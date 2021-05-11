MySQL displays every user's information instead of the logged in one

Hello everyone! I’m new in back-end and I’m currently working on a project where I’ve created a user registration and sign in form with sessions. I’m building a profile page where I will display the logged in user information but my PHP code displays every user’s information on a page, I tried to add session to data fetching but I’m always getting a lot of erros, could someone please help me out on this? It’d be greatly appreciated! Thanks in advance, Here is my code:

At the very top:

<?php

session_start();

if (!isset($_SESSION['loggedin'])) {
	header('Location: login.php');
	exit;
}
?>

Before the section where I want to display the data:

<?php
       include_once 'php/connection.php';
       
        $sql = "SELECT id, firstname, lastname FROM users";
        $result = $conn->query($sql);
        // output data of each row
        while($row = $result->fetch_assoc()) {   
    ?>

<h1><?php echo $row["firstname"]; ?></h1>

After the section where I want to display data:

<?php
            
}

$conn->close();
            
?>
You’ve asked MySQL for all records in the users table. If you only want the entry for a single user then you need to use a WHERE clause in the query

Welcome to the Sitepoint forums.

This query is asking for id, firstname, lastname from the users table but has not specified which row you want. In such a query you could add something like WHERE id=97 - this would find you the user with id 97. But I don’t think that is how you want this to work.

Your login routine has probably already assigned these values to session variables eg _SESSION['id'], _SESSION[‘firstname’], $_SESSION[‘lastname’]. Have a look through the login script and see if you can see this. If so then you can then just use the variables to say, for instance

echo "Hello, {$_SESSION['firstname']} {$_SESSION['lastname']} - welcome to my website.";

Btw, don’t put this site on a live Internet site until you have learned about secure SQL queries using prepared statements.

Get back to us if you can’t figure things out.

Thank you guys for the answers and yes, the problem was that I didn’t specify which entry I needed but after adding

WHERE email='".$_SESSION['name']."'

to the SQL statement it worked as I wanted it to work.
Here is the full statement:

$sql = "SELECT firstname, lastname FROM users WHERE email='".$_SESSION['name']."'";

Although I believe that this will be SQL injection vulnerable?

Yes. You need to use a prepared statement rather than putting $_SESSION['name'] in your query string.

I’m very new in PHP and SQL so I tried to do this:

        $sess = $_SESSION['name'];
    
        $stmt = $conn->prepare("SELECT firstname, lastname, email, phone, birthday, gender FROM users WHERE email=$sess)
        values(?, ?, ?, ?, ?, ?)");
        $stmt->bind_param("ssssss", $firstname, $lastname, $email, $phone, $birthday, $gender);
        $stmt->execute();
        $result = $conn->query($sql);

But it’s giving me this error:

Fatal error : Uncaught Error: Call to a member function bind_param() on bool in C:\xampp\htdocs\profile.php:80 Stack trace: #0 {main} thrown in C:\xampp\htdocs\profile.php on line 80

I think you need:

$sql="SELECT firstname, lastname, email, phone, birthday, gender FROM users WHERE email?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $email);
$stmt->execute();

where $email is the variable that is the email. Although you seem to be asking for the email when you already know the email. I may have misunderstood what you are trying to do here. Presumably the user has logged by this stage. You can obtain all this info when they log on and store it in the

$_SESSION
variable (eg
$_SESSION['lastname'], $_SESSION['email']