MySql select statement with echo variable - php

I have mysql database with two tables. The primary table contains the user login details and the secondary table contains user activities. The tables are linked by the account numbers.
I have created registration page and sign in page where users register and login. Users are displayed with a home page with two buttons.
When users clicked on the button, it is supposed to run a query based on the user login credentials. The query looks like this:
$result = mysql_query("select mydate, preamount, currentdeposit,
debit, currentinterest, totalamount, status from NormalAccount where
acctnumber = '$actno'n ORDER BY mydate DESC LIMIT 5");
Because I need to filter based on the user account number, I have design a form where they will need to enter their account number again. This makes the whole process looks like double work and users are complaining about the whole process of entering information twice.
WHAT I WANT:
How do I write the query such that the query will populate the user credentials automatically so that they need not to enter their account number again before viewing their account details?
I have a session on the pages already that enables me to pull and display the user details on the page using echo such as echo acctname where it display the account name of the user in any part of the page.
I used the php with echo below to automatically display a welcome message to the users using the account name automatically. How to I integrate this code below
<?php echo $userRow['acctname']; ?>
into the WHERE clause in the main query so that it automatically populate the account name for the users so that it will filter the record based on their acctname?
I have a session on each page with this code:
<?php
ob_start();
session_start();
require_once 'dbconnect.php';
if( !isset($_SESSION['user']) ) {
header("Location: index.php");
exit;
}
$res=mysql_query("SELECT * FROM userss WHERE userId=".$_SESSION['user']);
$userRow=mysql_fetch_array($res);
?>
Thanks.
Zollyzo

I'm not entirely sure that I understand the problem, but the first time that you ask for the account number, you could store it in the $_SESSION variable the first time you receive it from the user. Then, you could just retrieve it later, even if it's on a different page.
<?php
session_start();
...
//you get the account number somehow in $actno
$_SESSION['acctNr'] = $actno
...
//later in your code, or on another page that has had session_start() run
$actno = $_SESSION['acctNr']
//use it as you would before.

If the user has logged in successfully, save their account number (and maybe other details) in a session variable. You can use that session variable for your succeeding queries so you don't need to ask the users to enter their account number again.
Basic usage: https://www.w3schools.com/php/php_sessions.asp

Related

How to check if an user is an admin SECURE

I made a login function with bruteforce protection, different bot protection functions like honeypot.., input filtering, Argon2 encrypted password.
But in the end to identify the user i save the id inside a session after a successful login.
With this id until now i checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How i could improve the security ?
How else i could check if a user is an admin ?
You should do as I will direct you
As long as you have user id in act so it's half of the way
I will assume that you have function.php which have all the functions you use in website
Also you have login function that check user account details and give access
You now need to improve that to restrict user access
First:
Create table in MySQL call it group this table will have two records or as you like so. Admin will have id 1 and members id 2 then you can make much modifications like make another column in that table called upload and set admin to yes while members to no
Second in your login function use the following
$res = mysql_query("SELECT * FROM users INNER JOIN group ON users.class=group.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
Users.class is the group id and users is the table users
Now you can check group credits as example if on upload page you do the following
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on group as you need also you can make much classes like admin , members, uploders, reviewers,authors and give every class special permissions as website content is viewed
On admin.php you can use
if($row["admin"]=="no")
ech("admin only can view this page ");
In both examples above Admin and can_upload is colum in group table and it's changed by user class .

SELECT rank FROM members WHERE?

I have written an SQL query and a $_SESSION cookie called "username" basically what I am trying to do is query the database for the "logged in" users rank that is contained in the "rank" column in the "members" table of my database.
Here is my header code to check that they are actually logged in (otherwise it redirects them to the login page)
session_start();
if (!isset($_SESSION['username'])) {
header("location:login/main_login.php");
}
AND Here is what I have so far for my query but I have absolutely no clue how to proceed in only selecting the user that is logged in. Note: I am aware that the query is not completed
$result = $conn->query("SELECT rank FROM members WHERE ");
$userrank = $result->fetchAll(PDO::FETCH_OBJ);
I've also set a variable for MyRank so that I can check the users rank to display specific content. (Not sure if that really matters in terms of my query but hopefully you get the idea.)
$MyRank = $userrank[1]->rank;
EDIT: additional information.
So basically I am trying to display content based on what the users rank is in my database. IE) if they are an administrator I want to show specific html. If they are a user I want to show a different set of html. How I'm doing it currently (that isn't working) is by a php if statement like so:
if ($MyRank == "Administrator"){
echo adminpanel();
}else if ($MyRank == "User") {
echo userpanel();
}
Basically the problem I'm having is that my User or Admin panels wont display unless ALL the users in my database are "Administrator" or "User". If there is an Administrator and a User in that table it will show nothing at all.
Based on guesses:
$authUser = $_SESSION['username']; // get the logged in user from session, guess this is the username
$result = $conn->query("SELECT rank FROM members WHERE username='$authUser';");
// if its userid then userid=$authUser without single quotes
$userrank = $result->fetchAll(PDO::FETCH_OBJ);

