Make a session usable in a sql query

[Gotharious]

Hello all,

 

I've made this for users login, and now I want the user to only be able to see his info

so how can I use the $_SESSION['userid'] to search the database for it's value and echo results?

 

here is my code, I want to use the session value instead of get

 

<?    

      if (isset($_GET['id'])) {
      $con = mysql_connect("supremecenter14.co.uk","teko_waw","tmisabro77");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("teko_waw", $con);


	$result = mysql_query("select * from users where id = '{$_GET['id']}'");




	$row = @mysql_fetch_array($result);
	echo "<table width=98%>";       
	        echo "<tr>";
		echo "<td valign=\"top\" width=\"120px\">";
		$rowid = $row['id'];
		echo "<td valign=\"top\">";
		echo "<table>
			<tr>
			<td valign=\"top\" class=\"searchtitle\">
			".$row['fname']. '  ' .$row['mname']. '  ' .$row['lname']."
			</td>
			</tr>";
?>

 

and here is where they're set

 

if (isset($_POST['email']))
{
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);

//Query

$results = mysql_query("SELECT * FROM users WHERE email = $email AND password = $password");

if(!result) {
$_SESSION['error'] = '<span style="color: red">Login Failed. Email or Password is Incorrect <br/>';	
} else {
         
	$row = mysql_fetch_assoc($results);
	$_SESSION['userid'] = $row['id'];
	$_SESSION['email'] = $email;
	$_SESSION['error'] = 'Login Successful<br/>. Welcome,'. $email;	

}

[floridaflatlander]

I use

 

if (isset($_GET['id']) && is_numeric($_GET['id'])) {

$id = $_GET['id'];

} else redirect

 

then

 

if (($id == $_SESSION['mem_id'])) { // You could switch it to != and redirect first

 

$query =  " SELECT ................... WHERE id = $id or you could use  id = $_SESSION['mem_id']";

 

} else {redirect}

 

I also add a redirect if there is no member with that id