Retrieve data from database using session

Hi, I have read topics here and tried doing it in different ways, but my problem is still not solved. I tried storing a session and using it to retrieve data again from the database. I took the session idmember, set it to a variable, and then used it in a query to echo his/her first and last name. I can get to the main page, but the user's name isn't echoed. To summarize, here is how it works: index > authenticate(validate) > student/index.php

functions.php

<?php 

function sec_session_start() {
        $session_name = 'sec_session_id'; // Set a custom session name
        $secure = true; // Set to true if using https.
        $httponly = true; // This stops javascript being able to access the session id. 

        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. 
        $cookieParams = session_get_cookie_params(); // Gets current cookies params.
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
        session_name($session_name); // Sets the session name to the one set above.
        session_start(); // Start the php session
        session_regenerate_id(); // Regenerates the session id; the old session is only deleted when true is passed.
}



?>

index.php (Main Page)

<?php 
include ('include/functions.php');
sec_session_start();
include ('header.php');
?>
<title>Students Portal</title>
<div id="upper_row"><b>Announcement:</b></div>
    <div id="l_column"></div>

      <div id="r_column">
      <form action="authenticate.php" method="POST" name="loginform">
  <table width="100%">
      <tr>
        <th colspan="3" align="left">USER LOGIN<br /><hr /></th>
      </tr>
      <tr>
        <td width="72">Username:</td>
        <td width="212">
             <script type="text/javascript">
            function blank(a) { if(a.value == a.defaultValue) a.value = ""; }
            function unblank(a) { if(a.value == "") a.value = a.defaultValue; }
            </script> 
        <input type="text" value="Enter your School ID here" onfocus="blank(this)" onblur="unblank(this)" name="id" />
        </td>

      </tr>
      <tr>
         <td>Password:</td>
         <td><script type="text/javascript">
        function blank(a) { if(a.value == a.defaultValue) a.value = ""; }
        function unblank(a) { if(a.value == "") a.value = a.defaultValue; }
        </script> 
        <input type="password" value="Password" onfocus="blank(this)" onblur="unblank(this)" name="password" /></td>
      </tr>
      <tr>
        <td></td>
      <td rowspan="3" align="center"><input type="submit" name="login" value="Login" /></td>
      </tr>
  </table>

      </form>
      </div>


  <?php 
include "footer.php";
?>

authenticate.php

<?php
include ('include/conn.php');
include ('include/functions.php');
sec_session_start();
// username and password sent from form
if(isset($_POST['login'])) {    
        $user=$_POST['id'];
        $pass=$_POST['password'];

        // To protect MySQL injection (more detail about MySQL injection)
        $user = stripslashes($user);
        $pass = stripslashes($pass);
        $user = mysql_real_escape_string($user);
        $pass = mysql_real_escape_string($pass);
        $crypt_pass=md5($pass);
        //query from database
        $result=mysql_query("SELECT username,user_pass,user_id FROM tbl_user WHERE username ='$user' and user_pass='$crypt_pass'");
        $result2=mysql_fetch_row($result);
        // Mysql_num_row is counting table row
        $count=mysql_num_rows($result);

        //First Step of Validation
        //get the ip address of the user then the attempts
        $iptocheck = $_SERVER['REMOTE_ADDR'];
        $iptocheck = mysql_real_escape_string($iptocheck);
        $resultip = mysql_query("SELECT ip_address,login_attempts,username FROM tbl_sec_login WHERE ip_address = '$iptocheck' AND username='$user'");
        $ipcount = mysql_num_rows($resultip);
        $rowx = mysql_fetch_row($resultip);

        if(mysql_num_rows($resultip) > 1) {
            //Already has some IP address records in the database
            //Get the total failed login attempts associated with this IP address
            if ($rowx['1'] > 3) {
                header("Location: index.php");
            }
        }
        //If none then insert it to the table
        else if ($ipcount == 0) {
            $loginattempts = 0;

            mysql_query("INSERT INTO tbl_sec_login (ip_address,login_attempts,username) VALUES ('$iptocheck','$loginattempts','$user')");
        }
        //Second step of validation
        //if count is equal to 1 then proceed to next condition
        if($count==1){
                //Third Step of Validation
                // If result matched $user and $crypt_pass, table row must be 1 row

                if ($user==$result2[0] AND $crypt_pass==$result2[1]){
                    $_SESSION['idmember'] = $_POST['id'];

                    $loginattempts = 0;
                    mysql_query("DELETE FROM tbl_sec_login WHERE ip_address = '$iptocheck' AND username='$user'");


                    if($result2[2]==3) {
                    header("Location: student/index.php?id=$user");
                    }elseif ($result2[2]==2) {
                    header("Location: epersonnel/index.php");
                    }elseif ($result2[2]==1) {
                    header("Location: admin/index.php");
                    }

                }else{
                    $loginattempts = $rowx['1'] + 1;

                    mysql_query("UPDATE tbl_sec_login SET login_attempts = '$loginattempts' WHERE ip_address = '$iptocheck' AND username='$user'");
                    header("Location: login.php");
                }

            } 
            else {
                $loginattempts = $rowx['1'] + 1;

                mysql_query("UPDATE tbl_sec_login SET login_attempts = '$loginattempts' WHERE ip_address = '$iptocheck' AND username='$user'");
                header("Location: login.php");
            }
        }

        else {
            header("Location: index.php");
            }


?>

student/index.php

<?php
session_start(); 

if(!empty($_SESSION['idmember'])){
    header("Location: login.php");
}
require 'include/conn.php';
$id = $_SESSION['idmember'];
$query="SELECT first_name,last_name FROM tbl_studentmasterlist WHERE sid ='$id'";
$result=mysql_query($query);
$row = mysql_fetch_array($result);

include "header.php";
?>
<div id="s_l_column">
    <div id="i_location">
    Welcome, <br />
    <center><img name="" src="" width="185" height="135" alt=""> <br />
    &raquo; <?php echo $row['first_name']." ".$row['last_name'];?> </center>
    <hr />
    </div>

    <div id="side_menubar">
    </div>
</div>

<div id="s_r_column">

    <div class="menubar">
        <ul>
            <li><a href="#" class="leftEdge clearBorder">Home</a></li>
            <li><a href="#">Account Setting</a></li>
            <li><a href="#">Enrollment Guide</a></li>
            <li><a href="#">Enroll</a></li>
            <li><a href="#" class="rightEdge">Logout</a></li>
        </ul>                
    </div>

    <div id="b_contianer">

    </div>

</div>


<?php 
include "footer.php";
?>


Solution 1:[1]

Why do you redirect to the login.php page when you have already set the $_SESSION['idmember'] variable? That doesn't make much sense.

Your code does the following:

When you call the index.php site the first time, your session variable 'idmember' isn't set and thus the first and last name aren't displayed, because your query doesn't return any results.

The problem here lies in the following lines of code (index.php):

if(!empty($_SESSION['idmember'])){
    header("Location: login.php");
}

Here you check if your session variable 'idmember' is NOT empty. So, every time you call index.php with 'idmember' set, you will be redirected to login.php.

To fix this just replace your code with the following one:

if (!isset($_SESSION['idmember'])){
    header("Location: login.php");
}

This checks if the session variable 'idmember' is NOT set and redirects the user to the login.php page if so. After the user has logged in successfully and calls index.php again, your query will return a result (provided that a user with the 'idmember' value actually exists...). And finally, the first and last name should be displayed.
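
An added example, not part of the original answer: the corrected guard written as a function and paired with a parameterized lookup, run against a constructed in-memory SQLite table so it works from the PHP CLI. `login_redirect` and `fetch_student_name` are hypothetical names; the table and column names come from the question.

```php
<?php
// Added example (not from the original post). Table/column names follow the
// question; the SQLite in-memory database and the row in it are constructed
// so the script runs offline from the CLI.

// Returns the URL to redirect to, or null when the visitor is logged in.
function login_redirect(array $session): ?string
{
    // isset() is false for a missing key; the === '' test also rejects a blank id.
    if (!isset($session['idmember']) || $session['idmember'] === '') {
        return 'login.php';
    }
    return null;
}

// Looks up the name with a bound parameter instead of string interpolation.
function fetch_student_name(PDO $db, string $sid): ?string
{
    $stmt = $db->prepare(
        'SELECT first_name, last_name FROM tbl_studentmasterlist WHERE sid = :sid'
    );
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['first_name'] . ' ' . $row['last_name'] : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_studentmasterlist (sid TEXT PRIMARY KEY, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO tbl_studentmasterlist VALUES ('2013-0001', 'Ana', 'Reyes')"); // constructed row

// In student/index.php the guard would run right after the session is started:
//     if (($to = login_redirect($_SESSION)) !== null) {
//         header("Location: $to");
//         exit; // header() does not stop the script; without exit the page still renders
//     }
foreach ([[], ['idmember' => '2013-0001']] as $session) { // constructed session states
    $to = login_redirect($session);
    if ($to !== null) {
        echo "redirect -> $to\n";
        continue;
    }
    $name = fetch_student_name($db, $session['idmember']);
    echo 'Welcome, ' . htmlspecialchars($name ?? 'unknown student', ENT_QUOTES, 'UTF-8') . "\n";
}
```

Because authenticate.php stores `idmember` in a session named `sec_session_id`, student/index.php has to start its session through `sec_session_start()` as well (assuming PHP's default session name is otherwise in effect), or the guard never sees the value.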

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
