PHP get the email of a user currently logged in

Question

I have a problem. I want to get the email of a user, the email is a special column in a table called users in my database. I created a login-system that is working well, but I still want to get the e-mail of the user who is currently logged in.

I am really new to php and mysql. :(

This is my code in login.php:

<?php

require 'Mysql.php';

class Membership {

//Check if input is correct
function validate_user($un, $pwd) {
    $mysql = New Mysql();
    $ensure_credentials = $mysql->verify_Username_and_Pass($un, $pwd);

    //input correct
    if($ensure_credentials) {
        $_SESSION['status'] = 'authorized';
        $_SESSION["username"] = $un;
        $_SESSION["email"] = $ensure_credentials['email'];
        header("location: ?status=authorized");
    } 




function log_User_Out() {
    if(isset($_SESSION['status'])) {
        unset($_SESSION['status']);

        if(isset($_COOKIE[session_name()])) 
            setcookie(session_name(), '', time() - 10000);
            session_destroy();
    }

    if(isset($_SESSION["username"])) {
        unset($_SESSION["username"]);
    }

    if(isset($_SESSION["email"])) {
        unset($_SESSION["email"]);
    }
}
}

and here from Mysql.php:

<?php

require "/data/logindata/constants.php";

class Mysql {

private $conn;


function __construct() {
    $this->conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or 
                  die('There was a problem connecting to the database.');
}

function verify_Username_and_Pass($un, $pwd) {

    $query = "SELECT *
    FROM users
    WHERE username = ? AND password  = ?
    LIMIT 1";

    if($stmt = $this->conn->prepare($query)) {
        $stmt->bind_param('ss', $un, $pwd);
        $stmt->execute();
        $stmt->bind_result($username, $email); // the columns fetched with SELECT *

        if (!$stmt->fetch()) {
            return false;
        }

        return array(
            'username'    => $username,
            'email'     => $email
        );
    }
    return false;
}

}

Answer 1

Instead of returning a boolean, you may return some user data with verify_Username_and_Pass function. There you can include authenticated user's email:

function verify_Username_and_Pass($un, $pwd) {

  $query = "SELECT username, password
    FROM users
    WHERE username = ? AND password  = ?
    LIMIT 1";

  if($stmt = $this->conn->prepare($query)) {
    $stmt->bind_param('ss', $un, $pwd);
    $stmt->execute();
    $stmt->bind_result($username, $email); // the columns fetched with SELECT *

    if (!$stmt->fetch()) {
      return false;
    }

    return array(
      'username'    => $username,
      'email'     => $email
    );
  }
  return false;
}

....

$ensure_credentials = $mysql->verify_Username_and_Pass($un, $pwd);

//input correct
if($ensure_credentials) {
    $_SESSION['status'] = 'authorized';
    $_SESSION["username"] = $un;
    $_SESSION["email"] = $ensure_credentials['email'];
    header("location: ?status=authorized");
} 

Answer 2

First of all be sure to sanitize every variable inserted by final users. It's very important to sanitize your variable to avoid SQL injection.

Then on the Session variable user I'm gonna save the user Id and to get his/her email I'm gonna make a function that should receive the session id to return an email.

Now I'm gonna write a couple of functions that could be useful:

function logged() {
return (isset($_SESSION['id_user'])) ? true : false;
}

function getEmail($userId) {
    $userId = sanitize(userId);
    $query = "SELECT userEmail FROM users WHERE id_user =" . $userId;
    $name = mysql_result(mysql_query($query), 0);
    return $name;
}

function sanitize($data) {
    return mysql_real_escape_string($data);
}