Session query

When I’ve reached the loggedin.php page, or any other page that requires login, do I need to put a session variable declaration in each page for the username, or can I use the username anywhere in the session/pages after declaring it at the start of the login.php page?

I’m connecting to the database and logging in OK, but when I want to echo out the name of the user that’s logged in to the session, by trying to echo it out using session variables, nothing is printed. Any help would be great. Am I going about this in the right way to print out the name of the user that’s logged in when the session is started?

The code so far is below. I’ve been looking at a few samples online:

login.php page

<?php
//database connection established and is working

if ($database_connected) {

	$username = quote_smart($username, $connected);
	$password = quote_smart($password, $connected);

	$SQL = "SELECT * FROM login_table WHERE username = $username AND password = ($password)";
	$result = mysql_query($SQL);

	if ($result) {
		// only count rows once we know the query did not fail
		$num_rows = mysql_num_rows($result);
		if ($num_rows > 0) {
			session_start();
			$_SESSION['login'] = "1";

			//do i need to put this in a session variable here to use it throughout the pages
			// stored in $_SESSION so any page that calls session_start() can read it
			$_SESSION['username'] = $_POST['username'];

			header ("Location: loggedin.php");
			exit; // stop running the rest of the script after the redirect
		}
		else {
			session_start();
			$_SESSION['login'] = "";
			header ("Location: error.php");
			exit;
		}
	}
	else {
		$errorMessage = "Error logging on";
	}
}

loggedin.php

<?php

session_start();

if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {

	// not logged in: send back to the login form, not to this page,
	// otherwise the browser loops on loggedin.php forever
	header ("Location: login.php");
	exit;

}

// the value set in login.php is available here because the session was resumed above
echo "Logged in as " . htmlspecialchars($_SESSION['username']);

Are the passwords stored in a hash form or plain text in the database? User passwords should never be stored as plain text in any application.

Also please be aware that the mysql_* extension is now deprecated as of the current version of PHP and will very likely be removed from the next 5.x version and will likely not be in PHP 6.x (when it eventually is released). You should migrate over to either the mysqli_* extension or to PDO. PDO is a better choice as it doesn’t tie you down so much to a particular database server software.

Once you have migrated you should use Prepared Statements to prevent SQL Injection attacks. Have a read of this article from the PHP manual; it shows how to use prepared statements with PDO and also explains the principle.
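The approach this answer recommends, as an added example that is not code from either poster: a PDO prepared statement plus password_verify() instead of a plain-text comparison, with the username written to the session once so every later page can read it. The table layout (login_table with username and password_hash columns), the DSN and the database credentials are assumptions.

```php
<?php
// Added example (not the original poster's code): a login handler using PDO
// prepared statements and password_verify(), storing the username in the
// session once. Assumes a table login_table(username, password_hash) where
// password_hash holds the output of password_hash(); DSN and credentials
// are placeholders.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
               'db_user', 'db_password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Look up a user and check the submitted password against the stored hash.
// Returns the username on success, null on failure.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // Placeholders keep user input out of the SQL text, so quote_smart()
    // style escaping is no longer needed.
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM login_table WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored bcrypt/argon hash; never compare plain text.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return $row['username'];
    }
    return null;
}

$user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');

if ($user === null) {
    $_SESSION['login'] = '';
    header('Location: error.php');
    exit;
}

// A fresh session id on login prevents session fixation.
session_regenerate_id(true);
$_SESSION['login'] = '1';
$_SESSION['username'] = $user;   // set once here, readable on every page
header('Location: loggedin.php');
exit;
```

On loggedin.php, call session_start() and then echo htmlspecialchars($_SESSION['username']); the hash column is filled at registration with password_hash($plain, PASSWORD_DEFAULT).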