2

before I go ahead and attempt to create a website, I wanted to know if pulling a users content from a database depending on which user is logged in can be determined by a $_SESSION variable. So for example if I want all the messages for user 'example':

$_SESSION['username'] = $_POST['username'] // set when the user logs in
$username = $_SESSION['username']

$data = mysql_query("Select * from messagesTable where username = '$username'")
while($row = mysql_fetch_array($data)) {
echo $row['message']
}

I wanted to know if this would be the right way to do something like this and also if its safe to return (personal) data based on a session variable.

I haven't got that much experience in either of these languages but I like to learn with experience, please tell me if it's not clear. Thanks.

Improve this question

4 Answers 4

Reset to default
3

It is safe to return user data based on a $_SESSION variable if you are certain of its validity because you set it yourself in code. It is not safe to return data based on a session variable that you get from $_POST.

You initially set

$_SESSION['username'] = $_POST['username'];

So unless you have verified with a password or otherwise that this user is who he claims to be, you should not use $_POST['username'] to return other information. If your login process (which we cannot see above) already verifies that $_POST['username'] is valid, you can use it as a source to retrieve additional information.

You will need also to filter against SQL injection:

$_SESSION['username'] = mysql_real_escape_string($_POST['username']);
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

yea thanks sorry i just typed that out, my actual code includes all the other password checks and stuff lol
And also, unrelated to the question, you could look into mysqli or PDO, since the mysql functions are now deprecated. Hope it helps. =)
0

that isn't standard and probably not safe since phpsession stay open even when a browser tab maybe not be open to the site since the cookie isn't eased until the browser is shutdown and also you could just send a post parameter to the site and get the info too so login scripts are a little more advanced, you could something like have a unique key that is generate upon logging in and when they leave the site using javascript delete the cookie something like that

Improve this answer

Comments

0

It wouldnt be the correct way to do it no.

May i suggest you go read the php/mysql docs and or a good book before attempting a website.

You also need to look into security(session hijacking, cross scripting, mysql attacks, form tokens, login systems, user roles/permissions). Google search is your friend...

Improve this answer

3 Comments

u gona actually say why its the wrong way to do it or just tell me to read a book lol
Cleary reading the docs or a book is not an option :P Ive just given you 6/7 good reasons, or did you not read that either?
o right, i assumed there was more because you said 'also' lol
-2 
<?php
session_start();
    $username="";
    if($_SESSION['username']==true){
            $username=$_SESSION['username'];
            $conn=mysql_connect('localhost','user','passwd') or die("Unable   
                   to connect to database" .mysql_error());
            mysql_select_db('DBName') or die(mysql_error());
            $sql="SELECT * FROM tablename WHERE username='$username'";
            $retval=mysql_query($sql, $conn) or die("Could not perform query" 
              .mysql_error());
            while($row=mysql_fetch_array($retval)){
                echo {$row['message']};
            }
            mysql_free_result($retval);
            mysql_close($conn);
    }
    else{
        return false;
        header("Location:login.php");
    }
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.