
I am new to PHP and still learning sessions in PHP. I want to display the user's profile after login. I use a session, so when the user logs in, the user can see his or her profile. I have tried, but it still doesn't work. Please help me.

This is process.php (the login handler):

<?php
    session_start();

    require_once("connection.php");

    // values submitted from the login form
    $email    = $_POST['email'];
    $password = $_POST['password'];
    $name     = $_POST['name'];
    $nname    = $_POST['nname'];
    $bln      = $_POST['bln'];
    $gender   = $_POST['gender'];

    // look up the user row by e-mail
    $cekuser = mysql_query("SELECT * FROM user WHERE email = '$email'");
    $jumlah  = mysql_num_rows($cekuser);
    $hasil   = mysql_fetch_array($cekuser);

    if ($jumlah == 0) {
        echo "<script>alert('Email belum terdaftar!'); window.location = 'index.php'</script>";
    } else {
        // compare the submitted password with the stored value
        if ($password > $hasil['password']) {
            echo "<script>alert('Password Salah!'); window.location = 'index.php'</script>";
        } else {
            $_SESSION['email']    = $email;
            $_SESSION['password'] = $password;
            $_SESSION['name']     = $name;
            $_SESSION['nname']    = $nname;
            $_SESSION['bln']      = $bln;
            $_SESSION['gender']   = $gender;

            header('location:index.php');
        }
    }
?>

This is index.php:

<?php
    if (session_status() == PHP_SESSION_NONE || session_id() == '') {
        session_start();
    }

    require_once("connection.php");
    include("lib_function.php");
?>

<---header--->

<?php
    include "connection.php";
    // fetch the profile of the logged-in user by the e-mail stored in the session
    $sql = "SELECT name, email, nname, bln, gender FROM user WHERE email = '" . $_SESSION['email'] . "'";
    $result = mysql_query($sql);
    if ($result !== false) {
        $row = mysql_fetch_array($result);
        echo "Hello, " . $row['name'] . " <br> " . $row['nname'] . "<br> " . $row['bln'] . " <br> " . $row['gender'] . "(" . $row['email'] . ").";
    } else {
        // an error has occurred
        echo mysql_error();
        die;
    }
?>
Saurabh
fflime
  • Where do u set the $_SESSION['email'] ? – Gayan Hewa May 26 '16 at 04:36
  • Why do you set a window.location and a header redirect? Password Check looking weired as well. Are you sure you get into the "Else" block? – nv1t May 26 '16 at 05:37
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 01 '17 at 12:28
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 01 '17 at 12:28
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 01 '17 at 12:28
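The comments above raise three separate problems with the posted process.php: the e-mail is concatenated into the SQL string, the password is compared (and stored in the session) in plain text, and the session id is never refreshed after login. The following is an added example of a login handler that addresses all three; it is not the asker's code or any answerer's code. It assumes that connection.php defines `$pdo` as a PDO connection to the same database, that the `password` column of the `user` table holds the output of `password_hash()` written at registration time, and that index.php can display a generic error when it receives the (hypothetical) `error=login` query parameter.

```php
<?php
// Added example, not the code from the question: a hardened process.php.
// Assumes connection.php provides $pdo (a PDO instance) and that the
// `password` column stores password_hash() output, e.g. written at
// registration with password_hash($plain, PASSWORD_DEFAULT).
session_start();
require_once("connection.php");

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

// Prepared statement: the e-mail is bound as a parameter rather than
// concatenated into the SQL text, so its content cannot alter the query.
$stmt = $pdo->prepare(
    "SELECT name, nname, bln, gender, email, password FROM user WHERE email = :email"
);
$stmt->execute([':email' => $email]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() compares against the stored hash in constant time.
// One generic failure path for "unknown e-mail" and "wrong password" avoids
// telling a visitor which e-mail addresses are registered.
if ($row === false || !password_verify($password, $row['password'])) {
    header('Location: index.php?error=login');   // error=login is an assumed parameter
    exit;
}

// Issue a fresh session id when the privilege level changes, so a session id
// obtained before login is not valid afterwards.
session_regenerate_id(true);

// Keep only what the profile page needs; the password and its hash never go
// into the session. The values come from the database row, not from $_POST.
$_SESSION['email']  = $row['email'];
$_SESSION['name']   = $row['name'];
$_SESSION['nname']  = $row['nname'];
$_SESSION['bln']    = $row['bln'];
$_SESSION['gender'] = $row['gender'];

header('Location: index.php');
exit;   // always stop after a redirect header, otherwise the rest of the page still runs
```

The profile fields are taken from the database row rather than from the login form, which is also why the form no longer needs to submit `name`, `nname`, `bln` and `gender`: a user should not be able to pick those values at login time.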

3 Answers

There was something wrong with your if() statement. It was testing whether $password is greater than $hasil['password']. But it has to be an equality check, and you are also trying to collect it from an array. So this statement should be:

Process.php:

// $hasil is the row fetched with mysql_fetch_array() in the asker's process.php
if ($password != $hasil["password"]) {

This line says: if $password is not equal to $hasil["password"].

For the second file, you have already defined the $_SESSION variables, so there is no need to collect the information again with MySQL (unless you need the real-time details; in that case the only thing you need to remove is the include line, which is a duplicate. Also replace mysql_fetch_array with mysql_fetch_assoc).

You may want to check whether the session exists, so I have written a little example to check that.

index.php would look like this:

<?php
if (session_status() == PHP_SESSION_NONE || session_id() == '') {
    session_start();
}
require_once("connection.php");
include("lib_function.php");
?>

<---header--->

<?php
# Check if session 'name' exists
if (isset($_SESSION["name"])) {
    echo "Hello, " . $_SESSION['name'] . " <br> " . $_SESSION['nname'] . "<br> " . $_SESSION['bln'] . " <br> " . $_SESSION['gender'] . "(" . $_SESSION['email'] . ").";
} else {
    // Do an action to show the user that there is no session.
}
?>

I hope this will solve your problem :-)

Note that the mysql extension is deprecated in newer versions of PHP; use PDO or MySQLi instead. Also, your code looks vulnerable to SQL and XSS injection; it's important to learn about security too while learning PHP :-)

node_modules
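The answer above ends with a pointer to XSS: the session values are echoed straight into HTML, so a nickname or name containing `<` or `"` is interpreted as markup by the browser. The following is an added example of an index.php that reads the profile from the session only and escapes every value for the HTML context before output; it is not the asker's code or the answerer's code. It assumes the login form lives at login.php (a placeholder name) and that the session keys are the ones the asker's process.php sets.

```php
<?php
// Added example, not the code from the question or the answer above.
// Renders the profile from the session and HTML-escapes every value.
session_start();

if (!isset($_SESSION['email'])) {
    // No authenticated session: send the visitor to the login form.
    // login.php is an assumed file name for the page holding the form.
    header('Location: login.php');
    exit;
}

// Escape for an HTML body or attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE replaces invalid byte sequences instead of returning
// an empty string, and the charset is stated explicitly.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the escaped profile once; a missing key yields an empty string
// instead of an "undefined index" notice.
$fields  = ['name', 'nname', 'bln', 'gender', 'email'];
$profile = [];
foreach ($fields as $field) {
    $profile[$field] = h((string) ($_SESSION[$field] ?? ''));
}
?>
<p>
  Hello, <?= $profile['name'] ?><br>
  <?= $profile['nname'] ?><br>
  <?= $profile['bln'] ?><br>
  <?= $profile['gender'] ?> (<?= $profile['email'] ?>).
</p>
```

With this in place a nickname such as `<b>fflime</b>` is shown literally as text rather than rendered bold, because the angle brackets reach the browser as `&lt;` and `&gt;`. Escaping at the point of output, rather than when the value is stored, keeps the database content intact for other uses (e-mail, JSON, CSV), each of which needs its own encoding.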

It should work.

Remove the extra blank lines between the session_start() function in your process.php & index.php, like this:

<?php 
session_start();

//codes here 

?> 

<?php 
if (session_status() == PHP_SESSION_NONE || session_id() == '') {
    session_start();
}


// codes here 

?>
Vikrant Kashyap
Siddharth

Use this:

<?php
// $email, $password, $name, $nname, $bln and $gender come from $_POST,
// as in the asker's process.php (session_start() and connection.php included)
// each escaped value must also be wrapped in single quotes to form a valid string literal
$cekuser = mysql_query("SELECT * FROM user WHERE email = '" . mysql_real_escape_string($email) . "' AND password = '" . mysql_real_escape_string($password) . "'");
$jumlah = mysql_num_rows($cekuser);
if($jumlah > 0) {
    $_SESSION['email'] = $email;
    $_SESSION['password'] = $password;
    $_SESSION['name'] = $name;  
    $_SESSION['nname'] = $nname;    
    $_SESSION['bln'] = $bln;    
    $_SESSION['gender'] = $gender;  

    header('location:index.php');
} else {
    echo "<script>alert('Password Salah!'); window.location = 'index.php'</script>";
}
?>

It prevents MySQL injection.

Try something like this.

Hope it will work.

Thanks

Ravi Kumar
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 01 '17 at 12:27
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 01 '17 at 12:27
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Jun 01 '17 at 12:28