
I will try to keep this post as simple as possible while including as much information as I can to assist you in helping me. Just as a forewarning, I am extremely new to PHP/MySQLi and over the course of the last week put together an internal data site for our company to make our jobs easier.

I have completed the user login process and it seems to be working quite well. If the user is not logged in, they cannot see the PHP pages of the site and are redirected accordingly. Now that I have this part working, I am trying to incorporate a site identifier that shows their first and last name as well as a photo of them. The placeholders are already set up but I have not been very successful in getting this to work. I did, however, add a "Welcome [email]" message in the meantime by pulling the session data.

I will list the code that I am currently using below:

LOGIN PAGE:

<?php
require('../inc/db.inc.php');
session_start();
// If the form was submitted, look the user up in the database.
if (isset($_POST['user_email'])){

    $email = stripslashes($_REQUEST['user_email']); // removes backslashes
    $email = mysqli_real_escape_string($con,$email); // escapes special characters in a string
    $password = stripslashes($_REQUEST['user_pwd']);
    $password = mysqli_real_escape_string($con,$password);

    // Check whether the user exists in the database or not
    $query = "SELECT * FROM `users` WHERE user_email='$email' and user_pwd='".md5($password)."'";
    $result = mysqli_query($con,$query) or die(mysqli_error($con)); // mysqli_error(), not mysql_error(): the two APIs must not be mixed
    $rows = mysqli_num_rows($result);
    if($rows==1){
        $_SESSION['user_email'] = $email;
        header("Location: ../index.php"); // Redirect user to index.php
    }else{
        echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
    }
}else{
?>

DB PAGE:

<?php

$con = mysqli_connect("localhost","root","","dbadmin");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

SECURITY ON EACH PAGE:

<?php
include("pages/auth.php"); //include auth.php file on all secure pages
?>

AUTH PAGE:

<?php
session_start();
if(!isset($_SESSION["user_email"])){
    header("Location: login.php");
    exit();
}
?>

CODE USED TO DISPLAY EMAIL: (only code I was able to get working)

<p>Welcome <?php echo $_SESSION['user_email']; ?></p>

I hope that one of you Guru types sees this and knows exactly how to get what I am looking for, or at least points me in the right direction. I have been searching the internet for what seems like days, reading all of the tutorials that I can find, but I have not been able to successfully make anything work. I have found the following code, but each time I try to add it to my code, it breaks the site.

$row = mysql_fetch_array($result);

Please assist if you are able. Thanks in advance.

Ashlou
  • You are mixing MySQL APIs. Use `mysqli_fetch_array` instead. – Obsidian Age May 29 '18 at 03:33
  • Also, please be aware that your code is **vulnerable** to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) to prevent this. Also ensure that your database user only has the [**required privileges**](https://en.wikipedia.org/wiki/Principle_of_least_privilege). And do **NOT** use `md5()` for password encryption. You can refer to [**this post**](http://stackoverflow.com/questions/60174) for further information on how to prevent SQL injection in PHP :) – Obsidian Age May 29 '18 at 03:33
  • Possible duplicate of [Can I mix MySQL APIs in PHP?](https://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php) – Obsidian Age May 29 '18 at 03:34
  • As you have written, you are storing the email in the session after logging in. You have to pull their first name, last name and image path (or the image itself, if it is in the db) from the db, then store it in the session and show it in the header of each page – Penguine May 29 '18 at 03:53
  • @Obsidian Age. Thanks for the reply. As you can see from my original post, I have tried that but failed. Just when I thought md5 was safe. Figures. I will do more research from the links that you have provided. Thanks again. – Bigsease30 May 29 '18 at 23:03

2 Answers


Go to your login page, where you check if the row count equals 1, and change this

$_SESSION['user_email'] = $email;

To this

$_SESSION['user'] = $result->fetch_assoc();

Then do this

<p>Welcome <?php echo  $_SESSION['user']['firstname']; ?></p>
samezedi
  • Thanks for the assist Sam Ezedi. Your provided solution solved the dilemma that I was having. I also had to update the code in the "AUTH" file as well to: `if(!isset($_SESSION["user"])){`. From this, now I am able to pull first, last and image file from the DB without issues. Thanks again for your assistance. – Bigsease30 May 29 '18 at 22:58
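The accepted approach above stores the whole fetched row in `$_SESSION['user']`, which means the password hash ends up in session storage too, and the login query in the question still interpolates user input and compares `md5()` hashes, as the comments point out. The following is an added example, not the poster's or the answerer's code, that puts the pieces together the way the comments recommend: a prepared statement with a bound parameter, `password_verify()` against a `password_hash()` value, a session that holds only the fields the header needs, and output escaping when those fields are printed. It assumes `../inc/db.inc.php` still defines `$con` as a `mysqli` connection and that the `users` table has columns `user_id`, `user_email`, `user_pwd`, `first_name`, `last_name` and `photo_path`; apart from `user_email` and `user_pwd`, those column names are assumptions, as is the `user_pwd` column now holding `password_hash()` output rather than an md5 digest.

```php
<?php
// ---- login.php (added example) ----
// Assumes ../inc/db.inc.php defines $con (mysqli) and that users.user_pwd
// holds a password_hash() value. Column names other than user_email/user_pwd
// are assumptions for this example.
require('../inc/db.inc.php');
session_start();

if (isset($_POST['user_email'], $_POST['user_pwd'])) {
    $email    = $_POST['user_email'];
    $password = $_POST['user_pwd'];

    // The e-mail travels as a bound parameter, never as part of the SQL text,
    // so quotes or comment markers in the input cannot alter the query.
    // No stripslashes()/mysqli_real_escape_string() is needed for bound values.
    $stmt = $con->prepare(
        'SELECT user_id, user_pwd, first_name, last_name, photo_path
           FROM users WHERE user_email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver (PHP default)
    $stmt->close();

    // password_verify() handles the salt and algorithm stored inside the hash.
    // Verifying against a throwaway hash when the e-mail is unknown keeps the
    // response time similar for unknown and known accounts.
    $hash = $user ? $user['user_pwd'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($user && password_verify($password, $hash)) {
        session_regenerate_id(true);         // fresh session id once the user is authenticated
        $_SESSION['user'] = [                // keep only what the pages display; never the hash
            'id'         => $user['user_id'],
            'first_name' => $user['first_name'],
            'last_name'  => $user['last_name'],
            'photo_path' => $user['photo_path'],
        ];
        header('Location: ../index.php');
        exit();
    }
    // One generic message for both "unknown e-mail" and "wrong password".
    echo "<div class='form'><h3>Username/password is incorrect.</h3>"
       . "<br/>Click here to <a href='login.php'>Login</a></div>";
}
?>

<?php
// ---- pages/auth.php (added example): include at the top of every protected page ----
session_start();
if (empty($_SESSION['user']['id'])) {
    header('Location: login.php');
    exit();
}
?>

<?php
// ---- header fragment on each protected page (added example) ----
// htmlspecialchars() escapes the stored values before they are written into HTML,
// so a name or path containing < or " cannot inject markup into the page.
$u = $_SESSION['user'];
$e = static function (string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
};
?>
<p>Welcome <?= $e($u['first_name'] . ' ' . $u['last_name']) ?></p>
<img src="<?= $e($u['photo_path']) ?>" alt="Profile photo">
```

New accounts should be created with `$hash = password_hash($password, PASSWORD_DEFAULT);` stored in `user_pwd`; existing rows that hold an md5 digest cannot be converted in place, since the original passwords are not recoverable from the digest, so those users need to set a new password once. The connection in the question's `db.inc.php` also runs as `root` with an empty password; a dedicated database account limited to `SELECT` (and whatever writes the site actually performs) on the `dbadmin` schema is the least-privilege setup Obsidian Age's comment refers to.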

Not a direct answer to your question, but if you are new to PHP, I would advise you to use one of the popular PHP frameworks that already provides what you are looking for, and more, in a secure way, with secure libraries.

For example, Laravel or Symfony.

Those are very well documented, and you will learn much more by checking their documentation and tutorials than by trying to reinvent the wheel here.

JulienV
  • Thanks Julien for the reply. I had heard of Laravel but thought that it was something like WordPress. I will look into this a little further. Thanks again. – Bigsease30 May 29 '18 at 23:00