PHP PDO，请求用户名

Question

I have php dpo request:

<?php
    include '../reg/db.php';
    $stmt = $db->query("SELECT * FROM users");
    while ( $row = $stmt->fetch() ) {
    $password_hashed = $row['password'];
    $username = $row['name'];
}

Then, when I need to echo name of user, which just logged in, but it shows wrong name ! (ex I am Alex, he write I am john (John is already in DB, dont understand why it chooses other name)

if ( password_verify( $_POST['password'], $password_hashed )  ) { ?>
   <div class="enterReg">
     <div class="frameworkForUser">
     <div class="usernameMargin">
     <? echo $username; ?>
   </div>
<? } ?>

How could I get name of the user which just logged in? Surfed the internet a bit but haven't found anything about it .-.

Answer 1

please reference the user properties that you want to select the SQL queries using their post variables.

something like:

$username =$_POST['username'];
$password = password=$_POST['password'];

 $stmt = $db->query("SELECT * FROM users where username='$username' and password= '$password'");

While this might solve your problem but Please do not use this code in production for fear of sql inject,html scripting Attack etc.

You can better use Mysqli Prepared statement or better use PDO.

to sanitize against html elements attack, you can use strip_tags() function

Example

$username =strip_tags($_POST['username']);
$password = strip_tags(password=$_POST['password']);

Updated Answer

Option 1 using sessions

<?php


    include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);


if ($username == ''){
echo "username is empty";
exit();
}


if ($password == ''){
echo "Password is empty";
exit();
}



$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');

        $result->execute(array(
            ':username' => $username, ':password' => $password));

$count = $stmt->rowCount();
$row = $result->fetch();

if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
echo "<script>window.location='dashboard.php'</script>";


//Initialize a session
session_start()

//Prevent session Fixation Attack using session generated Id;
session_regenerate_id();

// pass users info in a session if things where ok.
// Prevent xss Attack using Htmlspecialchar or htmlentities() functions

$_SESSION['name'] = htmlspecialchars($row['name']);
$_SESSION['username'] = htmlspecialchars($row['username']);

// Do not pass users password in a session
//$_SESSION['password']=htmlspecialchars($row['password']);

}
else {

echo "<font color=red>Either Username or Password is Wrong</font>";
}


?>

on dashboard.php you can now have the code below depending on your implementations.....

// initialize sessions

session_start();

// the the authenticated users parameters

Name: <?php echo $_SESSION['name']; ?><br>
userName: <?php echo $_SESSION['username']; ?><br>

option 2 No session usage

<?php


    include '../reg/db.php';
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);


if ($username == ''){
echo "username is empty";
exit();
}


if ($password == ''){
echo "Password is empty";
exit();
}



$stmt = $db->prepare('SELECT * FROM users where username = :username and password = :password');

        $result->execute(array(
            ':username' => $username, ':password' => $password));

$count = $stmt->rowCount();
$row = $result->fetch();

if( $count == 1 ) {
echo "login sucessful";
// Redirect me to a Dasboard.php to display the login user
//echo "<script>window.location='dashboard.php'</script>";


$name = htmlspecialchars($row['name']);
$username = htmlspecialchars($row['username']);

echo "userame: $username </br>";
echo "Name: $name </br>";


}
else {

echo "<font color=red>Either Username or Password is Wrong</font>";
}


?>

Let me know if you are having any issue. Remember the password in the code is not hashed. it assumes plain text password is in your database..