Mysql and Sessions , PHP

I currently have a website that users log in and uses sessions.
The currently login and use the " users " table and it directs them to the appropriate page. I have another table that stores other details about the user.
I wish to display information to them from this other table, but they are controlled by their username in a session, Can I link the second table?
You can add a column on your table to set who is allowed to view that link by adding a user type definition to your table of users.
user_privilege = set(admin, customer, stupid)
Then check user privileges

Move details from one table to another one when confirmation is done [sql]

I'v got a registeration code which inserts user details into the table that I chose.
The problem is that I added a "confirm code" to the user, so every account is needed to verify his user through his mail. After the confirmation is done, the Column "confirmation" changes to "confirmed". If the user does not verify his account, the confirm code will stay in the "confirmation" Column.
The problem is that I made a table in html, which uses the DB in order to show the active users.
I don't want that the not-confirmed users will appear in the tbale, so I tried to add some conditions:
$cu = mysql_query("SELECT * FROM `users` where uname='$uname' && confirmation='confirmed'");
$cu = mysql_fetch_array($cu);
and another one :
$select2 = mysql_query("SELECT * FROM `users` WHERE uname='$uname' && confirmation='confirmed'");
It's working.. but only half way. I mean, when the not-confirmed user tries to log in, it shows him a blank page. It's ok, cuz I don't want the non-confirmed users will log in.
But... the confirmed users still see the not-cofirmed users in the active users table..
It's like the table doesn't even checks if the user is confirmed or not, it's just shows him either way.
So I thought about a way in which users will move to another table, called "hold", which will consist of all the non-confirmed users. Then, every user who will verify his account, the sql will recognize it and when the confirmation columm is changed to "confirmed", it's going to move the user to the "users" table, so his name will appear in the active user table.
How can I do it? How can I "make" the sql table to auto recongize if the user is confirmed or not, and move him to another table..
or.. if is there any way to "hide" the not-confirmed users from the active users table, it's also fine.
Thanks alot :)
Basically either you need to setup a cron which check if the user is not confirmed then move to hold tabe or write a trigger in mysql whenever any user got confirmed.
You can get the last result and insert after the last result.
See this example:
$sql = mysql_query("
INSERT INTO tabel_name(col1, col2,col3) values('foo','bar','some');
INSERT INTO table_name2(col,col2) SELECT col2,col3 FROM tabel_name
ORDER BY id DESC LIMIT 1;
");

Getting values from a table based on Session data

I have an admin section to one of my websites I am building.
The variables it logs in by is email address and password.
Obviously each email address is unique to each admin, although I do have an 'admin_id' column which increments automatically per row.
The other columns stored within my admin table are - First Name (String), Last Name(String), Level(int).
I have tried -
$_SESSION['admin_id']=$_GET['admin_id'];
But when I try and simply echo the id, nothing is displayed.
Yet this line of code:
if(!isset($_SESSION['admin_email']))
die("<meta http-equiv='refresh' content='0; url=login.php'> ");
Manages to get the 'Admin_email' column from the table.
I am confused as to how to add other columns into my session data.
Many thanks in advance.
I have figured out why the 'admin_id' was not successful in been retrieved from the database.
The login.php where the admin first must authenticate themselves from is where the session data is saved - for it to be used in the admin session once logged in.
In order to solve this, I added the following line within the login.php (whilst the email address were been retrieved from the database):
$dblevel = $row['level'];
and then to save it to a session:
$_SESSION['admin_level']=$dblevel;
I logged out and then back in to reinitiate the session and it worked.

Categories