
Here is my login process. I want the same dashboard for everyone, but the data will be different for each user. I am stuck with creating a uid variable to get the data for each logged-in user.

if(isset($_POST['login_btn']))
{
    $email_login=$_POST['email'];
    $password_login=$_POST['password'];
    $admin="admin";
    $co_admin="co_admin";

    $query = "SELECT * FROM registered_users WHERE email='$email_login' AND password='$password_login' AND usertype='$admin' ";
    $query_run = mysqli_query($connection, $query);

    $query_co = "SELECT * FROM registered_users WHERE email='$email_login' AND password='$password_login' AND usertype='$co_admin' ";
    $query_run_co = mysqli_query($connection, $query_co);

    if(mysqli_fetch_array($query_run))
    {
        $_SESSION['username'] = $email_login;
        $_SESSION['usertype'] = $admin;
        header('Location: index.php');
        exit;   // stop the script after sending the redirect header
    }
    else if(mysqli_fetch_array($query_run_co))
    {
        $_SESSION['username'] = $email_login;
        $_SESSION['usertype'] = $co_admin;
        header('Location: company_view.php');
        exit;
    }
    else
    {
        $_SESSION['status'] = 'Email ID / Password / User Type is Invalid';
        header('Location: login.php');
        exit;
    }
}

The source code above separates Co-admin and Admin. Now, when any Co-Admin logs in to the portal he should get his own details. I would like to know which function I have to call, or how I should declare a uid variable, to fetch data tables for each currently logged-in user. I found some other source code, but it is not related to mine, so I am confused about how to fix it with that code. Can anyone do it in my code?

  • You appear to be storing the user's passwords in `plain text` - please do not do that. You should use [password_hash](https://www.php.net/manual/en/function.password-hash.php) to generate a secure hash which can be stored in the database and then validate the user's posted password using [password_verify](https://www.php.net/manual/en/function.password-verify.php) – Professor Abronsius Aug 11 '20 at 10:51
  • _“Here is my login process”_ - throw that away, now. Apart from the plain text password issue, it is also open to SQL injection. – CBroe Aug 11 '20 at 10:52
  • Your code is wide open to [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) - you should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Professor Abronsius Aug 11 '20 at 10:53
  • Yes, I will change it to a hashed password as soon as I have fixed the data tables issue. Any idea how I can call the function through the current user id to fetch his details? – Feroz Ahmed Aug 11 '20 at 10:55
  • @Professor Abronsius Thank you for your help, I didn't know, as I am new to coding. – Feroz Ahmed Aug 11 '20 at 10:59
  • See https://stackoverflow.com/questions/60741213/how-can-i-get-an-unknown-username-given-an-id – Dharman Aug 11 '20 at 13:34
  • I don't know where you got this code from, but basically you need to start over. Do not do it this way. I would also recommend to stay away from mysqli and use PDO, which is easier, especially for new developers like you. – Dharman Aug 11 '20 at 13:35

1 Answer

I think you are asking how to get data for the current user from mysql tables. Yes, the standard way of doing this is via a unique ID for each user that is pulled from the registered_users table, storing this in the session, and then referencing this in the other tables and filtering by this ID. I would not suggest storing anything else from this table in the session as the ID is likely to have a stronger guarantee of immutability.

For example, if you have a table of recently visited pages per user, you would get this via:

$query = 'SELECT * FROM recently_visited WHERE user_id = ?';
$stmt = mysqli_prepare($connection, $query);    // mysqli_prepare needs the connection as its first argument
$stmt->bind_param("i", $_SESSION['user_id']);   // "i": bind the session's user ID as an integer
$stmt->execute();
$result = $stmt->get_result();                  // then fetch rows from $result, e.g. $result->fetch_assoc()

You can check the mysqli documentation for how to then extract what you need from the executed statement. I've shown this example of a prepared statement so you can see how to avoid SQL injection as well.

You may want to look into using foreign keys to enforce this connection.

Robert Egginton
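To show the whole flow the answer describes (look the user up, keep only the numeric ID in the session, filter every later query by that ID), here is an added example that is not part of the question or the answer. It uses PDO, as Dharman's comment recommends, with an in-memory SQLite database so it runs stand-alone; the `sqlite::memory:` DSN, the `id` column, the `url` column of `recently_visited`, the sample accounts and the helper function names are assumptions for this example, while `registered_users`, `email`, `password`, `usertype` and `recently_visited(user_id)` come from the thread. Passwords are stored with `password_hash` and checked with `password_verify`, and every value reaching SQL is a bound parameter.

```php
<?php
// Added example, not the question's or the answer's code. In the real app replace the
// SQLite DSN with your MySQL one and $session with $_SESSION after session_start().
declare(strict_types=1);

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');                      // assumption: in-memory DB for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('PRAGMA foreign_keys = ON');                 // enforce the user_id -> id link

    $db->exec('CREATE TABLE registered_users (
                   id       INTEGER PRIMARY KEY AUTOINCREMENT,
                   email    TEXT NOT NULL UNIQUE,
                   password TEXT NOT NULL,                -- password_hash() output, never plain text
                   usertype TEXT NOT NULL)');
    $db->exec('CREATE TABLE recently_visited (
                   user_id INTEGER NOT NULL REFERENCES registered_users(id),
                   url     TEXT NOT NULL)');

    // Constructed sample data: two accounts, each with a hashed password.
    $ins = $db->prepare('INSERT INTO registered_users (email, password, usertype) VALUES (?, ?, ?)');
    $ins->execute(['admin@example.com',   password_hash('admin-secret', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(['coadmin@example.com', password_hash('co-secret',    PASSWORD_DEFAULT), 'co_admin']);
    $db->exec("INSERT INTO recently_visited VALUES (1, '/index.php'), (2, '/company_view.php'), (2, '/reports.php')");
    return $db;
}

// Login: select by email only (bound parameter), then compare the password against the
// stored hash in PHP. Returns the user row on success, null on any failure.
function login(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, email, password, usertype FROM registered_users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch();
    if ($user === false || !password_verify($password, $user['password'])) {
        return null;                                       // unknown email or wrong password
    }
    return $user;
}

// What the login handler keeps: the numeric id drives every later per-user lookup.
function startUserSession(array $user, array &$session): void
{
    $session['user_id']  = (int) $user['id'];
    $session['usertype'] = $user['usertype'];
}

// Dashboard query: the browser never supplies the id, it always comes from the session.
function recentlyVisitedFor(PDO $db, array $session): array
{
    $stmt = $db->prepare('SELECT url FROM recently_visited WHERE user_id = ?');
    $stmt->bindValue(1, $session['user_id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Stand-alone demonstration.
$db      = openDatabase();
$session = [];

$user = login($db, 'coadmin@example.com', 'co-secret');
if ($user !== null) {
    startUserSession($user, $session);
    $target = $session['usertype'] === 'admin' ? 'index.php' : 'company_view.php';
    echo "logged in as user_id {$session['user_id']} ({$session['usertype']}), redirect to $target\n";
    print_r(recentlyVisitedFor($db, $session));            // only the rows with user_id = 2
}

var_dump(login($db, 'coadmin@example.com', 'wrong-password'));   // NULL: no session is started
```

The same `$session['user_id']` is the value the answer's `bind_param("i", $_SESSION['user_id'])` line uses; the usertype check that decides the redirect target happens after the password has been verified, not inside the SQL, so there is one lookup per login instead of one query per role.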