Hello,

I am using sessions to pass user information from one page to another. However, I think I may be using the wrong concept for my particular need. Here is what I'm trying to do:

  1. When a user logs in, the form action is sent to login.php, which I've provided below:

login.php

    $loginemail = $_POST['loginemail'];
    $loginpassword = md5($_POST['loginpassword']);

    $con = mysql_connect("xxxx","database","pass");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("db", $con);

    $result = mysql_query("SELECT * FROM Members
    WHERE fldEmail='$loginemail'
    and Password='$loginpassword'");

    //check if successful
    if($result){
        if(mysql_num_rows($result) == 1){
            session_start();
            $_SESSION['loggedin'] = 1; // store session data
            $_SESSION['loginemail'] = $loginemail; // keep the e-mail for later lookups
            header("Location: main.php");
        }
    }
    mysql_close($con);

  2. Now to use the $_SESSION['loggedin'] throughout the website for pages that require authorization, I made an 'auth.php', which will check if the user is logged in.

The 'auth.php' is provided below:

    session_start();
    if($_SESSION['loggedin'] != 1){
        header("Location: index.php");
    }

  3. Now the point is, when you log in, you are directed BY login.php TO main.php via header. How can I echo out the user's fullname which is stored in 'fldFullName' column in MySQL on main.php? Will I have to connect again just like I did in login.php? or is there another way I can simply echo out the user's name from the MySQL table? This is what I'm trying to do in main.php as of now, but the user's name does not come up:

    $result = mysql_query("SELECT * FROM Members
    WHERE fldEmail='$loginemail'
    and Password='$loginpassword'");

    //check if successful
    if($result){
        if(mysql_num_rows($result) == 1){
            $row = mysql_fetch_array($result);
            echo '<span class="backgroundcolor">' . $row['fldFullName'] . '</span><br />';
        }
    }

Thank you in advance.

+1  A: 

Let me point out that the technique you're using has some nasty security holes, but in the interest of avoiding serious argument about security the quick fix is to just store the $row from login.php in a session variable, and then it's yours to access. I'm surprised this works without a session_start() call at the top of login.php.

I'd highly recommend considering a paradigm shift, however. Instead of keeping a variable to indicate logged-in state, you should hang on to the username and an encrypted version of the password in the session state. Then, at the top of main.php you'd ask for the user data each time from the database and you'd have all the fields you need as well as verification the user is in fact logged in.

Mark E
+2  A: 

Will I have to connect again just like I did in login.php?

Yes. This is the way PHP and MySQL work.

or is there another way I can simply echo out the user's name from the MySQL table?

No. To get something from mysql table you have to connect first.
You can put connect statement into some config file and include it into all your scripts.

How can I echo out the user's fullname which is stored in 'fldFullName' column in MySQL on main.php?

You will need some identifier to get the proper row from the database. Email may work, but it's strongly recommended to use an autoincrement id field instead, which is to be stored in the session.
And at this moment you have neither $loginemail nor $loginpassword in your latter code snippet, do you?

And some notes on your code

  1. Any header("Location: "); statement must be followed by exit;. Or there would be no protection at all.

  2. Any data you're going to put into a query in quotes must be escaped with the mysql_real_escape_string() function. No exceptions.

So, it's going to be like this:

    include $_SERVER['DOCUMENT_ROOT']."/dbconn.php";

    $loginemail = $_POST['loginemail'];
    $loginpassword = md5($_POST['loginpassword']);

    $loginemail = mysql_real_escape_string($loginemail);
    $loginpassword = mysql_real_escape_string($loginpassword);

    $query = "SELECT * FROM Members WHERE fldEmail='$loginemail' and Password='$loginpassword'";
    $result = mysql_query($query) or trigger_error(mysql_error().$query);

    if($row = mysql_fetch_assoc($result)) {
      session_start();
      $_SESSION['userid'] = $row['id']; // store session data
      header("Location: main.php");
      exit;
    }

and main.php part

    session_start();
    if(!$_SESSION['userid']) {
      header("Location: index.php");
      exit;
    }
    include $_SERVER['DOCUMENT_ROOT']."/dbconn.php";

    $sess_userid = mysql_real_escape_string($_SESSION['userid']);
    $query  = "SELECT * FROM Members  WHERE id='$sess_userid'";
    $result = mysql_query($query) or trigger_error(mysql_error().$query);
    $row = mysql_fetch_assoc($result);

    include 'template.php';

Col. Shrapnel
Thank you Col. Shrapnel! I'm very new to programming so thank you for your patience. By the way, what's template.php in the code??
Newbie_25
@newbie-25 This is a method to separate "how it works" from "how it looks", and it is called template use. I've explained it here a bit: http://stackoverflow.com/questions/3140714/separating-logic-style-in-php-properly Feel free to ask if something is still not clear.
Col. Shrapnel
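
The login.php and main.php flow from the answer above, as an added example that is not from any poster: it swaps in PDO prepared statements and password_hash()/password_verify() for mysql_real_escape_string() and md5(), because the mysql_* functions were removed in PHP 7. The in-memory SQLite database, the sample member and the function names authenticate() and load_member() are assumptions made for illustration; the table and column names are the ones used on this page.

```php
<?php
// Added example, not code from the question or the answers.
// In-memory SQLite with one constructed member so the flow runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Members (id INTEGER PRIMARY KEY, fldEmail TEXT UNIQUE,
           fldFullName TEXT, Password TEXT)');
$db->prepare('INSERT INTO Members (fldEmail, fldFullName, Password) VALUES (?, ?, ?)')
   ->execute(['alice@example.test', 'Alice Example',
              password_hash('constructed-password', PASSWORD_DEFAULT)]);

// login.php: returns the member id on success, null otherwise (hypothetical helper).
function authenticate(PDO $db, string $email, string $password): ?int
{
    // The e-mail is bound as a parameter, so it is never parsed as SQL.
    $stmt = $db->prepare('SELECT id, Password FROM Members WHERE fldEmail = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted hash in PHP instead of comparing md5() in SQL.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return (int) $row['id'];
}

// main.php: reload the member from the id kept in the session (hypothetical helper).
function load_member(PDO $db, $sessionUserId): ?array
{
    if (!is_int($sessionUserId)) {
        return null; // not logged in: the caller redirects and exits
    }
    $stmt = $db->prepare('SELECT id, fldEmail, fldFullName FROM Members WHERE id = ?');
    $stmt->execute([$sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// In the real pages (these calls need a web request, so they are shown as comments):
//   session_start();
//   $id = authenticate($db, $_POST['loginemail'], $_POST['loginpassword']);
//   if ($id !== null) { session_regenerate_id(true); $_SESSION['userid'] = $id;
//                       header('Location: main.php'); exit; }
$id     = authenticate($db, 'alice@example.test', 'constructed-password');
$member = load_member($db, $id);
// Encode on output so a stored name cannot inject markup into the page.
echo htmlspecialchars($member['fldFullName'], ENT_QUOTES, 'UTF-8'), "\n";
// A quote in the input is just data to a bound parameter: no SQL error, no login.
var_dump(authenticate($db, "o'brien@example.test", 'x'));
```
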
+1  A: 

Yes, you do have to reconnect to the database for every pageload. Just put that code in a separate file and use PHP's require_once() function to include it.

Another problem you're having is that the variables $loginemail and $loginpassword would not exist in main.php. You are storing the user's e-mail address in the $_SESSION array, so just reload the user's info:

    $safe_email = mysql_real_escape_string($_SESSION['loginemail']);
    $result = mysql_query("SELECT * FROM Members
      WHERE fldEmail='$safe_email'");

Also, your code allows SQL Injection attacks. Before inserting any variable into an SQL query, always use the mysql_real_escape_string() function and wrap the variable in quotes (as in the snippet above).

Mark Eirich
not "any variable" but "any data enclosed in quotes". The big difference
Col. Shrapnel
@Col. Shrapnel: good catch. You are right, don't use mysql_real_escape_string without wrapping its output in quotes!
Mark Eirich
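
Why the quotes matter in the comment exchange above, as an added example that is not from any poster. SQLite3::escapeString() stands in for mysql_real_escape_string() so the code runs offline; the in-memory table, the sample rows, the constructed input and the helper rows_matched() are assumptions made for illustration.

```php
<?php
// Added example. SQLite3::escapeString() stands in for mysql_real_escape_string();
// neither function changes the constructed input below, because it contains
// no quote or backslash to escape.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE Members (id INTEGER PRIMARY KEY, fldFullName TEXT)');
$db->exec("INSERT INTO Members (fldFullName) VALUES ('Alice'), ('Bob'), ('Carol')");

// Counts the rows a WHERE clause selects (hypothetical helper).
function rows_matched(SQLite3 $db, string $where): int
{
    return (int) $db->querySingle("SELECT COUNT(*) FROM Members WHERE $where");
}

$input   = '1 OR 1=1';                      // constructed request value
$escaped = SQLite3::escapeString($input);   // comes back unchanged

// Escaped but NOT quoted: the value is parsed as SQL, so the condition
// becomes "id=1 OR 1=1" and selects every row.
$unquoted = rows_matched($db, "id=$escaped");

// Escaped AND quoted: the whole value is one string literal, i.e. data,
// and the OR is never evaluated as an operator.
$quoted = rows_matched($db, "id='$escaped'");

// For a numeric column, a bound integer parameter removes the question entirely.
$stmt = $db->prepare('SELECT COUNT(*) FROM Members WHERE id = :id');
$stmt->bindValue(':id', (int) $input, SQLITE3_INTEGER);
$bound = (int) $stmt->execute()->fetchArray(SQLITE3_NUM)[0];

printf("unquoted=%d quoted=%d bound=%d\n", $unquoted, $quoted, $bound);
```
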