Display users name when logged in on the page they are visiting


In the login form processing code, you would set a session variable with the user's id (which is what you are doing.) However, the session variable should be named as to what it is, $_SESSION['user_id'], or similar. You would then test for that session variable and query on each page request to get any other user data, such as the username or user permissions.

Your form and form processing code should be on the same page. This will result in the simplest and most secure code. What you are doing now with the - header("Location: login.php?error=invalidusernameorpassword") opens your site to a phishing attack, where someone can trick your users to enter their username/passwords on the phishing site, then redirect them to your site and make it look like they mistyped their username/password.

The code for any page should be laid out in this general order -

  1. initialization
  2. post method form processing
  3. get method business logic - get/produce data needed to display the page
  4. html document

The only redirect you should have in this is upon successful completion of the post method form processing code to the exact same url of the current page to cause a get request for that page.

Some other points about the posted code -

  1. don’t copy variables to other variables for nothing. just use the original variables.
  2. use a prepared query when supplying external, unknown, dynamic values to a query when it gets executed.
  3. to get a form to submit to the same page it is on, leave out the entire action='…' attribute.
  4. if you switch to the much simpler and more modern PDO database extension, about half of the database specific statements will go away.
  5. don’t use a loop to fetch data from a query that will at most match one row of data. just directly fetch the row of data.
  6. don't use $_SERVER['HTTP_REFERER'] in your code. it is not secure.
  7. when you have a conditional branch with an exit/die statement in it, you don’t need an else conditional because the exit/die will stop code execution if that conditional branch is true.
  8. you should be using exceptions for database statement errors (this is the default setting in php8+ for both the mysqli and PDO extensions.) you should only catch and handle database exceptions in your code for user recoverable errors, such as when inserting/updating duplicate user submitted data. in all other cases, simply let php catch and handle any database exception, simplifying the code.
  9. a form's action='…' attribute is a url. you cannot put php code or a php function call as the target of the action attribute. http requests and responses do not work this way. php code is executed on the web server when the page is requested. html/javascript/css is rendered/executed in the browser.
  10. you would NOT use a hidden field for the name in your comment form. this is not secure as anyone or anything can set the value to anything they want. if you want to allow Anonymous users to post comments, you would handle this in the server-side post method form processing code. if there is a logged in user, you would use the user_id from the session variable. if there is not a logged in user, you would use whatever value you want for the Anonymous user, but you do this in the code that is using the submitted data.
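An added example (not the poster's code) of the page layout and points described in the reply above: initialization, post method form processing with a prepared query and a redirect to the same url, get method lookup of the logged-in user via $_SESSION['user_id'], then the html with an action-less form. It assumes a `users` table with `id`, `username` and a `password_hash` column produced by password_hash(), and the PDO credentials are placeholders.

```php
<?php
// 1. initialization
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // db errors throw; let php handle them
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$errors = [];

// 2. post method form processing (the form below posts to this same page)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    if ($username === '' || $password === '') {
        $errors[] = 'Username and password are required.';
    } else {
        // prepared query: the submitted value is bound, never put into the SQL string
        $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC); // at most one row, so no loop
        if ($user && password_verify($password, $user['password_hash'])) {
            session_regenerate_id(true);        // fresh session id on login
            $_SESSION['user_id'] = $user['id']; // store only the id
            header('Location: ' . $_SERVER['REQUEST_URI']); // same url, forces a GET
            exit;
        }
        $errors[] = 'Invalid username or password.'; // shown on this page, not via ?error=
    }
}
// 3. get method business logic: fetch the logged-in user's data for this request
$current_user = null;
if (isset($_SESSION['user_id'])) {
    $stmt = $pdo->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $current_user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
?>
<!-- 4. html document -->
<!DOCTYPE html><html><body>
<?php if ($current_user): ?>
  <p>Logged in as <?= htmlspecialchars($current_user['username']) ?></p>
<?php else: ?>
  <?php foreach ($errors as $e): ?><p><?= htmlspecialchars($e) ?></p><?php endforeach; ?>
  <form method="post"><!-- no action attribute: submits to the current url -->
    <input name="username"> <input name="password" type="password">
    <button>Log in</button>
  </form>
<?php endif; ?>
</body></html>
```

Because the failed-login message is produced on the same page, no error text ever travels through the url, so a redirect from another site cannot forge one.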