How to code the login user should only view not all inserted user in db using PHP?

Question

I am new in PHP so I'm still learning by trying codes available from the web. I created a login and its working . The problem is on the next page the login user should view his/her image, IDnumber and lastname,firstname, middlename but then it displays all the data in mysql: IDNumber and lastname,firstname, middlename of every column. -----It should only show the user who logged in

Onlineenrollment.php

CREATE TABLE IF NOT EXISTS `student` (
  `IDNumber` int(7) NOT NULL,
  `password` varchar(15) NOT NULL,
  `lastname` varchar(15) NOT NULL,
`firstname` varchar(20) NOT NULL,
`middlename` varchar(15) NOT NULL,
`course` varchar(7) NOT NULL,
`year` enum('1','2','3','4') NOT NULL,
`gender` enum('Male','Female') NOT NULL,
`address` varchar(45) NOT NULL,
`birthdate` varchar(45) NOT NULL,
`contactNumber` varchar(45) DEFAULT NULL,
`email` varchar(45) DEFAULT NULL,
`guardian` varchar(45) NOT NULL,
`image` blob NOT NULL,
PRIMARY KEY (`IDNumber`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `student` (`IDNumber`, `password`, `lastname`, `firstname`, `middlename`, `course`, `year`, `gender`, `address`, `birthdate`, `contactNumber`, `email`, `guardian`, `image`) VALUES
(2114567, 'pamisabel', 'Agpalo', 'Gianna', 'Casabar', 'BSIT', '1', 'Female', 'T. Alonzo St.', '12/20/93', '99999999', 'gian@gmail.com', 'you', '');

INSERT INTO `student` (`IDNumber`, `password`, `lastname`, `firstname`, `middlename`, `course`, `year`, `gender`, `address`, `birthdate`, `contactNumber`, `email`, `guardian`, `image`) VALUES
(2116782, 'jak', 'Batoon', 'Kai', 'Seo', 'BSIT', '1', 'Female', 'Alonzo St.', '12/20/93', '99999999', 'gian@gmail.com', 'you', '');

login.php

<?php
//Start session
session_start();    
//Unset the variables stored in session
unset($_SESSION['SESS_MEMBER_ID']);
unset($_SESSION['SESS_FIRST_NAME']);
unset($_SESSION['SESS_LAST_NAME']);?>
<html>
            <form name="loginform" action="login_exec.php" method="post">
<tr>
<td colspan="2">
        <!--the code bellow is used to display the message of the input validation-->
     <?php
        if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
        echo '<ul class="err">';
        foreach($_SESSION['ERRMSG_ARR'] as $msg) {
            echo '<li>',$msg,'</li>'; 
            }
        echo '</ul>';
        unset($_SESSION['ERRMSG_ARR']);
        }
    ?>
    </td>
     </tr>
        <aside class="sidebar big-sidebar right-sidebar">

                <ul>    
                    <h4>SIGN IN</h4>
                        <fieldset>
                            <form action="#" method="get">
                <td width="116"><div align="left">ID Number</div></td>
<td width="177"><input name="IDNumber" type="text" placeholder="ID Number"/>   </td>
<br>
</tr>
<tr>
<br>
        <td><div align="left">Password</div></td>
<td><input name="password" type="password" placeholder="Password" /></td>
</tr>
<tr>
<td><div align="left"></div></td>
<br>
<td><input name="" style="margin-left: 150px;" type="submit" value="login" class="formbutton"/></td>
 </tr>
</table>
 </html>

connection.php

<?php
$mysql_hostname = "localhost";
$mysql_user = "root";
$mysql_password = "";
$mysql_database = "onlineenrollment";
$bd = mysql_connect($mysql_hostname, $mysql_user, $mysql_password,$mysql_database ) or die("Could not connect database");
mysql_select_db($mysql_database, $bd) or die("Could not select database");?>

home.php - how will i make it get the login user only

    <?php 
    @mysql_connect('localhost','root','') or die(mysql_error());
    mysql_select_db('onlineenrollment')  or die(mysql_error());
    $strSQL = "SELECT * FROM student";

