
passing session variables from one page to the next

Posted: Tue Jan 03, 2012 6:48 pm
by inosent1
I use the following login code, which works great:

Code:

<?php
ob_start();
session_start();                               // start the session before anything is written to $_SESSION
include("dbinfo.inc.php");                     // defines $username, $password and $database
$tbl_name="users";                             // Table name
mysql_connect('localhost',$username,$password) or die("Unable to connect to database");
@mysql_select_db($database) or die( "Unable to select database");

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$myusername = stripslashes($myusername);       // undo magic_quotes_gpc before escaping
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Note: user_pass is compared in clear text, so the table holds unhashed passwords
$sql="SELECT * FROM $tbl_name WHERE user_email='$myusername' and user_pass='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
// session_register() is deprecated (removed in PHP 5.4); write to $_SESSION instead
$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']=$mypassword;
header("Location: index.php");
exit;                                          // stop the script after the redirect
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

In the 'users' table I have a column that holds a user_type_id.

Once someone logs in, I want to then identify what their user_type_id is and pass that variable along as long as the session is active.

In the above code, as you can see, it redirects to 'index.php'.

Once I get there I want to be able to say:

if user_type_id == X {
do this
}

But I need to have that user_type_id in memory somehow to use the if statement ...

Re: passing session variables from one page to the next

Posted: Tue Jan 03, 2012 10:32 pm
by Weiry
For you to use sessions, you must first call session_start() at the top of every page in which you want the session data to be accessible.

Also, there is no reason for you to be storing a password in session data, because that data could easily be retrieved by doing a simple JavaScript injection on the site; in fact this is a very bad idea, as it presents any number of security problems.

What you would want to do, if you had to store user-specific information in session data, is to run a query at the beginning of each page (similar to session_start(), as you would always want the data to be available) which selects your required data and then stores it, possibly in an associative array, making it easily accessible.

For example:

Code:

session_start();
if (!empty($_SESSION['username'])) {        // check if user already logged in
    // %s is filled in by sprintf() with the escaped username. The username is
    // taken from the session, not $_POST, because $_POST only exists on the
    // login request. Table name `users` is taken from the original post.
    $q = sprintf("SELECT `user_type_id`, `username` /* plus other relevant columns */ FROM `users` WHERE `username` = '%s'",
                 mysql_real_escape_string($_SESSION['username']));
    $r = mysql_query($q);
    if (mysql_num_rows($r) == 1) {
        $assoc = mysql_fetch_assoc($r);
    }
    if (!empty($assoc)) {
        $_SESSION['userdata'] = $assoc;
    }
}

Once that $_SESSION['userdata'] variable has been populated, you can start accessing that information as you need it, but you should, on every page, check to see if the person is logged in, possibly by utilizing a 'logged_in' variable. (NOTE: For a secure system you should always store a session ID and timestamp in a database to check sessions rather than relying on an actual session variable being set.)

At this point you can then access your needed values by using $_SESSION['userdata']['dbfield'] where 'dbfield' is the name of your database field name, eg. user_type_id.

Please keep in mind that this is a very basic level of things for user accounts and session usage. Managing sessions and securing logins etc can get a lot more complicated very quickly :S


TL;DR
Include session_start() at the top of every page on which you want to access session data. I would suggest including this on every page through some global include file.
Don't store passwords or sensitive information inside $_SESSION data, only store your REQUIRED data, everything else you can just query from the database later anyway.
Never trust the end user (especially when storing session data).

Hope this helps :)

Weiry.
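
As an added example that is not part of the thread or of either poster's code: the login and per-page check described in the reply above, written with PDO prepared statements and password_verify() instead of the mysql_* functions. Only the user id and a last-seen timestamp go into $_SESSION; user_type_id is re-read from the users table on every request, so index.php can test it without ever caching the password. The users table columns (user_id, user_email, user_pass holding a password_hash() digest, user_type_id), the variables in dbinfo.inc.php, the 30-minute idle limit and the role id 1 standing in for "X" are all assumptions for the example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, a PDO connection
// in $db, and a `users` table with user_id, user_email, user_pass (a
// password_hash() digest) and user_type_id; table and column names are assumed.

// ---- auth.php: require_once this at the top of every page -------------------

function auth_login(PDO $db, string $email, string $pass): bool
{
    $st = $db->prepare('SELECT user_id, user_pass FROM users WHERE user_email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; the clear-text password is never kept anywhere.
    if ($row === false || !password_verify($pass, $row['user_pass'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id on login defeats session fixation
    $_SESSION['user_id']   = (int) $row['user_id'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Returns the current user's row, or null if nobody is logged in.
function auth_current_user(PDO $db, int $idle_limit = 1800): ?array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    // Drop sessions idle for longer than $idle_limit seconds (30 minutes assumed).
    if (time() - (int) ($_SESSION['last_seen'] ?? 0) > $idle_limit) {
        auth_logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    // Only the id lives in the session; user_type_id is read fresh on each request,
    // so a demoted or deleted account loses access on its next page load.
    $st = $db->prepare('SELECT user_id, user_email, user_type_id FROM users WHERE user_id = ?');
    $st->execute([$_SESSION['user_id']]);
    $user = $st->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        auth_logout();
        return null;
    }
    return $user;
}

function auth_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// ---- login.php (in place of the mysql_* login in the first post) -------------
// require_once 'dbinfo.inc.php';   // assumed to define $dsn, $username, $password
// require_once 'auth.php';
// $db = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// session_start();
// if (auth_login($db, $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '')) {
//     header('Location: index.php');
//     exit;
// }
// echo 'Wrong Username or Password';

// ---- index.php (or any protected page) ---------------------------------------
// require_once 'auth.php';
// $user = auth_current_user($db);
// if ($user === null) {
//     header('Location: login.php');
//     exit;
// }
// if ((int) $user['user_type_id'] === 1) {     // 1 is an assumed role id for "X"
//     // do this
// }
```

Because the role comes from the database on each request rather than from a copy cached at login, the if on user_type_id in index.php always sees the current value, and the session carries nothing an attacker could reuse beyond the id itself, which session_regenerate_id() replaces at login.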

Re: passing session variables from one page to the next

Posted: Wed Jan 04, 2012 1:43 pm
by inosent1

Code:

session_start();
if (!empty($_SESSION['username'])) {        // check if user already logged in
    // %s is filled in by sprintf() with the escaped username. The username is
    // taken from the session, not $_POST, because $_POST only exists on the
    // login request. Table name `users` is taken from the original post.
    $q = sprintf("SELECT `user_type_id`, `username` /* plus other relevant columns */ FROM `users` WHERE `username` = '%s'",
                 mysql_real_escape_string($_SESSION['username']));
    $r = mysql_query($q);
    if (mysql_num_rows($r) == 1) {
        $assoc = mysql_fetch_assoc($r);
    }
    if (!empty($assoc)) {
        $_SESSION['userdata'] = $assoc;
    }
}

In the part "WHERE username = '%s'", what is '%s'? If it is the username, how do I place that into memory so I can use that variable?

Or do I paste this code in the initial login page?

Re: passing session variables from one page to the next

Posted: Wed Jan 04, 2012 1:57 pm
by inosent1

Code:

if($count==1){
    $q = sprintf("SELECT user_type_id, user_email WHERE user_email = $myusername", mysql_real_escape_string($_POST['user_email']));
    echo $q;
    $r = mysql_query($q);
    echo $r;
    if(mysql_num_rows($r) == 1){
        $assoc = mysql_fetch_assoc($r); }
    if(!empty($assoc)){
        $_SESSION['userdata'] = $assoc; }
}

$q says "SELECT user_type_id, user_email WHERE user_email = joe"

$r is blank

I don't think the syntax is right here

Code:

$q = sprintf("SELECT user_type_id, user_email WHERE user_email = $myusername", mysql_real_escape_string($_POST['user_email']));

I am guessing this code is supposed to be in the initial login code ...

Getting an error at

Code:

$r = mysql_query($q);