For example, I have a form that passes the username, the year of birth and the password. Is there anyway I can retrieve information from the database(using an SQL query) if the user is an admin and then convert it to a $_SESSION;? How can I retrieve additional information about the user, about his day of birth, month of birth etc. without having variables passed from a form? :S
My form.
<div id ="body" >
<div id ='sidebar' > <form method='post' action='login.php'>
<label for = 'username'> Username:</label>
<input name='username' id='username'/><br/>
<label for = 'password'>Password:</label>
<input name='password' id='password'/><br/>
<label for ='yearofbirth'> Year of Birth:</label>
<input name='yearofbirth' id='yearofbirth' /><br/>
<input type='submit' value='Log in' /></form>
<!-- / end of login page -->
</div>
php script
<?php
//prevent sql injesctions
session_start();
ini_set('session.bug_compat_42',0);
ini_set('session.bug_compat_warn',0);
$uname = $_POST["username"];
$pword = $_POST["password"];
$ybirth = $_POST["yearofbirth"];
$num_rows = 0;
$errorMessage = "";
$uname = htmlspecialchars($uname);
$pword = htmlspecialchars($pword);
$ybirth = htmlspecialchars($ybirth);
$admin = htmlspecialchars($admin);
if(!ctype_alnum($uname))
{
echo "ERROR: Input contains characters other than letters and numbers.";
}
$conn = mysql_connect("localhost", "root", "") or die("cannot connect");
mysql_select_db("something") or die (mysql_error());
$sql = ("SELECT * FROM sc_users WHERE username = '$uname' and password = '$pword' and yearofbirth = '$ybirth'");
$result = mysql_query ($sql);
if ($result)
{
}
else {
$errorMessage = "Error logging on";
}
if(mysql_num_rows($result)==0)
{
echo "ERROR - No mactching rows from the database!<br/>";
}
else
{
$_SESSION['gatekeeper'] = $_POST["username"];
$_SESSION['password'] = $_POST["password"];
$_SESSION['agez'] = $_POST["yearofbirth"];
// Redirect to the main menu
header ("Location: mainpage.php");
$errorMessage = "logged on";
}
?>