From my understanding, if I have a login system with a few pages, the $_POST will only work if I assign a page in the signup form action, correct? If I am on a page where no information is passed through, how would I get the information using either post or get? I guess that I can’t?
I think maybe I have to use a $_SESSION variable… Here is my code for my login page, and I am trying to use some of the session variables in my primer.php page, which is one of the pages where the user can access free videos…
<?php
session_start();

// Only accept a real form submission; anything else goes back to the index page
if (!isset($_POST['submit'])) {
    header("Location: ../index.php?login=error");
    exit();
} else {
    include 'dbh.php';
    // The username/email is interpolated into SQL below, so it is escaped first
    $uid = mysqli_real_escape_string($conn, $_POST['uid']);
    // The password is never placed in SQL, only passed to password_verify(),
    // so it must not be escaped (escaping would alter passwords that contain quotes or backslashes)
    $pwd = $_POST['password'];
    // include error handlers:
    // Check to see if the inputs are empty
    // Check to see if user has activated his or her account before logging in
    if (empty($uid) || empty($pwd)) {
        header("Location: ../signup.php?signup=empty");
        exit();
    } else {
        // Check to see if user has activated his or her account
        $sql = "SELECT * FROM users WHERE user_activate='0' AND user_uid='$uid';";
        $result = mysqli_query($conn, $sql);
        $resultCheck = mysqli_num_rows($result);
        if ($resultCheck > 0) {
            header("Location: ../signup.php?signup=notactivated");
            exit();
        } else {
            // Check to see if the username exists in the database
            $sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
            $result = mysqli_query($conn, $sql);
            $resultCheck = mysqli_num_rows($result);
            if ($resultCheck < 1) {
                header("Location: ../index.php?login=error");
                exit();
            } else {
                // Does the password match the password in the database?
                if ($row = mysqli_fetch_assoc($result)) { // fetch the first matching row as an array
                    // Compare the submitted password with the stored hash (the hash itself is never reversed)
                    $hashedPwdCheck = password_verify($pwd, $row['user_password']);
                    if ($hashedPwdCheck == false) {
                        header("Location: ../signup.php?signup=empty");
                        exit();
                    } elseif ($hashedPwdCheck == true) {
                        // Log in the user here: copy the row fields into the session
                        $_SESSION['u_id'] = $row['user_id'];
                        $_SESSION['u_first'] = $row['user_first'];
                        $_SESSION['u_last'] = $row['user_last'];
                        $_SESSION['u_email'] = $row['user_email'];
                        $_SESSION['u_uid'] = $row['user_uid'];
                        header("Location: ../index.php?login=success");
                        exit();
                    }
                }
            }
        }
    }
}
This is my primer.php page
<?php
include_once 'includes/dbh.php';
session_start();
echo $_SESSION['u_id']; // raises "Undefined index" when no login has set the session yet

$sql = "SELECT * FROM users";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck > 0) {
    while ($row = mysqli_fetch_assoc($result)) { // one iteration per user row, not just the logged-in user
        if ($row['user_access'] == 1) {
            echo ' You have permission to access this page';
        } else {
            echo 'You do not have permission to access this page';
        }
    }
}
I don’t know why I can’t get it to echo the session variable…it says
Notice: Undefined index: u_id in C:\xampp\htdocs\loginsystem\primer.php on line 5
You have permission to access this page You have permission to access this page
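An added example, not code from the original poster or from anyone in this thread: the same login flow written with a mysqli prepared statement instead of escaping and interpolating the username, with one combined lookup, an identical redirect for "no such user" and "wrong password", and a session-id rotation after a successful login. It assumes dbh.php defines a mysqli connection in $conn, that the users table has the columns used in the thread (user_id, user_first, user_last, user_email, user_uid, user_password, user_activate), and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example (not the original poster's code). Assumptions: dbh.php defines
// $conn (mysqli), the users table has the columns named in the thread, and
// mysqlnd is available so that $stmt->get_result() exists.
session_start();

if (!isset($_POST['submit'])) {
    header('Location: ../index.php?login=error');
    exit();
}

include 'dbh.php';

$uid = trim($_POST['uid'] ?? '');
$pwd = $_POST['password'] ?? '';

if ($uid === '' || $pwd === '') {
    header('Location: ../signup.php?signup=empty');
    exit();
}

// The values are bound separately from the SQL text, so whatever characters
// the user typed are never parsed as part of the query. No escaping needed.
$stmt = $conn->prepare(
    'SELECT user_id, user_first, user_last, user_email, user_uid, user_password, user_activate
       FROM users
      WHERE user_uid = ? OR user_email = ?
      LIMIT 1'
);
if ($stmt === false) {
    http_response_code(500);
    exit('Login is temporarily unavailable');
}
$stmt->bind_param('ss', $uid, $uid);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // null when no row matched
$stmt->close();

// Same redirect for "unknown user" and "wrong password", so the response does
// not reveal which usernames or e-mail addresses exist.
if ($row === null || !password_verify($pwd, $row['user_password'])) {
    header('Location: ../index.php?login=error');
    exit();
}

// Activation is checked only after the password has been verified, so only the
// account's real owner learns that it is still unactivated.
if ((int) $row['user_activate'] === 0) {
    header('Location: ../signup.php?signup=notactivated');
    exit();
}

// Rotate the session id at the privilege change, so a session id that an
// attacker planted before login (session fixation) is not the logged-in one.
session_regenerate_id(true);
$_SESSION['u_id']    = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last']  = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid']   = $row['user_uid'];

header('Location: ../index.php?login=success');
exit();
```

The password is deliberately not passed through mysqli_real_escape_string: it never reaches SQL, and escaping it would change any password containing a quote or backslash before password_verify() sees it.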
I think it is working now…but the only problem is that it is echoing ‘welcome…etc’ twice because I have two records in my database…My current code is as follows:
<?php
include_once 'includes/dbh.php';
session_start();
echo $_SESSION['u_id'];

$sql = "SELECT * FROM users";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck > 0) {
    while ($row = mysqli_fetch_assoc($result)) { // loops over every user row, so the message repeats once per record
        if ($row['user_access'] == 1 && $_SESSION['u_uid']) {
            echo ' Welcome ' . $_SESSION['u_uid'];
        } else {
            echo 'You do not have permission to access this page';
        }
    }
}
But should I change the query to this?
$sql = "SELECT * FROM users WHERE user_uid = $_SESSION['u_uid']";
I get the following error:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\loginsystem\primer.php on line 6
I tried that line on my localhost and it only showed a blank screen
Try this:
<?php
// PROBLEM - PRODUCES BLANK SCREEN (parse error: inside a double-quoted string an
// array element with a quoted key must be wrapped in curly brackets)
// $sql = "SELECT * FROM users WHERE user_uid = $_SESSION['u_uid']";

// WORKS OK - single quotes and concatenate
// (the value is not quoted in the SQL, so this only works for a numeric user_uid)
$sql = 'SELECT * FROM users WHERE user_uid = ' . $_SESSION["u_uid"];
echo ' ', $sql;
echo '<br><br>';

// WORKS OK - {curly-brackets}
$sql = "SELECT * FROM users WHERE user_uid = {$_SESSION['u_uid']}";
echo ' ', $sql;
I never liked the idea of displaying variables inside double-quotes and far prefer to use single quotes and to concatenate variables.
Now you have it working, have a look at the post from @chorn above and convert it into a prepared statement. It’s a good habit to get into when you get further into your code.
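An added example, not code from the original poster or from this reply: primer.php with the missing session check added and the users lookup converted to a prepared statement bound to the logged-in user's id, which is the conversion suggested above. It assumes includes/dbh.php defines a mysqli connection in $conn, that the users table has user_id, user_uid and user_access, and that mysqlnd is available for get_result().

```php
<?php
// Added example (not the original poster's code). Assumptions: includes/dbh.php
// defines $conn (mysqli); users has user_id, user_uid, user_access; mysqlnd is
// available so that $stmt->get_result() exists.
include_once 'includes/dbh.php';
session_start();

// Reading $_SESSION['u_id'] before a login has set it is what raised the
// "Undefined index" notice: a visitor who never logged in has no such key,
// so check for it and send them to the login page instead of continuing.
if (!isset($_SESSION['u_id'])) {
    header('Location: ../index.php?login=required');
    exit();
}
$userId = (int) $_SESSION['u_id'];

// Fetch only the logged-in user's row. The id is bound as an integer parameter,
// so the query text never contains session data and quoting never comes up.
$stmt = $conn->prepare('SELECT user_uid, user_access FROM users WHERE user_id = ? LIMIT 1');
if ($stmt === false) {
    http_response_code(500);
    exit('Content is temporarily unavailable');
}
$stmt->bind_param('i', $userId);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // null if the session's user no longer exists
$stmt->close();

// One row means one decision and one message, which also removes the
// "welcome printed twice" effect of looping over SELECT * FROM users.
if ($row === null || (int) $row['user_access'] !== 1) {
    http_response_code(403);
    echo 'You do not have permission to access this page';
    exit();
}

// Encode the username on output: it is user-supplied data being placed in HTML.
echo 'Welcome ' . htmlspecialchars($row['user_uid'], ENT_QUOTES, 'UTF-8')
   . ' to your primer level content. Feel free to learn at your own pace!';
```

The access decision is made from the database row fetched for the session's user id, not from a loop over every user, so adding a second account can no longer change what the page prints for the first.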
In what way does it look weird? It’s a query with two conditions.
The final two conditions are a waste of code. Your query will only return rows where the user-id and user-email match, because those are the conditions you put in it. So there’s no point checking again; all you’re doing here is looking to see if MySQL has worked as it should.
Thanks… but I am trying to understand mysqli_real_escape_string first… would I need it for these lines of code?
// Escape the session values once, then place the escaped copies inside the quoted SQL literals
$uidSafe   = mysqli_real_escape_string($conn, $_SESSION['u_uid']);
$emailSafe = mysqli_real_escape_string($conn, $_SESSION['u_email']);
$sql = "SELECT * FROM users WHERE user_uid = '" . $uidSafe . "' AND user_email = '" . $emailSafe . "'";
and here
if ($row['user_access'] != 1 || $row['user_uid'] != mysqli_real_escape_string($conn, $_SESSION['u_uid']) || $row['user_email'] != mysqli_real_escape_string($conn, $_SESSION['u_email'])) {
    echo 'Welcome ' . mysqli_real_escape_string($conn, $_SESSION['u_uid']) . ' To your primer level content. Feel free to learn at your own pace!';
}
As I said above, there’s no point even making those two final comparison checks. Because the query already only retrieves rows where the user-id and user-email match your specified values, there is no point checking again.
Can’t help on the other bit sorry, I use PDO. I believe, though, that if you use a prepared statement, then it will handle escaping characters for you. As a general rule, if I was doing something like that, I’d create some new local variables that have already been escaped and validated, and just use those in my queries and comparisons, not keep performing the same jobs. So something like