and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
I am really new to PHP.
I am working on a blog. When a user logs in, their session is turned on, but at the same time I want to store their user name in the session (not binary, not Boolean) so I can compare their username with the one that was recorded when the blog post was created. Anybody have any idea? By the way, I am using MySQL. Here is a sample of the code that I have tried.
$result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'") or die("Couldn't query the user-database.");
$row = mysql_fetch_array($result);
$_SESSION['username'] = $row['username'];
This is just sample code, not necessarily correct code.
Anybody willing to help with this?
Last edited by kumarrana on Sat Sep 01, 2007 2:26 pm, edited 2 times in total.
- You didn't call session_start()
- Where are username and userpass coming from? (hopefully somewhere they're coming from $_POST['username'] and $_POST['userpass'], respectively)
Thanks for all your help.
I don't think I explained what I meant.
I am not really new to PHP; however, I don't have root knowledge.
I am trying to store (in the session) a "String", like the name of the user, e.g. "cody", if the user is authenticated, but I am getting a boolean value like 1 or 0.
Is there any possibility I can do that in the session?
<?php
// start the session
session_start();
require_once('config.php');
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword']))
{
    // check if the username and password combination is correct
    require_once('mysql_login.php');
    $username = $_POST['txtUserId'];
    $userpass = md5($_POST['txtPassword']);
    $result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'") or die("Couldn't query the user-database.");
    $row_user = mysql_fetch_array($result);
    // count the matching rows; mysql_result($result, 0) on an empty result set
    // only raises a warning and returns false, so use mysql_num_rows() instead
    $num = mysql_num_rows($result);
    if (!$num)
    {
        $errorMessage = 'Sorry, wrong username / password';
    }
    else
    {
        // the username and password match,
        // set the session
        $_SESSION['username'] = $row_user['first_name'];
        $_SESSION['userid'] = true;
        // after login we move to the main page
        header('Location: posts.php');
        exit;
    }
    echo "Please insert a valid username and password";
}
?>
session_start();
// XXX stands for the names of your form fields
$uname  = addslashes($_POST['XXX']);  // string
$passwd = addslashes($_POST['XXX']);  // string
// for numeric fields use intval() instead, e.g. $id = intval($_POST['XXX']); // INT
require("db-connect.php");
$query = "select count(*) from tb_user where uname='{$uname}' and passwd='{$passwd}'";
$result = mysql_fetch_array(mysql_query($query));
// this query form does not return an error and is the fastest
// count(*) is never negative, so test for "no rows matched" rather than "< 0"
if ($result[0] < 1) {
    echo "false";
} else {
    $_SESSION['uname'] = $uname;
    // and other vars
}
Last edited by playgames on Wed Sep 05, 2007 4:31 am, edited 2 times in total.
Never use unchecked variables from a user, as they can never be trusted, especially with databases. To do so leads to the possibility of SQL injection. All text should go through mysql_real_escape_string.
/*
 * Rather than use the simple "uname" as the variable name, I put sql_ in front of the escaped value
 * to indicate this is only to be used within an SQL query.
 * Not necessary in this case, though, as you don't use it anywhere else.
 */
$sql_uname  = mysql_real_escape_string($_POST['XXX']);
$sql_passwd = mysql_real_escape_string($_POST['XXX']);
require("db-connect.php");
$query = "select count(*) from tb_user where uname='{$sql_uname}' and passwd='{$sql_passwd}'";
An example of an SQL Injection is shown in the manual page for mysql_real_escape_string.
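Pulling the thread together, here is an added example (not code from any poster above) of the login handler the original question asks for: it stores the user's name in the session as a string after a successful check and gives the post page something to compare against. It goes a step further than the escaping approach discussed above by using a prepared statement with mysqli, so user input is never spliced into the SQL text at all, and password_verify() in place of md5, so the table holds a salted hash. It uses current PHP APIs (mysqli, password_hash/password_verify) rather than the old mysql_* extension. Assumed and not from the thread: a users table with columns id, username, first_name and password_hash; a db-connect.php that defines a connected mysqli object $mysqli; the form fields txtUserId and txtPassword; and a posts table with an author_id column.

```php
<?php
// Added example, not from the thread. Assumed names: table `users`
// (id, username, first_name, password_hash), db-connect.php defining $mysqli,
// form fields txtUserId / txtPassword, and a post record with author_id.
session_start();
require_once 'db-connect.php';

// Look the user up by name only; the password is checked in PHP against the
// stored hash, so the password never appears in the query at all.
function authenticate(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, first_name, password_hash FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);   // bound as data, not as SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same answer for "no such user" and "wrong password" so the response
    // does not reveal which usernames exist.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// The comparison the original poster wanted on the post page: is the logged-in
// user the author of this post? Compare the numeric id rather than the name,
// since names can be renamed or reused.
function isAuthor(array $post): bool
{
    return isset($_SESSION['user_id'])
        && (int) $post['author_id'] === (int) $_SESSION['user_id'];
}

if (isset($_POST['txtUserId'], $_POST['txtPassword'])) {
    $user = authenticate($mysqli, $_POST['txtUserId'], $_POST['txtPassword']);
    if ($user === null) {
        echo 'Sorry, wrong username / password';
    } else {
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['user_id']    = (int) $user['id'];
        $_SESSION['username']   = $user['username'];   // a string, e.g. "cody"
        $_SESSION['first_name'] = $user['first_name'];
        header('Location: posts.php');
        exit;
    }
}
```

When a user registers, store `password_hash($password, PASSWORD_DEFAULT)` in password_hash; password_verify() reads the salt and algorithm back out of that string. `get_result()` requires the mysqlnd driver; with the older libmysql client, use `bind_result()` and `fetch()` instead. On posts.php, call `isAuthor($post)` with the row you loaded for the post to decide whether to show edit controls, and fall back to `$_SESSION['username']` only for display.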