
I made a login and register option on my website. Now I want to print the email on the profile page. When I try to print out the email data, it's empty. Here is my server-side code for logging in with a session. Note that this is a school project, so I only need to show a prototype, so the security isn't a problem. I only need to show how it is going to look!

    <?php
session_start();

// initializing variables
$username = "";
$email    = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'registration');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database

    $query = "INSERT INTO users (username, email, password) 
              VALUES('$username', '$email', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['email'] = $email;
    $_SESSION['id'] = $id;
    $_SESSION['success'] = "Je bent nu ingelogd";
    header('location: index.php');
  }
}
//login user
if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);
  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($password)) {
    array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
    $password = md5($password);
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password' AND email='$email'";
    $results = mysqli_query($db, $query);
    if (mysqli_num_rows($results) == 1) {
      $_SESSION['username'] = $username;
      $_SESSION['email'] = $email;
      $_SESSION['id'] = $id;
      $_SESSION['success'] = "You are now logged in";
      header('location: index.php');
    }else {
        array_push($errors, "Wrong username/password combination");
    }
  }
}

?>

And here is the code I used on the profile page. It prints out the username just fine:

        <div class="col s6">username</div>
        <div class="col s6"><?php echo $_SESSION['username']; ?></div>
        <div class="col s6">E-Mail</div>
        <div class="col s6"><?php echo $_SESSION['email']; ?></div>
  • 3
    Where is your $email var? And $id? You don't fetch them from your database. – AnTrakS Oct 02 '18 at 08:55
  • you're open to SQL injection and should address this imminently – treyBake Oct 02 '18 at 08:56
  • 1
    Please don't store password as plain text. Have a look at [password_hash()](http://php.net/manual/en/function.password-hash.php) on how to store passwords. Your query won't return a single row if the `email` field in the database is not empty – DarkBee Oct 02 '18 at 08:56
  • Sorry, I should note that this is for a school project; the website is only a demo, so the security isn't a problem – Tim Roering Oct 02 '18 at 08:59
  • @D.Dimitrov I edited the page with the full server-side code. – Tim Roering Oct 02 '18 at 09:01
  • 1
    @TimRoering school project or not - security is always important – treyBake Oct 02 '18 at 09:01
  • 3
    But learning BAD PRACTICE is always a problem, and should in my opinion be marked down if it is a school project. Also you have made some attempt at protecting against SQL Injection by using `mysqli_real_escape_string()` but that is a false protection – RiggsFolly Oct 02 '18 at 09:02
  • @TimRoering as I said before, now your variable $email is empty. Your $email variable in register if construction lives only there. So you have to fetch email and id from database. – AnTrakS Oct 02 '18 at 09:03
  • @D.Dimitrov Where should I fetch the $email variable? Sorry, I'm usually not a coder, so this is all new for me. – Tim Roering Oct 02 '18 at 09:07
  • @RiggsFolly I don't want to send an email to the users. I only want to fetch data from the $email table from the database. I can print out the username just fine, but when I try to print out the email it's empty. – Tim Roering Oct 02 '18 at 09:08
  • Then you should read some articles about **how to fetch data from database**: https://stackoverflow.com/questions/24028697/how-to-fetch-data-in-php-with-mysqli – AnTrakS Oct 02 '18 at 09:08
  • Tim, yea sorry, got the wrong end of the stick there for a minute :) – RiggsFolly Oct 02 '18 at 09:10
  • @RiggsFolly Yes, I put this at the start of the profile page. – Tim Roering Oct 02 '18 at 09:11
  • @RiggsFolly It doesn't work, but when I make a new account (with email information) I automatically log in. When I looked at the profile page it showed the e-mail, but when I logged out and logged back in it disappeared – Tim Roering Oct 02 '18 at 09:29
  • @RiggsFolly No, only the username and password – Tim Roering Oct 02 '18 at 09:54
  • @RiggsFolly And how do I implement that into the login section? Help would be greatly appreciated – Tim Roering Oct 02 '18 at 10:00

1 Answer

Your issue is that you are not asking for the email as part of the normal login, but were using it in the login query.

Initially you set $email = ''; so when you used that in the query you would not have been finding the User account with that query, as it was an empty string, so the login would always fail.

So query the database with just the Username. Then check the password rather than using it on the query.

Then use the data returned by the query to set up your SESSION.

I have also amended this query to use a parameterised prepared query, to protect against SQL injection attacks.

<?php
session_start();

// initializing variables
$username = "";
$email    = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'registration');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
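    // hash the password as submitted (not the SQL-escaped copy) so it matches the check at login;
    // the MD5 hex digest contains only [0-9a-f], so it is safe inside the query below
    $password = md5($_POST['password_1']);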

    $query = "INSERT INTO users (username, email, password) 
              VALUES('$username', '$email', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['email'] = $email;
    $_SESSION['id'] = mysqli_insert_id($db); // $id was never set; use the id of the row just inserted
    $_SESSION['success'] = "Je bent nu ingelogd";
    header('location: index.php');
  }
}
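//login user
if (isset($_POST['login_user'])) {
    // read the submitted values; no escaping is needed because the query is parameterised
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    if (empty($username)) {
        array_push($errors, "Username is required");
    }
    if (empty($password)) {
        array_push($errors, "Password is required");
    }

    if (count($errors) == 0) {

        // look the user up by username only
        $query = "SELECT * FROM users WHERE username=?";
        $stmt = $db->prepare($query);
        $stmt->bind_param('s', $username);
        $stmt->execute();

        // mysqli_stmt has no fetch_assoc(); fetch the row from the result set
        // (get_result() needs the mysqlnd driver)
        $result = $stmt->get_result();
        $row = $result->fetch_assoc();

        // $row is null when the username does not exist;
        // === avoids PHP type juggling when comparing the hashes
        if ($row && $row['password'] === md5($password)) {

            // fill the session from the database row
            $_SESSION['username']   = $row['username'];
            $_SESSION['email']      = $row['email'];
            $_SESSION['id']         = $row['id'];
            $_SESSION['success']    = "You are now logged in";

            header('location: index.php');
            exit;
        }else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}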
?>

Please don't roll your own password hashing, especially not using MD5() or SHA1(). PHP provides password_hash() and password_verify(); please use them. And here are some good ideas about passwords. If you are using a PHP version prior to 5.5 there is a compatibility pack available here.

But as that is not actually part of the question I will ignore that for now.

RiggsFolly
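
The answer above leaves the move to `password_hash()` / `password_verify()` for later. As an added example (not part of the answer or the asker's project), this sketch looks the user up by username with a prepared statement, verifies the password, and upgrades an old MD5 row on the first successful login. It assumes an in-memory SQLite database via PDO in place of the page's MySQL `users` table so that it runs offline; `login_user()` and the sample accounts are constructed for illustration.

```php
<?php
// Added example: an in-memory SQLite table stands in for the page's MySQL
// `users` table so the script runs offline. All rows are constructed samples.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               email TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.test', password_hash('s3cret!', PASSWORD_DEFAULT)]);
$ins->execute(['bob', 'bob@example.test', md5('hunter2')]); // legacy MD5 row

/** Hypothetical helper: returns the user's row on success, null on failure. */
function login_user(PDO $db, string $username, string $password): ?array
{
    // Look the account up by username only; the password never enters the SQL.
    $stmt = $db->prepare('SELECT id, username, email, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown user
    }
    $stored = $row['password'];
    $ok = password_verify($password, $stored);
    // Legacy path: a 32-hex-char value is an old MD5 digest. Compare it
    // in constant time and as a string (no == type juggling).
    $legacy = !$ok && preg_match('/^[0-9a-f]{32}$/', $stored) === 1
              && hash_equals($stored, md5($password));
    if (!$ok && !$legacy) {
        return null;                       // wrong password
    }
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Upgrade the stored hash while the plaintext is available.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    unset($row['password']);               // never copy the hash into the session
    return $row;
}

foreach ([['alice', 's3cret!'], ['bob', 'hunter2'], ['bob', 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    $user = login_user($db, $u, $p);
    // On success the page's script would call session_regenerate_id(true) and
    // fill $_SESSION['username'], ['email'] and ['id'] from $user at this point.
    echo $user !== null
        ? "$u: logged in, email={$user['email']}\n"
        : "$u: Wrong username/password combination\n";
}
```

With MySQL, the `password` column must be wide enough for `password_hash()` output (`VARCHAR(255)` is the usual choice); a 32-character column sized for MD5 would truncate the new hashes.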