Session Value

kumarrana
Forum Commoner
Posts: 26
Joined: Sat Sep 01, 2007 12:55 pm

Session Value

Post by kumarrana »

feyd | Please use the code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I am really new to PHP.
I am working on a blog. When a user logs in, their session is turned on, but at the same time I want to store their user name in the session (not binary, not Boolean) so I can compare their username with the one which was created during posting blogs. Does anybody have any idea? By the way, I am using MySQL. Here is some sample code that I have tried.

Code: Select all

$result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'") or die("Couldn't query the user-database.");

$row = mysql_fetch_array($result);
$_SESSION['username'] = $row['username'];
This is just sample code, not necessarily correct code.
Anybody willing to help on this?


Last edited by kumarrana on Sat Sep 01, 2007 2:26 pm, edited 2 times in total.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You spelled mysql_fetch_array() incorrectly.
kumarrana
Forum Commoner
Posts: 26
Joined: Sat Sep 01, 2007 12:55 pm

Post by kumarrana »

superdezign wrote: You spelled mysql_fetch_array() incorrectly.
Thanks a lot. Is that the only problem?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

- You didn't call session_start()
- Where are username and userpass coming from? (hopefully somewhere they're coming from $_POST['username'] and $_POST['userpass'], respectively)
kumarrana
Forum Commoner
Posts: 26
Joined: Sat Sep 01, 2007 12:55 pm

Post by kumarrana »

Thanks for all your help.
I don't think I explained what I meant to.
I am not really new to PHP; however, I don't have root knowledge.
I am trying to store (in the session) a "String" like the name of the user, like "cody", if the user is authenticated, but I am getting a boolean value like 1 or 0.
Is there any possibility I can do that in the session?

Here is the PHP section of the code

Code: Select all

<?php
// start the session
session_start();
require_once('config.php');
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword']))
{
	// check if the username and password combination is correct
	//#############################################################################################
	require_once('mysql_login.php');
	$username = $_POST['txtUserId'];
	$userpass = md5($_POST['txtPassword']);
	$result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'") or die("Couldn't query the user-database.");
	$row_user = mysql_fetch_array($result);
	$num = mysql_result($result, 0);
	if (!$num)
	{
		$errorMessage = 'Sorry, wrong username / password';
	}
	else
	{
		// the username and password match,
		// set the session
		$_SESSION['username'] = $row_user['first_name'];
		$_SESSION['userid'] = true;
		// after login we move to the main page
		header('Location: posts.php');
		exit;
	}
	echo "Please insert the valid username and password";
}
?>
kumarrana
Forum Commoner
Posts: 26
Joined: Sat Sep 01, 2007 12:55 pm

Post by kumarrana »

Never mind, guys.
Made it work. Just a stupid mistake that has been bothering me for a long time. :evil:
playgames
Forum Newbie
Posts: 22
Joined: Tue Sep 04, 2007 4:28 am

Post by playgames »

The best code is below

Code: Select all

session_start();
$uname=$_POST['XXX'];
$passwd=$_POST['XXX'];

//=======================
//sorry.

addslashes($_POST['XXX']);//string

intval($_POST['XXX']);//INT



require("db-connect.php");

$query="select count(*) from tb_user where uname='{$uname}' and passwd='{$passwd}'";
$result=mysql_fetch_array(mysql_query($query));

// this query mode will not return an error, and has the fastest speed.

if($result[0]<1){
    // count(*) is 0 when no row matches: reject the login
    echo "false";
}else{
    $_SESSION['uname']=$uname;
    //and other var
}
Last edited by playgames on Wed Sep 05, 2007 4:31 am, edited 2 times in total.
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Never use unchecked variables from a user as they can never be trusted, especially with databases. To do so leads to the possibility of SQL Injection. All text should use mysql_real_escape_string.

Code: Select all

/*
 * Rather than use simple "uname" as variable name I put sql_ in front as the escaped value 
 * to indicate this is only to be used within an sql query. 
 * Not necessary though in this case as you don't use it anywhere else
 */
require("db-connect.php"); // connect first: mysql_real_escape_string() needs an open connection
$sql_uname=mysql_real_escape_string($_POST['XXX']);
$sql_passwd=mysql_real_escape_string($_POST['XXX']);

$query="select count(*) from tb_user where uname='{$sql_uname}' and passwd='{$sql_passwd}'";
An example of an SQL Injection is shown in the manual page for mysql_real_escape_string.
playgames
Forum Newbie
Posts: 22
Joined: Tue Sep 04, 2007 4:28 am

Post by playgames »

sorry.

addslashes($_POST['XXX']);//string

intval($_POST['XXX']);//INT
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

addslashes() is not a good solution for escaping.
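
An added example, not code from any post in this thread: the login flow discussed above written with PDO prepared statements instead of string escaping, storing the user name string in the session. The in-memory SQLite database, the sample user and the function names are assumptions for the demo; it also swaps the thread's md5() for password_hash()/password_verify().

```php
<?php
// Added example. Column names follow the thread (users, username, password,
// first_name); the SQLite database and the sample user are constructed.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, first_name TEXT)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $ins->execute(['cody', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Cody']);
    return $db;
}

// Returns the matching row, or null when the credentials are wrong.
function authenticate(PDO $db, string $username, string $password): ?array {
    // The value is bound as data, so quotes in it cannot change the query.
    $stmt = $db->prepare('SELECT username, password, first_name FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

function login(PDO $db, array $post): bool {
    $row = authenticate($db, (string)($post['txtUserId'] ?? ''), (string)($post['txtPassword'] ?? ''));
    if ($row === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $_SESSION['username'] = $row['username'];     // the string itself, not true/false
    $_SESSION['first_name'] = $row['first_name'];
    return true;
}

$db = make_demo_db();
$_SESSION = [];
var_dump(login($db, ['txtUserId' => 'cody', 'txtPassword' => 's3cret-demo']));   // valid credentials
var_dump($_SESSION['username'] ?? null);
$_SESSION = [];
var_dump(login($db, ['txtUserId' => "cody' OR '1'='1", 'txtPassword' => 'x'])); // quote-laden input
var_dump($_SESSION['username'] ?? null);
```

In a web request, call session_start() before login() and pass $_POST as the second argument.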
kumarrana
Forum Commoner
Posts: 26
Joined: Sat Sep 01, 2007 12:55 pm

Post by kumarrana »

Thanks a lot, guys. That makes sense. I will rewrite my code with your suggestions once I have time. I am a little busy with school.