I run our company website. I just noticed a weird thing happening: when a staff member in the same office as me logs in, they see "Hi, Matt!" on their page instead of their name. I can't test whether this is happening outside the office (I assume not), but is it possible for us all to be somehow sharing cookies since we're all on the same network with the same IP?
Before anyone suggests it, I've triple checked that my details/user ID aren't hardcoded in to the script. Basically, the way it works is like so:
- The user logs in. If their details are correct, we generate a hash containing their userID + a random unique string. This is stored in the database, and then set as their cookie.
- When the user edits their preferences (this is the problem page), we lookup their details from the database by retrieving the value of their cookie and looking their info up from the database based on this. This is where it goes wrong - I've checked, and their cookie has a different value to mine, but when the lookup happens, it's getting the wrong values back. I've printed the query that is happening to get their info, and when run against the database directly, it returns the right details (eg, theirs, not mine), but by the time it hits the page, it's displaying my info.
This is the function that returns the userID (which is returning mine, and not theirs) - can anyone see anything obviously wrong?
Code: Select all
function getUserID($cookiename)
{
if(isset($_COOKIE["$cookiename"])) {
$cookiehash = htmlentities($_COOKIE["$cookiename"]);
$query = "SELECT userID FROM users WHERE CookieHash = '$cookiehash'";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$userid = $row['userID'];
return $userid;
} else {
return false;
}
}
Thanks
Matt