I need urgent help to print $_SESSION['username'] beside the photo at the top right of the page.

I need to call the session name in all pages.

Please, if you can improve this code to be secure, help!!!!!

Please correct the cookie code; it is not working.

Note: my hosting is GoDaddy, PHP 5.6.

I am using check.php to check the login and redirect to index.php again.
<?php

session_start();

class mysql{
	
	private $localhost="localhost";
	private $db_users="****";
	private $db_password="*****";
	private $db_name="*****";

	function __construct(){
		
	mysql_connect($this->localhost,$this->db_users,$this->db_password);
	mysql_select_db($this->db_name);
		}
	
	function sql(){
		
		$username=$_POST['username'];
		$password=$_POST['password'];
		
		$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
		
		mysql_query("set character_set_server='utf8'");
		mysql_query("set names 'utf8'");

		$query=mysql_query($sql);
		$num=mysql_num_rows($query);
		
		if($num==1){
			$_SESSION['username']="username";
			$_SESSION['password']="password";
			
			//remember me
			@$remember_me=$_POST['rememberme'];
			if($remember_me==1){
			$cook_name="acpauth";
			$time=time()+3600*24*1000 ;//1000 days
			setcookie($cook_name,'usr='.$username.'&hash='.$password,$time);
			}
			
		header("location:packages.php");
		
			}
			else{
				echo "wrong password or username !!!";
			}
			
	}
}
$use=new mysql;
$use->sql();

?>
AHMED SAMY (owner) asked:
Julian Hansen commented:
OK, before we go any further, get off MySQL: this library is deprecated and has been removed from later versions of PHP. Convert to MySQLi, which is close enough to MySQL that the changes are not extensive.

Next, don't use your POST variables directly in your query; you are just asking for trouble.

1. Don't assume they exist:
$username = isset($_POST['username']) ? $_POST['username'] : false;

2. Sanitize your variables before putting them in a query. This means, preferably, use a prepared statement and an escape string function to neutralise any unwanted malicious code in the variable.

A logon script is a prime target for a hacking attack so it is important you get this right.

3. It appears you are storing your passwords in plain text. This is not a good idea; you should salt and hash your passwords. password_hash() and password_verify() should be the default go-tos here.

4. This is not a good idea:
setcookie($cook_name,'usr='.$username.'&hash='.$password,$time)

Consider using token based security - don't store the username and password in the cookie - store an unguessable token and use this to do your auto logins.

A token is a value that cannot be guessed and is unique (think UUID / GUID) that is associated with a user account and optionally a time period. The token is exchanged (in a cookie or a header) with each interaction with the server. The token is checked by the server to see it is valid (exists and has not expired) before any data is sent back to the client.

5. Then these lines had me scratching my head a bit:
$_SESSION['username']="username";
$_SESSION['password']="password";

You are setting your session variables to the constant strings 'username' and 'password' - are you not meaning to save the values in the variables (which you will have verified and sanitized) $username and $password?
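Putting the points above together in working PHP, as an added example (this is not the asker's code and not Julian Hansen's): a rewritten check.php that reads the POST fields defensively, queries through a mysqli prepared statement, checks the submitted password with password_verify() against a value produced by password_hash(), and stores the verified variable in the session. It assumes a users table with columns username and password_hash (the column name is an assumption; the asker's table keeps plain text in a password column), and the database credentials are placeholders.

```php
<?php
// Added example: hardened login handler (check.php) for the question above.
// Assumptions: table `users` with columns `username` and `password_hash`, where
// `password_hash` holds the output of password_hash($plain, PASSWORD_DEFAULT)
// written at registration time. DB credentials below are placeholders.
session_start();

$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($mysqli->connect_errno) {
    // Log the detail server-side; do not echo connect_error to the browser.
    error_log('DB connect failed: ' . $mysqli->connect_error);
    exit('Service unavailable');
}
$mysqli->set_charset('utf8');   // replaces the two "set names" queries

// 1. Don't assume the POST fields exist.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';
if ($username === '' || $password === '') {
    exit('wrong password or username !!!');
}

// 2. Prepared statement: the username is bound as a parameter, never
//    concatenated into the SQL text, so quotes in it cannot change the query.
//    Only the hash is fetched; the plain password is never stored anywhere.
$stmt = $mysqli->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();        // true if a row came back, null/false otherwise
$stmt->close();

// 3. password_verify() does the salted comparison. Unknown user and wrong
//    password both end in the same generic message, so nothing is leaked
//    about which usernames exist.
if ($found && password_verify($password, $storedHash)) {
    session_regenerate_id(true);          // fresh session id on login (anti-fixation)
    $_SESSION['username'] = $username;    // the verified variable, not the literal "username"
    // Never keep the password in the session; pages only need to know who is logged in.
    header('Location: packages.php');
    exit;                                 // without exit the rest of the script still runs
}

echo 'wrong password or username !!!';
```

On every other page, a `session_start();` followed by `isset($_SESSION['username'])` is enough to know who is logged in; when printing the name beside the photo, pass it through `htmlspecialchars()` so a username containing markup cannot inject script into the page. Existing plain-text passwords have to be converted once with `password_hash()` before this script will accept them.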
AHMED SAMY (author) commented:
Can you tell me how to protect the username and password texts?

I know my fault; I changed

$_SESSION['username']="username";
$_SESSION['password']="password";

to

$_SESSION['username']="$username";
$_SESSION['password']="$password";
AHMED SAMY (author) commented:
And how do I save a cookie for the username and a cookie for the password, two cookies?

Sorry for disturbing you.
Julian Hansen commented:
Don't put username and passwords in a cookie.

Here is a simple solution:
1. Create a field in your user table called sid (char(40)).
2. When you create your users, populate this field using the MySQL function UUID().
3. When the user logs in, grab this value and store it in a cookie.
4. When the user connects to the server, check the cookie value and use the token you stored in there to validate the user.

For instance:
<?php
session_start();
// Substitute your own DB credentials; the values here are placeholders
$mysqli = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// Sanity checks here to make sure DB is connected
if (!$mysqli) {
   die('DB connection failed');
}
// Assume user is not authenticated
$authenticated = false;
// Check if we have a session
$authenticated = isset($_SESSION['user']);
// No session so look for a cookie
if (!$authenticated) {
   $token = isset($_COOKIE['token']) ? $_COOKIE['token'] : false;
   // Found a token so lets validate it using a prepared statement
   if ($token) {
       $query = "SELECT * FROM users WHERE sid=?";
       $statement = $mysqli->prepare($query);   // use the connection opened above
       $statement->bind_param("s", $token);
       $statement->execute();
       // we don't actually need the data this little trick just checks
       // to see if we got anything back - which is all we are interested in
       if ($statement->fetch()) {
          $authenticated = true;
          $_SESSION['user'] = $token;
       }
       $statement->close();
   }
}
// If this evaluates true - user was not authenticated so send them
// to the login page
if (!$authenticated) {
   header('location: login.php');
   exit; // stop here so the protected page is not rendered after the redirect
}

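The token scheme from this answer and from point 4 of the earlier one, carried through as an added example (not Julian Hansen's code and not the asker's): one function issues the "remember me" cookie after a successful login and one validates it at the top of a protected page, then prints the username beside the photo. It assumes a users table with columns id, username and remember_hash (char(64)); those names are assumptions. It differs from the answer in two deliberate ways: the token comes from the CSPRNG instead of MySQL UUID(), because UUID() values are built from a timestamp and node identifier rather than being random, and only the SHA-256 hash of the token is stored in the database, so a leaked database dump does not hand out working cookies. Database credentials are placeholders.

```php
<?php
// Added example: random "remember me" token instead of username/password cookies.
// Assumptions: table `users` with columns `id`, `username`, `remember_hash` (char(64));
// cookie name `token` as in the answer above; DB credentials are placeholders.
session_start();

// Called right after a successful password login when "remember me" was ticked.
function issue_remember_token(mysqli $mysqli, $userId)
{
    // random_bytes() exists from PHP 7; on PHP 5.6 fall back to OpenSSL's CSPRNG.
    $raw = function_exists('random_bytes')
        ? random_bytes(32)
        : openssl_random_pseudo_bytes(32);
    $token = bin2hex($raw);               // 64 hex chars, unguessable
    $hash  = hash('sha256', $token);      // database keeps only the hash

    $stmt = $mysqli->prepare('UPDATE users SET remember_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
    $stmt->close();

    $expires = time() + 30 * 24 * 3600;   // 30 days; shorter than the 1000 days in the question
    // path '/', domain '' (current host), secure = true (only over HTTPS; set to
    // false while the site is still plain HTTP), httponly = true (hidden from JavaScript)
    setcookie('token', $token, $expires, '/', '', true, true);
}

// Used at the top of every protected page. Returns the username or false.
// Order: an existing session wins; otherwise the cookie token is looked up.
function current_user(mysqli $mysqli)
{
    if (isset($_SESSION['username'])) {
        return $_SESSION['username'];
    }
    if (!isset($_COOKIE['token']) || !preg_match('/^[0-9a-f]{64}$/', $_COOKIE['token'])) {
        return false;                     // missing or malformed token
    }
    $hash = hash('sha256', $_COOKIE['token']);
    $stmt = $mysqli->prepare('SELECT username FROM users WHERE remember_hash = ? LIMIT 1');
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $stmt->bind_result($username);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;                     // unknown token, or revoked at logout
    }
    session_regenerate_id(true);          // cookie login is a privilege change
    $_SESSION['username'] = $username;
    return $username;
}

// On logout: clear the hash so the cookie stops working everywhere.
function revoke_remember_token(mysqli $mysqli, $userId)
{
    $stmt = $mysqli->prepare('UPDATE users SET remember_hash = NULL WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->close();
    setcookie('token', '', time() - 3600, '/', '', true, true);
}

// Usage on a protected page such as packages.php:
$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$user = current_user($mysqli);
if ($user === false) {
    header('Location: login.php');
    exit;
}
// Print beside the photo at the top right; escape so a username cannot inject HTML.
echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

`issue_remember_token()` goes into the login handler right before the redirect, called with the user's id from the row that was just verified. Because the cookie holds a random value and the database holds only its hash, neither a stolen cookie nor a stolen table reveals a password, and a single UPDATE revokes the cookie.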
AHMED SAMY (author) commented:
Thanks.
Julian Hansen commented:
You are welcome.