Hello everyone,

I am building a small job application website, and I'm using the basis of a login system taken from a Nettuts.com tutorial. The logging in works fine, but I am having trouble getting the details for the currently logged-in user. For example, if a user enters their personal details, I can process the data into the database but it's not linked to which user!

I ideally want the id put into a variable called $userID.

I need a way to identify the user currently logged in, so I can update my insert statements to something like 'UPDATE cv where userID = $userID'.

class Mysql {
    private $conn;

    function __construct() {
        $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or
            die('There was a problem connecting to the database.');
    }

    // Returns true when a row matches the username and (md5) password, false otherwise.
    function verify_Username_and_Pass($un, $pwd) {

        $query = "SELECT *
            FROM users
            WHERE username = ? AND password = ?
            LIMIT 1";

        if($stmt = $this->conn->prepare($query)) {
            $stmt->bind_param('ss', $un, $pwd);
            $stmt->execute();

            if($stmt->fetch()) {
                $stmt->close();
                return true;
            }
            $stmt->close();
        }
        return false; // no matching row, or prepare() failed
    }

}

class Membership {

    function validate_user($un, $pwd) {
        $mysql = new Mysql();
        $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));

        // if above = true
        if($ensure_credentials) {
            $_SESSION['status'] = 'authorized';
            $_SESSION['username'] = $un;
            $_SESSION['password'] = $pwd;
            header("location: ../myIWC.php");
        } else return "Please enter a correct username and password";

    }

    function log_User_Out() {
        if(isset($_SESSION['status'])) {
            unset($_SESSION['status']);
            unset($_SESSION['username']);
            unset($_SESSION['password']);
            if(isset($_COOKIE[session_name()]))
                setcookie(session_name(), '', time() - 1000);
            session_destroy();
        }
    }

    function confirm_Member() {
        session_start();
        if($_SESSION['status'] !='authorized') header("location: ../login.php");
    }

    // Attempt at looking up the id of the logged-in user. Wrapped in a method so the
    // class parses (the original lines sat loose in the class body), and fetch() added
    // so that $currentID is actually populated.
    function get_Current_ID() {
        $currentUN = $_SESSION['username'];
        $currentPWD = md5($_SESSION['password']); // the users table holds md5 hashes, so hash before comparing

        $mysql = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or die('There was a problem connecting to the database');
        $stmt = $mysql->prepare('SELECT id FROM users WHERE username = ? AND password = ? LIMIT 1');
        $stmt->bind_param('ss', $currentUN, $currentPWD);
        $stmt->execute();
        $stmt->bind_result($currentID);
        $stmt->fetch(); // bind_result() alone does not fill $currentID; fetch() does
        $stmt->close();
        return $currentID;
    }
}
A: 

Think of rewriting your verify_Username_and_Pass function so it returns an array of user data, or writing a new function that gets it. Then in your validate_user function, save this data to the session:

$_SESSION['user_data'] = $user_data; // got from database
Deniss Kozlovs
Thanks for the reply mate, I'm a bit of an OOP noob at the moment, how would I accomplish this?
Aaron Bentley
A: 

Well, I would say the code given in the tutorial isn't a very good example. The database class should be just that and only handle database functions; it shouldn't really have user functions in there (verify_Username_and_Pass). Also, from a security point of view, I would strongly recommend against storing unencrypted passwords in the session.

I appreciate, however, that the code snippets you've provided are probably part of a wider implementation and as such you won't be able to play around with it too much. As such, the code below will work in your context.

class Mysql {
    private $conn;

    function __construct() {
        $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or
            die('There was a problem connecting to the database.');
    }

    // Returns the user's id on a match, false otherwise.
    function verify_Username_and_Pass($un, $pwd) {

        $query = "SELECT id
                FROM users
                WHERE username = ? AND password = ?
                LIMIT 1";

        if($stmt = $this->conn->prepare($query)) {
            $stmt->bind_param('ss', $un, $pwd);
            $stmt->execute();
            $stmt->bind_result($id);

            if($stmt->fetch()) {
                $stmt->close();
                return $id;

            } else {
                $stmt->close();
                return false;
            }
        }
        return false; // prepare() failed
    }
}

Then in your user class:

function validate_user($un, $pwd) {
    $mysql = new Mysql();
    $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));

    // compare against false explicitly: the function now returns an id, not a boolean
    if($ensure_credentials !== false) {
        $_SESSION['id'] = $ensure_credentials;
        $_SESSION['status'] = 'authorized';
        $_SESSION['username'] = $un;
        $_SESSION['password'] = $pwd;
        header("location: ../myIWC.php");
    } else return "Please enter a correct username and password";
}
RMcLeod
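Pulling both answers together, the following is an added, stand-alone example (not code from this thread or from the Nettuts tutorial) of the pattern RMcLeod describes: resolve the user's id once at login, keep only that id and the authorized flag in the session (never the password), and use that id in the later UPDATE. Assumptions: it uses PDO with an in-memory SQLite database in place of the question's mysqli connection so that it runs without a database server (the prepared statements carry over to mysqli unchanged); it stores passwords with password_hash()/password_verify() instead of the tutorial's md5(), which is a substitution made here, not something the thread discusses; and the function names (open_db, verify_user, login, current_user_id, update_cv), the column names and the sample rows are made up for the example.

```php
<?php
// Added example, not from the thread. Shows: id looked up once at login, only the
// id kept in the session, and the UPDATE scoped to that id with a bound parameter.
// Assumptions: PDO + in-memory SQLite instead of mysqli; password_hash() instead
// of md5(); table/column/function names and sample data are constructed.
declare(strict_types=1);

// Constructed schema and data. Assumed columns: users(id, username, password_hash),
// cv(userID, summary), with cv.userID matching the question's WHERE clause.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE cv (userID INTEGER PRIMARY KEY, summary TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT)]);
    $db->exec("INSERT INTO cv (userID, summary) VALUES (1, 'alice old summary'), (2, 'bob summary')");
    return $db;
}

// Returns the user's id (int) on success, or false. The stored hash never leaves
// this function and the plain password is not kept anywhere after it returns.
function verify_user(PDO $db, string $un, string $pwd) {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['password_hash'])) {
        return false;
    }
    return (int) $row['id'];
}

// Records the login. Only the id and the status flag go into the session.
function login(int $userID): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id on login, so a pre-login id cannot be fixated
    $_SESSION['user_id'] = $userID;
    $_SESSION['status']  = 'authorized';
}

// The $userID the question asks for: read from the session on each request,
// with no second username/password lookup. Returns null when not logged in.
function current_user_id(): ?int {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (($_SESSION['status'] ?? '') !== 'authorized' || !isset($_SESSION['user_id'])) {
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// The UPDATE from the question, bound to the logged-in user's id.
// Returns the number of rows changed (0 means the user had no cv row).
function update_cv(PDO $db, int $userID, string $summary): int {
    $stmt = $db->prepare('UPDATE cv SET summary = ? WHERE userID = ?');
    $stmt->execute([$summary, $userID]);
    return $stmt->rowCount();
}

// Demo run. session_start() goes before any output because it sets a header.
session_start();
$db = open_db();

$bad = verify_user($db, 'alice', 'wrong password');   // false
$id  = verify_user($db, 'alice', 'correct horse');    // 1
if ($id === false) {
    exit("login failed\n");
}
login($id);

// On a later request the id comes straight from the session.
$userID = current_user_id();
if ($userID === null) {
    exit("not logged in\n");
}
$changed = update_cv($db, $userID, 'alice new summary');

var_dump($bad);
printf("user %d updated %d cv row(s); session keys: %s\n",
    $userID, $changed, implode(',', array_keys($_SESSION)));
foreach ($db->query('SELECT userID, summary FROM cv ORDER BY userID') as $row) {
    printf("  cv %d: %s\n", $row['userID'], $row['summary']);   // only alice's row changes
}
```

Run it with the php command-line binary; session_start() works there using the file session handler. Compared with the thread's code, the session never holds the password, the UPDATE cannot touch another user's row because the id is bound from the session rather than taken from the request, and the credential check happens exactly once, at login.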