0

User login with user-Id and Mobile Number. After login I want to display more data about this user from database but when I go to next page it display data from all the Users in table.

Here is my PHP to Login: 

<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbnam = "adil";
try {
    $conn = new PDO("mysql:host=$servername; dbname=$dbnam", $dbusername, $dbpassword);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
    }
catch(PDOException $e)
    {
    echo "Connection failed: " . $e->getMessage();
    }


// new data

 if (isset($_POST["patientId"]))
    {$patientId = $_POST['patientId'];} 

if (isset($_POST["mobile"]))
    {$mobile= $_POST['mobile'];} 


// query
    $result = $conn->query("SELECT `patientId`, `mobile` FROM `inpatient` 
                        WHERE patientId= '$patientId' AND mobile= '$mobile' LIMIT 1 ");

    $rows = $result->fetch(PDO::FETCH_ASSOC);

    if($result->rowCount() > 0) {
        session_start();
        $_SESSION['login'] = true;
    header("location:../patient-detail.php");
    }
    else{
        header("location:index.php");
        $errflag = true;
    }
    ?>

How can I find some function to control specific data for user?

Patient Detail page

<div class="row">   
<div class="col-sm-10 col-sm-offset-1"> 
<div id="patientedit">
<div class="row pHead">
<div class="col-sm-2 phBorder">ID</div>
<div class="col-sm-2 phBorder">Patient Name</div>
<div class="col-sm-1 phBorder">Gender</div>
<div class="col-sm-1 phBorder">Age</div>
<div class="col-sm-2 phBorder">Date</div>
<div class="col-sm-2 phBorder">Mobile</div>
<div class="col-sm-2 phBorder">Action</div>
</div>

<script>
$('body').on('click', 'input.deleteDep', function() {
   $(this).parents('tr').remove();  
});
function data(id){
    $.post('data.php',{ id:id },function(r){
        $('#myModal').html(r);
    });
}
</script>

            <script>
            function getData(id,file_name,div_name){
                $.post(file_name,{ id:id },function(r){
                    $(div_name).html(r);
                });
            }
            </script>
<?php

        $servername = "localhost";
        $dbusername = "root";
        $dbpassword = "";
        $dbnam = "adil";

$conn = new PDO("mysql:host=$servername;dbname=$dbnam", $dbusername, $dbpassword);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $conn->prepare("SELECT * FROM inpatient ORDER BY id DESC"); 
    $stmt->execute();

    while($result = $stmt->fetch(PDO::FETCH_ASSOC)){
    echo'
<div class="row pData" id="patient-'.$result['id'].'">
<div class="col-sm-2 pdBorder">'.$result["patientId"].'</div>
<div class="col-sm-2 pdBorder">'.$result["patientName"].'</div>
<div class="col-sm-1 pdBorder">'.$result["gender"].'</div>
<div class="col-sm-1 pdBorder">'.$result["age"].'</div>
<div class="col-sm-2 pdBorder">'.$result["date"].'</div>
<div class="col-sm-2 pdBorder">'.$result["mobile"].'</div>
<div class="col-sm-2 pdBorder">

<button type="button" class="btn btn-sm btn-info btn-block" data-toggle="modal" data-target="#myModal" onclick="data(\''.$result["patientId"].'\')">View More</button>

</div>
</div>';
    }

    ?>

    <script>
        function deletePatient(id){
            $('#patient-'+id).hide();
        }
    </script>

    <!-- Modal -->
<div id="myModal" class="modal fade" role="dialog">


  </div>
</div>
</div>
</div>
halfer
  • 19,824
  • 17
  • 99
  • 186
aadil asad
  • 13
  • 4
  • 3
    You are prone to an SQL injection on `$patientId` which is accepted from POST without controls. – Fabien Jul 14 '17 at 19:45
  • 4
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 14 '17 at 19:46
  • Apart from the poor security measures in your code, we need to see what you are doing in patient-detail.php – Yolo Jul 14 '17 at 19:55
  • Thank you for suggestion but As I mentioned I am bigener. So right now my problem is to control the specific data for user. – aadil asad Jul 14 '17 at 19:57
  • @Yolo I have added patient-detail.php code up there please check. – aadil asad Jul 14 '17 at 20:01
  • ok. you are obviously not using WHERE in your query on the patient-detail.php. In your db user table you should add a column to hold a session id for your user so you can identify him on other pages using the session variable. Create a session id when user logs in correctly. So `$_SESSION['login'] = "SomeRandomGeneratedString";`. Store that string to database and on the next page, find the user using this session id from `$_SESSION['login']`. Either fetch the id of the user with the session id and query another table holding additional user data or fetch the data directly with session id. – Yolo Jul 14 '17 at 20:11
  • Regarding your request for someone to write the code for you, that's not how Stack Overflow (or most other sites) work. I have removed this from your question. – halfer Jul 14 '17 at 20:35

1 Answers1

-1

As @Yolo said create a unique id for each user and store it in $_SESSION variable. On next page get user id from $_SESSION and get record from database by applying WHERE clause with this unique id.

Changes in Login.php

    // Create another session variable below the $_SESSION['login']
    $_SESSION['login'] = true;
    $_SESSION['patient_uid'] = $patientId;

Changes in Patient Detail page

   // First of all access patient_uid from session
   @session_start();
   $patientUID = $_SESSION['patient_uid'];

   // Replace the query 
   $stmt = $conn->prepare("SELECT * FROM inpatient ORDER BY id DESC");
   $stmt->execute();
   // with this
   $stmt = $conn->query("SELECT * FROM inpatient WHERE patientId = '$patientUID' ");
Azeem Haider
  • 1,443
  • 4
  • 23
  • 41
  • Azeem will u tell me to use this code. Thank You $_SESSION['login'] = true; $_SESSION['patient_uid'] = $patientId; – aadil asad Jul 15 '17 at 10:08