mac007 Posted December 18, 2010 Share Posted December 18, 2010 Hi, All: I'm trying to figure out what way it's the best way to pull info belonging to a specific user based on whether he's a logged-in "member", and want to make sure he's not able to access any other member's details... would the best way be to try to match the user's "username" stored in a $_SESSION when fetching his info, something like this: <?php // Assume the login combo is this: $username = $_POST['username']; $password = $_POST['password']; // Assume he has already logged in: $_SESSION['username'] = $username; //EXAMPLE 1: SELECTING user info simply from actual DB username/password match: if ($_SESSION['username']) { $userRecords = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'"); $userInfo = mysql_fetch_array($userRecords); echo $userInfo['id'] . $userInfo['username'] . $userInfo['first-name'] . $userInfo['last-name'] . $userInfo['date-register']; } // EXAMPLE 2: or SELECTING user info based on $_SESSION['username'] value: if ($_SESSION['username']) { $userRecords = mysql_query("SELECT * FROM users WHERE username = . $_SESSION['username'] . AND password = '$password'"); $userInfo = mysql_fetch_array($userRecords); echo $userInfo['id'] . $userInfo['username'] . $userInfo['first-name'] . $userInfo['last-name'] . $userInfo['date-register']; } ?> So, my question is, are this actually working differently? is one better than the other as far as security, preventing other users from hacking either on purpose or accidenally into other user's details? thank! Appreciate any feedback... Link to comment https://forums.phpfreaks.com/topic/222076-best-way-to-select-info-belonging-only-to-specific-logged-in-user/ Share on other sites More sharing options...
joel24 Posted December 18, 2010 Share Posted December 18, 2010 both your examples are looking for a username/pwd match. On login search the db for a username/pwd match. If the query is successful then set a session variable with the user's ID or username if that is the primary key in the table. Link to comment https://forums.phpfreaks.com/topic/222076-best-way-to-select-info-belonging-only-to-specific-logged-in-user/#findComment-1149093 Share on other sites More sharing options...
mac007 Posted December 19, 2010 Author Share Posted December 19, 2010 thanks joel... I see what you are saying. So, if I was using the username as the $_SESSION['username'], then I should at least make sure this field is defined as "unique" or also primary in the db by default. Or then again, as you say, I could just simply use the primary user id field to set the $_SESSION. Thanks! Link to comment https://forums.phpfreaks.com/topic/222076-best-way-to-select-info-belonging-only-to-specific-logged-in-user/#findComment-1149110 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.