
Session Value

Posted: Sat Sep 01, 2007 1:08 pm
by kumarrana
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.


I am really new to PHP.
I am working on a blog. When a user logs in, their session is turned on, but at the same time I want to store their user name in the session (not binary, not Boolean) so I can compare their username with the one recorded when they posted blog entries. Does anybody have any idea? By the way, I am using MySQL. Here is some sample code that I have tried.

Code:

$result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'") or die("Couldn't query the user-database.");

$row = mysql_fetch_array($result);
$_SESSION['username'] = $row['username'];
This is just sample code, not necessarily correct code.
Is anybody willing to help with this?

Posted: Sat Sep 01, 2007 1:21 pm
by superdezign
You spelled mysql_fetch_array() incorrectly.

Posted: Sat Sep 01, 2007 2:28 pm
by kumarrana
superdezign wrote: You spelled mysql_fetch_array() incorrectly.
Thanks a lot. Is that the only problem?

Posted: Sat Sep 01, 2007 8:57 pm
by s.dot
- You didn't call session_start()
- Where are username and userpass coming from? (hopefully somewhere they're coming from $_POST['username'] and $_POST['userpass'], respectively)

Posted: Wed Sep 05, 2007 3:38 am
by kumarrana
Thanks for all your help.
I don't think I explained what I meant.
I am not really new to PHP, but I don't have deep knowledge.
I am trying to store a string in the session, like the name of the user (e.g. "cody"), if the user is authenticated, but I am getting a boolean value like 1 or 0.
Is there any way I can do that with the session?

Here is the PHP section of the code

Code:

<?php
// start the session
session_start();
require_once('config.php');
$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
    // check if the username and password combination is correct
    require_once('mysql_login.php');
    $username = $_POST['txtUserId'];
    $userpass = md5($_POST['txtPassword']);
    // NOTE: $username is interpolated into the query without escaping
    $result = mysql_query("SELECT * FROM users WHERE password='$userpass' AND username='$username'")
        or die("Couldn't query the user-database.");
    $row_user = mysql_fetch_array($result);
    // count matching rows; mysql_result($result, 0) returned the first column
    // of the first row (not a count) and warned when no row existed
    $num = mysql_num_rows($result);
    if (!$num) {
        $errorMessage = 'Sorry, wrong username / password';
    } else {
        // the username and password match,
        // set the session
        $_SESSION['username'] = $row_user['first_name'];
        $_SESSION['userid'] = true;
        // after login we move to the main page
        header('Location: posts.php');
        exit;
    }
    echo "Please insert a valid username and password";
}
?>
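
An added example (not code from the thread or from any poster) of the same login flow written with PDO prepared statements and password_verify(), storing the username in the session as a string and then checking it on posts.php against a post's author column, which is what the original question asked for. The DSN, the database credentials, and the users(username, password_hash, first_name) and posts(id, author) schema are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   users(id, username, password_hash, first_name)
//   posts(id, author, body)
// DSN and credentials below are placeholders.
session_start();

// Returns the user row on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Look the user up by username only; the password never goes into the SQL.
    $stmt = $db->prepare(
        'SELECT username, password_hash, first_name FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for "no such user" and "wrong password", so the response
    // does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// posts.php side: may the logged-in user edit this post?
function canEditPost(PDO $db, int $postId): bool
{
    if (empty($_SESSION['username'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT author FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    $author = $stmt->fetchColumn();
    // Compare the string stored at login with the author recorded on the post.
    return $author !== false && hash_equals((string) $author, $_SESSION['username']);
}

$errorMessage = '';
if (isset($_POST['txtUserId'], $_POST['txtPassword'])) {
    $db = new PDO(
        'mysql:host=localhost;dbname=blog;charset=utf8mb4', // placeholder DSN
        'dbuser',                                           // placeholder user
        'dbpass',                                           // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    $user = authenticate($db, $_POST['txtUserId'], $_POST['txtPassword']);
    if ($user === null) {
        $errorMessage = 'Sorry, wrong username / password';
    } else {
        // New session id once the privilege level changes (session fixation defence).
        session_regenerate_id(true);
        // Store the username as a string, not a boolean, so later pages can compare it.
        $_SESSION['username']   = $user['username'];
        $_SESSION['first_name'] = $user['first_name'];
        header('Location: posts.php');
        exit;
    }
}
```

Passwords are stored with password_hash() at registration and checked with password_verify() here, so the hash never appears in a WHERE clause and md5() is not involved. The session holds the username itself; canEditPost() shows the comparison the original poster wanted, done against the post's author column with a prepared statement.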

Posted: Wed Sep 05, 2007 3:44 am
by kumarrana
Never mind, guys.
I made it work. Just a stupid mistake that has been bothering me for a long time. :evil:

Posted: Wed Sep 05, 2007 4:11 am
by playgames
The best code is below.

Code:

session_start();

// sorry: escape strings with addslashes(), cast integers with intval()
$uname  = addslashes($_POST['XXX']);  // string
$passwd = addslashes($_POST['XXX']);  // string
// $id  = intval($_POST['XXX']);      // INT

require("db-connect.php");

$query  = "select count(*) from tb_user where uname='{$uname}' and passwd='{$passwd}'";
$result = mysql_fetch_array(mysql_query($query));

// this query mode will not return an error, and is the fastest

// count(*) is never negative, so "< 0" could never fire; "< 1" means no match
if ($result[0] < 1) {
    echo "false";
} else {
    $_SESSION['uname'] = $uname;
    // and other vars
}

Posted: Wed Sep 05, 2007 4:21 am
by CoderGoblin
Never use unchecked variables from a user as they can never be trusted, especially with databases. To do so leads to the possibility of SQL Injection. All text should use mysql_real_escape_string.

Code:

/*
 * Rather than use simple "uname" as the variable name, I put sql_ in front of the escaped value
 * to indicate this is only to be used within an SQL query.
 * Not necessary in this case, though, as you don't use it anywhere else.
 */
$sql_uname  = mysql_real_escape_string($_POST['XXX']);
$sql_passwd = mysql_real_escape_string($_POST['XXX']);
require("db-connect.php");

$query = "select count(*) from tb_user where uname='{$sql_uname}' and passwd='{$sql_passwd}'";
An example of an SQL Injection is shown in the manual page for mysql_real_escape_string.
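
An added example (not from the thread or any poster) that shows, without a database connection, why an unescaped value changes the meaning of the query text and what mysql_real_escape_string()-style escaping does to it. escapeForMysql() is a hand-written stand-in for the connection-bound function, written here only so the script runs offline; tb_user, uname and passwd are the column names from the post above, and the input value is constructed.

```php
<?php
// Added example, not from the thread. Builds query text only; no DB needed.

// The pattern from the post: the value is interpolated as-is.
function buildUnescaped(string $uname, string $passwd): string
{
    return "select count(*) from tb_user where uname='{$uname}' and passwd='{$passwd}'";
}

// Stand-in for mysql_real_escape_string(): applies MySQL's string-literal
// escaping rules (backslash first, so later replacements are not re-escaped).
// The real function also knows the connection character set; this one does not.
function escapeForMysql(string $s): string
{
    return str_replace(
        ["\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
        $s
    );
}

function buildEscaped(string $uname, string $passwd): string
{
    return "select count(*) from tb_user where uname='" . escapeForMysql($uname)
         . "' and passwd='" . escapeForMysql($passwd) . "'";
}

// Constructed input: an ordinary surname that happens to contain a quote.
$uname  = "O'Brien";
$passwd = "secret";

// In the unescaped form the apostrophe in O'Brien closes the string literal
// early, so the remaining characters are parsed as SQL syntax rather than data.
echo buildUnescaped($uname, $passwd), PHP_EOL;

// In the escaped form the apostrophe is prefixed with a backslash and stays
// inside the literal, so the server sees it as part of the username.
echo buildEscaped($uname, $passwd), PHP_EOL;

// Prepared statements avoid building SQL from strings at all: the query with
// placeholders and the values travel to the server separately, so no escaping
// step exists to get wrong.
// $stmt = $mysqli->prepare('select count(*) from tb_user where uname=? and passwd=?');
// $stmt->bind_param('ss', $uname, $passwd);
```

Run it with `php` on the command line and compare the two printed queries. The point of the connection-bound mysql_real_escape_string() over addslashes() (and over the stand-in above) is that correct escaping depends on the connection character set: under some multibyte charsets a byte sequence can swallow the inserted backslash, which is why the escaping function must know the charset the connection is using, and why prepared statements are the safer default.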

Posted: Wed Sep 05, 2007 4:30 am
by playgames
Sorry.

addslashes($_POST['XXX']); // string

intval($_POST['XXX']);     // INT

Posted: Wed Sep 05, 2007 12:20 pm
by feyd
addslashes() is not a good solution for escaping.

Posted: Tue Sep 11, 2007 12:10 am
by kumarrana
Thanks a lot, guys. That makes sense. I will rewrite my code with your suggestions once I have time. I am a little busy with school.