Sorry if this is a duplicate question, but I am trying to make a login form and I cannot seem to get user sessions working. What do I need to do to add this in? My login code already sets session variables, but I do not know what the other pages have to do to make use of the session that is being created.
This is my login authentication:
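<?php
// Login handler.
//
// Looks the submitted username up in the users table, verifies the submitted
// password against the stored password_hash() value and, on success, marks the
// PHP session as logged in and redirects to ../index.php.
//
// Setting $_SESSION here does nothing for the rest of the site on its own: every
// page that requires a login has to start the session and check the flag itself,
// for example at the very top of the page:
//
//   session_start();
//   if (empty($_SESSION['loggedin'])) { header('Location: login.html'); exit; }
//
// Not addressed here (out of scope for this script, but needed before going
// live): throttling / lock-out after repeated failed logins, and serving the
// form over HTTPS with the session cookie marked Secure and HttpOnly.
session_start();

// Change this to your connection info.
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';

// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if (mysqli_connect_errno()) {
    // Keep the driver message in the server log; echoing it to the visitor leaks
    // host names, database user names and driver versions.
    error_log('Failed to connect to MySQL: ' . mysqli_connect_error());
    die('Failed to connect to the database.');
}

// Both fields must be present; isset() is false for a missing key.
if (!isset($_POST['username'], $_POST['password'])) {
    die('Please fill both the username and password field!');
}
// A form field submitted as username[]=... arrives as an array; bind_param()
// only accepts scalars, so reject anything that is not a plain string.
if (!is_string($_POST['username']) || !is_string($_POST['password'])) {
    die('Please fill both the username and password field!');
}

// Prepared statement: the username travels as a bound parameter and can never
// alter the SQL text.
$stmt = $con->prepare('SELECT id, password FROM users WHERE username = ?');
if ($stmt === false) {
    // prepare() returns false when the SQL is invalid or the table is missing.
    // The original code fell through and dereferenced an undefined $stmt here.
    error_log('Login prepare failed: ' . $con->error);
    die('There was a problem logging in. Contact your Network Administrator.');
}
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
// Buffer the result so num_rows is available.
$stmt->store_result();

$loginOk = false;
$id = null;
if ($stmt->num_rows > 0) {
    $stmt->bind_result($id, $password);
    $stmt->fetch();
    // $password is the hash written by password_hash() at registration time;
    // password_verify() handles the algorithm, salt and cost stored inside it.
    $loginOk = password_verify($_POST['password'], $password);
}
$stmt->close();
$con->close();

if (!$loginOk) {
    // One message for both "no such user" and "wrong password". Separate
    // messages ("Incorrect username!" / "Incorrect password!") let an attacker
    // confirm which usernames exist. Note that the unknown-user path still
    // skips password_verify() and is therefore measurably faster; verifying
    // against a dummy hash in that branch would close the timing difference.
    die('Incorrect username or password!');
}

// Verification succeeded. Replace the session id and delete the old session
// file so an id planted in the browser before login (session fixation) does
// not become an authenticated session; regenerate_id() without `true` leaves
// the old id's data on the server.
session_regenerate_id(true);
$_SESSION['loggedin'] = true;
$_SESSION['name'] = $_POST['username'];
$_SESSION['id'] = $id;
header('Location: ../index.php');
// Stop after sending the redirect; PHP does not stop by itself and anything
// below this line would still execute.
exit;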
And this is my registration handler (the script the registration form posts to):
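<?php
// Registration handler.
//
// Validates the registration form, refuses a username that already exists,
// stores a password_hash() of the password together with the profile fields
// and redirects to ../index.php on success.
session_start();

// Change this to your connection info.
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';

// The role every self-registered account receives. It is decided here, on the
// server, and deliberately NOT read from the form: the original code bound
// $_POST['role_id'], so anyone could register as an administrator simply by
// adding a role_id field to the request.
// NOTE(review): set this to the id of your ordinary-user role.
$DEFAULT_ROLE_ID = 2;

// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if (mysqli_connect_errno()) {
    // Log the driver message; do not show it to the visitor.
    error_log('Failed to connect to MySQL: ' . mysqli_connect_error());
    die('Failed to connect to the database.');
}

// Every field the script reads must be present and a plain string (a field
// submitted as name[]=... arrives as an array, which bind_param() rejects).
// confirm_pwd is included: the original compared it further down without ever
// checking that it was sent, which raises an undefined-index notice.
$fields = ['first_name', 'last_name', 'email', 'username', 'password', 'confirm_pwd'];
foreach ($fields as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        die('Please complete the registration form');
    }
}

// Make sure the submitted registration values are not empty. Compare with ''
// rather than empty(): empty('0') is true, which would reject a user named "0".
foreach (['first_name', 'last_name', 'email', 'username', 'password'] as $field) {
    if ($_POST[$field] === '') {
        die('All fields are required for the form to be submitted');
    }
}

if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    die('The email address provided is invalid');
}

// Anchored pattern: the whole username must be alphanumeric. The original
// '/[A-Za-z0-9]+/' only required that ONE alphanumeric character appear
// somewhere, so "<script>" or "a b c" passed validation.
if (!preg_match('/^[A-Za-z0-9]+$/', $_POST['username'])) {
    die('The username provided is invalid');
}

// strlen() counts bytes, which is what matters for the hash input. The upper
// bound is kept from the original; bcrypt (PASSWORD_DEFAULT) accepts up to 72
// bytes, so 20 is a low ceiling for a password and could be raised.
if (strlen($_POST['password']) > 20 || strlen($_POST['password']) < 5) {
    die('Password must be between 5 and 20 characters');
}

// Strict comparison: != applies PHP's loose rules ("1e3" == "1000").
if ($_POST['password'] !== $_POST['confirm_pwd']) {
    die('The two password provided do not match.');
}

// Refuse a username that is already taken. This check and the INSERT below are
// two separate statements, so two simultaneous registrations of the same name
// can both pass it; a UNIQUE index on users.username is the real guarantee and
// the execute() check below reports its failure.
$stmt = $con->prepare('SELECT id FROM users WHERE username = ?');
if ($stmt === false) {
    error_log('Registration lookup prepare failed: ' . $con->error);
    die('There was a problem creating this account. Contact your Network Administrator.');
}
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
$stmt->store_result();
$usernameTaken = $stmt->num_rows > 0;
// Close the lookup before preparing the INSERT; the original overwrote $stmt
// and never closed the first statement.
$stmt->close();

if ($usernameTaken) {
    $con->close();
    die('Another account with this username already exists');
}

$stmt = $con->prepare('INSERT INTO users (role_id, first_name, last_name, email, username, password) VALUES (?, ?, ?, ?, ?, ?)');
if ($stmt === false) {
    // Something is wrong with the sql statement; check that the users table
    // exists with all six columns.
    error_log('Registration insert prepare failed: ' . $con->error);
    $con->close();
    die('There was a problem creating this account. Contact your Network Administrator.');
}

// Never store the plain password: store the hash and use password_verify()
// at login time.
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$stmt->bind_param('ssssss', $DEFAULT_ROLE_ID, $_POST['first_name'], $_POST['last_name'], $_POST['email'], $_POST['username'], $password);

// The original ignored execute()'s return value and redirected even when the
// row was not written (for example a UNIQUE index on email rejecting it).
if (!$stmt->execute()) {
    error_log('Registration insert failed: ' . $stmt->error);
    $stmt->close();
    $con->close();
    die('There was a problem creating this account. Contact your Network Administrator.');
}
$stmt->close();
$con->close();

header('Location: ../index.php');
// Stop after the redirect header; PHP would otherwise keep running.
exit;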