twilitegxa, posted July 21, 2009

I have a page that I am displaying the user's information from the users table. Now I would like to display additional information about the user from a different table and display only one field (identity) based on the username. The username is a field in both tables and I have the userName set as a session as well. Here is my script for displaying the user's information:

```php
<?php
session_start();

if (!isset($_SESSION['loggedIn'])) {
    header("Location: login.php");
    exit; // stop here so the rest of the page is not sent along with the redirect
}

//Access Tracking Snippet

//set up static variables
$page_title = "account.php";
$user_agent = getenv("HTTP_USER_AGENT");
$date_accessed = date("Y-m-d");

//connect to server and select database
$conn = mysql_connect("localhost", "root", "") or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//create and issue query
$sql = "insert into access_tracker values ('', '$page_title', '$user_agent', '$date_accessed')";
mysql_query($sql,$conn);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sailor Moon RPG - <?php echo $_SESSION['userName'] ?>'s Account</title>
<style type="text/css" media="screen">
/*<![CDATA[*/
@import url(global.css);
/*]]>*/
</style>
</head>
<body>
<!-- HEADER -->
<h1 class="logo">Sailor Moon RPG</h1>
<!-- /HEADER -->
<?php include("topnav.php"); ?>
<div id="main">
<?php include("includes/log.php"); ?>
<?php include("mainnav.php"); ?>
<h1>Your Account Information:</h1>
<div id="account">
<table>
<tr>
<td><strong>Username:</strong></td>
<td><?php echo $_SESSION['userName'] ?></td>
</tr>
<tr>
<td><strong>Name:</strong></td>
<td><?php echo $_SESSION['name'] ?></td>
</tr>
<tr>
<td><strong>E-mail:</strong></td>
<td><?php echo $_SESSION['userMail'] ?></td>
</tr>
<tr>
<td valign=top><strong>Your Characters:</strong></td>
<td valign=top>
<?php
$get_characters = "select * from scouts";
$get_characters_res = mysql_query($get_characters, $conn) or die(mysql_error());

while ($list_characters = mysql_fetch_array($get_characters_res)) {
    $identity = $list_characters['identity'];
    $topic_id = $list_characters['id'];
    // close the anchor so each identity is its own link
    echo "<a href=\"showprofile.php?id=$topic_id\">$identity</a> ";
}
?></td>
</tr>
</table>
<p>Click <a href="edit_info.php">here</a> to edit your personal information.</p>
</div>
</div>
<?php include("bottomnav.php"); ?>
<!-- FOOTER -->
<div id="footer_wrapper">
<div id="footer">
<p>Sailor Moon and all characters are<br>
trademarks of Naoko Takeuchi.</p>
<p>Copyright © 2009 Liz Kula. All rights reserved.<br>
A product of <a href="#" target="_blank">Web Designs By Liz</a> systems.</p>
<div id="foot-nav"><!-- <ul>
<li><a href="http://validator.w3.org/check?uri=http://webdesignsbyliz.com/digital/index.php" target="_blank"><img src="http://www.w3.org/Icons/valid-xhtml10-blue" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a></li>
<li><a href="http://jigsaw.w3.org/css-validator/validator?uri=http://webdesignsbyliz.com/digital/global.css" target="_blank"><img class="c2" src="http://jigsaw.w3.org/css-validator/images/vcss-blue" alt="Valid CSS!" /></a></li>
</ul> --></div>
</div>
</div>
<!-- /FOOTER -->
</body>
</html>
```

Right now it is displaying all rows in the identity field, but I want it to only display those where the username matches the username that is logged in. How can I do this?

Link to comment: https://forums.phpfreaks.com/topic/166748-solved-select-certain-fields-from-table-based-on-session/

HPWebSolutions, posted July 21, 2009

Change

```php
"select * from scouts"
```

to

```php
"select * from scouts where username = '".$_SESSION['userName']."'"
```

HPWebSolutions, posted July 21, 2009

I should also mention that you will probably want to use mysql_real_escape_string before performing any DB query to prevent possible SQL injection attacks. Note that you may experience conflicts if you have magic_quotes turned on in your PHP configuration file, which automatically escapes certain characters. It has been recommended by the PHP devs not to rely on magic_quotes, which is officially deprecated as of PHP 5.3.

twilitegxa (author), posted July 21, 2009

That worked! Thank you so much! I was on the right track when I was trying to use the session, I was just typing it wrong. Thank you so much for the help!

Where do you mean I should use the mysql_real_escape_string? I thought I needed to use it on input fields. Where else should I be using it?

HPWebSolutions, posted July 21, 2009

You are very welcome, glad I could help. As far as mysql_real_escape_string goes, I'm not sure how you regulate usernames, but for instance if a user had a username that could inject sql into your db, such as

'; DROP TABLE users; --

then you might have a problem. That may not be a good example, but I hope you see what I mean. To be on the safe side, I use it every single time I make a db query. You'll always want to use it right before or in the query on the query string to ensure that everything is escaped and that you didn't miss something.

twilitegxa (author), posted July 21, 2009

Right before the query? Can you give me an example?

HPWebSolutions, posted July 23, 2009

What I mean is, don't do mysql_real_escape_string on variables you are going to be inserting into the database dozens of lines of code before the sql query, which can happen in larger applications. Always do the escaping right as you're doing the query so you are 100% certain that everything going into the MySQL query is properly escaped.

For example, instead of doing

```php
$num = mysql_real_escape_string($_POST['num']);
// 20 more lines of code
mysql_query("UPDATE num SET value='$num', someField='$num' WHERE id=1;");
```

do this instead:

```php
$num = $_POST['num'];
// 20 more lines of code
// escaped values must sit inside quotes; escaping alone does not protect an unquoted value
mysql_query("UPDATE num SET value='".mysql_real_escape_string($num)."', someField='".mysql_real_escape_string($num)."' WHERE id=1;");
```

or:

```php
$num = $_POST['num'];
// 20 more lines of code
// build the SET list with each escaped value wrapped in single quotes
$set_pairs = "value='".mysql_real_escape_string($num)."', someField='".mysql_real_escape_string($num)."'";
mysql_query("UPDATE num SET $set_pairs WHERE id=1;");
```
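
Added example, not part of the thread or any poster's code: the scouts lookup and the UPDATE discussed above, written with bound parameters instead of escaping, since the mysql_* functions used in the thread were removed in PHP 7. It assumes PHP with the pdo_sqlite extension; the in-memory tables, the sample rows and the function names identities_for and set_num are constructed for illustration.

```php
<?php
// Assumed environment: PHP with pdo_sqlite. The schema mirrors the thread's
// table names; every row below is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE scouts (id INTEGER PRIMARY KEY, username TEXT, identity TEXT)");
$pdo->exec("CREATE TABLE num (id INTEGER PRIMARY KEY, value INTEGER, someField INTEGER)");
$pdo->exec("INSERT INTO scouts (username, identity) VALUES
            ('alice', 'Sailor Example One'),
            ('alice', 'Sailor Example Two'),
            ('bob',   'Sailor Example Three')");
$pdo->exec("INSERT INTO num (id, value, someField) VALUES (1, 0, 0)");

// The scouts lookup: the username is bound as data, never concatenated into SQL.
function identities_for(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, identity FROM scouts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The UPDATE: a numeric field is validated as an integer first,
// then bound with an explicit integer type.
function set_num(PDO $pdo, $raw): bool
{
    $num = filter_var($raw, FILTER_VALIDATE_INT);
    if ($num === false) {
        return false; // reject anything that is not an integer
    }
    $stmt = $pdo->prepare('UPDATE num SET value = :v, someField = :f WHERE id = 1');
    $stmt->bindValue(':v', $num, PDO::PARAM_INT);
    $stmt->bindValue(':f', $num, PDO::PARAM_INT);
    return $stmt->execute();
}

// Output escaping for HTML is a separate step from the SQL binding.
foreach (identities_for($pdo, 'alice') as $row) {
    printf("<a href=\"showprofile.php?id=%d\">%s</a>\n",
           $row['id'], htmlspecialchars($row['identity'], ENT_QUOTES, 'UTF-8'));
}

// The username quoted in the thread is compared as a plain string.
var_dump(count(identities_for($pdo, "'; DROP TABLE users; --")));
var_dump(set_num($pdo, '42'));
var_dump(set_num($pdo, '7 apples'));
```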