and isset($_POST['firstname'])){

$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['firstname']; // you need to assign it to first name here

$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);

if ($count == 1){
$_SESSION['username'] = $username;
$_SESSION['firstname'] = $firstname; // you can store first name in session if you want here
}
else{

$fmsg = "Invalid Login Credentials.";
}
}

if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
$firstname = $_SESSION['firstname']; // you of course can assign $firstname again here
echo "Hello " . $username ; // you don't need the appending ." ";
echo "Hello " . $firstname ; // can echo $firstname successfully here
echo "This is the Members Area
";
echo "<a href='logout.php'>Logout</a>";

}else
header('location: login.php');
?>

Now, you can take advice from other answers and comments and see the vulnerability in your code.

imox