PHP session, value display doesn't work


I have made a PHP session, and I have problems with how to display it.

Actually here's the whole code (but the variables are in Slovenian and it's too much to change every one of them, so sorry about that).

My login.php file:

<?php
session_start();
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
header ("Location: index1.php");
}

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
    $uname = $_POST['uporabnisko1'];
    $pword = $_POST['geslo1'];

    $_SESSION['uporabniskoime1'] = $_POST['uporabnisko1'];

    $user_name = "root";
    $pass_word = "";
    $database = "spletnabaza";
    $server = "127.0.0.1";

    $db_handle = mysql_connect($server, $user_name, $pass_word);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {

        $SQL = "SELECT * FROM uporabnik WHERE uporabnisko = '$_POST[uporabnisko1]' AND geslo = '$_POST[geslo1]'";
        $izpisImena ="SELECT '$ime' FROM uporabnik WHERE uporabnisko = '$_POST[uporabnisko1]' AND geslo = '$_POST[geslo1]'";
        $_SESSION['imeuporabnika'] = $izpisImena;
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);

        if ($result) {
            if ($num_rows > 0) {
                session_start();
                $_SESSION['login'] = "1";
                header ("Location: Stranzaindexom.php");
            }
            else {
                session_start();
                $_SESSION['login'] = "";
                header ("Location: index1.php");
            }   
        }
        else {
            $errorMessage = "Napaka pri vpisu";
        }

    mysql_close($db_handle);

    }

    else {
        $errorMessage = "Napaka pri vpisu";
    }

}


?>

My signup.php file:

<?php
session_start();
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
header ("Location: index1.php");
}

$uname = "";
$pword = "";
$errorMessage = "";
$num_rows = 0;

if ($_SERVER['REQUEST_METHOD'] == 'POST'){

    $name1 = $_POST['ime'];
    $surname = $_POST['priimek'];
    $uname = $_POST['uporabnisko'];
    $pword = $_POST['geslo'];

    $_SESSION['geslo1'] = $_POST['geslo'];
    $_SESSION['uporabniskoime'] = $_POST['uporabnisko'];

    $uLength = strlen($uname);
    $pLength = strlen($pword);

    if ($uLength >= 3 && $uLength <= 20) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Uporabniško ime mora biti dolgo od 3 do 20 znakov". "<BR>";
    }

    if ($pLength >= 3 && $pLength <= 16) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Geslo mora biti dolgo od 3 do 20 znakov" . "<BR>";
    }

    if ($errorMessage == "") {

    $user_name = "root";
    $pass_word = "";
    $database = "spletnabaza";
    $server = "127.0.0.1";

    $db_handle = mysql_connect($server, $user_name, $pass_word);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {

        $SQL = "SELECT * FROM uporabnik WHERE uporabnisko = $uname";
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);

        if ($num_rows > 0) {
            $errorMessage = "To uporabnisko ime že obstaja!";
        }       
        else {

            $SQL = "INSERT INTO uporabnik (id, ime, priimek, uporabnisko, geslo) VALUES (NULL, '$_POST[ime]', '$_POST[priimek]', '$_POST[uporabnisko]', '$_POST[geslo]')";

            $result = mysql_query($SQL);

            mysql_close($db_handle);

            session_start();
            $_SESSION['login'] = "1";

            header ("Location: ../index1.php");
        }
    }
    else {
        $errorMessage = "Database Not Found";
    }
    }
}
?>

And then my file Stranzaindexom.php, where I want to display the variables. At the top:

<?php 
session_start();

?>

In the middle: Pozdravljen/-a:

<?php
    echo $_SESSION['imeuporabnika'];
?>

And when I'm signed in to my page with root I get printed:

Pozdravljen/-a: SELECT 'ime' FROM uporabnik WHERE uporabnisko= 'root' AND geslo= ''

Instead of Pozdravljen/-a, professor. (professor is the name of the root username)

Did I miss something?


Answer

Solution:

Before executing any of the above queries, check the user input ($_POST variables). This can be done easily with the mysql_real_escape_string function. You might also want to use the strip_tags() and trim() functions. For example:

$name = mysql_real_escape_string($_POST['name']);

The mysql_* functions are deprecated; I would recommend that you start using mysqli or, even better in my opinion, PDO. Also, your queries won't work; here is a working example:

$query = "SELECT `id` FROM `users` WHERE `name` = '{$name}'";

Don't store any session before actually logging in or registering. Do this after the user has successfully registered or logged in. Also don't store any valuable variables like a password, just the user_id would be enough for you. You could easily check if a user is logged in:

if(isset($_SESSION['user_id'])) {
    //User is logged in
} else {
    //User is not logged in
}

Also, only connect to the DB once and use session_start() once per script. Even prettier would be to do this in a file named config.php. Then simply do this in the beginning of your scripts:

require_once('config.php');

There are more things, but this will give you a good start and enough to work on :-). Good luck.
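The points from the answer put together, as an added example that is not the asker's or the answerer's code: the query is run through a PDO prepared statement, the fetched row (not the SQL string) supplies the displayed name, and the session is written only after a successful login. The helper names `demoDb` and `authenticate`, the in-memory SQLite stand-in database, the sample password, and storing a `password_hash()` value in the `geslo` column are assumptions that go beyond what the page shows.

```php
<?php
declare(strict_types=1);
// Added example. demoDb() and authenticate() are hypothetical helper names.
// Constructed stand-in DB (in-memory SQLite) so this runs offline; for MySQL use a
// 'mysql:host=...;dbname=...' DSN with the real credentials instead.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE uporabnik (id INTEGER PRIMARY KEY, ime TEXT, uporabnisko TEXT UNIQUE, geslo TEXT)');
    $ins = $db->prepare('INSERT INTO uporabnik (ime, uporabnisko, geslo) VALUES (?, ?, ?)');
    // Constructed sample user; the column holds a hash, not the plain password (assumption).
    $ins->execute(['professor', 'root', password_hash('constructed-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns ['id' => int, 'ime' => string] on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, ime, geslo FROM uporabnik WHERE uporabnisko = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // the result row, not the query string
    if ($row === false || !password_verify($password, $row['geslo'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'ime' => $row['ime']];
}

session_start();                              // once per script
$db = demoDb();
// In login.php these two arguments would come from $_POST.
$user = authenticate($db, 'root', 'constructed-password');
if ($user !== null) {
    session_regenerate_id(true);              // fresh session ID after login
    $_SESSION['user_id'] = $user['id'];       // no password in the session
    $_SESSION['imeuporabnika'] = $user['ime'];
}
// A username containing a quote is bound as data and simply matches no row.
var_dump(authenticate($db, "ro'ot", 'x'));
echo 'Pozdravljen/-a, ', htmlspecialchars($_SESSION['imeuporabnika'] ?? 'guest'), "\n";
```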
