I successfully made the code for logging in...when user logs in, the time of logging in is written in database.

    session_start();
    $query = mysql_query("SELECT * FROM users");
    $result = mysql_fetch_array($query);

    if (!empty($_POST['username']) && !empty($_POST['password'])) {
        $username = ($_POST['username']);
        $password = ($_POST['password']);
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;

        $result = mysql_query("SELECT * FROM users WHERE username = '$username' AND status = '1'");
        if (mysql_num_rows($result) == 1) {
            mysql_query("INSERT INTO entry(id, username_id, entry_time) VALUES ('', 'bkrpan', NOW()) ");
            header("Location: admin.php");
            exit;
        }

        $result = mysql_query("SELECT username FROM users WHERE username = '$username' AND password = '$password'");
        if (mysql_num_rows($result) == 1) {
            mysql_query("INSERT INTO entry(id, username_id, entry_time) VALUES ('', '$username', NOW()) ");
            $_SESSION['username'] = $username;
            $_SESSION['password'] = $password;
            header("Location: users.php");
            exit;
        }
        echo "Login failed! You will be redirected.";
        echo "<meta http-equiv=\"refresh\" content=\"2;URL=index.php\">";
    } else {
        echo "Login failed! You will be redirected.";
        echo "<meta http-equiv=\"refresh\" content=\"2;URL=index.php\">";
    }

    session_destroy();

but...now I don't know how to make the code for logout. This is something that I made, but it's not working.

 <?php
 mysql_connect("localhost", "root", "") or die("cannot connect"); 
 mysql_select_db("zavrsni_rad") or die("cannot select DB");
 session_start();
 $username = $_SESSION['username'];
 $sql = "SELECT * FROM users WHERE username = ".$username." AND password = ".$password;
 $result = mysql_query($sql); 
 if(mysql_num_rows($result) == 1) {
$sql_2 = "INSERT INTO entry(username_id, entry_time) VALUES (".$username.", NOW()        )";
mysql_query($sql_2); 
 }
session_destroy();
 header("location: index.php");
 ?>
Biljana
  • What does `it's not working` mean? Do you get a white screen? An error message? Nothing added? The wrong data added? The right data, to the wrong place? – andrewsi Sep 06 '13 at 17:58
  • It means that the database is empty...the time is not added in database...(and I got redirected to index.php, which is good) – Biljana Sep 06 '13 at 19:08

1 Answer

You forgot the single quotes in your queries and you're not getting the value of $password

$sql = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'";

$sql_2 = "INSERT INTO entry(username_id, entry_time) VALUES ('".$username."', NOW())";

updated for clarity

<?php
session_start();

// check that the session exists first
if(isset($_SESSION['username'])) {

    // you should put your db connection in a config.php file and use mysqli or PDO - what you're using is deprecated
    mysql_connect("localhost", "root", "") or die("cannot connect"); 
    mysql_select_db("zavrsni_rad") or die("cannot select DB");

    // don't think I'd store password in a session...
    // also, is username UNIQUE in your database?
    // also, also, ALWAYS escape (sanitize) your database input to prevent against SQL injection

    $sql = "SELECT username, password 
    FROM 
        users 
    WHERE 
        username = '".mysql_real_escape_string($_SESSION['username'])."' 
    AND 
        password = '".mysql_real_escape_string($_SESSION['password'])."'";
    $result = mysql_query($sql) or die('sql: '.mysql_error()); 

    if(mysql_num_rows($result) > 0) {
        $sql_2 = "INSERT INTO entry(username_id, entry_time) VALUES ('".mysql_real_escape_string($_SESSION['username'])."', NOW())";
        mysql_query($sql_2) or die('sql2: '.mysql_error()); 

        session_destroy();
        header("location: index.php");
    } else {
        echo 'There was an error. You have not been logged out.';
    }
}
timgavin
  • "check that the session exists first" - it exists in login.php----- "also, is username UNIQUE in your database?" - it is------ I copied your code...it's the same as before...I don't get the time written in db – Biljana Sep 06 '13 at 19:10
  • Checking for the session's existence is harmless and can avoid problems - good idea to do it before doing anything important. Is the password set? Try adding mysql_error() to both of your queries and see what your errors are: mysql_query($sql_2) or die(mysql_error()); – timgavin Sep 06 '13 at 20:16
  • Oh, and the session was SET in login.php, that doesn't mean it's going to exist in other scripts. If the user quits the browser and then goes back to logout.php the session will NOT be set, yet you'll run the code. This is why you check if the session is set. – timgavin Sep 06 '13 at 20:27
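
The logout handler discussed in this thread, as an added example that is not code from the asker or the answerer: it uses PDO prepared statements in place of the deprecated mysql_* calls and hand-built query strings, and it needs only the username in the session. Assumptions: an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the page's MySQL database so the script runs offline, and `demo_db()`, `record_logout()` and `end_session()` are hypothetical helper names.

```php
<?php
// Added example: logout handler using PDO prepared statements.
// Assumption: in-memory SQLite stands in for the page's MySQL database;
// the schema and the sample row below are constructed for the demo.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT UNIQUE, status INTEGER)");
    $db->exec("CREATE TABLE entry (id INTEGER PRIMARY KEY, username_id TEXT, entry_time TEXT)");
    $db->exec("INSERT INTO users (username, status) VALUES ('biljana', 0)");
    return $db;
}

// Writes the logout time for the session's user. Returns false when the
// session carries no username or that user does not exist.
function record_logout(PDO $db, array $session): bool {
    if (empty($session['username'])) {
        return false;
    }
    // Placeholders keep the value out of the SQL text, so no manual quoting or escaping.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$session['username']]);
    if ($check->fetchColumn() === false) {
        return false;
    }
    $insert = $db->prepare(
        'INSERT INTO entry (username_id, entry_time) VALUES (?, CURRENT_TIMESTAMP)'
    );
    return $insert->execute([$session['username']]);
}

// Clears the session data, expires the session cookie, then destroys the session.
function end_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
if (record_logout(demo_db(), $_SESSION)) {
    end_session();
    header('Location: index.php');
    exit;
}
echo 'There was an error. You have not been logged out.';
```

With PDO::ERRMODE_EXCEPTION set, a failing query throws instead of silently returning false, which surfaces the kind of error the comments above try to find with mysql_error().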