My login system woes

lukeurtnowski · December 7, 2012, 6:14am

I am using php/mysql to create a login system. I have the following users table

CREATE TABLE users (
id smallint unsigned NOT NULL auto_increment,
username varchar(100) NOT NULL default ‘’,
password varchar(100) NOT NULL,
session_id varchar( 32 ) NULL,
email varchar(75) NOT NULL default ‘’,
regdate date NOT NULL,
regip varchar(30) NOT NULL default ‘’,
active tinyint NOT NULL,
isAdmin tinyint NOT NULL default ‘0’,
UNIQUE (email),
PRIMARY KEY (id)
);

to hold the data of each registered user (who fills out)
http://fixmysite.us/masterasp/register.php
Once the form is filled out, the database is updated. I want a welcome message so the user is welcomed by name once they are logged in, This is t he code I have so far, but I dont know how to retrieve the username


<?php
// Run a quick check to see if we are an authenticated user or not  
// First, we set a 'is the user logged in' flag to false by default.  
$isUserLoggedIn = false;  
$session = session_id();
$query = "SELECT * FROM users WHERE session_id = '".$session."' LIMIT 1";  
$userResult = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
if(mysql_num_rows($userResult) == 1){  
    $_SESSION['user'] = mysql_fetch_assoc($userResult);  
    $isUserLoggedIn = true;
    echo "Welcome";
    echo "<ul>";
    echo "<li><a href=\\"/masterasp/logout.php\\">Logout</a></li>";
    echo "</ul>";
} else {  
    echo "<ul>";
    echo "<li><a href=\\"/masterasp/login.php\\">Login</a></li>";
    echo "<li><a href=\\"/masterasp/register.php\\">Register</a></li>";
    echo "</ul>";
}
?>

DarthGuido · December 7, 2012, 7:25am

If the users table contains the username, then you already retrieved it.
Do a var_dump of $_SESSION[‘user’] and see what it contains.

thruska · December 7, 2012, 3:44pm

That code seems ripe for abuse. You should look into using PDO for its input sanitization features. Dumping SQL queries onto the wire is also not a good idea except on a temporary basis to quickly diagnose an issue.

var_dump($_SESSION[“user”]) will output what you have stored in the variable, but I’d wager a guess that you want to output htmlspecialchars($_SESSION[“user”][“username”]). Don’t forget to sanitize output to the browser from the database just in case something bad gets in your database like Javascript.

lukeurtnowski · December 7, 2012, 6:36pm

ok, thanks

Lemon_Juice · December 7, 2012, 6:46pm

There’s no need switch to PDO for any ‘sanitization’ features since the standard mysql library also has them. It’s correct that the OP doesn’t use them but in this particular case his query is pretty safe because there’s no need to sanitize session_id().