
How to get the value of the column 'ProfilePicture' for the current user (which is stored in a session) from a database and save it into a variable?

Here is an example of a possible structure for the query:

if($email="iahmedwael@gmail.com" show 'ProfilePicture' value for that username) //declare a variable to save the value of ProfilePicture

My sql table

<?php

$posted = true;

if (isset($_REQUEST['attempt'])) {

    $link = mysqli_connect("localhost", "root", "", 'new1') or die('cant connect to database');
    $email = mysqli_real_escape_string($link, $_POST['email']);
    $password = mysqli_real_escape_string($link, $_POST['Password']);
    // Parentheses added: AND binds tighter than OR, so without them a matching
    // Email would satisfy the WHERE clause regardless of the password.
    $query = mysqli_query($link, "SELECT *
                     FROM 360tery
                     WHERE (Email='$email' OR Username='$email')
                     AND Password='$password'"
    ) or die(mysqli_error($link)); // mysqli_error(), not the removed mysql_error()

    $total = mysqli_num_rows($query);

    if ($total > 0) {
        session_start();
        $_SESSION['email'] = $email;
        header('location: /html/updatedtimeline.html');
        exit; // stop the script after the redirect
    } else {
        echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
    }
}
    You should use parameterized queries and connect to your database via something like PDO. Do not login as root for routine queries, create a separate user with just enough privileges. Validate and sanitise your input too before doing anything with it! – Juned Jan 08 '17 at 12:06
  • @juned I'm a beginner in using PHP and SQL; could you please give an example or a reference link so I can follow easily? – Ahmed Wael Jan 08 '17 at 12:13
  • I have written my answer in PDO for you :) – The Codesee Jan 08 '17 at 13:28

1 Answer


For security purposes, it's my recommendation that you use PDO for all your database connections and queries to prevent SQL Injection.

I have changed your code into PDO. It should also get the value from the column ProfilePicture for the current user and save it to the variable $picture.

Note: you will need to enter your database, name and password for the database connection.

Login Page

<?php

session_start();

$posted = true;

if(isset($_POST['attempt'])) {
   $con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
   $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface query errors instead of failing silently
   $email = $_POST['email'];
   $password = $_POST['Password'];

   // Two placeholders for the same value: native prepared statements reject one named placeholder used twice
   $stmt = $con->prepare("SELECT * FROM 360tery WHERE Email=:email OR Username=:username");
   $stmt->bindParam(':email', $email);
   $stmt->bindParam(':username', $email);
   $stmt->execute();
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   // One check for "no such user" and "wrong password", so both cases get the same response
   if($row && password_verify($password, $row['Password'])) {
      $_SESSION['email'] = $email;
      header('location: /html/updatedtimeline.html');
      exit; // stop the script after the redirect
   }else{
      echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
   }
}

?>

User Page

<?php

session_start();

// Nothing to look up if nobody is logged in
if(!isset($_SESSION['email'])) {
   header('location: ../html/mainpage.html');
   exit;
}

$con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Two placeholders for the same value (see the login page)
$stmt = $con->prepare("SELECT ProfilePicture FROM 360tery WHERE Username=:username OR Email=:email");
$stmt->bindParam(':username', $_SESSION['email']);
$stmt->bindParam(':email', $_SESSION['email']);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$picture = $row ? $row['ProfilePicture'] : null; // null when the account no longer exists

?>

Please let me know if you find any errors in the code or it doesn't work as planned.

  • Thank you so much, but I've solved my problem and I can't use this PDO because I don't understand it and my project is based on a small scale – Ahmed Wael Jan 08 '17 at 16:28
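As an added example (not the question's or the answer's code), the following puts the answer's two points, bound parameters and password_verify(), and Juned's comment about not running as root together in one file: registration stores a password_hash() value, login looks the account up with a prepared statement and gives the same response for an unknown user and a wrong password, and the profile picture is read from the session e-mail. Everything beyond the page is an assumption: the restricted account app_user and its password are placeholders, the Password column is assumed to hold password_hash() output, and the function names are mine.

```php
<?php
// Added example, not from the question or the answer. Assumptions: table 360tery
// has columns Email, Username, Password (a password_hash() value) and ProfilePicture;
// 'app_user' is a MySQL account limited to SELECT/INSERT on that table (placeholder).

declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=new1;charset=utf8mb4',
        'app_user',     // placeholder: a restricted account, not root
        'app_password', // placeholder
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Registration: store password_hash() output, never the plain password.
function registerUser(PDO $pdo, string $email, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO 360tery (Email, Username, Password) VALUES (:email, :username, :hash)'
    );
    $stmt->execute([
        ':email'    => $email,
        ':username' => $username,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login: fetch the account by e-mail or username with bound parameters, then
// check the password with password_verify(). Returns the row or null.
function authenticate(PDO $pdo, string $login, string $password): ?array
{
    // Native prepares reject one named placeholder used twice, so bind the same
    // value under two names.
    $stmt = $pdo->prepare(
        'SELECT Email, Username, Password, ProfilePicture
           FROM 360tery
          WHERE Email = :email OR Username = :username
          LIMIT 1'
    );
    $stmt->execute([':email' => $login, ':username' => $login]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($password, $row['Password'])) {
        return null; // identical result for unknown user and wrong password
    }
    unset($row['Password']); // do not carry the hash into the session or the page
    return $row;
}

// ProfilePicture for the logged-in user, keyed by the e-mail kept in the session.
function profilePictureForSession(PDO $pdo): ?string
{
    if (empty($_SESSION['email'])) {
        return null; // not logged in
    }
    $stmt = $pdo->prepare('SELECT ProfilePicture FROM 360tery WHERE Email = :email LIMIT 1');
    $stmt->execute([':email' => $_SESSION['email']]);
    $picture = $stmt->fetchColumn(); // false when no row matched
    return $picture === false ? null : (string) $picture;
}

// Login handler, same form fields as the question ('email' and 'Password').
session_start();
if (isset($_POST['attempt'])) {
    $user = authenticate(db(), (string) ($_POST['email'] ?? ''), (string) ($_POST['Password'] ?? ''));
    if ($user !== null) {
        session_regenerate_id(true);         // fresh session id after login
        $_SESSION['email'] = $user['Email']; // store the stored e-mail, not the raw input
        header('Location: /html/updatedtimeline.html');
        exit;                                // stop the script after the redirect
    }
    echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
    exit;
}

$picture = profilePictureForSession(db()); // null when nobody is logged in
```

The session stores the e-mail as it is held in the table rather than whatever was typed into the form, so the later ProfilePicture lookup only needs the Email column. ERRMODE_EXCEPTION means a failed query throws instead of returning false and being fetched from silently, which is what turned a missing row into a blank page in the earlier code.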