I have a PHP page and I want to share some data between pages like UserID, password.

I'm learning about sessions and I'm not sure if I'm using it correctly.

<?php
require_once('database.inc');
$kUserID = $_POST['kUserID'];
$kPassword = $_POST['kPassword'];

if (!isset($kUserID) || !isset($kPassword)) { 
    header( "Location: http://domain/index.html" ); 
}

elseif (empty($kUserID) || empty($kPassword)) { 
    header( "Location: http://domain/index.html" ); 
} 
else { 
    $user = addslashes($_POST['kUserID']); 
    $pass = md5($_POST['kPassword']); 
    $db = mysql_connect("$sHostname:$sPort", $sUsername, $sPassword) or die(mysql_error()); 
    mysql_select_db($sDatabase) or die ("Couldn't select the database."); 
    $sqlQuery = "select * from allowedUsers where UserID='" . $kUserID . "' AND passwordID='" . $kPassword . "'";
    $result=mysql_query($sqlQuery, $db);
    $rowCheck = mysql_num_rows($result); 
    if($rowCheck > 0){ 
        while($row = mysql_fetch_array($result)){
            session_start();
            session_register('kUserID'); 
            header( "Location: link.php" );
       } 
    } 
    else { 
        echo 'Incorrect login name or password. Please try again.'; 
    } 
} 
?> 
+4  A: 

Be aware that session_register() is deprecated in favor of assigning values to the $_SESSION superglobal, e.g.

<?php
    $_SESSION['hashedValue']= '437b930db84b8079c2dd804a71936b5f';
?>

Also be aware that anything stored in a session, especially in a shared-server environment, is fair game. Never store a password, regardless of whether it's hashed or encrypted. I would avoid storing a username as well. If you must use some authentication mechanism between pages using a session variable, I'd recommend using a second lookup table, e.g. logins, and store the username, login time, etc in that table. A hashed value from that table is stored in the session, and each page request checks the time in the table and the hashed value against the database. If the request is either too old or the hash doesn't match, force re-login.

All this and more is available to you in the PHP manual section on sessions.

bdl
+1  A: 

First, you need to put session_start() at the very beginning of your script. It also needs to go at the start of every script that uses session data. So it would also go at the top of babyRegistration.php.

Second, I would strongly recommend against using session_register() as it relies on register_globals which is off by default for security reasons. You can read more here: http://php.net/manual/en/security.globals.php. You can add/access session variables by using the $_SESSION superglobal:

$_SESSION['kUserID'] = $kUserID;

Last, not really session related, just an observation, your isset check at the top is redundant; empty will return true for an unset/NULL variable, just as you might expect.

emmychan
+12  A: 

For the love of all that is holy, don't use addslashes to prevent SQL injection.

I just owned your site:

Image of your ownt site

Edit: Even worse.

I just noticed that your attempt at preventing injection via addslashes isn't even being used!

<?php
$kUserID = $_POST['kUserID'];
$user = addslashes($_POST['kUserID']); // this isn't used
$sqlQuery = "select * from allowedUsers where UserID='"
  . $kUserID . "' AND passwordID='" . $kPassword . "'";
hobodave
So, would adding the data into the database using a SQL Injection attack and then retrieving it on another page via the same mechanism count as a viable way to save data between pages? Yikes. Good thing that code was posted here early.
TheJacobTaylor
Here is a link to the function you should use instead of addslashes: http://php.net/manual/en/function.mysql-real-escape-string.php
Jayrox
A: 

At the top of a page

session_start();
$_SESSION['yourvarname']='some value';

then on some other page to retrieve

echo $_SESSION['yourvarname'];
// some value

Oh, and about injection, use this on everything going into your db: http://us3.php.net/manual/en/function.mysql-real-escape-string.php

David Morrow
@dperry> Good example, but no such function as sessionStart().
bdl
please stop advocating the use of the old mysql functions. teach new people the proper way to do things with PDO http://php.net/pdo
Kris
I personally use mysqli http://us.php.net/manual/en/class.mysqli.php so in that case it would be $mysql_li_instance->real_escape_string( $value ); same concept though of passing all incoming strings through the real_escape_string filter
David Morrow
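
The fixes named across these answers (session_start() before anything else, $_SESSION instead of session_register(), and PDO in place of addslashes() or the old mysql functions), put together as an added example that is not code from any poster in this thread. The in-memory SQLite database, the passwordHash column, the sample user and the switch from md5() to password_hash()/password_verify() are assumptions made for the example.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server (assumption).
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE allowedUsers (UserID TEXT PRIMARY KEY, passwordHash TEXT NOT NULL)');
    // Constructed sample row; passwordHash is a hypothetical column name.
    $ins = $pdo->prepare('INSERT INTO allowedUsers (UserID, passwordHash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the matching UserID, or null when the credentials are wrong.
function checkLogin(PDO $pdo, string $userId, string $password): ?string
{
    // The placeholder keeps $userId as data: quotes in it never reach the SQL parser.
    $stmt = $pdo->prepare('SELECT UserID, passwordHash FROM allowedUsers WHERE UserID = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passwordHash'])) {
        return null;
    }
    return $row['UserID'];
}

function login(PDO $pdo, string $userId, string $password): bool
{
    $found = checkLogin($pdo, $userId, $password);
    if ($found === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);       // new session ID once the user is authenticated
    $_SESSION['kUserID'] = $found;     // identifier only, never the password
    return true;
}

$pdo = openDemoDb();
var_dump(checkLogin($pdo, 'alice', 'correct horse'));   // valid credentials
var_dump(checkLogin($pdo, "' OR '1'='1", 'anything'));  // quote-breaking input, bound as plain data
var_dump(checkLogin($pdo, 'alice', 'wrong'));           // wrong password
```

login() is meant to be called from a web request before any output is sent; the three calls at the bottom exercise only the credential check.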
+2  A: 

You might also wanna rename "database.inc" to "database.inc.php", or properly set up your host to treat ".inc" as PHP:

http://www.namemybabyboy.com/database.inc

<?php
    $sDatabase = 'shayaanpsp';
    $sHostname = 'mysql5.brinkster.com';
    $sPort     = 3306;
    $sUsername = 'shayaanpsp';
    $sPassword = 'XXXX';
    $sTable    = 'allowedUsers';
?>
truppo
LOL. His password is in a couple of my password dictionaries too.
hobodave