Persistent data across pages

When you start a session, you need to call the session_start(); function, not using $_SESSION; which means nothing.

EDIT: I was incorrect on this second part.

Ah gotcha ;) I thought I mentioned session start!

I admit, it is my personal preference to apply multidimensional arrays to the session because:

<?php

$_SESSION['user']['id']
$_SESSION['user']['name']
$_SESSION['user']['address']['line1']

$_SESSION['cart']['id']
$_SESSION['cart']['businessID']

//etc

feels slightly more object orientated than

<?php

$_SESSION['userID']

So it's more than possible. I'm yet to find somewhere where this is discouraged, but maybe you can pass some knowledge along!

As a side note $_POST can also contain multidimensional arrays i.e. if you were to have form inputs with names like:

<input type="text" name="address['line1']">
<input type="text" name="address['line2']">
<input type="text" name="address['town']">

and so on

No, you are correct. It seems that we both made mistakes! lol I went ahead and edited my comment so that no one will get confused. Apologies!

If you're going to have users log in, you need to be worried about data persisting after the browser is closed, especially the user's data that they use to log in. This means you need to use, at the very least, some sort of database so that you can retrieve/set data combined with an SSL certificate so that you can keep the user's sensitive data secure. You can then use session variables to retrieve data from the database and then use that to authenticate the user whenever they do anything that involves a modification of their own data or the data they post.

You should do some research on MySQL injection prevention, session hijacking prevention, and other user authentication security methods.

Session variables will definitely allow you to do that. In any case, best of luck to you, Ben! I hope your project is a smashing success :)

If you're using PDO to interact with your database (please tell me you're using PDO!) then you shouldn't have to worry too much about sql injection - the object handles this pretty well.

re: session hijacking - I would suggest considering how secure your application really needs to be before going down a long road of internet security, but I agree more of a problem.

Applications frameworks (I know Laravel does) have built in functionality to handle a lot of the security stuff that's been mentioned. If you're up for it, dive into the Wordpress or Laravel codebase to see if you can find out how they do it ;) If it was me I would have a play with sessions locally then migrate to a framework as you suggested :-)

Hope this helps

I just found this thread, as I was looking for information about PHP sessions. I am also working on a project that involves users logging in, editing their profile, and so on. I remember watching a video or two that touched on PDO but I'd like to get more familiar with it. So, I will try digging through some of the tracks to see what I can find.

Just in case I don't find what I need, would any of you be able to provide tracks (or other sites) containing good information about sessions and/or PDO? Thanks in advance for any help you can offer!

eddie I don't know your level of experience so sorry if some of the following is already known to you, however:

If you haven't already considered it perhaps you should also look at using WordPress (or Joomla or Drupla) as a CMS as they will handle the fiddly bits of managing users securely. There is a series of videos on WordPress that I can recommend.

If you want to learn how to do it by hand (which is worth it for the educational experience alone - plus it gives you more flexibility) then I would recommend mastering mySQL first. Then set up a simple database to hold usernames and passwords and get that to work. Extend this by storing data in the db and associating it with a specific user - so only that user can access it. After that you can look at implementing user sessions to log in users and keep them logged in between pages.

Finally and most importantly, if you are making a real project you will need to have some security. You will need to hash the user passwords so they cannot be hacked. It isn't the easiest thing to do but it is possible with some patience. Let me know where to begin and I can link to some websites and tracks on Treehouse to help.

Hope that helps, and good luck!

Ben, thank you for responding.

You're right. I would like to code everything myself so that I know exactly what's going on behind the scenes. I'm familiar enough with MySQL and PHP that I have already created a database to hold user data, and a working log-in page (it matches up the name and password correctly). However, I have never worked with sessions before.

My site is nothing major. The only real piece of sensitive information anyone will have stored on the database is their password. No SS#, CC#, or anything like that will ever be used. Sure, I'd like to make it as hackproof as possible but it's something I can worry about after everything is up and running.