PHP session won't resume data

Following are the two separate pages. I have started a session in the login page and try to save data in session variables, and then I printed the data to confirm that the variables hold the data. After that I used the header function to redirect. When control goes to the profile page the st

******************&Login_page&********************
<?php
session_start();

include "dbconnect.php";

if ($_POST['Email'] != "" && $_POST['Password'] != "")
{
    $name = mysql_real_escape_string($_POST["Email"]);
    $userpwd = mysql_real_escape_string($_POST["Password"]);

    $str = "SELECT * FROM books WHERE Email = '" . $name . "' AND Password = '" . $userpwd . "'";

    $result = mysql_query($str) or die(mysql_error());

    if ($row = mysql_fetch_array($result))
    {
        $_SESSION["0"] = $row[0];
        $_SESSION["1"] = $row[1];
        $_SESSION["2"] = $row[2];
        $_SESSION["3"] = $row[3];
        $_SESSION["4"] = $row[4];
        $_SESSION["5"] = $row[5];
        $_SESSION["6"] = $row[6];
        $_SESSION["7"] = $row[7];

        // print the values to confirm the session array holds them (in memory)
        echo $_SESSION["0"] . " " . $_SESSION["1"] . " " . $_SESSION["2"] . " " . $_SESSION["3"] . " " . $_SESSION["4"] . " " . $_SESSION["5"] . " " . $_SESSION["6"] . " " . $_SESSION["7"];

        if (isset($_SESSION["0"]))
        {
            session_write_close();
            header("Location: Profile.php");
        }
    }
    else
    {
        echo "Invalid user name or password";
    }
}
else
    echo "Fields can't be Null";
?>
******************&Profile_page&*******************
<?php
session_start();
?>

<h1>Profile</h1>

<table id="csstable">

<?php if (!isset($_SESSION["0"])) { echo "not set"; } ?>

<tr><td>Name</td><td><?php echo "" . $_SESSION["5"]; ?></td></tr>

</table>

<?php echo $_SERVER['SCRIPT_FILENAME']; echo foot(); ?>

PHP

3 Comment(s)

@ginerjm Jun 29, 2014 — ????
@deathshadow Jun 29, 2014 — Well, lemme run down what I'm seeing wrong here.

1) you should never != a value that might not be set, that will fill your error log. The function isset() exists to do that.

2) This is 2014, not 2004 -- you shouldn't be using mysql_ functions, much less blindly dumping variables into queries -- hence the [url=http://www.php.net/manual/en/function.mysql-connect.php]giant red warning boxes[/url] in the manual waving you off from using them?

3) I'd suggest making your mysql fieldnames all lower case, since backup/restore functions can mangle case.

4) I'd REALLY advise you NOT 'SELECT *' on a database that has a password in it. You should never run anything that retrieves the password and stores it permanently. Passwords are best sent monodirectional towards the database.

5) I'd use an associative array instead of a numeric one.

6) avoid string additions in echo, they're slower and force an unusual execution order. Comma delimits would likely be far more useful.

7) automate iterating the returned fields. That too should be simpler.

8) I suggest regenerating the session ID on every access, makes MITM attacks harder. (though still not impossible, it just narrows the window)

9) use a prefix on your session values just to reduce the odds of namespace collisions... or even better, just pass the entire row to $_SESSION.

10) rather than wasting time on handshakes back and forth for nothing, instead of doing a redirect (a goofy method that I'm assuming some rubbish tutorial or book is out there telling people to do) just load the page to be run instead of

11) there is rarely a reason to session_write_close.

12) I assume your foot() routine is the page footer, if so why are you wasting memory passing a string instead of having it echo values? A more verbose name like say template_header and template_footer might be a bit more intelligible.

13) Really might help if you encoded the password for storage AND removed it from memory as soon as you use it.

Something more like:
<?php

session_start();
session_regenerate_id();

include('dbconnect.php');
// we'll assume the above makes a $db variable that's a connected PDO object

if (isset($_POST['Email']) && isset($_POST['Password'])) {

	$statement = $db->prepare('
		SELECT * FROM books
		WHERE Email = :email
		AND Password = :password
	');

	$statement->execute([
		':email' => $_POST['Email'],
		':password' => hash('sha256', $_POST['Password'])
	]);
	$_POST['Password'] = ''; // destroy it to increase security once we've used it!

	// fetch into a local first so a failed login never leaves false in the session
	$user = $statement->fetch(PDO::FETCH_ASSOC);
	if ($user !== false) {
		$_SESSION['booksUser'] = $user;

		foreach ($_SESSION['booksUser'] as $key => $data) {
			echo $key, ' = ', $data, '<br />';
		}
		include('Profile.php');

	} else echo '<p>Invalid user name or password</p>';

} else echo '<p>You must enter a user name or password</p>';

?>


<?php

// Profile.php may be include()d by the login page, which already started the session
if (session_status() !== PHP_SESSION_ACTIVE) {
	session_start();
	session_regenerate_id();
}

echo '
<h1>Profile</h1>';

if (!isset($_SESSION['booksUser'])) {
	echo 'Guest';
} else echo '
<table id="csstable">
	<tr>
		<th scope="row">Name</th>
		<td>', $_SESSION['booksUser']['Name'], '</td>
	</tr>
</table>';

echo $_SERVER['SCRIPT_FILENAME'];

?>


THOUGH as sessions are stored in a database too, I probably would avoid making duplicates of existing data on the disk and only store the user ID (which I assume is index 0) in the session, and pull the user info as needed from the main database when you're actually going to use it for something.

That is also why, when I'm doing this sort of thing, my user database typically only has ID, username, and password in it, as those are the most frequently accessed values. I then have a userInfo table that has userID, field and data fields in it, allowing custom information about the user (the rarely accessed stuff) to be dynamic -- and a permissions table that can be accessed via a singleton. (with the setter being a database read, so the permissions are 'read only' via getters).

Though some folks say I'm overly paranoid about security -- in an 'insecure by design' language, I say there's no such thing as being "too paranoid".
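As an added example (not deathshadow's or the thread's code), the helpers below apply points 4, 5, 8, 9 and 13 above plus the store-only-the-user-ID suggestion, using PHP's password_verify() rather than a bare sha256 digest. integerKeysAreDropped() also shows why the original Profile.php printed "not set": PHP normalises the key "0" to integer 0, and the default 'php' session serializer skips integer keys when it writes the session, so those values never survive the redirect. The column names id and Name, the books_user_id key, and a connected PDO object in $db are assumptions.

```php
<?php
// Added example (not the thread's code). Assumes $db is a connected PDO object
// (as dbconnect.php is assumed to provide) and that `books` has columns id,
// Email, Name and a password_hash() digest in Password; names are assumptions.
session_start();

// Why the original Profile.php prints "not set": PHP normalises the array key
// "0" to integer 0, and the default 'php' session serializer skips integer keys
// when the session is written, so those values never reach the next request.
function integerKeysAreDropped(): bool
{
    $_SESSION[0] = 'lost';                 // identical to $_SESSION["0"]
    $_SESSION['books_user_id'] = 7;        // prefixed string key is kept
    $encoded = (string) @session_encode(); // the bytes the save handler stores
    unset($_SESSION[0], $_SESSION['books_user_id']);
    return strpos($encoded, 'lost') === false
        && strpos($encoded, 'books_user_id') !== false;
}

// Login: read only the columns needed, verify the hash, keep just the user ID.
function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, Password FROM books WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return false;                      // one message for unknown user or bad password
    }
    session_regenerate_id(true);           // new ID on privilege change, old data deleted
    $_SESSION['books_user_id'] = (int) $row['id'];
    return true;
}

// Profile: resolve the stored ID to a row on each request instead of caching it.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['books_user_id'])) {
        return null;                       // guest
    }
    $stmt = $db->prepare('SELECT id, Email, Name FROM books WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['books_user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Call loginUser($db, $_POST['Email'], $_POST['Password']) from the login page and currentUser($db) from Profile.php. integerKeysAreDropped() returns true with the stock session.serialize_handler=php setting, which is exactly why the original numeric keys vanished between the two pages.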
@rashod Jun 30, 2014 — [B]deathshadow[/B] pointed out good practices to use on login and good ethics in PHP coding.

One thing I don't suggest is storing the actual user table id to identify the user after they are logged in. What I suggest is creating a new field to store a unique session id for every login (something like a random code),

for every successful login generate a random code, store it in the session and use it to identify the logged-in user. I think it should be much more secure.