
I'm trying to display a user's email on an index page after they've successfully logged in. Here's the login code:

<?php

include("config.php");
if($_REQUEST['sub']){
    $id=$_REQUEST['t1'];
    $pass=$_REQUEST['p1'];
    $sel=mysql_query("select customer_email,customer_password, customer_fname from customers where   customer_email='$id'");
    $arr=mysql_fetch_array($sel);

    if(($arr['customer_email']==$id) and( $arr['customer_password']==$pass))
    {
        session_start();
        $_SESSION['loggedin'] = true; 
        $_SESSION['customer_email '] = $id ;
        echo "<script>location.href='index.php'</script>";
    }else{
        $er="Invalid email or password";
    }
}
?>

t1 is the textbox where the user enters their email, p1 is the password textbox where the user enters their password, and sub is the id of the login button. Here's the code for displaying the email in the index page:

<?php
error_reporting(1);
 session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
   $us=  "Welcome , " . $_SESSION['customer_email'] . "!";
} else {
    $us= "Welcome guest.";
}
?>

I want it to be displayed next to the website's navigation links. So here's the code that puts $us next to them:

<div id="Top_menu"> 
<a class="kart" href="index.php?con=15"><span>CART</span></a>
<a class="contact" href="index.php?con=1"><span>CONTACT</span></a>
<a class="aboutus" href="index.php?con=2"><span>ABOUT US</span></a>
<a class="home" href="?page=home"><span>HOME</span></a>
<?php echo "<font color='green'>$us</font>";?>

Whenever I run the code, it displays hello guest fine when the user isn't logged in, but when a user is logged in it only displays Welcome,!

Lelio Faieta
  • 7
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 19 '17 at 16:02
  • 7
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 19 '17 at 16:02
  • 6
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 19 '17 at 16:02
  • Are you sure `$id=$_REQUEST['t1'];` has worked like you expect? – Jay Blanchard Jun 19 '17 at 16:04
  • 4
    `customer_email `(space in the end) and `customer_email` are __different__ keys – u_mulder Jun 19 '17 at 16:09
  • I've tested the login and the user appears to be logged in, the only problem is displaying the email – phpdeveloper Jun 19 '17 at 16:10
  • see the comment given by @u_mulder – Exprator Jun 19 '17 at 16:14
  • All of the above. This code is practically begging to be hacked. Meanwhile the actual problem stated in the question, as u_mulder notes, is likely just a typo. Voting to close since it's seemingly abandoned, and it's already quite old. – ADyson Jul 16 '18 at 13:43
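
The comments above raise three fixes: a prepared statement instead of `mysql_*` string concatenation, hashed passwords, and one consistent session key. The following is an added example, not code from the question or its commenters; the table and column names come from the question, while the in-memory SQLite database, the sample row, and the names `login()`, `welcome()` and `SESSION_EMAIL_KEY` are assumptions made so it runs stand-alone.

```php
<?php
// Added example (not the asker's code). Assumes PHP 7+ with the pdo_sqlite extension.
error_reporting(E_ALL); // error_reporting(1) hides the undefined-index notice that exposes a mistyped key

// One constant for the key, so 'customer_email ' (trailing space) cannot become a second key.
const SESSION_EMAIL_KEY = 'customer_email';

function login(PDO $db, string $email, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT customer_email, customer_password FROM customers WHERE customer_email = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // customer_password is assumed to hold a password_hash() value, never plain text.
    if ($row === false || !password_verify($password, $row['customer_password'])) {
        return false;
    }
    $_SESSION['loggedin'] = true;
    $_SESSION[SESSION_EMAIL_KEY] = $row['customer_email'];
    return true;
}

function welcome(): string
{
    if (!empty($_SESSION['loggedin']) && isset($_SESSION[SESSION_EMAIL_KEY])) {
        // The email is user-supplied data going into HTML, so escape it on output.
        $email = htmlspecialchars($_SESSION[SESSION_EMAIL_KEY], ENT_QUOTES, 'UTF-8');
        return "Welcome, $email!";
    }
    return 'Welcome guest.';
}

// --- constructed demo data: in-memory database with one sample customer ---
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (customer_email TEXT PRIMARY KEY, customer_password TEXT)');
$db->prepare('INSERT INTO customers VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('sample-passphrase', PASSWORD_DEFAULT)]);

$results = [
    login($db, "nobody'@example.com", 'anything'),       // stray quote is treated as data
    login($db, 'alice@example.com', 'wrong-passphrase'), // hash does not verify
    login($db, 'alice@example.com', 'sample-passphrase'),
];
var_dump($results);
echo welcome(), PHP_EOL;
```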

0 Answers