I build a basic php authentication system for my web project. I just want to ask is it secure because i just worried about session hijacking and sql injection issues. The code is bellow.
user form field contain the user_email filed name for email and password field name for password
PHP user validation code
<?php
session_start();
// // check if user session is set or not
if(isset($_SESSION['user'])){
// session is set redirect to user home
header('Location: appointments.php');
}
// // checking if request method is post
if( $_SERVER['REQUEST_METHOD'] === "POST" ){
if(isset($_POST['user_email']) && isset($_POST['password']) ){
// including database file for database connection
include 'database_connection.php';
$stmt = $conn->prepare("SELECT * FROM user WHERE email = ? AND password = ?");
$stmt->execute([ $_POST['user_email'] , $_POST['password'] ]);
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if( $stmt->rowCount() > 0 ){
$_SESSION['user'] = $result['first_name'];
$_SESSION['user_first_name'] = $result['first_name'];
$_SESSION['user_last_name'] = $result['last_name'];
$_SESSION['user_email'] = $result['email'];
$_SESSION['user_contact'] = $result['contact'];
header('Location: user_appoinment_application.php');
die();
}
else{
header('Location: appointments.php');
die();
}
}
else{
header('Location: appointments.php');
die();
}
}
// request method get
else{
header('Location: appointments.php');
}
for checking is user authorized for particular pages i put the following code for checking user is logged in or not at the top of page
session_start();
// checking the user is logged in or not
if(!isset($_SESSION['user_first_name'])){
// session is set redirect to doctor home
header('Location: appointments.php');
}
i know for prevent sql injection attacks use sql prepared statements but i don't have a proper knowledge about how to prevent session hijacking. Now i just want to know the above code is secure or not. Thanks in advance
