When you do post your actual code in the forum, identify the filename of each piece of code.
The code for any page should be laid out in this general order -
- post method form processing
- get method business logic - get/produce data needed to display the page
- html document
The post method form processing code and post method form for any operation should be on the same page. The only redirect you should have anywhere in your code is upon successful completion of the post method form processing code and it should be to the exact same URL of the current page. If you want to display a one-time success message, store it in a session variable, then test, display, and clear that session variable at the appropriate location in the html document. To allow the user to go to any other page, provide navigation links.
The only piece of user related data that should be stored in a session variable upon successful login is the user id (which is one of the pieces of data you are storing.) You should query on each page request to get any other user related data, and store it in an approximately named array variable, not a session variable.
A session variable is an input to the code on a page. If it is a ‘required’ input, you must validate that it is at least set before using it. If a ‘required’ input is not valid, you would setup and display an error message, instead of running code that’s dependent on that input.
The only database exceptions you should catch and handle in your code are for user recoverable errors, such as when inserting/updating duplicate user submitted data. In all other cases, simply let php catch and handle any database statement exception, where php will use its error related settings to control what happens with the actual error information, via an uncaught exception error (database errors will ‘automatically’ get displayed/logged the same as php errors.)
A post method form is used when performing an action on the server, such as inserting, updating, or deleting data, sending an email, … What action is the first piece of code performing?
htmlspecialchars() is an output function. Do NOT apply it to values being put into variables, because it changes the meaning of the data. Apply it only to values that are being used in a html context, right before using them.
Data that is an input to a function should be supplied as a call-time parameter. This makes the function general-purpose, i.e. you can call it with data gotten from anywhere. For your display_user() function, since it is hard-coded to get the data from a session variable, it cannot do anything else. What if you have a page that allows an administrator to edit user data. If the display_user() function accepted its input data as a call-time parameter, you can use it to either display the current user’s data or any user’s data.
Functions should return the result they produce to the calling code. This allows the result to be used in any context - web page, email body, api response, …
There’s generally no need to free-up prepared query statements, result sets, or close database connections in your code since php destroys all resources when your script ends.