0

I'm new to PHP and I'm trying to make a website with member login (without members panel). I have a simple webpage where some pages can be viewed only if you are logged in.

Could you please tell me how to give a temporary name to a $_SESSION?

This is the login script:

if (isset($_POST['formsubmitted'])) {
    // Initialize a session:
    session_start();
    $error = array(); // this array will store all error messages

    if (empty($_POST['e-mail'])) { // if the email supplied is empty
        $error[] = 'You forgot to enter your Email ';
    } else {
        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
            $Email = $_POST['e-mail'];
        } else {
            $error[] = 'Your EMail Address is invalid ';
        }
    }

    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    if (empty($error)) { // if the array is empty, it means no error found
        // $Email and $Password are interpolated straight into the SQL string here
        $query_check_credentials = "SELECT * FROM members WHERE (Email='$Email' AND password='$Password' AND Aprobat='DA') AND Activation IS NULL";

        $result_check_credentials = mysqli_query($dbc, $query_check_credentials);
        if (!$result_check_credentials) { // if the query failed
            echo 'Query Failed ';
        }

        if (@mysqli_num_rows($result_check_credentials) == 1) { // if the query is successful
            // A match was made.
            $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC); // assign the result of this query to the SESSION global variable
            $_SESSION['start'] = time(); // time of login
            $_SESSION['expire'] = $_SESSION['start'] + (30 * 60);
            header("Location: about.php"); // no exit after the redirect: the rest of the script still runs
        } else {
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }
    } else {
        echo '<div class="errormsgbox"> <ol>';
        foreach ($error as $key => $values) {
            echo '  <li>'.$values.'</li>';
        }
        echo '</ol></div>';
    }

    if (isset($msg_error)) {
        echo '<div class="warning">'.$msg_error.' </div>';
    }
    /// var_dump($error);
    mysqli_close($dbc);
}

and this is the script for pages that can be viewed only by logged in users.

ob_start();
session_start();
if (!isset($_SESSION['Username'])) {
    header("Location: login.php");
    session_destroy();
}

and this is the logout script:

session_start();
unset($_SESSION["username"]); // where $_SESSION["username"] is your own variable; if you do not have one, use session_unset(); instead
session_destroy();
header("Location: index.php");

I would really appreciate it if somebody would help me to improve this script. Another thing I want to know is whether I've set up the $_SESSION expiry correctly.

I'm trying to use a prepared statement and I don't know how to use it.

This is the code with the prepared statement, and I receive this error: Fatal error: Call to a member function bind_param() on a non-object in /home/siteseby/public_html/login.php on line 38

if (isset($_POST['formsubmitted'])) {
    // Initialize a session:
    session_start();
    $error = array(); // this array will store all error messages

    if (empty($_POST['e-mail'])) { // if the email supplied is empty
        $error[] = 'You forgot to enter your Email ';
    } else {
        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
            $Email = $_POST['e-mail'];
        } else {
            $error[] = 'Your EMail Address is invalid ';
        }
    }

    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    if (empty($error)) { // if the array is empty, it means no error found
        $qstmt = "SELECT * FROM users WHERE (Email = ? AND password = ? AND Aprobat='DA') AND Activation IS NULL";
        $stmt = $dbc->prepare($qstmt);        // prepare() returns false when the statement is rejected; nothing checks that here
        $stmt->bind_param($Email, $Password); // bind_param() expects a type string ("ss") as its first argument
        $query_check_credentials = $stmt->execute(); // execute() returns a bool, not a result set
        $result_check_credentials = $query_check_credentials;
        if (!$result_check_credentials) { // if the query failed
            echo 'Query Failed ';
        }

        if (@mysqli_num_rows($result_check_credentials) == 1) { // if the query is successful
            // A match was made.
            $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC); // assign the result of this query to the SESSION global variable
            $_SESSION['start'] = time(); // time of login
            $_SESSION['expire'] = $_SESSION['start'] + (2 * 60);
            $_SESSION['email'] = $Email;
            header("Location: about.php");
            exit;
        } else {
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }
    } else {
        echo '<div class="errormsgbox"> <ol>';
        foreach ($error as $key => $values) {
            echo '  <li>'.$values.'</li>';
        }
        echo '</ol></div>';
    }

    if (isset($msg_error)) {
        echo '<div class="warning">'.$msg_error.' </div>';
    }
    /// var_dump($error);
    mysqli_close($dbc);
} // End of the main Submit conditional.
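
The query part of the login script above, rewritten with mysqli prepared statements. This is an added example, not the asker's code. It assumes `$dbc` is a `mysqli` object, that the table is called `users` (the first script queries `members`, the second `users`; a table name that does not exist makes `prepare()` return false, which is the cause of a "bind_param() on a non-object" error), that the columns `Email`, `password`, `Aprobat` and `Activation` exist as in the question, and, as a change from the question, that the `password` column holds a `password_hash()` hash rather than plaintext. `get_result()` needs the mysqlnd driver, which is the default in PHP 5.4 and later.

```php
<?php
// Added example, not the asker's code. Assumptions: $dbc is a mysqli connection,
// table `users` with columns Email, password (bcrypt hash), Aprobat, Activation.
declare(strict_types=1);

function findLoginCandidate(mysqli $dbc, string $email): ?array
{
    // Only the e-mail is a query parameter; the password is checked in PHP below.
    // The ? placeholder means the value is never spliced into the SQL text.
    $sql = "SELECT * FROM users WHERE Email = ? AND Aprobat = 'DA' AND Activation IS NULL";

    $stmt = $dbc->prepare($sql);
    if ($stmt === false) {
        // prepare() returns false when MySQL rejects the statement (unknown table or
        // column, dead connection). Calling bind_param() on that false value is the
        // "Call to a member function bind_param() on a non-object" error.
        error_log('prepare failed: ' . $dbc->error);
        return null;
    }

    // bind_param() takes a type string first: "s" = string, one letter per placeholder.
    $stmt->bind_param('s', $email);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return null;
    }

    // execute() returns a bool, so mysqli_num_rows() cannot be applied to it.
    // get_result() hands back the mysqli_result that fetch_assoc() works on.
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    return $row ?: null;
}

function attemptLogin(mysqli $dbc, string $email, string $password): bool
{
    $row = findLoginCandidate($dbc, $email);

    // password_verify() runs whether or not a row matched, so "unknown e-mail" and
    // "wrong password" take roughly the same time. The fallback is a dummy value that
    // never verifies (constructed placeholder, not a real hash).
    $hash = $row['password'] ?? '$2y$10$' . str_repeat('x', 53);
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }

    // New session id at the moment of login: the defence against session fixation.
    session_regenerate_id(true);

    // Store only what later pages need instead of assigning the whole DB row to $_SESSION.
    $_SESSION['email']  = $row['Email'];
    $_SESSION['start']  = time();
    $_SESSION['expire'] = time() + 30 * 60; // 30 minutes, the question's own policy
    return true;
}

// Usage inside the formsubmitted branch (session_start() must already have run, before any output):
// if (attemptLogin($dbc, (string) $_POST['e-mail'], (string) $_POST['Password'])) {
//     header('Location: about.php');
//     exit; // without exit, the remainder of login.php is still executed and sent
// }
```

Note that mysqli supports only positional `?` placeholders; named parameters (`:email`) are a PDO feature, so the `$dbh->prepare(...)->execute(array(...))` form mentioned later in the thread only works with a PDO connection, not with `$dbc` from `mysqli_connect()`.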

2 Answers

0

Everything seems fine... (for a newbie, at least)

As far as how you are handling the sessions, I would advise you to check the session hijacking/fixation related Q&A here on Stack Overflow. Or better yet, use SSL to encrypt your data. That being said, I think you are better off handling your MySQL queries using prepared statements and named parameters, instead of the clumsy way (Email='$Email' AND password='$Password'). Again, you will find tutorials very easily here.

Last but not least, good formatting of your code, avoiding error suppression like if (@mysqli_, and not using exit after a header redirect, i.e. just using header("Location: login.php");, are generally thought of as bad ideas.

  • I don't know if I understand. Is this prepared statement right: $query_check_credentials = $dbh->prepare("SELECT * FROM users WHERE (Email = ? AND password = ? AND Aprobat='DA') AND Activation IS NULL"); $query_check_credentials->execute(array($Email, $Password)); to replace this: $query_check_credentials = "SELECT * FROM members WHERE (Email='$Email' AND password='$Password' AND Aprobat='DA') AND Activation IS NULL"; $result_check_credentials = mysqli_query($dbc, $query_check_credentials); –  Jun 17 '13 at 23:50
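
The session-handling points raised in this answer (fixation, cookie protection, exit after a redirect) together with the expiry check the asker wanted reviewed, as an added example that is not part of the answer. It is a guard include for the protected pages; it assumes the keys `$_SESSION['email']`, `'start'` and `'expire'` that the login script in the question sets, the 30-minute timeout from that script, and `login.php` as the redirect target. The array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not the answer's code: require_login.php, included at the top of every
// page that only logged-in users may see. Assumed session keys: email, start, expire.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 30 * 60; // the question's 30-minute policy

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie attributes: unreadable from JavaScript (httponly), only sent over HTTPS
    // (secure, which is where the SSL advice comes in), not sent on cross-site
    // navigations (samesite). They must be set before session_start(), and
    // session_start() must run before any output, because the cookie is a response header.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True when the session array describes a logged-in user whose idle timeout has not
// passed. Written as a pure function of the array and the clock so it is easy to test.
function sessionIsValid(array $session, int $now): bool
{
    if (!isset($session['email'], $session['expire'])) {
        return false;                        // never logged in, or keys do not match
    }
    return $now < (int) $session['expire'];  // 'expire' was set at login as start + 30 min
}

function requireLogin(): void
{
    startHardenedSession();

    if (!sessionIsValid($_SESSION, time())) {
        // Clear server-side state, send the redirect, then stop. session_destroy()
        // before the header is fine; the exit is what keeps the protected HTML below
        // this include from being sent to a logged-out client.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }

    // Sliding expiry: each request by an active user pushes the deadline forward.
    // Drop this line if a fixed 30 minutes from login is the intended behaviour.
    $_SESSION['expire'] = time() + SESSION_IDLE_SECONDS;
}

// At the very top of about.php, before any HTML:
// require __DIR__ . '/require_login.php';
// requireLogin();
```

The question's original guard sets `expire` but never reads it, so the timeout has no effect; `sessionIsValid()` is the missing comparison. Because the guard now checks `email`, the login script has to store that key (the question's login stores the whole database row and never sets `Username`, which is why its check never passes).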
0

First thing, you must call session_start() right at the beginning of your code, since the cookie associated with session creation is sent in an HTTP header. Next thing, at the end of your login script, set a session thus:

$_SESSION['email'] = $email;

Now that the session has been set, you should check for it in each page a user needs to be logged in to see (remember to begin with session_start() before outputting anything):

session_start();
if (isset($_SESSION['email'])) {
    // whatever should happen with a logged-in user
}

Remember you can only use a custom session key if it has been set before; I'm saying this because I see you testing if(!isset($_SESSION['Username'])) without first setting a 'Username' session key.

Cedric Ipkiss
  • Thank you, I have fixed this. Now I'm trying some prepared statements and I'm not sure how to use them. I will post here in a few minutes after a short verification, and tell me if it is fine. Best regards –  Jun 18 '13 at 00:04
  • @user2476097 instead of changing your original question to something completely different, you should accept this answer as the correct one and post a new question if you face a new problem. – 1615903 Jun 18 '13 at 05:18
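
A logout script that matches the key this answer tells the asker to set, as an added example that is not part of the answer. The question's logout unsets `username` while its page guard checks `Username`, so neither side agrees on a name; clearing the whole array avoids that class of mismatch. Assumed: the login stores `$_SESSION['email']`, `index.php` is the landing page as in the question, and PHP 7.3 or later for the array form of `setcookie()`.

```php
<?php
// Added example, not the answer's code: logout.php. Assumes login set $_SESSION['email'].
declare(strict_types=1);

function logout(): void
{
    // session_start() must come before any output, because both the session cookie
    // and the Location header are response headers.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the whole array instead of unset()-ing one key whose spelling may not
    //    match what login stored ('username' vs 'Username' in the question).
    $_SESSION = [];

    // 2. Expire the session cookie in the browser using the same attributes it was set
    //    with; otherwise the client keeps presenting the old id until the browser closes.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
            'samesite' => $params['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Remove the server-side session record so the old id cannot be reused.
    session_destroy();

    header('Location: index.php');
    exit; // stop here; nothing after a redirect should execute
}

logout();
```

The three steps are the order the PHP manual documents for destroying a session completely: empty the array, expire the cookie, destroy the server record. A page guard that only does `unset($_SESSION['email'])` leaves the session id valid and the cookie in place, which is what the session-hijacking advice in the other answer is about.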