user account

Hi, I am having a problem with the user account: once I log in it displays every record from one of my database tables, but I want to display only what is associated with this user account. Could you please take a look at my code and see what I have done wrong or am missing? Thanks

[PHP]
<?php
session_start();
$con=mysqli_connect("localhost","","","") or die();
if(isset($_POST['submit'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    $permission = trim($_POST['permission']);
    $query ="SELECT * FROM useraccount WHERE username='$_POST[username]'and password='$_POST[password]' and permission='$_POST[permission]'";
    $result= mysqli_query($con,$query) or die(mysqli_error());
    $num_row = mysqli_num_rows($result);
    $row = mysqli_fetch_array($result);
    if($num_row == 1){
        if($_SESSION['account_id']=$row['username'] && $_POST['password']=="$password" && $_POST['permission']=="Student") {
            header("Location:studentAccount.php");
            exit;
        } else if($_SESSION['account_id']=$row['username']&& $_POST['password']=="$password" && $_POST['permission']=="Staff") {
            header("Location:staffAccount.php");
            exit;
        } else {
            echo "You got credentials wrong";
        }
    }
}
?>
[/PHP]

User Account:
[PHP]
<?php
session_start();
if($_SESSION['account_id'] == '') {
    header('location: registration.php');
    exit;
}
$username = $_SESSION['username'];
?>
<?php
//include database connection
$con=mysqli_connect("localhost","","","");//database connection
$query = "select * from goal where account_id =".$_SESSION['account_id'];
//execute the query
$result= mysqli_query($con,$query);
while($row = mysqli_fetch_assoc($result)){
?>
<?php echo $row['goalName'] ; ?>
<?php echo $row['gdescription'] ; ?>
<?php echo $row['progress'] ; ?>
delete Edit
<?php } ?>
[/PHP]

File 1

Why do this when you don’t use it in the rest of the code?
[php]$username = trim($_POST['username']);
$password = trim($_POST['password']);
$permission = trim($_POST['permission']);[/php]

Never input user data into queries. Look into Mysqli prepared statements and use placeholders! Also notice you’ve forgotten the quotes for the post array keys, so this should throw a notice.

This[php]$query ="SELECT * FROM useraccount WHERE username='$_POST[username]'and password='$_POST[password]' and permission='$_POST[permission]'";[/php]

Should be[php]$query ="SELECT * FROM useraccount WHERE username= ? and password= ? and permission= ?";[/php]

Also in this query you are missing a space between a variable and an “and”. This should have given you an error in the “or die” function you have going, didn’t you get anything?

Do you intend to set the session variable here, or do you want to check it? One = sign sets a variable…[php]if($_SESSION['account_id']=$row['username'] && $_POST['password']=="$password" && $_POST['permission']=="Student")[/php]

[hr]

File 2

Change to parameterized queries

[hr]

If you don’t get any errors or notices you should turn on all errors, you need to know what’s going on while developing.

Add this to the beginning of your file:[php]ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');[/php]
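As an added example (not code from either of the posts above), here are both of the original files reworked the way the reply recommends: placeholders instead of `$_POST` values inside the SQL string, the password hash checked in PHP with `password_verify()`, and the account page selecting only the logged-in user's rows. It assumes `useraccount` has an integer primary key column named `account_id` (an assumption; the thread never names it) that `goal.account_id` refers to, that `useraccount.password` holds `password_hash()` output, and that the database credentials are placeholders to replace.

```php
<?php
// Added example, not the thread's own code. Assumptions: useraccount has an
// integer primary key column account_id (assumed name) referenced by
// goal.account_id, and useraccount.password stores password_hash() output.
ini_set('display_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

session_start();
$con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholder credentials

/**
 * Look up the account by username and permission using placeholders, then
 * compare the password against the stored hash in PHP. The password never
 * becomes part of the SQL. Returns the account row on success, null otherwise.
 */
function authenticate(mysqli $con, string $username, string $password, string $permission): ?array
{
    $stmt = $con->prepare(
        'SELECT account_id, username, permission, password
           FROM useraccount
          WHERE username = ? AND permission = ?'
    );
    $stmt->bind_param('ss', $username, $permission);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // never keep the hash in the session
    return $row;
}

/** Goals belonging to one account only; the id is bound as an integer ("i"). */
function goalsForAccount(mysqli $con, int $accountId): array
{
    $stmt = $con->prepare(
        'SELECT goalName, gdescription, progress FROM goal WHERE account_id = ?'
    );
    $stmt->bind_param('i', $accountId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- login handling (the role of the OP's first file) ---
if (isset($_POST['submit'])) {
    $account = authenticate($con, trim($_POST['username']), $_POST['password'], trim($_POST['permission']));
    if ($account === null) {
        echo 'You got credentials wrong';
        exit;
    }
    session_regenerate_id(true);                    // fresh session id once logged in
    $_SESSION['account_id'] = (int) $account['account_id']; // the id, not the username
    $_SESSION['username']   = $account['username'];
    $_SESSION['permission'] = $account['permission'];
    // Route on the permission stored in the database, not on what was posted.
    header('Location: ' . ($account['permission'] === 'Staff' ? 'staffAccount.php' : 'studentAccount.php'));
    exit;
}

// --- account page (the role of the OP's second file) ---
if (!isset($_SESSION['account_id'])) {              // a real check, not a single '='
    header('Location: registration.php');
    exit;
}
foreach (goalsForAccount($con, $_SESSION['account_id']) as $goal) {
    echo htmlspecialchars($goal['goalName']), ' ',
         htmlspecialchars($goal['gdescription']), ' ',
         htmlspecialchars($goal['progress']), "<br>\n";
}
```

The two halves are shown in one file only so they share the helpers; in practice the login part stays in the login script and the second part in studentAccount.php / staffAccount.php. `get_result()` requires the mysqlnd driver, which is the default on current PHP builds; on an older build, use `bind_result()` and `fetch()` instead. Storing the numeric `account_id` in the session (rather than the username) is what makes the `goal` lookup match the right rows.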

OK, I've been fooling around with mysqli for the last hour (I use PDO) ;D , I think the following might simplify your script or at least get you to look at it a little differently:

[php]// A nice password hashing library for PHP 5
// Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
// Read the Documentation for further help:
require 'includes/password.inc.php';

session_start(); // needed before $_SESSION is written below
// $mysqli is assumed to be an already-open mysqli connection object

if (isset($_POST['action']) && $_POST['action'] == 'login') {

    $username = $_POST['username']; // Bind parameter:

    /* This is where you setup your query */
    $query = 'SELECT id,
                     username,
                     password,
                     DATE_FORMAT(date_added, "%e %M %Y") as date_added
              FROM users
              WHERE username = ?';

    $stmt = $mysqli->prepare($query);	// Prepare the query:

    /* bind parameters for markers */
    $stmt->bind_param("s", $username);

    /* execute query */
    $stmt->execute();

    $result = $stmt->get_result(); // Grab the results from database:

    // This variable tells us whether the user has successfully logged in or not.
    // We initialize it to false, assuming they have not.
    // If we determine that they have entered the right details, then we switch it to true.
    $login_ok = false;

    // Retrieve the user data from the database.  If $row is false, then the username
    // they entered is not registered.
    $row = $result->fetch_assoc();

    if($row)
    {
        // Verify Stored Hashed Password:
        $result = password_verify($_POST['password'], $row['password']);

        if ($result) {
            $login_ok = true;
        } else {
            $errMsg = '<p>Your credentials do not match!</p>';
        }

    }

    // If login is OK:
    if ($login_ok) {

        // It's not wise to store the password in $_SESSION:
        unset($row['password']);

        // This stores the user's data into the session at the index 'user'.
        // We will check this index on the private members-only page to determine whether
        // or not the user is logged in.  We can also use it to retrieve
        // the user's details.
        $_SESSION['user'] = $row;

        // The following output is just to prove that it works:
        echo '<pre>';
        print_r($_SESSION);
        echo '</pre>';

        // Redirect the user to the private members-only page.
        //header("Location: admin.php");
        //die("Redirecting to: admin.php");
    }
}[/php]

The query should be set up to the way you have your database, plus the code was written with my script in mind…meaning changes obviously will have to be made, and I think $_POST['permission'] could be set in the $_SESSION['user'] that way you could do the test at the page you do or don't want the user to have permission. Like I stated, this is something that might or might not help you.
