0

I'm relatively new to PHP and mySQL, and I'm trying to create user sessions with fields from a mySQL database.

The way I've set it up means that I am getting a session with the two fields entered into the login form (username and password) by checking these against the database, but I cannot retrieve any other data from the database and add it to the session.

How can I retrieve other data from the database and add this to the new session?

<?php
require('db.php');
session_start();

// If form submitted, insert values into the database.
if (isset($_POST['username'])){
    // removes backslashes
    $username = stripslashes($_REQUEST['username']);
    //escapes special characters in a string
    $username = mysqli_real_escape_string($con,$username);
    $password = stripslashes($_REQUEST['password']);
    $password = mysqli_real_escape_string($con,$password);
    //Checking is user existing in the database or not
    $query = "SELECT * FROM `users` WHERE username='$username' and password='".md5($password)."'";
    $result = mysqli_query($con,$query) or die(mysql_error());
    $rows = mysqli_num_rows($result);
    if($rows==1){
        //This one works
        $_SESSION['username'] = $username;

        //This one doesn't
        $_SESSION['email'] = $rows ['email'];

        // Redirect user to index.php 
        header("Location: index.php");
    }else{
        echo "<div class='form'>
        <p>Username/password is incorrect.</p>
        <br/>Click here to <a href='login.php'>Login</a></div>";
    }
}else{
}
?>
Improve this question
1
  • Just using a hash function such as MD5 is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as PBKDF2, Rfc2898DeriveBytes, password_hash, Bcrypt, passlib.hash or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Commented Jul 21, 2017 at 10:22

1 Answer 1

Reset to default
3

$rows is counter variable (having count of number of records) there that's why not working.

Do like below:-

....previous code as it is
$result = mysqli_query($con,$query) or die(mysql_error());
$row = mysqli_fetch_assoc($result); //fetch record
$rows = mysqli_num_rows($result);
if($rows==1){
        $_SESSION['email'] = $row['email'];
        header("Location: index.php");
    }...rest code as it is

Note:-

1.Don't use md5 password encryption, use password hashing technique.

2.Use prepared statements of mysqli_* to prevent your code from SQL Injection

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks! That's worked for me. I'll look into the password encryption and prepared statements, thanks for the advice!
@PhillipMitchell GLAD TO HELP YOU :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.