gammaman Posted April 20, 2008

I want to do something like this, but I get an error message saying unexpected T_VARIABLE on line 27. I am trying to use the $_SESSION values that are being carried over in a query.

```php
<?php
$conn=mysql_connect("localhost","fierm","13183");
if(!$conn){
    echo "failed";
}else{
    mysql_select_db(fierm);
    session_start();
    $_SESSION['student']['user'];
    $_SESSION['student']['pass'];
    $CourseID=$_POST['ci'];
    $CourseName=$_POST['cn'];
    $course=mysql_query("select CourseID,CourseName,StudentID,Password FROM Rcourse WHERE CourseID ='$CourseID' AND CourseName='$CourseName' AND StudentID = "$_SESSION['student']['user']" AND Password = "$_SESSION['student']['pass']"");
    $count=mysql_num_rows($course);
    if ($count > 0 ){
        echo "Already took or currently taking this course";
    }
    // else{
    // mysql_query("Insert into Rcourse (CourseID,CourseName,StudentID,Password)
    // Values ($CourseID,$CourseName,$USer,$Pass)");
    //
    //}
}
?>
```
monkeypaw201 Posted April 20, 2008

What is line 27?
DarkWater Posted April 20, 2008

Enclose the session variable in curly braces inside the query. =)

```php
{$_SESSION['whatever']}
```

It'll work then.
Fadion Posted April 21, 2008

Just use concatenation; don't complicate the string so much that you won't be able to read it in the future:

```php
<?php
mysql_query("SELECT * FROM table WHERE smth='" . $_SESSION['smth'] . "'");
?>
```

Note that $_SESSION['smth'] is also enclosed in single quotes.
redarrow Posted April 21, 2008

EDITED sorry.......... Remember sessions might cause the select statement to go wrong, be careful........ also sessions in a database query ask for trouble...........

```php
<?php
session_start();

// set a session with an id.
$_SESSION['id']=301;

// set variable id as a session.
$id=$_SESSION['id'];

// post id
$id=$_POST['id'];

// select the session via the variable $id
mysql_query("SELECT * FROM table WHERE id='$id'");
?>
```
DarkWater Posted April 21, 2008

```php
$course=mysql_query("select CourseID,CourseName,StudentID,Password FROM Rcourse WHERE CourseID ='$CourseID' AND CourseName='$CourseName' AND StudentID = '{$_SESSION['student']['user']}' AND Password = '{$_SESSION['student']['pass']}'");
```

That's it. That query will work.
dptr1988 Posted April 21, 2008

How could $_SESSION data in a SQL query cause trouble? I'm not wanting to argue, I honestly don't understand why.
ohdang888 Posted April 21, 2008

If the session is hacked or something, they could delete tables from your system... you need to use mysql_real_escape_string on them before putting them into the query.
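Escaping works, but the cleaner fix is to keep the POSTed fields and the session values out of the SQL text altogether with a prepared statement. This is an added example, not code from the thread: the original post's lookup rewritten with mysqli (the mysql_* functions were removed in PHP 7), using the table and column names from that post; the connection credentials are placeholders, and the password comparison is dropped because the session already identifies the student.

```php
<?php
// Added example, not from the thread: the lookup from the original post as a
// mysqli prepared statement. mysql_* was removed in PHP 7; mysqli replaces it.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function alreadyEnrolled(mysqli $db, string $courseId, string $courseName, string $studentId): bool
{
    // Placeholders keep every value out of the SQL text, so neither the
    // POSTed course fields nor the session value can change the statement,
    // whatever characters they contain. No quoting or escaping is needed.
    $stmt = $db->prepare(
        'SELECT 1 FROM Rcourse WHERE CourseID = ? AND CourseName = ? AND StudentID = ? LIMIT 1'
    );
    $stmt->bind_param('sss', $courseId, $courseName, $studentId);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

session_start();
// Assumption: the login page stored the authenticated student ID here.
// The session itself proves who the student is, so the password is not
// re-sent to the database the way the original query did.
if (!isset($_SESSION['student']['user'])) {
    http_response_code(403);
    exit('not logged in');
}
$studentId = (string) $_SESSION['student']['user'];

// User and password are placeholders; 'fierm' is the database name from the post.
try {
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'fierm');
} catch (mysqli_sql_exception $e) {
    exit('failed');
}

$courseId   = (string) ($_POST['ci'] ?? '');
$courseName = (string) ($_POST['cn'] ?? '');

if (alreadyEnrolled($db, $courseId, $courseName, $studentId)) {
    echo 'Already took or currently taking this course';
}
```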
DarkWater Posted April 21, 2008

> How could $_SESSION data in a SQL query cause trouble? I'm not wanting to argue, I honestly don't understand why.

I know, right? If you're assigning it to a variable and then putting it in the query, that's essentially the same as using it directly, so I don't understand why you'd do it like that. You can just enclose it in {} and be done.
dptr1988 Posted April 21, 2008

How could sessions be hacked? The only way to hack a session is to use a different session ID, which would still give you session data that was already approved by the server, although it may have been meant for a different user. redarrow may have been confusing sessions with cookies, where the data is stored on the user's computer and is subject to tampering.
redarrow Posted April 21, 2008

Sessions can be used by anyone via a form or even by the URL; all people have to do is continue to guess your session name and start to use it. But in saying that, a session that has been validated correctly is good and good code practice... but sessions in database queries are bad code practice, trust me............ Imagine people got your session and found a page where you're deleting info to update the system, hey presto, you've got no database info now... Setting a session to a variable is much safer than just using the session RAW in a query............
DarkWater Posted April 21, 2008

> Sessions can be used by anyone via a form or even by the URL; all people have to do is continue to guess your session name and start to use it. But in saying that, a session that has been validated correctly is good and good code practice... but sessions in database queries are bad code practice, trust me............ Imagine people got your session and found a page where you're deleting info to update the system, hey presto, you've got no database info now...

You've obviously never used sessions before, or not that much, anyway. Even if they took another session from another user, what would they do? Ruin that user's account? They can't change the username or password of the session to 'DROP TABLE xxxx'. That query that he has right now is perfectly safe.
redarrow Posted April 21, 2008

You're talking no sense mate... it would delete that user's account, but by using the session name you can do a lot more than that, especially when the session is directly in a query.... Also, now we know you've got sessions in your queries, you'll definitely get hacked......
dptr1988 Posted April 21, 2008

It would only delete the user account if you had previously configured the session data to be able to delete the account. And still, that data couldn't be used in this instance, i.e. you probably won't be managing your tables with the same session variable that you use to store the login query.
DarkWater Posted April 21, 2008

> You're talking no sense mate... it would delete that user's account, but by using the session name you can do a lot more than that, especially when the session is directly in a query.... Also, now we know you've got sessions in your queries, you'll definitely get hacked......

Really? Explain to me how you could change $_SESSION['student']['user'] to a malicious query just by knowing the session ID. Enlighten me. For the record, I'm sure about what I'm saying, I don't really need enlightenment.
redarrow Posted April 21, 2008

Tell me which one is easier to guess than the other...............

```php
<?php
session_start();

$_SESSION['student']['user']="redarrow";

echo " Changed session to: ".$_SESSION['student']['user']." <br><br>";

$suser=$_SESSION['student']['user']="paul";

echo " Set varable Changed session to: $suser <br><br>";
?>
```
DarkWater Posted April 21, 2008

> Tell me which one is easier to guess than the other...............
>
> ```php
> <?php
> session_start();
>
> $_SESSION['student']['user']="redarrow";
>
> echo " Changed session to: ".$_SESSION['student']['user']." <br><br>";
>
> $suser=$_SESSION['student']['user']="paul";
>
> echo " Set varable Changed session to: $suser <br><br>";
> ?>
> ```

Excuse me, but how do you presume that a user who obtained someone else's session ID would be able to edit the script like that and change the variables? =/ Honestly, think it through before you try and show me that I'm wrong.
Fadion Posted April 21, 2008

redarrow has 8x my post count, so I have to respect him. But really, I can't think of a way to spoof a session stored server side, even if I have the SID. If there were such an option, scripts would be a lot less secure.
DarkWater Posted April 21, 2008

> redarrow has 8x my post count, so I have to respect him. But really, I can't think of a way to spoof a session stored server side, even if I have the SID. If there were such an option, scripts would be a lot less secure.

I respect his post count, but he seems like he had no idea what he was talking about just a minute ago. I have so few posts because I just joined PHPFreaks, but I've been coding PHP for years.
dptr1988 Posted April 21, 2008

Post count does not always reflect your PHP knowledge. Up until 3 days ago, I had been programming for 6 years and only had around 30 posts.
redarrow Posted April 21, 2008

All I am saying is a session in a query not set to a variable is not secure mate.. The reason I say that is, programmers use their sessions in a meaningful way, then they hide the session info with a set variable, nothing indicating the session name, making the variable unique......... Yes, some programmers make their session unique, but most don't... be careful, that's all............. good luck............
Fadion Posted April 21, 2008

> Post count does not always reflect your PHP knowledge. Up until 3 days ago, I had been programming for 6 years and only had around 30 posts.

[OFFTOPIC] What I said is that I respect the thoughts of someone with so many posts. Having 5000+ posts means that he has been here for some time, and here you can learn a lot in 1 day, imagine a year or 2. But that absolutely doesn't mean I don't respect the thoughts of someone with 2 posts.
DarkWater Posted April 21, 2008

> All I am saying is a session in a query not set to a variable is not secure mate.. The reason I say that is, programmers use their sessions in a meaningful way, then they hide the session info with a set variable, nothing indicating the session name, making the variable unique......... Yes, some programmers make their session unique, but most don't... be careful, that's all............. good luck............

But this is the exact same as just using the session variable...

```php
$suser=$_SESSION['student']['user'];
```

...
redarrow Posted April 21, 2008

All read this please, cheers, makes lots of sense..

http://en.wikipedia.org/wiki/Session_poisoning

Edited this as well:

http://en.wikipedia.org/wiki/Session_fixation#A_simple_attack_scenario

To anyone: it doesn't matter if you've been programming for years, there's always something to learn in PHP. Also, the number of posts on the forum web site doesn't reflect the power of a user's programming skills... Remember there are wannabe copy-and-paste programmers that earn thousands a day programming (fact not fiction)... ideas are the solution, and using the PHP language to its full potential.
Fadion Posted April 21, 2008

Only the shared host scenario could be a real session spoof; the others are by using GET and REQUEST (who uses REQUEST anyway?). GET variables are dangerous by themselves, so it still is generally not related to sessions.
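The session-fixation scenario linked above (an ID handed to the victim through the URL and reused once they log in) is closed on the server side, not in the query. This is an added example, not code from the thread: a login handler that accepts session IDs only from cookies, refuses IDs the server never issued, and regenerates the ID once the credentials check out; the credential store is a constructed stand-in for the site's own student lookup.

```php
<?php
// Added example, not from the thread: login handling that defeats the
// session-fixation scenario linked above.
declare(strict_types=1);

// Take the session ID from the cookie only, never from the URL or a form
// field, and reject IDs this server never issued. Both settings must be
// applied before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function authenticate(string $user, string $pass): bool
{
    // Constructed sample credential store; the real site would look the
    // student up in its own table. The hash is computed at load time for
    // this demo only.
    static $store = null;
    if ($store === null) {
        $store = ['s1001' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    }
    return isset($store[$user]) && password_verify($pass, $store[$user]);
}

function loginStudent(string $user, string $pass): bool
{
    if (!authenticate($user, $pass)) {
        return false;
    }
    // Swap in a fresh ID at the moment the session gains privileges, so any
    // ID the browser held before login (possibly planted) is worthless now.
    session_regenerate_id(true);
    $_SESSION['student']['user'] = $user;
    return true;
}

if (isset($_POST['user'], $_POST['pass'])) {
    if (loginStudent((string) $_POST['user'], (string) $_POST['pass'])) {
        echo 'logged in as ' . htmlspecialchars($_SESSION['student']['user']);
    } else {
        http_response_code(401);
        echo 'bad credentials';
    }
}
```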