[RESOLVED] php SESSION - How do I handle SQL data for logged in user??

Copenhagener

This ought to be so obvious and essential, but I don't understand how I retrieve and update SQL data for a logged-in user with php SESSION.

I have searched and read, but the tutorials only explain how I register and start a session for a user, but not the most important part: How do I extract SQL data for this user, and update his data in the SQL database?

I have made a registration form and a login page. Now: How do I know who is logged in, and how do I read and write data to and from my SQL database for this user?

For a start, I want to put the user's name on the welcome page, after the user logged in. I do not know which user it is, or what his or her name is, so I need to pull out the name from my SQL database and display the user's name on the welcome page. How do I do that with php SESSION?

Here is my script from login.php registering the session:

	if(isset($_POST['login'])) {
		if($signature == "" | $userpw == "") {
			$notice = "<br><i><font color='#B80000;'><i>Please enter signature and password.</font></i><br>";
			$onload = " onload='document.loginForm.signature.focus()';";
		}

	else if(preg_match("/^[A-Za-zÆØÅæøå -]+$/",$signature)) {
		if(checkLogin($signature,$encpw)) {

			if(verifyAccount($signature)) {

				session_start();
				session_register('user');

				header("Location: welcome.php");

	function checkLogin($sig,$pass) {
		include("archive/file.inc");

	$connection = mysql_connect($host, $account, $password)
		or die("Error: ".mysql_error());

	$db = mysql_select_db($dbname, $connection);

	$query = "SELECT * FROM users WHERE signature = '$sig' AND userpw = '$pass'"
		or die("Error: ".mysql_error());

	$result = mysql_query($query)
		or die("Error: ".mysql_error());

	mysql_close($connection);

	if(mysql_num_rows($result)) {
		return true;
	}
	else return false;
}

	function verifyAccount($testSig) {
		include("archive/file.inc");

	$connection = mysql_connect($host, $account, $password)
		or die("Error: ".mysql_error());

	$db = mysql_select_db($dbname, $connection);

	$query = "SELECT * FROM users WHERE signature = '$testSig' AND verified = 1"
		or die("Error: ".mysql_error());

	$result = mysql_query($query)
		or die("Error: ".mysql_error());

	mysql_close($connection);

	if(mysql_num_rows($result)) {
		return true;
	}
	else return false;
}

The login.php page is tested and working. Now, after login, I take the user to the welcome.php page. Here is my script for that page:

<?php

session_start();

if(!session_is_registered('user')) {
	header("Location: login.php");
}

$logged_in = 1;

echo "

<html>

<head>

<title>Welcome</title>

<script language='javascript'>

welcome_bw = new Image();
welcome_rgb = new Image();

welcome_bw.src = 'images/welcome_bw.jpg';
welcome_rgb.src = 'images/welcome_rgb.jpg';

";

include("archive/file.inc");

$connection = mysql_connect($host, $account, $password)
	or die("Error: ".mysql_error());

	$db = mysql_select_db($dbname, $connection);

	$query = "SELECT * FROM users WHERE user = '$_SESSION[user]'"
		or die("Error: ".mysql_error());

	$result = mysql_query($query)
		or die("Error: ".mysql_error());

	mysql_close($connection);

	$row = mysql_fetch_array($result);

	$name = $row['name'];


include("begin_page.inc");

echo "

<img border='0' src='graphics/welcome.gif' width='140' height='45' alt='Welcome'><br>

<i>Welcome, ".$name."</i><br>


";

include("end_page.inc");

?>

The code above does not generate any error, but no name is displayed for the user, either.

How do I pull out the user's name after login, and how can I let the user update e.g. his e-mail address and update that information for that user in my SQL database accordingly? What am I missing?

This must be essential for php SESSION, but it is a big mystery to me, and not explained very well anywhere. How come?

Thank you very much in advance for your help.

Kudose

First, PHP's session's is used to store data across multiple page requests. It doesn't have anything to do with the database. It simply holds values in an array for you.

Second, you need to call session_start() before any content is generated to the browser, which means people generally put it near the very top of the script.

Third, you need to call session_start() before any calls to the $_SESSION superglobal.

Forth, you should use if(isset($_SESSION['user'])) as [man]session_is_registered[/man] is deprecated.

Finally, you should be able to simple store the user's ID in a session variable, say $SESSION['userId'] and check if the user is logged in later by using

if(!isset($_SESSION['userId'])) // login

and getting the information about the user via a database call

mysql_query("SELECT `userName` FROM `users` WHERE `userId` = ".$_SESSION['userId']);

None of this takes data validation into account.

Hope that helps.

Copenhagener

Thank you, Kudose, I will try out your hints when I come back home from work today.

What do you mean with "None of this takes data validation into account" ? That I should check the data being passed in through the session too, or?

I will be returning with my results later.

Thanks again.

Kudose

You should validate the data before you put it into a session. i.e. [man]strip_tags[/man], [man]htmlentities[/man] Session data is inaccessible to the end user.

Copenhagener

A very big THANK YOU for spelling it out for me. I can know that you may sometimes be rolling your eyes over us newbies asking questions all the times, but so far I have had very good response from this forum, which is much appreciated.

Here is my final script, where I assign the user index as the session variable, making it possible for the user to change his alias later (could I as well just be using the alias as variable without losing it, if he changes his alias in the middle of a session?) :

login.php

. . .

	else if(preg_match("/^[A-Za-zÆØÅæøå -]+$/",$signature)) {
		if(checkLogin($signature,$encpw)) {

			if(verifyAccount($signature)) {


				include("archive/file.inc");

				$connection = mysql_connect($host, $account, $password)
					or die("Error: ".mysql_error());

				$db = mysql_select_db($dbname, $connection);

				$query = "SELECT * FROM users WHERE signature = '$signature'"
					or die("Error: ".mysql_error());

				$result = mysql_query($query)
					or die("Error: ".mysql_error());

				mysql_close($connection);

				$row = mysql_fetch_array($result);

				$user = $row['user'];

				session_start();
				session_register('user');

				header("Location: welcome.php");

welcome.php

<?php

session_start();

if(!isset($_SESSION['user'])) {
	header("Location: login.php");
}

. . .

include("archive/file.inc");

$connection = mysql_connect($host, $account, $password)
	or die("Error: ".mysql_error());

	$db = mysql_select_db($dbname, $connection);

	$query = "SELECT * FROM users WHERE user = ".$_SESSION['user']
		or die("Error: ".mysql_error());

	$result = mysql_query($query)
		or die("Error: ".mysql_error());

	mysql_close($connection);

	$row = mysql_fetch_array($result);

	$name = $row['name'];

include("begin_page.inc");

echo "

<img border='0' src='graphics/welcome.gif' width='140' height='45' alt='Welcome'><br>

<i>Welcome, ".$name."</i><br>


";

include("end_page.inc");

?>

Tested and WORKING.

I was tired after spending 40+ hours over the weekend coding and coding, and this was the last building block I needed.

kudos, Kudose

Kudose

You are free to change the session data as often as you'd like, but it is temporary storage. To really change the users alias, you would need to write it down somewhere, presumably the database.

Glad you are making progress. That's what we're here for. 🙂