   // Execute the query (the recordset $rs contains the result)
$rs = mysql_query($strSQL);

// Loop the recordset $rs
// Each row will be made into an array ($row) using mysql_fetch_array
while($row = mysql_fetch_array($rs)) {

   // Write the value of the column FirstName (which is now in the array $row)
   echo $row['lastname'] ;
   echo $row['middlename'] ;
  echo $row['firstname'] . "<br />";
  echo $row['IDNumber'] . "<br />";
  }

// Close the database connection
mysql_close();
?>

You are echoing the whole row in home.php and we can't see your query. Comes from the query imho. — Answers_Seeker, May 06 '15 at 12:18
[Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using [PDO](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, May 06 '15 at 12:20
Follow Jay Blanchard's advices and add a 'WHERE' clause to your query if you want to get only the connected user. — Answers_Seeker, May 06 '15 at 12:22
In addition [do not limit passwords](http://jayblanchard.net/security_fail_passwords.html) and make sure to [hash passwords properly](http://jayblanchard.net/proper_password_hashing_with_PHP.html). — Jay Blanchard, May 06 '15 at 12:28

score 0 · Answer 1 · answered May 06 '15 at 12:40

0

$strSQL = "SELECT * FROM student";

Instead of this use where condition Example.

$strSQL = "SELECT * FROM student where IDNumber=2114567";

Then those particular details will be coming ...in place of IDNumber=2114567(assign your textbox value here)

answered May 06 '15 at 12:40

chandrasekhar

31
7

Sak90 · Answer 2 · 2015-05-06T14:18:58.337

0

The problem is there in your home.php file.

You are querying the entire table named students. What you need to do is, just query the database for just one row corresponding to the loggined users unique ID number or any unique value ( Emails are a good way, but still using integers are more fast - as long as you have a unique ID field/Primary Key for the table ).

I will direct you to the solution.Here are the steps.

You should have access to the session variables in your home.php. For that, add session_start() at the first line ( after < ?php ).

Now, assuming that as per your login.php, $_SESSION['SESS_MEMBER_ID'] is the variable which holds the loggined user's ID. So let us assign it to a variable. $uid = $_SESSION['SESS_MEMBER_ID']; .

Let us just rewrite your query in home.php.

$strSQL = "SELECT * FROM student"; should become $strSQL = "SELECT * FROM student WHERE IDNumber=".$uid; [ I made a mistake in the above line. Forgot about the =. Edited as per the comments ] This query goes to your database and query for that single row, which contains your logged in user's IDNumber as the value of IDNumber field in the table.

On a serious note, DONT USE THIS CODE IN PRODUCTION PLEASE.

edited May 06 '15 at 14:18

answered May 06 '15 at 13:04

Sak90

600
6
19

I want to ask where will I assign the $uid=$_SESSION['SESS_MEMBER_ID']; in home.php? – Maecece Liz May 06 '15 at 13:28
Yes. Exactly. Start the session using session_start(), then assign $_SESSION['SESS_MEMBER_ID'] to $uid, in home.php – Sak90 May 06 '15 at 13:43
It says "Warning: mysql_fetch_array() expects parameter 1 to be resource, " an error occur – Maecece Liz May 06 '15 at 14:07
Done its already working I change the "." to "=" $strSQL = "SELECT * FROM student WHERE IDNumber = "uid"; – Maecece Liz May 06 '15 at 14:12
Oh. Sorry. I missed the '=' sign. Thanks for telling. I have edited the answer accordingly. – Sak90 May 06 '15 at 14:19

score 0 · Answer 3 · answered May 06 '15 at 13:06

0

You must set a WHERE clause in this query, you can use the information you created in the session variables.

$strSQL = "SELECT * FROM student WHERE IDNumber = 'your_session_value'";

answered May 06 '15 at 13:06

heliosk

1,113
3
23
45

How to code the login user should only view not all inserted user in db using PHP?

3 Answers3