So, I am kinda new to PHP and MySQL, but I have found a login form and adapted it to my needs, as I don't have the knowledge to make one myself yet. I added a firstname and surname column into the database, and the register form adds the values into the database fine.
Now I want to be able to display the firstname and surname on a restricted page; the reason I need this is that I want it to say: Welcome Jo Blogs. Below is the register form.
<?php
session_start();
if( isset($_SESSION['user_id']) ){
    header("Location: /");
    exit; // stop here; without exit the rest of the script still runs after the redirect header
}
require 'database.php';
$message = '';
if(!empty($_POST['email']) && !empty($_POST['password']) && !empty($_POST['firstname']) && !empty($_POST['surname'])):
    // Enter the new user in the database
    $sql = "INSERT INTO users (email, password, firstname, surname) VALUES (:email, :password, :firstname, :surname)";
    $stmt = $conn->prepare($sql);
    // bindParam() takes its argument by reference, so the hash has to live in a variable first
    $hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
    $stmt->bindParam(':email', $_POST['email']);
    $stmt->bindParam(':password', $hash);
    $stmt->bindParam(':firstname', $_POST['firstname']);
    $stmt->bindParam(':surname', $_POST['surname']);
    if( $stmt->execute() ):
        $message = 'Successfully created new user';
    else:
        $message = 'Sorry there must have been an issue creating your account';
    endif;
endif;
?>
<!DOCTYPE html>
<html>
<head>
<title>Register</title>
<?php include '../header.php'; ?>
</head>
<body>
<?php if(!empty($message)): ?>
<p><?= $message ?></p>
<?php endif; ?>
<h1>Register</h1>
<span>or <a href="login.php">login here</a></span>
<form action="register.php" method="POST">
<input type="text" placeholder="Enter your email" name="email">
<input type="password" placeholder="and password" name="password">
<input type="password" placeholder="confirm password" name="confirm_password">
<input type="text" placeholder="Enter your first name" name="firstname">
<input type="text" placeholder="Enter your surname" name="surname">
<input type="submit">
</form>
</body>
</html>
And below here is the login form, as I'm not really sure what you guys need to help me 🙂
<?php
session_start();
if( isset($_SESSION['user_id']) ){
    header("Location: /");
    exit; // stop here; without exit the rest of the script still runs after the redirect header
}
require 'database.php';
$message = ''; // defined before the check so the HTML below can always test it
if(!empty($_POST['email']) && !empty($_POST['password'])):
    $records = $conn->prepare('SELECT id,email,password FROM users WHERE email = :email');
    $records->bindParam(':email', $_POST['email']);
    $records->execute();
    $results = $records->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matches, and count(false) is an error, so test the row itself
    if( $results !== false && password_verify($_POST['password'], $results['password']) ){
        $_SESSION['user_id'] = $results['id'];
        header("Location: /");
        exit;
    } else {
        $message = 'Sorry, those credentials do not match';
    }
endif;
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<?php include '../header.php'; ?>
</head>
<body>
<?php if(!empty($message)): ?>
<p><?= $message ?></p>
<?php endif; ?>
<h1>Login</h1>
<span>or <a href="register.php">register here</a></span>
<form action="login.php" method="POST">
<input type="text" placeholder="Enter your email" name="email">
<input type="password" placeholder="and password" name="password">
<input type="submit">
</form>
</body>
</html>
Also, while I am here, I am currently using JavaScript to redirect to the homepage once you log out, as I couldn't find any information on how to do it with PHP.
Restricted.php:
<!DOCTYPE html>
<html>
<head>
<title>Restricted Area</title>
<link rel="stylesheet" type="text/css" href="../assets/css/style.css">
<link href='http://fonts.googleapis.com/css?family=Comfortaa' rel='stylesheet' type='text/css'>
<?php
include '../header.php';
?>
</head>
<body>
<?php
session_start();
if(isset($_SESSION['user_id'])) { ?>
<h1>Restricted Area</h1>
<h2>You have successfully logged in with your credentials</h2>
<?php
} else { ?>
<script type="text/javascript">
window.location = "login.php";
</script>
<?php
exit;
}
?>
</body>
</html>
Just let me know if you guys need any more information/code.
Thanks.
Answer
As Qirel suggested…
Restricted.php should resemble this:
<?php
session_start();
if (!isset($_SESSION['user_id'])) {
    header("Location: /login.php"); // no need to query
    exit; // without exit the query and the page below still run for an anonymous visitor
}
require('database.php'); // assumed to declare $conn=new PDO(...);
$loggedin = $conn->prepare('SELECT firstname,surname FROM users WHERE id=?');
$loggedin->execute([$_SESSION['user_id']]);
$results = $loggedin->fetch(PDO::FETCH_ASSOC);
if (!$results) {
    header("Location: /login.php"); // unsuccessful query
    exit;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Restricted Area</title>
<link rel="stylesheet" type="text/css" href="../assets/css/style.css">
<link href='http://fonts.googleapis.com/css?family=Comfortaa' rel='stylesheet' type='text/css'>
<?php include '../header.php'; ?>
</head>
<body>
<h1>Restricted Area</h1>
<h2>You have successfully logged in with your credentials</h2>
<?php // the name was typed into the register form, so escape it before putting it in HTML
echo "Welcome " . htmlspecialchars($results['firstname'] . " " . $results['surname'], ENT_QUOTES, 'UTF-8'); ?>
</body>
</html>
Edit:
This statement borders on too serious, but I would like to mention, especially to inexperienced PHP coders, that SESSION data can be hijacked (this is outlined in Pro PHP Security: From Application Security Principles to the Implementation of XSS Defense, Chapter 7: Preventing Session Hijacking), and so it can be suggested never to store any personal information in $_SESSION. This would most critically include credit card numbers, government-issued IDs, and passwords, but would also extend to less assuming data like usernames, emails, phone numbers, etc., which would allow a hacker to impersonate/compromise a legitimate user.
The internet is still very much in its "Wild West" era, and nothing is 100% safe... and Internet security is a rabbit hole / money pit. Every coder should devote some time to understanding known threats and preventing them, but just how far to go with this will differ from person to person.
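The pieces the answer and its edit describe, pulled into one include file as an added example (this is not code from the question or the answer): a guard for restricted pages that exits after the redirect, a session that holds only the user id and gets a fresh id at login, a per-request lookup of the name instead of keeping it in $_SESSION, and a plain-PHP logout redirect in place of the JavaScript one. It assumes the question's database.php defines $conn as a PDO handle and the users table has the columns id, email, password, firstname and surname.

```php
<?php
// auth.php: added example, not code from the question or the answer above.
// Assumes database.php defines $conn as a PDO handle and the users table has
// columns id, email, password, firstname, surname.

// Call at the very top of every restricted page, before any HTML output,
// otherwise the redirect header cannot be sent.
function require_login(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // without exit the rest of the page still runs and renders
    }
    return (int) $_SESSION['user_id'];
}

// Call in login.php right after password_verify() succeeds: a new session id
// means an id the browser held before login is not carried over.
function establish_session(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // only the id; the name is looked up per request
}

// Fetch the name for the welcome message from the database on each request
// instead of keeping personal data in $_SESSION (the point of the answer's edit).
function current_user(PDO $conn, int $userId): ?array
{
    $stmt = $conn->prepare('SELECT firstname, surname FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// logout.php in plain PHP, no JavaScript needed: wipe the session data,
// expire the session cookie, destroy the session, then redirect.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

A restricted page then calls require_login() on its first line, requires database.php, passes the returned id to current_user($conn, $userId), and prints the result through htmlspecialchars() as in the corrected answer code; a null result means the row is gone and logout() is the right response.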