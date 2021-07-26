How do I fetch user details to profile page using PDO?

I recently upgraded to PHP 7 and PDO from mysql and I’ve managed to get register/login working with sessions but I’m having a hard time getting the session to work with other things like reviews not being posted with session users username but the main thing I want to fix is fetching the currently logged in users details for Profile.php, for some reason I am only able to view user1’s details even when I’m signed into user2’s account, which obviously I don’t want, Can anyone help? I will add my code in order.
I know it’s a kinda long one so I would be really grateful for some help…I managed to shorten a lot on the profile.html so its easier to read :slight_smile:
( Also I dont know why the session is “$_SESSION[‘email’];” I’m assuming it’s due to logging in with email rather than username and for some reason I can’t make it “$_SESSION[‘username’];” without changing the login form to username instead of email…is it possible to sign in with email but have session as username? )

1 - connect.php

<?php

$host = 'localhost';
$dbuser = 'mainuser';
$dbpwd = 'pass';
$dbname = 'admin_';

//set DSN//
$dsn = 'mysql:host=' . $host .';dbname=' . $dbname;

//Create PDO instance//
//Attempt MySQL server connection.//
$dbh = new PDO($dsn, $dbuser, $dbpwd);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

2 - Register.php

<?php
session_start();
include("/var/www/vhosts/myweb.co.uk/httpdocs/PHP/connect.php");

if (isset($_POST['create'])) {

  $username = $_POST['username'];
  $email = $_POST['email'];
  $psw = $_POST['psw'];
  $pswrepeat = $_POST['pswrepeat'];

  $pdo = $dbh->prepare("SELECT count(*) from `users` WHERE `email` = ?");
  $pdo->bindParam(1, $email, PDO::PARAM_STR);
  $pdo->execute();
  $count = $pdo->fetchColumn();

  if($count > '0'){
    die("email already exists!");
  }else{

    if($psw == $pswrepeat){
      $hashPassword = password_hash($psw, PASSWORD_DEFAULT);
      $sql = $dbh->prepare("INSERT INTO `users` (username, email, psw) VALUES (?, ?, ?)");
      $sql->bindParam(1, $username, PDO::PARAM_STR);
      $sql->bindParam(2, $email, PDO::PARAM_STR);
      $sql->bindParam(3, $hashPassword, PDO::PARAM_STR);
      $sql->execute();

      header("location:https://www.myweb.co.uk/Account/signupcomplete.php");
      exit;
    }
  }
}
?>

3 - Login

<?php
session_start();

$_SESSION['email'] = "<?php echo {['$username']} ?>";

include('/var/www/vhosts/myweb.co.uk/httpdocs/PHP/connect.php');


if (isset($_POST['loginbtn']))
{
  $email = $_POST['email'];
  $psw = $_POST['psw'];


  $sql = $dbh->prepare("SELECT * FROM `users` WHERE `email` = ?");
  $sql->bindParam(1, $email, PDO::PARAM_STR);
  $sql->execute();
  $fetch = $sql->fetch();

  if ($fetch != null) {
    $passHash = $fetch['psw'];

    if(password_verify($psw, $passHash)) {
      header("location:https://www.myweb.co.uk/Account/loginsuccessful.php");
      exit;
    }else{
      echo('Password incorrect !');
    }
  }else{
    echo('Email does not exist !');
  }
}
?>

4 - Profile.html

<?php
session_start();

if(!isset($_SESSION['email'])){
   header("Location:../Account/login.php");
}
?>

<?php
date_default_timezone_set('Europe/London');
include('../PHP/connect.php');
?>

<html lang="en">
<head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <title>User Profile</title>
 <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
</head>

<body>

<?php require '../include/navbar.php';?>

<br><br>

<?php  
 include("/var/www/vhosts/myweb.co.uk/httpdocs/PHP/connect.php");
  //PDO QUERY//
  $stmt = $dbh->prepare('SELECT * FROM `users` WHERE `email` = '. $_SESSION['email'] .'');
  $stmt->execute();
  $fetch = $stmt->fetch();{
?>

<div class="mt-3">
     <h4><?php echo $fetch['username']; ?></h4>
     <p><?php echo $fetch['bio']; ?></p>
     <p><?php echo $fetch['country']; ?></p>
 </div>

</body>
</html>
Because that’s what you’ve told it to use.

But that begs the question, Whatever are you trying to do there? You’re already in PHP mode, so why attempt to open it again? Your session variable is always going to be that fixed string!

First, good job on switching to PDO.

I see many problems with the code you posted. Does the profile page actually have a .html extension as you have posted?

Starting with the connection, you have no error handling if the connection fails. This is one case where you should use a try/catch block to handle exceptions.

In register, I would suggest using a relative path instead of an absolute path and making the connection required instead of included.

Hoping for the name of a button to be submitted in order for your script to work can completely fail in certain cases. You should be checking the REQUEST METHOD instead. Do not create variables for nothing. Do not check for an existing email or username. Rather, set a unique constraint on those DB columns, attempt the insert and catch any duplicate errors. This would be the second suitable use case for a try catch block. As written the code will go nowhere if the password does not match the password confirm. Don’t hard code a URL in the redirect. Use a relative path. You don’t need the closing PHP tag in your files.

In login, why are you echoing in setting a session for email and on top of it setting the username to the email session? Makes no sense. Same comments apply to this file as previous. Specify the columns you want by name. Do not SELECT *.

In profile, the timezone setting does not belong there. That should be set in the php.ini. Stop mixing the file and directory case. Use all lowercase. You try to select where email equals Session email but you set it to the username so it will never match. I would suggest using the output tag instead of echoing all over the place.

Hi, thanks for the awesome reply! I shall change them from “include” to “required” :smiley: (little tips like that are really helpful lol) Also no the profile page has .php extension although its just a normal web page, and the part where I put the echo session tied to username is just something I was trying to test out lol I was suppost to revert that part before posting, my bad, The sessions are actually the thing I’m struggling with most, the thing is when I have it set email equals session email when I go to post review the name on review becomes “email” and not the actual email/name for some reason, I’m really new to PDO so I will try to follow your advice, thanks!

Yes but when I change it to $_SESSION[‘username’] it doesn’t actually use the username it just stops working completely, seems it only works with email

Also what do you mean by this? You are saying I’m echooing in something then have the username part ON TOP? on top of what? There is only one line of code? Also that line of coding was just for testing because I was trying to get it to work if I revert it I still have same problems…

There must be more to the problem than this - in general you can use whatever name you want for an array index, as long as it’s valid - and “username” is. You need to set it as part of your successful login code, and remember to use it in the “profile” query as well, and anywhere else that uses that same session variable. Personally I’d use the unique id column from the users table rather than the name, but as the username is also unique that probably doesn’t make any difference.

But I notice you have a black mark there in the profile.php - you’re not using a prepared statement like you do in the other queries. Maybe that’s part of the problem - if you used a prepared statement, the fact that you’re using a string in a query but haven’t put quotes around it wouldn’t matter.