Customer log in help

Hi, I’m hoping someone can help me with my problem. Basically what I am trying to create is a log in system, whereas customers can log in to view their package details (address, billing number etc.) But i’m confused on how I can display a customers results based upon who has logged in.

So far I have 2 tables, one called userlogin and one called userinfo. Userlogin simply contains username and password data, whereas userinfo will contain all of the the customers information (address, billing number etc.). These two tables share a row with the same value, user_id. I have tryed to use MYSQL inner join and such, but i’m unsure where I am going wrong, and why I can’t return one users information, and it instead shows me all results, or none.

Here is the code for my 2 pages, first the log in page.

[php]<?php
// Use session variable on this page. This function must put on the top of page.
session_start();
$_SESSION[‘username’] = ‘Root’;

////// Login Section.
$Login=$_POST[‘Login’];
if($Login){ // If clicked on Login button.
$username=$_POST[‘username’];
$password=$_POST[‘password’]; // Encrypt password with md5() function.

// Connect database.
//connect
$con = mysql_connect(“","”,"******");
if (!$con)
{
die('Could not connect: ’ . mysql_error());
}
//datebase
mysql_select_db("******", $con);

// Check matching of username and password.
$result=mysql_query(“select * from userlogin where username=’$username’ and password=’$password’”);
if(mysql_num_rows($result)!=‘0’){ // If match.
session_register(“username”); // Craete session username.
header(“location:home.php”); // Re-direct to main.php
exit;
}else{ // If not match.
$message="— Incorrect Username or Password —";
}

} // End Login authorize check.
?>[/php]

and here is the home page (the page which will display the customers information).

[php]<?php
session_start();
if(isset($_SESSION[‘username’]))
?>

<?php // Connect database. //connect $con = mysql_connect("******","******","******"); if (!$con) { die('Could not connect: ' . mysql_error()); } //datebase mysql_select_db("*****", $con); //select $user_id = $_GET['user_id']; $result = mysql_query("SELECT userinfo.name as name, userinfo.address as address, userlogin.username as username FROM userinfo INNER JOIN userlogin ON userlogin.user_id = userinfo.user_id WHERE userlogin.user_id = $user_id;"); while($row = mysql_fetch_array($result)) { echo $row['name'] . ' '; echo $row['username'] . ' '; echo $row['address'] . ' '; } ?>[/php]

I understand that I might not have explained this well, or my code might not be very clean, but please any feedback, or questions you have for me will be greatly appreciated! Thank you!

When doing the select user query on login you should insert the user id into the session. Then you can later get the id with $_session [‘user’][‘id’] and use that in queries where you want that users data

Something like this
[Php]$result=mysql_query(“select * from userlogin where username=’$username’ and password=’$password’”);
if(mysql_num_rows($result)!=‘0’){ // If match.
$_SESSION [‘user’][‘id’] = $ result [‘id’];[/php]

[hr]

The mysql_* functions are deprecated and should not be used anymore. Your code is also highly vulnerable to sql injection.

Hi Jiml, thank you for your feedback. I’ve altered my code accordingly, however i’m still having the same problem. Upon logging in all information from my table is displayed to me . I’ve also tidied up my code slightly, and regarding mysql i’m currently in the process of changing to mysqli_ to help with security.

Below is the updated code for my pages

// Use session variable on this page. This function must put on the top of page.
session_start();
$_SESSION[‘username’] = ‘Root’;

[php]////// Login Section.
$Login=$_POST[‘Login’];
if($Login){ // If clicked on Login button.
$username=$_POST[‘username’];
$password=$_POST[‘password’]; // Encrypt password with md5() function.

// Connect database. 
//connect
$con = mysql_connect("*****","*****","*****");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
//datebase
mysql_select_db("*****", $con);

// Check matching of username and password.
$result=mysql_query("select * from userlogin where username='$username' and password='$password'");
if(mysql_num_rows($result)!='0'){ // If match.
$_SESSION ['user']['id'] = $result ['id'];
    session_register("username"); // Craete session username.
    header("location:home.php"); // Re-direct to main.php
    exit;
}
else { // If not match.
    $message="--- Incorrect Username or Password ---";
}

} // End Login authorize check.
[/php]

[php]session_start();
if (isset($_SESSION[‘username’])){}

$con = mysql_connect(“","”,“");
if (!$con){
die('Could not connect: ’ . mysql_error());
}
//datebase
mysql_select_db("”, $con);
//select
$user_id = $_GET[‘user_id’];
$result = mysql_query(“SELECT userinfo.name as name, userinfo.address as address, userlogin.username as username
FROM userinfo
INNER JOIN userlogin ON userlogin.user_id = userinfo.user_id
WHERE userlogin.user_id = userinfo.user_id”);

while($row = mysql_fetch_array($result)){
echo $row[‘name’] . ’ ';
echo $row[‘username’] . ’ ';
echo $row[‘address’] . ’ ';
}[/php]

Another way of doing it ([size=14pt]Like JimL already stated you really should be using mysqli or PDO[/size])
[php]$result=mysql_query(“select * from userlogin where username=’$username’ and password=’$password’”);
$row = mysql_fetch_row($result);

if ($row) { // You know that if there is no match then the if statement is false and doesn’t set the username:
$_SESSION[‘user’][‘username’] = $row[‘username’];
// And if you are paranoid about security either unset the password:
unset($row[‘password’]); // OR DON"T USE THE * AND ONLY RETRIEVE WHAT YOU NEED
}[/php]

And you should also being using some kind of Password Hashing Library preferably from a reliable source: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php

and if you want further idea how to do a login/registration system, then look at my signature.