PHP在页面上检索当前用户的用户名，然后在sql查询中使用它

Question

I am making a website where a user has to log in/create an account and then they can type in terms to search on twitter on their own personal dashboard.

To make sure they are logged in on every page I have this code:

<?php
session_start();

if (isset($_SESSION['loggedin']))
{
$_SESSION["username"] = $username;
    echo "(You are logged in)";
}
else
{

echo "(Not logged in)";
echo"<p><a href = 'login.php'>Log In</a>";
echo"<p><a href = 'createaccount.php'>Create Account</a>";

    exit();
}
?>

In the code I try and take the username they logged in with from the login page

    <?php

session_start();

    //connect to database
$db = mysqli_connect("number", "name",
"password");
//msg if not connected 
if (!$db)
{
echo "Sorry!I just can't connect to database";
}
if(isset($_POST['submit']))  {

$username =$_POST['username'];
$password = $_POST['password'];

if(empty($username) OR empty ($password)) {

echo "you missed something";
}

else {

if(!empty($username) && !empty($password)) {

mysqli_select_db ($db,"name");

$qry=" SELECT username FROM login WHERE username= '$username' AND password = '$password';";

$result = mysqli_query($db,$qry);
$num_rows = mysqli_num_rows($result);

if(($num_rows) == 1) {
            //username Successful
            header("Location:index.php");
$_SESSION['loggedin'] = 'yes';
    $username = $_SESSION['username'];

        }

        else {
            //username failed
print '<script type="text/javascript">';
print 'alert("Incorrect infomation. Try again.")';
print '</script>';              
        }


}


}

}

?>

And then finally on their dashboards they enter the terms they want but I can't figure out how to know who is logged in from there (im just trying with term 1 atm)

<?php   
session_start(); 

//connect to database
$db = mysqli_connect("number", "name",
"password");
//msg if not connected 
if (!$db)
{
echo "Sorry!I just can't connect to database";
}
$term1 =$_POST['term1'];
$term2 = $_POST['term2'];
$term3 = $_POST['term3'];
$_SESSION["username"] = $username;

if(isset($_POST['submit']))  {


mysqli_select_db ($db,"sarahpattison");

$query2 = "INSERT INTO terms (term) VALUES ('$term1') ;";

$result = mysqli_query($db,$query2);
$term1id = mysqli_insert_id($db);

echo $term1id;
if ($result){

$qry5="INSERT into userterms(userid,termid) SELECT login.userid, terms.termid FROM login, terms WHERE login.username = '$username' AND terms.termid='$term1id';";
$result8 = mysqli_query($db,$qry5);
}



}



?>

The $username variable isn't working and Im wondering is it that I shouldn't have the checklogin part as a different page. I don't know much about session variables.

Answer 1

Try

$username = $_SESSION["username"];

instead of

$_SESSION["username"] = $username;

In your third file

Answer 2

Disclaimer : This answer does not directly reply to your question/issue, but solves it by implementing a better architecture in your system.

You should not take the username from the login page, instead, query your DB for the user ID that you should be storing in the session.

Your login system architecture should follow this:

1. Get the username and password from the login form;
2. Query the DB looking for the ID of and user with the username and password above;
3. Store the user ID in the Session like $_SESSION['userId'] = (some id returned from DB)

Then everytime you need to know the username, just query the DB again. This will avoid issues when the user changes it's username and will keep your system more secure.

Then you can remove this code:

$_SESSION['loggedin'] = 'yes';
$username = $_SESSION['username'];

And just check if $_SESSION['userId'] isset() to know if the user is logged in or not.