Question

I have created profiles for users so that when a user logs in they are redirected to their own profile page.

login.php (relevant code only)

 $MemberID = user_id_from_username($username);
        $_SESSION['MemberID'] = $username;
        header('location: member.php?username='.$username);

member.php

if (logged_in () === true){
        echo "Welcome, ".$_SESSION['MemberID']. "!<br><a href='logout.php'>Logout</a>\n<a href='index.php'>Back to homepage</a></p>";
    }

    if(isset($_GET['username']) === true && empty ($_GET['username']) === false) {
        $username = $_GET ['username'];
        //check if user actually exists
        if (user_exists($username) === true) {
        //get username from user id
            $MemberID = user_id_from_username($username);
            $profile_data =user_data($MemberID,'Name','Address','Postcode','DOB','Mobile','CoinsAvailable','Email','profile','OddJobName','Description','CoinValue','DaysAvailable');//Need to pull out stuff from oddjob table
            echo $MemberID;
        }else{
            protect_page();
        }
}

relevant functions:

function user_data($MemberID){ //pass in memberid to get info about user
        $data = array();//data to be returned
        $MemberID =(int)$MemberID;//creating int from this input

        $func_num_args = func_num_args(); //count number of arguments from user data on init.php
        $func_get_args = func_get_args();

        if ($func_num_args >1) { //if more than 1, unset the first element of array
            unset($func_get_args[0]);

            $fields = '`' . implode('`,`', $func_get_args) . '`';   //taking array and converting to string

            $data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `member`,`oddjob` WHERE member.MemberID = oddjob.MemberID AND member.MemberID = $MemberID"))or die (mysql_error());
                //echo $MemberID;
                return $data;

        }
}

function logged_in() {
    return (isset($_SESSION['MemberID'])) ? true : false; //Email
}



if (logged_in() ===true) {
    $session_MemberID = $_SESSION['MemberID'];//grabbing value from login
    $user_data= user_data($session_MemberID,'MemberID','Name','Address','Postcode','DOB','Mobile','CoinsAvailable','Email','Password','RepeatPassword','OddJobName','Description','DaysAvailable','profile');
    exit();
    }

All this code allows the user to be redirected to their own page, when they login their name is displayed along with other $profile_data information. Now I want the user to be able to update their own info by clicking on a link to update_info.php. But I don't know how to get the members username to appear in the URL when they visit update_info.php like it does when they log in.

In the member page (where the link is) I tried:

<a><?php header('location:update_info.php?username='.$username)?>">Update info</a></p>

But now when the user logs in they are redirected to update_info.php instead of member.php. Can anybody tell me how to fix this? Thanks.


Solution

Do you mean:

<a href="update_info.php?username=<?php echo urlencode($username); ?>">Update info</a>

This passes the $username to the update_info.php page

Other tips

Maybe you wanted to write this?

<a href="update_info.php?username=<?php echo urlencode($username); ?>">Update info</a></p>

All right.
Let's explain the basics of how to build a -basic- authentication. And then extend it to a safe one :)

1 - User logs in: You check the database to see if the credentials are all right.
If Yes -> $_SESSION['loggedIn'] = true;

2 - On every page you want to check if the person is logged in; you put a check:
if (empty($_SESSION['loggedIn'])) { header('Location: login.php'); exit; }

Some food for thought: You don't want to store 'just' a boolean on the client side to check if logged in. You'd better generate a random session-id-string. Store this in a database and store this id in the $_SESSION['loggedin']. Instead of the simple check of the value of $_SESSION['loggedIn'] you now look up the stored session ID in the database for existence and availability.

Post Scriptum:
Don't nest functions in functions in functions.
$data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `member`,`oddjob` WHERE member.MemberID = oddjob.MemberID AND member.MemberID = $MemberID"))or die (mysql_error());

This is not readable for us, but especially not for you. You better write it like this:

$sql = "SELECT $fields FROM `member`,`oddjob` WHERE member.MemberID = oddjob.MemberID AND member.MemberID = $MemberID";
$res = mysql_query($sql) or die(mysql_error());
$data = mysql_fetch_assoc($res);

Post Post Scriptum:
Stop using the mysql_* functions in PHP. See the red box on this website? These functions are not supported anymore. And you'd better start using PDO, which by the way also has some checking (mysql injection) built in as standard, and much more!
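
The PDO suggestion in the last answer, applied to the question's user_data() as an added example (not code from the original posts): the member id is bound as a parameter and requested fields are checked against an allow-list. Which table each column belongs to, the PROFILE_COLUMNS name, and the in-memory SQLite data are assumptions made so the block runs stand-alone; against MySQL, construct the PDO object with a MySQL DSN and credentials instead.

```php
<?php
// Added example: user_data() with PDO, a bound parameter and a column allow-list.
// Assumption: which table owns each column; the question does not show the schema.
const PROFILE_COLUMNS = [
    'MemberID'    => 'member.MemberID',
    'Name'        => 'member.Name',
    'Email'       => 'member.Email',
    'OddJobName'  => 'oddjob.OddJobName',
    'Description' => 'oddjob.Description',
];

function user_data(PDO $pdo, int $memberId, string ...$fields): array
{
    $select = [];
    foreach ($fields as $field) {
        if (!array_key_exists($field, PROFILE_COLUMNS)) {
            throw new InvalidArgumentException("Unknown profile field: $field");
        }
        // Identifiers cannot be bound, so only allow-listed names reach the SQL text.
        $select[] = PROFILE_COLUMNS[$field] . ' AS ' . $field;
    }
    if ($select === []) {
        return [];
    }
    $sql = 'SELECT ' . implode(', ', $select)
         . ' FROM member JOIN oddjob ON member.MemberID = oddjob.MemberID'
         . ' WHERE member.MemberID = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':id' => $memberId]);   // value travels separately from the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;      // empty array when no such member
}

// Constructed demo schema and row so the block runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (MemberID INTEGER PRIMARY KEY, Name TEXT, Email TEXT)');
$pdo->exec('CREATE TABLE oddjob (MemberID INTEGER, OddJobName TEXT, Description TEXT)');
$pdo->exec("INSERT INTO member VALUES (1, 'Alice', 'alice@example.test')");
$pdo->exec("INSERT INTO oddjob VALUES (1, 'Gardening', 'Lawn mowing')");

print_r(user_data($pdo, 1, 'Name', 'Email', 'OddJobName'));
```

On member.php or update_info.php, pass the numeric id stored in the session at login rather than a value read from the URL, so a visitor cannot load another member's record by editing the query string.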

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow