www.webdeveloper.com

Thread: Php session won't resume data

  1. #1
    Join Date
    Jun 2014
    Posts
    1

    Php session won't resume data

    Following are the two separate pages. I have started the session in the login page and tried to save data in a session variable, and then I printed the data to confirm that the variable holds the data. After that I used the header function to redirect. When control goes to the profile page the st
    ******************&Login_page&********************
    <?php
    session_start();

    include "dbconnect.php";

    if($_POST['Email']!=""&&$_POST['Password']!="")
    {
        $name = mysql_real_escape_string($_POST["Email"]);
        $userpwd = mysql_real_escape_string($_POST["Password"]);

        // note the space before AND: the original ran the closing quote straight into the keyword
        $str= "SELECT * FROM books WHERE Email ='".$name."' AND Password = '".$userpwd."'";
        $result=mysql_query($str)or die(mysql_error());

        if($row = mysql_fetch_array($result))
        {
            $_SESSION["0"]=$row[0];
            $_SESSION["1"]=$row[1];
            $_SESSION["2"]=$row[2];
            $_SESSION["3"]=$row[3];
            $_SESSION["4"]=$row[4];
            $_SESSION["5"]=$row[5];
            $_SESSION["6"]=$row[6];
            $_SESSION["7"]=$row[7];

            echo $_SESSION["0"]." ".$_SESSION["1"]." ".$_SESSION["2"]." ".$_SESSION["3"]." ".$_SESSION["4"]." ".$_SESSION["5"]." ".$_SESSION["6"]." ".$_SESSION["7"];

            if(isset($_SESSION["0"]))
            {
                session_write_close();
                header("Location:Profile.php");
                exit; // stop the script so nothing else runs after the redirect
            }
        }
        else
        {
            echo "Invalid user name or password";
        }
    }
    else
        echo "Fields can't be Null";
    ?>
    ******************&Profile_page&*******************
    <?php
    session_start();
    ?>

    <h1> Profile</h1>

    <table id="csstable">

    <?php if(!isset($_SESSION["0"])){echo"not set";} ?>

    <tr><td>Name</td><td><?php echo "".$_SESSION["5"]; ?></td></tr>

    </table>

    <?php echo $_SERVER['SCRIPT_FILENAME']; echo foot(); ?>

  2. #2
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    546
    ????
    JG
    PS - If you're posting here you should be using:

    error_reporting(E_ALL | E_NOTICE);
    ini_set('display_errors', '1');


    at the top of ALL php code while you develop it!

  3. #3
    Join Date
    May 2014
    Posts
    630
    Well, lemme run down what I'm seeing wrong here.

    1) you should never != a value that might not be set, that will fill your error log. The function isset() exists to do that.

    2) This is 2014, not 2004 -- you shouldn't be using mysql_ functions, much less blindly dumping variables into queries -- hence the giant red warning boxes in the manual waving you off from using them?

    3) I'd suggest making your mysql fieldnames all lower case, since backup/restore functions can mangle case.

    4) I'd REALLY advise you NOT 'SELECT *' on a database that has a password in it. You should never run anything that retrieves the password and stores it permanently. Passwords are best sent monodirectional towards the database.

    5) I'd use an associative array instead of a numeric one.

    6) avoid string additions in echo, they're slower and force an unusual execution order. Comma delimiters would likely be far more useful.

    7) automate iterating the returned fields. That too should be simpler.

    8) I suggest regenerating the session ID on every access, makes MITM attacks harder. (though still not impossible, it just narrows the window)

    9) use a prefix on your session values just to reduce the odds of namespace collisions... or even better, just pass the entire row to $_SESSION.

    10) rather than wasting time on handshakes back and forth for nothing, instead of doing a redirect (a goofy method that I'm assuming some rubbish tutorial or book is out there telling people to do) just load the page to be run instead of

    11) there is rarely a reason to session_write_close.

    12) I assume your foot() routine is the page footer, if so why are you wasting memory passing a string instead of having it echo values? A more verbose name like say template_header and template_footer might be a bit more intelligible.

    13) Really might help if you encoded the password for storage AND removed it from memory as soon as you use it.

    Something more like:
    Code:
    <?php
    
    session_start();
    session_regenerate_id();
    
    include('dbconnect.php');
    // we'll assume the above makes a $db variable that's a connected PDO object
    
    if (isset($_POST['Email']) && isset($_POST['Password'])) {
    
    	$statement = $db->prepare('
    		SELECT * FROM books
    		WHERE Email = :email
    		AND Password = :password
    	');
    
    	$statement->execute([
    		':email' => $_POST['Email'],
    		':password' => hash('sha256', $_POST['Password'])
    	]);
    	$_POST['Password'] = ''; // destroy it to increase security once we've used it!
    
    	if ($_SESSION['booksUser'] = $statement->fetch(PDO::FETCH_ASSOC)) {
    
    		foreach ($_SESSION['booksUser'] as $key => $data) {
    			// escape before echoing so a stored value can't inject markup
    			echo htmlspecialchars($key), ' = ', htmlspecialchars((string) $data), '<br />';
    		}
    		include('Profile.php');
    
    	} else echo '<p>Invalid user name or password</p>';
    
    } else echo '<p>You must enter a user name or password</p>';
    
    ?>
    Code:
    <?php
    
    session_start();
    session_regenerate_id();
    
    echo '
    	<h1>Profile</h1>';
     
    if (!isset($_SESSION['booksUser'])){
    	echo 'Guest';
    } else echo '
    	<table id="csstable">
    		<tr>
    			<th scope="row">Name</th>
    			<td>', htmlspecialchars($_SESSION['booksUser']['Name']), '</td>
    		</tr>
    	</table>';
    	
    echo $_SERVER['SCRIPT_FILENAME'];
    
    ?>
    THOUGH as sessions are stored in a database too, I probably would avoid making duplicates of existing data on the disk and only store the user ID (which I assume is index 0) in the session, and pull the user info as needed from the main database when you're actually going to use it for something.

    That's also why, when I'm doing this sort of thing, my user database typically only has ID, username, and password in it, as those are the most frequently accessed values. I then have a userInfo table that has userID, field and data fields in it, allowing custom information about the user (the rarely accessed stuff) to be dynamic -- and a permissions table that can be accessed via a singleton (with the setter being a database read, so the permissions are 'read only' via getters).

    Though some folks say I'm overly paranoid about security -- in an 'insecure by design' language, I say there's no such thing as being "too paranoid".
    Java is to JavaScript as Ham is to Hamburger.
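    As an added example (not code from the thread or from any of the posters), here is the login/profile pair rewritten the way the points above suggest, with two substitutions the post itself does not make: password_hash()/password_verify() instead of a bare SHA-256 of the password, and only the user id kept in $_SESSION, with the row re-read from the database on the profile page. The users table, its columns, the Email/Password form field names and the SQLite in-memory database (used so the script runs stand-alone) are all assumptions.

```php
<?php
// Added example, not code from the thread. Assumed schema: users(id, email,
// name, password_hash). Runs stand-alone on an in-memory SQLite database.
declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '1');

/** Constructed in-memory database with one user so the example runs offline. */
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                                   name TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO users (email, name, password_hash) VALUES (?, ?, ?)')
       ->execute(['alice@example.com', 'Alice <script>',
                  password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Return the user id on a correct password, null otherwise. Only the id leaves
 * this function; the hash never reaches the session or the page.
 */
function login(PDO $db, string $email, string $password): ?int
{
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $st->execute([':email' => $email]);
    $row = $st->fetch();

    // Unknown e-mail: still run password_verify() against a dummy hash so the
    // response time does not reveal which addresses exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $hash  = $row === false ? $dummy : $row['password_hash'];
    $ok    = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }
    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

/** Login page: new session id on privilege change, and only the id is stored. */
function establish_session(int $userId): void
{
    session_regenerate_id(true);        // true = delete the old session file
    $_SESSION['user_id'] = $userId;     // string key: numeric keys are not saved
}

/** Profile page: re-read the row instead of trusting a copy cached at login. */
function current_user(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $st = $db->prepare('SELECT id, email, name FROM users WHERE id = ?');
    $st->execute([$_SESSION['user_id']]);
    $user = $st->fetch();
    return $user === false ? null : $user;
}

function render_profile(?array $user): string
{
    if ($user === null) {
        return '<p>Guest</p>';
    }
    $name = htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8'); // stops stored XSS
    return "<h1>Profile</h1>\n<table id=\"csstable\"><tr><th scope=\"row\">Name</th>"
         . "<td>{$name}</td></tr></table>";
}

// Demo run; the constructed values stand in for the POSTed form.
$db = demo_db();
session_start();
$email    = $_POST['Email']    ?? 'alice@example.com';
$password = $_POST['Password'] ?? 'correct horse';

if ($email === '' || $password === '') {
    echo "Fields can't be empty\n";
} elseif (($uid = login($db, $email, $password)) === null) {
    echo "Invalid user name or password\n";
} else {
    $password = '';                    // drop the plaintext as soon as it is used
    establish_session($uid);
    echo render_profile(current_user($db)), "\n";
}
```

    The session only ever holds the integer id, so a stale copy of the row (or of the password column) cannot live on after the database changes; the name is escaped at output because the stored value, not the session, is the untrusted input.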

  4. #4
    Join Date
    May 2014
    Posts
    1
    deathshadow pointed out good practices to use on login and good ethics in php coding.
    One thing I don't suggest is storing the actual user table id to identify the user after logging in. What I suggest is to create a new field to store a unique session id for every login (something like a random code);
    for every successful login, generate a random code, store it in the session and use it to identify the logged-in user. I think it should be much more secure.
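    One way to implement the per-login random code suggested above, as an added example that is not code from the thread: the code is minted with the CSPRNG on each successful password check, only its hash is written to the database so a leaked table cannot be replayed, and the same column is cleared on logout or password change so the server can end a login regardless of who still holds the cookie. The users table, the login_token_hash column and the in-memory SQLite database are assumptions; this sits alongside session_regenerate_id(), it does not replace it.

```php
<?php
// Added example, not code from the thread. Assumed schema: users(id, email,
// login_token_hash). Runs stand-alone on an in-memory SQLite database.
declare(strict_types=1);

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                                   login_token_hash TEXT NULL)');
    $db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");
    return $db;
}

/** After the password check succeeded: mint a fresh code for this login. */
function issue_login_token(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
    $db->prepare('UPDATE users SET login_token_hash = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $userId]);  // store the hash, not the code
    return $token;                                    // goes into $_SESSION only
}

/** Every protected page: map the session's code back to a user id, or null. */
function user_for_token(PDO $db, ?string $token): ?int
{
    if ($token === null || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                                  // malformed: never ours
    }
    $st = $db->prepare('SELECT id FROM users WHERE login_token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch();
    return $row === false ? null : (int) $row['id'];
}

/** Logout or password change: clearing the column ends the login everywhere. */
function revoke_login(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET login_token_hash = NULL WHERE id = ?')
       ->execute([$userId]);
}

// Demo run with constructed input: user 1 has just passed the password check.
$db = demo_db();
session_start();
session_regenerate_id(true);                          // still rotate the PHP session id
$_SESSION['login_token'] = issue_login_token($db, 1);

var_dump(user_for_token($db, $_SESSION['login_token']));   // resolves to user 1
revoke_login($db, 1);
var_dump(user_for_token($db, $_SESSION['login_token']));   // same code now rejected
session_unset();
```

    What this buys over the session id alone is server-side revocation: a stolen cookie keeps working only until the next logout or password change, because the lookup goes through the database rather than through whatever the session file still says. Keep the session cookie itself HttpOnly and Secure; the token does nothing to protect a cookie that is sent in the clear.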
