Storing a database value as a SESSION VAR

XopieX20
New php-forum User
Posts: 1
Joined: Mon Feb 11, 2019 12:18 pm

Mon Feb 11, 2019 12:23 pm

I have a form working where someone can log in and it checks the username and password with no issues, but my problem is, I have a value in the database I want to retrieve and store as a session var. How can I do this?

My login form is ID and Password. My SQL query to check this is

Code:

$sql = "SELECT * FROM Members WHERE KBTID='$username' AND Password='$pass'";
In that table I have a column called BowlerName. I want to use that column's value to display it when they log in so I figured a session var would be best. Any ideas?

hyper
php-forum Fan User
Posts: 785
Joined: Mon Feb 22, 2016 5:52 pm

Mon Feb 11, 2019 1:57 pm

Sessions can be used for storing a name or anything else you need; only store what you need. It's a bad practice to pull information from a database unless you need it. 'SELECT * FROM Members' will pull everything, and storing it all in sessions will place a heavier, unnecessary load on the server.

You might want to check how you store your passwords though, as it looks as though you are storing them as plain text. If someone were able to access your database, then all the users' passwords would be available to them.

PHP has some built in functions to help store and verify them in a more secure fashion:

password_hash is used to store the password.

password_verify is then used to verify the password stored matches.

This shows one way (un-tested as I don't have your database) to validate a password:

Code:

<?php
/**
 * Validate user login
 *
 * Verifies the password against the hashed copy in the database
 * (the stored value must have been produced by password_hash).
 *
 * Returns BowlerName on success or false if the password does not match
 * or the user does not exist.
 *
 * @param PDO $database open PDO connection, passed in rather than used as a global
 */

function login (PDO $database, $username, $password) {
  // prepare() returns a PDOStatement; execute() and fetch() belong to it, not to the PDO object
  $stmt = $database->prepare('SELECT BowlerName, pwd FROM Members WHERE username = :username');
  $stmt->execute(['username' => $username]);
  $row = $stmt->fetch(PDO::FETCH_ASSOC);
  // fetch() returns false when no row matched, so guard before indexing
  if ($row !== false && password_verify($password, $row['pwd'])) {
    return $row['BowlerName'];
  }
  return false;
}
Note: the passwords must be stored using password_hash first otherwise this will not work.

The function does not return anything if there is a failure.
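Putting the reply's pieces together with the session part the question asked about, as an added example that is not hyper's code or anything else from the thread: it assumes an in-memory SQLite table using the column names from the first post (KBTID, Password, BowlerName), a PDO connection, and a registration path that hashes the password with password_hash before it is stored, so that password_verify works at login.

```php
<?php
// Added example, not from the thread. An in-memory SQLite table stands in
// for the real Members table; the layout is assumed from the first post.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Members (KBTID TEXT PRIMARY KEY, Password TEXT, BowlerName TEXT)');

// Registration: store only the hash, never the plain-text password.
function registerMember(PDO $db, string $id, string $plain, string $name): void {
    $stmt = $db->prepare('INSERT INTO Members (KBTID, Password, BowlerName) VALUES (:id, :pw, :name)');
    $stmt->execute([
        'id'   => $id,
        'pw'   => password_hash($plain, PASSWORD_DEFAULT),
        'name' => $name,
    ]);
}

// Login: bound parameter instead of interpolating $username into the SQL,
// verify against the stored hash, then keep only BowlerName in the session.
function loginMember(PDO $db, string $id, string $plain): bool {
    $stmt = $db->prepare('SELECT BowlerName, Password FROM Members WHERE KBTID = :id');
    $stmt->execute(['id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the ID is unknown so that a
    // failed login takes about the same time whether or not the user exists.
    $hash = is_array($row) ? $row['Password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($plain, $hash) || !is_array($row)) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id once the user is authenticated
    $_SESSION['BowlerName'] = $row['BowlerName'];
    return true;
}

registerMember($db, '1234', 'correct horse battery', 'Alice');

var_dump(loginMember($db, '1234', 'wrong password'));
var_dump(loginMember($db, '1234', 'correct horse battery'));

// Any later page that calls session_start() can read the stored name;
// escape it on output because it originated from user-supplied data.
echo 'Welcome, ' . htmlspecialchars($_SESSION['BowlerName'], ENT_QUOTES, 'UTF-8') . PHP_EOL;
```

The first login attempt returns false and leaves the session untouched; the second stores BowlerName, which is all the welcome message needs, rather than the whole row.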
