
Newbie Problems


dark dude


Hi,

I've recently started on PHP after HTML couldn't bear what I needed.

I need to know how to do some things. Here's a small explanation of my problems.

[b]Problem #1 - Sessions, Session IDs and Logins[/b]

Ok, I have a login page and a php script that processes it against the variables, and then confirms/declines the login onto a preview page.
Only problem is, when you click the link on the "login success/process!" screen I put in, I had it so you clicked a link to view the "Game overview.php". However, it doesn't show your variables, like username, planet etc. (I am coding an online game).
I need a basic description on how to store the login information into a session/session id, and send it across the other pages, so I can select specific variables on the database that are with the login information.
All I know at the moment is that you start a session with session_start() and end it with session_destroy(), and you do something with $_Session['Username/whatever'].

Putting it simply, I want a focused description on how to properly "login" and then pick up the user's variables that exist in the database. I also want to store all this in a "Random Session Id" that can be shown in the URL.

Here are my two scripts at the moment:
The login form (login.php)
[quote]<body bgcolor='#000033' text='#CCFFFF'>
<h1>Server 1 Login Page</h1>
<i>Notice: Logins are currently bugged and unfinished. A "Session Id" is still to be created to enable full dynamic use of your account.</br>
Thank you, and enjoy our login</i>
<form name="authenticate" method="post" action="loginprocess.php">
Username: <input name="Username" type="text" value="Username" size="20"/><br>
Password: <input name="Password" type="text" value="Password" size="20"/><br>
<input type="submit" name="submit" value="submit"/>
<input type="reset" name="reset" value="reset"/>
</form>[/quote]

The login process + preview page (loginprocess.php)
[quote]<body bgcolor='#000033' text='#CCFFFF'>
<?
$username="Server1Main";
$password="nobodyloses";
$database="Server1";

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$query="SELECT * FROM Users";
$result=mysql_query($query);

$Status=mysql_result($result,"Status");


$sql="SELECT * FROM Users WHERE Username='$Username' and Password='$Password'";
$r = mysql_query($sql);
if(!$r) {
$err=mysql_error();
print $err;
exit();
}
if(mysql_affected_rows()==0){
print "Invalid Username/Password, Please try again.";
exit();
}
else{
print "Thank you for logging on, ".$Username.". ";
}
if($Status=="Banned"){
print "<br>You have been banned from the server for ".$BannedFor." by ".$BannedBy.".<br>";
print "Your ban will expire on ".$BannedUntil.".";
}
else{
print "Welcome to Adastra Extritium!";
}

?>[/quote]

(Also, it doesn't like the ban check)


[b]Problem #2 - SQL Injections[/b]

I am aware of major security holes with both Cookies and Sessions, but I chose to use sessions, for compatibility reasons.
Is there any way of closing the security hole to prevent people from SQL injecting members' session IDs? Thanks for any help here.


[b]Problem #3 - Server Updating and Times[/b]

With this game, you need timers. I want to know how to set it so that when you click a "Build" button, it applies a timer delay. After that timer (it's also displayed to the user) reaches 0, the build is complete, and the build completion script runs. (ie. if ($Timer==00s) set $Woodmill=$Woodmill+1)

Also, I need to know how to set the server to refresh itself (so all the points update at the same time) on regular intervals, like every 4 hrs.



Thanks for any help,

~Dark dude~

1. Something like this:

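[code]session_start(); // must run before any output so $_SESSION is available
$query = mysql_query("SELECT * FROM users ...");
while ($row = mysql_fetch_array($query)) {
   // copy the columns you need from the row into the session
   $_SESSION['planet'] = $row['planet'];
   $_SESSION['weapon'] = $row['weapon'];
   // ...and so on for the other columns
}
[/code]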

2. SQL Injection may or may not involve the session IDs. It's basically execution of arbitrary SQL queries by using exploits. To avoid them, you must not trust user input, ever. And escape data before querying:

http://www.php.net/mysql_escape_string

3. You can use cron jobs for that.

And finally a reminder, games like this usually hog a lot of resources. Be careful to not take down the server.
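
An added example, not part of the original posts: a login check that binds the submitted username as a query parameter and then stores the result in the session, using PDO prepared statements and `password_hash()` in place of the `mysql_*` calls and escaping discussed above. The in-memory SQLite table, its `PasswordHash` column and the function names are constructed for illustration.

```php
<?php
// Added example: constructed in-memory table; a real game would query its own Users table.
declare(strict_types=1);

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT UNIQUE,
               PasswordHash TEXT, Status TEXT, Planet TEXT)');
    $ins = $db->prepare('INSERT INTO Users (Username, PasswordHash, Status, Planet)
                         VALUES (?, ?, ?, ?)');
    // Constructed sample rows; passwords are stored only as hashes.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Active', 'Terra']);
    $ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'Banned', 'Mars']);
    return $db;
}

// Returns the user row on success, null on bad credentials or a banned account.
function authenticate(PDO $db, string $username, string $password): ?array {
    // The placeholder keeps $username as data; it is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, Username, PasswordHash, Status, Planet
                          FROM Users WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return null;
    }
    return $row['Status'] === 'Banned' ? null : $row;
}

// Call on the login page after session_start() and a successful authenticate().
function start_login_session(array $user): void {
    session_regenerate_id(true);            // issue a fresh ID at login, drop the old one
    $_SESSION['user_id']  = $user['id'];    // store the key; re-read game data per page
    $_SESSION['username'] = $user['Username'];
    $_SESSION['status']   = $user['Status'];
}

// Demo on the command line (sessions are not started here).
$db = make_demo_db();
var_dump(authenticate($db, 'alice', 'correct horse') !== null); // valid credentials
var_dump(authenticate($db, "alice' OR '1'='1", 'x'));           // constructed input with a quote
var_dump(authenticate($db, 'bob', 'hunter2'));                  // banned account
```

On later pages, call `session_start()` and read `$_SESSION['status']` to decide access; the session ID itself stays in the cookie and is never parsed by your code.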

1. Ok, so how do you convert the session id back? eg. Later on, you want to read the Session['Status'] to see if they should have access to a Moderator area?

2. Ooooh, ok, thanks for answering that for me =]

3. Cron jobs? You mean, like, somebody, say, a friend, goes onto the server database and refreshes the scores?


@Reminder: Yup, I am aware of that, it's text based, and the server I am using is rated one of the top 10 servers on the net. It's only a small game, but we will pay for bigger, better servers when needed.
And yeah, thanks for noting the dangers of it anyway :P

3. No. A cron job is a Unix method of executing a script at regular intervals. You would set up a cron job through cPanel or from your server command line. The easier way is to do it through cPanel. You just enter in the path and name of the script you want to be executed and enter in the time interval you want it to be executed. The server will automatically run your script every x amount of time. The script itself would do the updating of your data, and the server will run it.
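
An added example, not part of the original posts: a script of the kind cron would run, which completes builds whose stored finish time has passed, refuses to run through the web server, and skips a run if the previous one still holds the lock. The file path, crontab line, table layout and the `finish_at` column are assumptions made for illustration.

```php
<?php
// Added example, e.g. saved as tick.php outside the web root (file name is an assumption).
// Constructed crontab entry for the "every 4 hrs" refresh mentioned in the thread:
//   0 */4 * * * /usr/bin/php /home/game/tick.php
declare(strict_types=1);

// Finish every build whose completion time has passed; returns how many completed.
function complete_due_builds(PDO $db, int $now): int {
    $db->beginTransaction();
    $due = $db->prepare('SELECT id, user_id FROM Builds WHERE done = 0 AND finish_at <= ?');
    $due->execute([$now]);
    $bump = $db->prepare('UPDATE Users SET Woodmill = Woodmill + 1 WHERE id = ?');
    $mark = $db->prepare('UPDATE Builds SET done = 1 WHERE id = ?');
    $count = 0;
    foreach ($due->fetchAll(PDO::FETCH_ASSOC) as $build) {
        $bump->execute([$build['user_id']]);
        $mark->execute([$build['id']]);
        $count++;
    }
    $db->commit();
    return $count;
}

if (PHP_SAPI !== 'cli') {            // refuse to run if reached through the web server
    http_response_code(403);
    exit;
}
$lock = fopen(sys_get_temp_dir() . '/game-tick.lock', 'c');
if ($lock === false || !flock($lock, LOCK_EX | LOCK_NB)) {
    exit(0);                          // a previous run is still going; skip this one
}

// Constructed in-memory data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, Woodmill INTEGER)');
$db->exec('CREATE TABLE Builds (id INTEGER PRIMARY KEY, user_id INTEGER,
           finish_at INTEGER, done INTEGER DEFAULT 0)');
$db->exec('INSERT INTO Users VALUES (1, 0)');
$now = time();
$add = $db->prepare('INSERT INTO Builds (user_id, finish_at) VALUES (1, ?)');
$add->execute([$now - 60]);           // already due
$add->execute([$now + 3600]);         // still building

echo complete_due_builds($db, $now), " build(s) completed\n";
flock($lock, LOCK_UN);
```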