I recently upgraded to PHP 7 and PDO from mysql and I’ve managed to get register/login working with sessions, but I’m having a hard time getting the session to work with other things, like reviews not being posted with the session user’s username. The main thing I want to fix is fetching the currently logged-in user’s details for Profile.php: for some reason I am only able to view user1’s details even when I’m signed into user2’s account, which obviously I don’t want. Can anyone help? I will add my code in order.
I know it’s kind of a long one so I would be really grateful for some help… I managed to shorten a lot on the profile.html so it’s easier to read.
(Also, I don’t know why the session is $_SESSION['email']; I’m assuming it’s due to logging in with email rather than username, and for some reason I can’t make it $_SESSION['username']; without changing the login form to username instead of email. Is it possible to sign in with email but have the session as username?)
But that begs the question: whatever are you trying to do there? You’re already in PHP mode, so why attempt to open it again? Your session variable is always going to be that fixed string!
I see many problems with the code you posted. Does the profile page actually have a .html extension as you have posted?
Starting with the connection, you have no error handling if the connection fails. This is one case where you should use a try/catch block to handle exceptions.
In register, I would suggest using a relative path instead of an absolute path and making the connection required instead of included.
Hoping for the name of a button to be submitted in order for your script to work can completely fail in certain cases. You should be checking the REQUEST_METHOD instead. Do not create variables for nothing. Do not check for an existing email or username. Rather, set a unique constraint on those DB columns, attempt the insert and catch any duplicate errors. This would be the second suitable use case for a try/catch block. As written, the code will go nowhere if the password does not match the password confirm. Don’t hard-code a URL in the redirect. Use a relative path. You don’t need the closing PHP tag in your files.
In login, why are you echoing in setting a session for email and on top of it setting the username to the email session? Makes no sense. Same comments apply to this file as previous. Specify the columns you want by name. Do not SELECT *.
In profile, the timezone setting does not belong there. That should be set in the php.ini. Stop mixing the file and directory case. Use all lowercase. You try to select where email equals Session email but you set it to the username so it will never match. I would suggest using the output tag instead of echoing all over the place.
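The register script as the reply above describes it, written out as an added example (this is not the poster’s code or anything from the thread). It assumes a `users` table whose `email` and `username` columns carry UNIQUE constraints and whose `psw` column holds the password hash; the DSN, credentials, form field names and the `register.html`/`login.php` paths are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes a `users` table with UNIQUE
// constraints on `email` and `username`; DSN and credentials are placeholders.
session_start();

try {
    // With ERRMODE_EXCEPTION a failed connection throws instead of silently
    // leaving $dbh unusable; this is the first place a try/catch belongs
    $dbh = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
} catch (PDOException $e) {
    error_log('DB connection failed: ' . $e->getMessage());
    exit('Service temporarily unavailable.');
}

// Check the request method rather than the name of a submit button, which
// only arrives if the browser sent that particular element
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: register.html');
    exit;
}

$email    = trim($_POST['email'] ?? '');
$username = trim($_POST['username'] ?? '');
$psw      = $_POST['psw'] ?? '';
$confirm  = $_POST['psw_confirm'] ?? '';

if ($email === '' || $username === '' || $psw === '') {
    exit('All fields are required.');
}
if ($psw !== $confirm) {
    // Tell the user, rather than letting the script fall off the end silently
    exit('Passwords do not match.');
}

$hash = password_hash($psw, PASSWORD_DEFAULT);

try {
    // No "does this email exist?" SELECT first: the UNIQUE constraints decide,
    // so there is no window between a check and the insert
    $stmt = $dbh->prepare('INSERT INTO `users` (`email`, `username`, `psw`) VALUES (?, ?, ?)');
    $stmt->execute([$email, $username, $hash]);
} catch (PDOException $e) {
    // SQLSTATE 23000 is an integrity constraint violation (a duplicate key here)
    if ($e->getCode() === '23000') {
        exit('That email or username is already registered.');
    }
    error_log('Registration failed: ' . $e->getMessage());
    exit('Registration failed.');
}

// Relative redirect instead of a hard-coded absolute URL; no closing PHP tag
header('Location: login.php');
exit;
```

The two try/catch blocks are the two cases the reply mentions: the connection and the insert. Everything else in the script reports its failure to the user and stops, so there is no path on which the form is submitted and nothing happens.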
Hi, thanks for the awesome reply! I shall change them from “include” to “required” (little tips like that are really helpful lol). Also, no, the profile page has a .php extension although it’s just a normal web page, and the part where I put the echo session tied to username is just something I was trying to test out lol, I was supposed to revert that part before posting, my bad. The sessions are actually the thing I’m struggling with most: the thing is, when I have it set email equals session email, when I go to post a review the name on the review becomes “email” and not the actual email/name for some reason. I’m really new to PDO so I will try to follow your advice, thanks!
Yes, but when I change it to $_SESSION['username'] it doesn’t actually use the username, it just stops working completely. Seems it only works with email.
Also, what do you mean by this? You are saying I’m echoing in something then have the username part ON TOP? On top of what? There is only one line of code? Also, that line of code was just for testing, because I was trying to get it to work; if I revert it I still have the same problems…
There must be more to the problem than this - in general you can use whatever name you want for an array index, as long as it’s valid - and “username” is. You need to set it as part of your successful login code, and remember to use it in the “profile” query as well, and anywhere else that uses that same session variable. Personally I’d use the unique id column from the users table rather than the name, but as the username is also unique that probably doesn’t make any difference.
But I notice you have a black mark there in the profile.php - you’re not using a prepared statement like you do in the other queries. Maybe that’s part of the problem - if you used a prepared statement, the fact that you’re using a string in a query but haven’t put quotes around it wouldn’t matter.
Oh okay, yeah I thought there must be something else that’s not right, because within the login.php script the session only actually begins when I use $_SESSION['email'] = "['email']" lol. I have my navbar in a separate file and within the navbar I have <?php if (isset($_SESSION['email'])): ?> which shows the logout button when logged in, but even when I change that to username and change the login script to username it doesn’t work either. But I’m pretty sure it is just because I’m logging in with ‘email’ so it’s picking up on that; I wouldn’t know how to include username into that script lol so prob just leave it as email for now.
Also, when you mention the profile.php page and prepared statements… I was wondering about that. Is that where you do prepare->? And if I use that for one query do I have to use that for all queries throughout the website? Sorry for the basic questions, it’s very new to me and it seems PDO is quite fussy about how things work lol
Yes, that’s where you have placeholders in the query (? in yours, or you can use named placeholders) and call prepare() and bindParam() to get the values into the query (or pass the values in an array). It’s not a case that you have to, but it’s a good habit for all sorts of reasons. There’s no need to be doing it that way if there is no user-supplied data going into the query, of course.
If nothing else, you should be consistent.
You’d need to post the code for anyone to help with that. The code you posted for login.php only sets the session variable right at the start of the code, and sets it to a value that doesn’t make much sense. You should be setting the value after you’ve successfully found the user in the database, and before you redirect the user to the next stage. Again, there is no problem with calling the session variable pretty much anything you want, and it’s nothing to do with what you put in it. It’ll be easier to debug in a few years time if the variable names relate to the information they store.
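A profile.php along the lines described in the replies above, added here as an example (not the poster’s code and not from the thread): the session key is set once at login, the profile query uses a prepared statement with a named placeholder, and the query is keyed on that same session value. It assumes connect.php creates `$dbh` as a PDO object with `PDO::ERRMODE_EXCEPTION`, that login.php stores the username in `$_SESSION['username']` after a successful password check, and that the `users` table has `username`, `email` and `created_at` columns; all of those names are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes connect.php sets up $dbh and
// that login.php sets $_SESSION['username'] only after a successful login.
session_start();
require 'connect.php';

// The variable is only ever set by a successful login, so its absence means
// "not logged in"; send the visitor to the login form instead of showing a row
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}

// Named placeholder: the value is bound separately and never becomes part of
// the SQL text, so quoting (or the lack of it) is no longer a concern
$stmt = $dbh->prepare(
    'SELECT `username`, `email`, `created_at` FROM `users` WHERE `username` = :username'
);
$stmt->bindValue(':username', $_SESSION['username'], PDO::PARAM_STR);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false) {
    // The session names a user that no longer exists: drop the session rather
    // than fall through to some other row
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit;
}

// Escape database values before they reach the HTML
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<h1>Profile for <?= h($user['username']) ?></h1>
<p>Email: <?= h($user['email']) ?></p>
<p>Member since: <?= h($user['created_at']) ?></p>
```

With the query keyed on the session value and nothing else, the page can only ever show the row belonging to whoever logged in; a page that always shows user 1 is the symptom of a query whose WHERE clause does not actually use that value.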
Oh yeah, sorry, on the login script it’s not supposed to be… $_SESSION['email'] = "<?php echo {['$username']} ?>";
I actually have it as $_SESSION['email'] = "['email']"; and this seems to work, but I don’t think it’s formatted correctly still. Then if I use just $_SESSION['email']; it doesn’t work either. So would it just be $_SESSION['email'] = "['?']"; ? As I’m using question marks in my register and login scripts?
All you’re doing there is assigning a string containing ['email'] to that session variable. I suspect you want to retrieve the email address from the database and put it in there. After you have fetched the value from the query in login.php, I think you need something like
$_SESSION['email'] = $fetch['email'];
Of course, you could just use the email address that the user typed into the form, as long as you do that after you have run the query to check that it’s valid and that the password matches, and not right at the start of the code where you have it.
? placeholders in queries only have their special meaning inside those queries.
Perhaps you could post the updated versions of the code - not just snippets and individual lines - so that people can comment on where you are assigning and checking the values.
Sure, so this is how I’ve updated my login.php code… I moved the $_SESSION part to after the password verify, before the redirect happens. This code logs in AND I am also able to post a review with username now! Thanks a lot for your help! Now I’m going to try to get the profile.php working, I’ll report back and let you know how it goes, thanks again!
<?php
session_start();
require('/var/www/vhosts/mywebsite.co.uk/httpdocs/PHP/connect.php');

if (isset($_POST['loginbtn']))
{
    $email = $_POST['email'];
    $psw = $_POST['psw'];

    // Prepared statement: the email is bound, not concatenated into the SQL
    $sql = $dbh->prepare("SELECT * FROM `users` WHERE `email` = ?");
    $sql->bindParam(1, $email, PDO::PARAM_STR);
    $sql->execute([$email]);
    $fetch = $sql->fetch();

    if ($fetch != null) {
        $passHash = $fetch['psw'];
        if(password_verify($psw, $passHash)) {
            // Session variable is now set only after the password check succeeds
            $_SESSION['usr_name'] = $fetch['username'];
            header("location:https://www.mywebsite.co.uk/Account/loginsuccessful.php");
            exit;
        }else{
            echo('Password incorrect !');
        }
    }else{
        echo('Email does not exist !');
    }
}
?>
The only problem I have with this is that you’re trying to do the same thing twice. Choose either using bindParam() or putting it in the execute() method. Reduce redundancy as much as possible.
Also, this will fail if someone modifies the HTML elements of your page source. If they change the value of the button to something like randomButtonName, your whole if check fails. Use $_SERVER['REQUEST_METHOD'] as @benanamen had suggested and check that instead for a POST request.
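The posted login.php reworked along the lines of the replies, as an added example (not the poster’s code): request method checked instead of the button name, one binding style only, named columns instead of SELECT *, session set only after the password check, and a relative redirect. It assumes connect.php creates `$dbh` with `PDO::ERRMODE_EXCEPTION` and that the `users` table has `username`, `email` and `psw` columns; the `loginsuccessful.php` path is taken from the thread, everything else is an assumption, and the `session_regenerate_id()` call goes a step beyond what the thread discusses.

```php
<?php
// Added example, not the poster's code. Assumes connect.php sets up $dbh
// (PDO, ERRMODE_EXCEPTION) and a `users` table with username, email and psw.
session_start();
require 'connect.php';   // relative path; require so a missing file is fatal

// A POST check holds up even if the submit button is renamed or removed
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.php');
    exit;
}

$email = $_POST['email'] ?? '';
$psw   = $_POST['psw'] ?? '';

// Name the columns, and bind the value once: here via the execute() array,
// so there is no bindParam() doing the same job a second time
$stmt = $dbh->prepare('SELECT `username`, `psw` FROM `users` WHERE `email` = ?');
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// One message for both failure cases, so the form does not confirm which
// email addresses are registered
if ($user === false || !password_verify($psw, $user['psw'])) {
    echo 'Email or password incorrect.';
    exit;
}

// Only a verified login reaches this point: give it a fresh session id so an
// id handed out before login cannot be carried over, then store the username
session_regenerate_id(true);
$_SESSION['username'] = $user['username'];

// Relative redirect instead of a hard-coded absolute URL
header('Location: loginsuccessful.php');
exit;
```

The session key chosen here (`username`) has to match the one the profile page and the navbar read; the name itself is arbitrary, as the thread says, but it must be the same everywhere.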
Ohh okay, thanks for that tip, I wasn’t sure if it had to be included in the execute or not lol, thanks!
Also, I’ll try to look into this $_SERVER thing a bit more too, thanks!