Reputation: 3416
Before I go ahead and attempt to create a website, I wanted to know whether pulling a user's content from a database, depending on which user is logged in, can be determined by a $_SESSION variable. So, for example, if I want all the messages for user 'example':
$_SESSION['username'] = $_POST['username']; // set when the user logs in
$username = $_SESSION['username'];
$data = mysql_query("SELECT * FROM messagesTable WHERE username = '$username'"); // $username is interpolated straight into the SQL string
while ($row = mysql_fetch_array($data)) {
    echo $row['message'];
}
I wanted to know if this would be the right way to do something like this, and also if it's safe to return (personal) data based on a session variable.
I haven't got that much experience in either of these languages, but I like to learn by experience. Please tell me if it's not clear. Thanks.
Upvotes: 2
Views: 7236
Reputation: 1
<?php
session_start();
$username = "";
if (!empty($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $conn = mysql_connect('localhost', 'user', 'passwd') or die("Unable to connect to database" . mysql_error());
    mysql_select_db('DBName') or die(mysql_error());
    // escape the session value before it goes into the query string
    $sql = "SELECT * FROM tablename WHERE username='" . mysql_real_escape_string($username, $conn) . "'";
    $retval = mysql_query($sql, $conn) or die("Could not perform query" . mysql_error());
    while ($row = mysql_fetch_array($retval)) {
        echo $row['message'];   // `echo {$row['message']};` was a syntax error
    }
    mysql_free_result($retval);
    mysql_close($conn);
} else {
    header("Location: login.php");
    exit;   // stop after the redirect; a `return false` placed before header() meant the redirect was never sent
}
?>
Upvotes: -2
Reputation: 4592
It wouldn't be the correct way to do it, no.
May I suggest you go read the PHP/MySQL docs and/or a good book before attempting a website.
You also need to look into security (session hijacking, cross-site scripting, MySQL attacks, form tokens, login systems, user roles/permissions). Google search is your friend...
Upvotes: 0
Reputation: 270775
It is safe to return user data based on a $_SESSION variable if you are certain of its validity because you set it yourself in code. It is not safe to return data based on a session variable that you get from $_POST.
You initially set
$_SESSION['username'] = $_POST['username'];
So unless you have verified with a password or otherwise that this user is who he claims to be, you should not use $_POST['username'] to return other information. If your login process (which we cannot see above) already verifies that $_POST['username'] is valid, you can use it as a source to retrieve additional information.
You will need also to filter against SQL injection:
$_SESSION['username'] = mysql_real_escape_string($_POST['username']);
Upvotes: 3
Reputation: 496
That isn't standard and probably not safe, since a PHP session stays open even when a browser tab may not be open to the site, because the cookie isn't erased until the browser is shut down. Also, you could just send a POST parameter to the site and get the info too, so login scripts are a little more advanced. You could do something like have a unique key that is generated upon logging in, and when they leave the site, use JavaScript to delete the cookie, something like that.
Upvotes: 0