How to SESSION get information from the database

I have these two files and I need to solve the problem that the user data in the role column must be taken when logging in. I have written it so that the data can be extracted from the database, but it does not work for me that it is “forwarded” from process.php to admin.php. Does anyone know what the error is, that the admin.php file doesn’t want to load $_SESSION['Role'] from process.php? Thanks to everyone for helping, and here is the code:

process.php

<?php 
require_once('connect.php');
session_start();
    if(isset($_POST['Login']))
    {
       if(empty($_POST['Username']) || empty($_POST['Password']))
       {
            header("location:index.php?Empty= Please Fill in the Blanks");
       }
       else
       {
            $query="select * from role_test where Username='".$_POST['Username']."' and Password='".md5($_POST['Password'])."'";
            $result=mysqli_query($con,$query);

            if(mysqli_fetch_assoc($result))
            {
                $_SESSION['User']=$_POST['Username'];

                while($row = mysqli_fetch_array($result) ){
                $_SESSION['Role']=$row['role'];
                }

                header("location:admin.php");
            }
            else
            {
                header("location:index.php?Invalid= Please Enter Correct User Name and Password ");
            }
       }
    }
    else
    {
        echo 'Not Working Now Guys';
    }

?>

admin.php

<?php
    session_start();

    if(!(isset($_SESSION['User'])))
    {
        header("Location: index.php");
        exit(0);
    }	  

?>
<!DOCTYPE html>
<html>
<head>
<title>Role</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<?php
$_SESSION['Role']=$role;

echo $role;

?>

</body>
</html>

You are reassigning role in the next page when the value doesn’t appear to exist, rather than echoing what was already assigned.

This is incredibly problematic and a security risk. Md5 has been cracked for a while and should not be used for passwords. You want password_hash().

You should also look at parameterized and prepared statements to prevent SQL injection attacks that compromise your data and database.

Thanks a lot for the information, but I’m still learning to use PHP so I don’t deal with security much. I only have it for myself and not for commercial use. I just need advice on what I’m doing wrong with the roles, and best if someone fixes it for me.

If someone fixes it for you, you don’t learn anything.

And I gave the issue you are facing about too :wink:

I’m sorry, but I just need to know why I can’t load $_SESSION['Role'] from process.php in admin.php so that the logged-in user can know his role on the web. I just need that, please.

You should query on every page request to get the current user’s permissions. This will allow any change in the permissions to take effect on the very next page request after they have been changed. Doing this will actually solve the current problem.

Your login logic is messed up, beyond just the usage of the md5() hash. You are fetching the row of data from the SELECT query, then trying to loop to fetch the data again. Since the query will match a maximum of one row of data, none of this logic works.

Your login form processing code should -

  1. Be on the same page as the login form. This will reduce the amount of logic and provide a better User eXperience (UX.) You can display unique validation errors for every input and you can re-populate appropriate form fields with the submitted form data so that the user doesn’t need to keep reentering the same value(s) over and over.
  2. Have the session_start() before any other logic, in case any of that logic produces output that would prevent the session_start from working.
  3. If the current user is already logged in, don’t run any of the login form processing or form code.
  4. Don’t attempt to detect if a form’s submit button isset(). There are cases where it won’t be. You should instead detect if a post method form was submitted.
  5. Trim and validate all inputs, storing validation errors in an array, using the form field name as the array index.
  6. Any header() redirect needs an exit/die statement after it to stop code execution.
  7. The only redirect you should have in form processing code is to redirect to the exact same url of the page upon successful completion, with no errors, of the form processing code, to cause a get request for the page.
  8. As already mentioned, use password_hash() when storing the password and use password_verify() to test if the submitted password matches the hashed value.
  9. Fetch and test if the query matched a row, only once.
  10. Don’t use a loop to fetch a single row of data, just execute the fetch statement without a loop.
  11. The only thing you should store in a session variable upon successful login is the user’s id (auto-increment integer primary index.)
  12. You should have error handling for all statements that can fail. For database statements, just use exceptions for errors and in most cases let php catch and handle the exception, where it will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.)
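The following is an added example (not the poster’s code and not from the thread) that puts the points above into one page: session_start() first, exceptions for database errors, a prepared statement and password_verify() instead of string-built SQL and md5(), only the user id kept in the session, and the role looked up again on every request. It assumes the poster’s role_test table has columns id, Username, Password (holding a password_hash() value) and role, that connect.php provides a mysqli connection in $con, and that the mysqlnd driver is available for get_result(); the HTML form itself is omitted.

```php
<?php
// Added example, not the original post's code. Assumes a `role_test` table with
// columns id, Username, Password (a password_hash() value) and role, and that
// connect.php creates a mysqli connection in $con, as in the poster's files.
session_start();                                             // before any other logic or output
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // database errors become exceptions
require_once 'connect.php';

// Look up the current user's role on every request, so permission changes apply at once.
function current_user(mysqli $con): ?array {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $con->prepare('SELECT id, Username, role FROM role_test WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['user_id']);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$errors = [];
$user = current_user($con);

// Process the form only for a POST request and only when nobody is logged in yet.
if ($user === null && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['Username'] ?? '');
    $password = $_POST['Password'] ?? '';
    if ($username === '') { $errors['Username'] = 'Please enter your user name.'; }
    if ($password === '') { $errors['Password'] = 'Please enter your password.'; }

    if (!$errors) {
        // Parameterised query: the submitted value never becomes part of the SQL text.
        $stmt = $con->prepare('SELECT id, Password FROM role_test WHERE Username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();   // at most one row, so no loop

        if ($row && password_verify($password, $row['Password'])) {
            session_regenerate_id(true);               // fresh session id after login
            $_SESSION['user_id'] = (int) $row['id'];   // the only value stored at login
            header('Location: ' . $_SERVER['REQUEST_URI']);   // same URL, as a GET request
            exit;
        }
        $errors['login'] = 'Incorrect user name or password.';
    }
}

if ($user !== null) {
    echo 'Logged in as ' . htmlspecialchars($user['Username']) . ', role: ' . htmlspecialchars($user['role']);
}
?>
```

The poster’s original question is answered by the current_user() call: admin.php never needs $_SESSION['Role'] because each page reads the role from the database using the stored user id, so no value has to be “forwarded” between files.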