-2

I tried to create a login form from an example. I made it works but I don't understand.

Why $_SESSION['umsco'] is required and why should I assign the $username variable to it. I also do not understand if conn->close() required and what is the $result variable.

// I include the database file so we can get the information from there and apply it in here as well.
include "dbc.php";

// here we select the variables we want from the table 'members'.
$sql = "SELECT id, firstName, lastName FROM members";

// here we do something that I dont really know but this is standard procedure.
$result = mysqli_query($conn, $sql);

// declaring username
$username = $_POST["username"];
$password = $_POST["password"];


// my result thing, again, standard procedure.
$result = $conn->query($sql);

// we insert all values in row, standard procedure.
$row = $result->fetch_assoc();

// here we check if the username is the same as the database.
if ($username == $row["firstName"]) {
    // if it's correct then we start a session
    session_start();
    // we give a session some random letters or numbers and set it to $username, not exactly sure why, but it wont work without it.
    $_SESSION['umsco'] = $username; 
    // we change the location to secrect.php
    header("location: secret.php");
}

// we close the connection, not sure if this is needed, but it seems logical.
$conn->close();
Dot.
  • 188
  • 1
  • 11
Testin Jast
  • 39
  • 6
  • 1
    https://www.tutorialspoint.com/php/php_sessions.htm. the point of using the session here is to record the fact that the user is logged in successfully. That way when they try to go to another page which is private, you don't have to ask them their username and password again, you just check in their session to see if they logged in already – ADyson Apr 04 '19 at 22:32
  • `$result = mysqli_query($conn, $sql);` and `$result = $conn->query($sql);` are two ways of doing the same thing - they both execute your SQL query (i.e. they send the SQL text to the database, which runs it, and gives back the result. $result then contains the result of the query. But you don't need both these lines, otherwise you just pointlessly run the same query twice. one version is sufficient. https://www.php.net/manual/en/mysqli.query.php – ADyson Apr 04 '19 at 22:35
  • `$row = $result->fetch_assoc();` then fetches the first row from the query results and puts it into the $row variable so you can use the data from that row in your program. In cases where you expect the query to return many rows then you would enclose this line in a loop which causes it to fetch each row until there are no more rows left to process. https://www.php.net/manual/en/class.mysqli-result.php and https://www.php.net/manual/en/mysqli-result.fetch-assoc.php. All the links I'm giving have usage examples which you can study – ADyson Apr 04 '19 at 22:43
  • Another logical issue in your code above is that your SQL just returns all the members. You haven't attempted to match it to the username and password being entered. You need a WHERE clause to tell it to only return the row where the username matches the value entered by the user, and the password matches the value entered by the user. Then, if you get one row back, you know the user is valid. If you get no rows back, the user is not valid. – ADyson Apr 05 '19 at 05:17

4 Answers4

2

I advise you to always implement session_start()at the beginning of your code to avoid bad behavior.

What is a session

To understand, you must understand what a PHP session is.

A session is a way to keep variables on all pages of your site for a current user.

How it work

First you must ask PHP to initialize the session. For doing this, you must add session_start() at the beginning of your code.

When the server responds to the client, it append a cookie called PHPSESSID who contains the unique session identifier of the user.

At every request, the browser sends this cookie to the server so that php can recover the session from the hard disk of the server.

The most commun way to register a session variable is $_SESSION['key'] = $value;.

Final answer

To end, the line $_SESSION['umsco'] = $username; store the username of the user in his session until.

In secret.php you probably check whether this value is assigned or if the session exists to check if the user is logged in. That's why it's mandatory, otherwise a login form would have no meaning.

Another ressource : Is closing the mysql connection important?

Dot.
  • 188
  • 1
  • 11
0

The result thing is that next time you call

session_start();
$loggedUserName = $_SESSION['umsco'];

you will have that user (username) available for you wherever you need it.

Just read basics of SESSION and you should be able to understand that.

El El
  • 27
  • 5
0

Firstly, you need to query members where username and password match $_POST data.

Secondly, whatever is stored in $_SESSION variable will be available between requests. Typically, you want to "remember" user ID or similar so you do not need to submit username/password and repeat the member lookup with every request.

See more elaborate description here: https://www.johnmorrisonline.com/build-php-login-form-using-sessions/

Eriks Klotins
  • 4,042
  • 1
  • 12
  • 26
0

What others have said about the $_SESSION variable is correct. If using session_start(); those values can be persisted across multiple requests from the users browser. The $_SESSION value will be particular to the user visiting your site.

Regarding the $result object, $result->fetch_assoc(); will only fetch one row from your table. So your current code would only work if the username matches the 1st row of your members table. It'd be best to query only rows where the username matches what they've entered. Note there's a big security risk if you just concatenate strings together for the query, so you should use prepared statements (https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection)

khartnett
  • 831
  • 4
  • 14