So, I am kinda new to php and mysql, but I have found a login form and adapted it to my needs as I dont have the knowledge to make one my self yet. I added a firstname and surname column into the database and the register form adds the values into the database fine.
Now I want to be able to display the firstname and surname onto a restricted page, the reason why I need this is because I want it to say: Welcome Jo Blogs. Below is the register form.
<?phpsession_start();if( isset($_SESSION['user_id']) ){ header("Location: /");}require 'database.php';$message = '';if(!empty($_POST['email']) && !empty($_POST['password']) && !empty($_POST['firstname']) && !empty($_POST['surname'])): // Enter the new user in the database $sql = "INSERT INTO users (email, password, firstname, surname) VALUES (:email, :password, :firstname, :surname)"; $stmt = $conn->prepare($sql); $stmt->bindParam(':email', $_POST['email']); $stmt->bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT)); $stmt->bindParam(':firstname', $_POST['firstname']); $stmt->bindParam(':surname', $_POST['surname']); if( $stmt->execute() ): $message = 'Successfully created new user'; else: $message = 'Sorry there must have been an issue creating your account'; endif;endif;?><!DOCTYPE html><html><head> <title>Register</title> <?php include '../header.php'; ?></head><body> <?php if(!empty($message)): ?> <p><?= $message ?></p> <?php endif; ?> <h1>Register</h1> <span>or <a href="login.php">login here</a></span> <form action="register.php" method="POST"> <input type="text" placeholder="Enter your email" name="email"> <input type="password" placeholder="and password" name="password"> <input type="password" placeholder="confirm password" name="confirm_password"> <input type="text" placeholder="Enter your first name" name="firstname"> <input type="text" placeholder="Enter your surname" name="surname"> <input type="submit"> </form></body></html>And below here is the login form as im not really sure what you guys need to help me 🙂
<?phpsession_start();if( isset($_SESSION['user_id']) ){ header("Location: /");}require 'database.php';if(!empty($_POST['email']) && !empty($_POST['password'])): $records = $conn->prepare('SELECT id,email,password FROM users WHERE email = :email'); $records->bindParam(':email', $_POST['email']); $records->execute(); $results = $records->fetch(PDO::FETCH_ASSOC); $message = ''; if(count($results) > 0 && password_verify($_POST['password'], $results['password']) ){ $_SESSION['user_id'] = $results['id']; header("Location: /"); } else { $message = 'Sorry, those credentials do not match'; }endif;?><!DOCTYPE html><html><head> <title>Login</title> <?php include '../header.php'; ?></head><body> <?php if(!empty($message)): ?> <p><?= $message ?></p> <?php endif; ?> <h1>Login</h1> <span>or <a href="register.php">register here</a></span> <form action="login.php" method="POST"> <input type="text" placeholder="Enter your email" name="email"> <input type="password" placeholder="and password" name="password"> <input type="submit"> </form></body></html>Also while I am here, I am currently using javascript to redirect to the homepage once you log out as i couldn’t find any information on how to do it with php
Restricted.php:
<!DOCTYPE html><html><head> <title>Restricted Area</title> <link rel="stylesheet" type="text/css" href="../assets/css/style.css"> <link href='http://fonts.googleapis.com/css?family=Comfortaa' rel='stylesheet' type='text/css'> <?php include '../header.php'; ?></head><body> <?php session_start(); if(isset($_SESSION['user_id'])) { ?> <h1>Restriced Area</h1> <h2>You have sucessfully logged in with your credentials</h2> <?php } else { ?> <script type="text/javascript"> window.location = "login.php"; </script> <?php exit; } ?></body></html>Just let me know if you guys need any more information/code.
Thanks.
Advertisement
Answer
As Qirel suggested…
Restricted.php should resemble this:
<?phpsession_start();if (!isset($_SESSION['user_id'])) { header("Location: /login.php"); // no need to query}require('database.php'); // assumed to declare $conn=new PDO(...);$loggedin = $conn->prepare('SELECT firstname,surname FROM users WHERE id=?');$loggedin->execute([$_SESSION['user_id']]);$results = $loggedin->fetch(PDO::FETCH_ASSOC);if (!$results) { header("Location: /login.php"); // unsuccessful query}?><!DOCTYPE html><html><head> <title>Restricted Area</title> <link rel="stylesheet" type="text/css" href="../assets/css/style.css"> <link href='http://fonts.googleapis.com/css?family=Comfortaa' rel='stylesheet' type='text/css'> <?php include '../header.php'; ?></head><body> <h1>Restriced Area</h1> <h2>You have successfully logged in with your credentials</h2> <?php echo "Welcome {$results['firstname']} {$results['surname']}"; ?></body></html>Edit:
This statement borders on too serious but I would like to mention, especially to inexperienced php coders, that SESSION data can be hijacked (this is outlined in Pro PHP Security: From Application Security Principles to the Implementation of XSS Defense – Chapter 7: Preventing Session Hijacking) and so it can be suggested to never store any personal information in $_SESSION. This would most critically include credit card numbers, government issued ids, and passwords; but would also extend into less assuming data like usernames, emails, phone numbers, etc which would allow a hacker to impersonate/compromise a legitimate user.
The internet is still very much in its “Wild West” era, and nothing is 100% safe. …and Internet Security is a rabbit hole / money pit. Every coder should devote some time to understanding known threats and preventing them, but just how far to go with this will differ from person to person.