[Btu]

Hey guys,

This shouldn't be too hard. I have a login page, when the user click submit it checks the login success:

<?php
ob_start();
$host="db";
$username="username";
$password="password";
$db_name="mydb";
$tbl_name="table";

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);

if($count==1){
session_register("myusername");
session_register("mypassword");
header("location:main.php");
echo "<h2>Welcome " . $sql['id'] . "</h2>";   // I want to use the contents of this var in main.php 
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

Upon login success it redirects to main.php

In main.php I want to read $sql['id'].

How do I go about doing this?

[Duckington]

Either send it in the URL querystring:

header('location:main.php?id='.$sql['id']);

And then access it via the GET or REQUEST arrays on main.php:

$id = $_GET['id'];

Or set it in a session variable:

But I feel I shold point out that your $sql variable is a string with the value: "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'". It's not an array, so $sql['id'] won't return anything.

I assume what you are trying to do is return the `id` field from the table you are querying?

In which case do something like:

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
$user = mysql_fetch_assoc($result);
$userid = $user['id']; // This would be the id you are after

[Btu]

Thank you for the response. That is what I was looking for.
One last question: main.php only contains:

<?
session_start();
if(!session_is_registered(myusername)){
header("location:http://www.mysite.com/");
}
?>

The rest is css/javascript and html. Is there a way to use js/jquery to get that variable? Maybe with $.get?
or do I put it in after the header location?

All I want to do is say "Welcome: (user)"

[Duckington]

Well assuming you are passing a userid in the URL, like: main.php?id=1

You could just do something like:

// Session bit here
$userid = mysql_real_escape_string($_GET['id']);
$query = mysql_query("SELECT username FROM users WHERE id = '$userid' LIMIT 1");
$user = mysql_fetch_assoc($query);
echo "Welcome " . $user['username'];

But honestly if you were going to go down that route, there would be no point passing it in the URL, you should just use a session. To be honest, I'm not sure why you'd want to go to the trouble of creating a php session, only to then rely on passing the id through the URL, as anyone could type any old userid into the URL, it doesn't mean anything.


You could use javascript to get the variable from the URL, but you wouldn't be able to do anything with it other than print it out really. If you wanted to go and get the relevant username for that userid, you'd still have to use PHP.

Though if you passed the username in the URL: main.php?username=test

You could easily print that out, but that would have nothing to do with any valid PHP session, it would literally just be printing out whatever the user puts into the URL like that.


Also, I should probably mention that using session_is_registered, session_register, etc... are depreciated functions, so you shouldn't rely on them. Another way to do that would be:

Assign a session variable:

session_start();
// Stuff here
$_SESSION['myusername'] = $somevalue;

Check if session variable is set:

session_start();
if(!isset($_SESSION['myusername'])){
header('location:buggeroff.php');
exit;
}

This post has been edited by Duckington: 09 December 2011 - 02:29 PM

[BetaWar]

I am just going to go ahead and bring up some security issues with passing user's ids around in the URL and then using them.

First, people can easily change that. "Oh, I am user 5133476, I wonder what user 1 can do that I can't..."

Instead of passing the user id around in the URL a more secure (though still inadequate) way of passing the user id around your pages is to use a session variable or cookie:

// to open a session, or retrieve a previously started one
session_start();

// set session variables
$_SESSION['id'] = $sql['id'];

// save a session
session_write_close();

Cookies:

// set cookie value
setcookie("TestCookie", $value);

// get cookie value
$_COOKIE['TestCookie'];

However, these can be modified by users if they care to do so.

Therefore, the approach that I personally use is to store a special hash in a session/ cookie variable that corresponds to a row in a database table that holds the user id associated with that login.

For instance:
users table:

+----------+----+-----+
|Username  |id  |...  |
+----------+----+-----+

sessions table:

+-----------+------------+--------------------------------------+
|session_id | user_id    | session_hash                         |
+-----------+------------+--------------------------------------+

Then, when a user views a page they have a session hash stored in a cookie or their session variables. That session hash is used to look up the user_id from the sessions table, and then you have the user id.

Hope that makes sense.

[CTphpnwb]

Btu, on 09 December 2011 - 04:14 PM, said:

<?
session_start();
if(!session_is_registered(myusername)){
header("location:http://www.mysite.com/");
}
?>

The rest is css/javascript and html. Is there a way to use js/jquery to get that variable? Maybe with $.get?

Look at what's happening here.

• Browser connects to your site. (HTTP traffic)
  
• Your script is started.
  
• Your script determines that no session has previously been set under an undefined username (problem 1)
  
• Your script sends a message to the browser to redirect it back to your site (More HTTP traffic — problem 2)
  
• Browser connects to your site (More HTTP traffic — problem 2 again)
  
• Go to step 2. (Infinite loop — problem 3)

Problem 2 and 3 could be avoided with an include instead of a redirect.

[Btu]

Thanks for pointing that out.
I'm quite new to PHP so I have to learn all this the hard way.