Jump to content

Setting a table value as a cookie


merrick89

Recommended Posts

Hi, I'm pretty new to php, and to this site as well, so please bear with me...

 

I have a table in my database which has "user_id" as its primary key, and i want to set the values under this as a cookie.

I've put in bold the main things that are affecting it (I think).

 

As is, the mysite_userid cookie does not set properly, and I get an error like this "Header may not contain more than a single header, new line detected...."

 

Any help would be really appreciated!!

 

<?php

 

include("connect.php");

 

$match = "select user_id from $table where username = '".$_POST['username']."'

and password = '".$_POST['password']."';";

 

$qry = mysql_query($match)

or die ("Could not match data because ".mysql_error());

$num_rows = mysql_num_rows($qry);

 

if ($num_rows <= 0) {

echo "Sorry, there is no username ".$_POST['username']." with the specified password.

";

echo "Try again";

exit;

}

 

$remember = strip_tags($_POST['remember']);

 

if ($remember) {

    setcookie("loggedin", "TRUE", time()+3600*24);

setcookie("mysite_username", "".$_POST['username']."");

header("Location: members.php");

        }

else {

 

 

setcookie("loggedin", "TRUE");

setcookie("mysite_username", "".$_POST['username']."");

setcookie("mysite_userid", $qry);

 

$site_username = $HTTP_COOKIE_VARS["mysite_username"];

$site_userid = $HTTP_COOKIE_VARS["mysite_userid"];

 

header("Location: members.php?user=$site_userid");

 

}

?>

Link to comment
Share on other sites

there are several things wrong with this code, and I am amazed that this is the only error that you are receiving.

 

1. you have an extra semi-colon in your SQL, it should read.

 

$match = "select user_id from $table where username = '$_POST['username']'
and password = '$_POST['password']'"; 

 

2. note: using the context "or die(mysql_error())" should only be used in the developmental stages of coding. Once the site is ready to be live, a new error handling method should be created.

 

3. mysql_num_rows cannot return a negative value, so checking if mysql_num_rows is negative is not needed, you can simply write:

 

if ($num_rows == 0)

 

4. (this should be the first check), you should always check to make sure that $_POST values are set by using isset before using them in your code.

 

if(isset($_POST['username'], $_POST['password']))

 

5. user input validation is a must before attempting to use the values in a query, as your code is right now, it is wide open to SQL injection. mysql_real_escape_string should be used at the least.

 

6. again, you are attempting to use a $_POST value ($_POST['remember']) before checking to make sure that it is set. You are also using strip_tags() on the value, and then checking for its existence, which logically makes no sense.

 

7. the first 2 cookies in theory should be ok. However the third one would cause trouble, since you are attempting to store a resource returned from mysql_query() into a cookie, which again, logically makes no sense. If you are attempting to store a value grabbed from the query, then use a mysql_fetch function to grab the values. mysql_fetch_assoc

 

8. $HTTP_COOKIE_VARS is deprecated and should not be used, use the superglobal array $_COOKIE instead. http://www.php.net/manual/en/reserved.variables.cookies.php

 

9. judging from the header, you expect $site_userid to have the value of user_id grabbed from your query as its value, thus $_COOKIE['mysite_userid'] as well, if this is the case, refer to answer 7.

Link to comment
Share on other sites

1. you have an extra semi-colon in your SQL, it should read.

 

$match = "select user_id from $table where username = '$_POST['username']'
and password = '$_POST['password']'"; 

 

Semi-colons are interpreted by MySQL as the end of a statement, so that won't hurt anything. It will work either way.

Link to comment
Share on other sites

Hi, yes the problem has been solved with mysql_fetch_assoc. We've also made changes based on your other recommendations. I don't understand them all yet, but I'm working on it!

 

Also, I tried making

 

$match = "select user_id from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";

 

into

 

$match = "select user_id from $table where username = '$_POST['username']'
and password = '$_POST['password']'"; 

 

but for some reason it gives a syntax error, so I just left it for now.

 

Here's what it looks like now:

 

<?php

include("connect.php"); 

if(isset($_POST['username'], $_POST['password']))

$match = "select user_id from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry); 

if ($num_rows == 0) { 
echo "Sorry, there is no username ".$_POST['username']." with the specified password.
";
echo "Try again";
exit; 
} 

$remember = $_POST['remember'];
$result = mysql_fetch_assoc($qry);
$user_id = $result['user_id'];

if ($remember) {
	    setcookie("loggedin", "TRUE", time()+3600*24);
		setcookie("mysite_username", "".$_POST['username']."", time()+3600*24);
		setcookie("mysite_userid", $user_id, time()+3600*24);
		header("Location: members.php");
        }
else {


setcookie("loggedin", "TRUE");
setcookie("mysite_username", "".$_POST['username']."");
setcookie("mysite_userid", $user_id);

$site_username = $_COOKIE["mysite_username"];
$site_userid = $_COOKIE["mysite_userid"];

header("Location: members.php?user=$site_username");

}
?>

Link to comment
Share on other sites

$match = "select user_id from $table where username = '$_POST['username']'

and password = '$_POST['password']'";

 

yes this was a tiny mistake on my part, the error is due to not concatenating the string correctly, if you want to use $_POST directly in your query, change it to this.

 

$match = "select user_id from $table where username = '". $_POST['username'] ."'
and password = '". $_POST['password'] ."'"; 

Link to comment
Share on other sites

The three cookies you are setting for your 'login' script is not a secure way of making a login script and will easily allow anyone to become logged in as anyone else. Anyone can send any cookie value to your script. The "loggedin" cookie can simply be sent as "TRUE". The username is often displayed on social sites like forums and can easily be found or guessed if you have a username like 'admin' that can do anything on the site once logged in. The sequential user_id from the database can easily be found by sending a sequence of numbers until a match is found.

 

For a 'remember me' feature, you need to generate a unique and hard to guess and hard to reproduce 'token' and store that in the cookie and in the row in your user table for the person who has logged in. This token value will only identify the visitor so that you can find his row in the user table (you would typically get his user_id and display name out of the table and store them in session variables.) You also need to keep the logged in/logged out state in the user table so that if someone specifically logs out (or your code automatically logs inactive visitors out after a time period), even if someone has obtained a copy of the unique id token value, they cannot visit the site and be considered to be logged in. They would need to know both the username and password in order to become logged in.

Link to comment
Share on other sites

hmmm, that makes sense, I'll look into that too. I'm currently working on using mysql_real_escape_string() in the registration page, and I'm having a bit of trouble there too  :shrug: ...

 

I'm using the code from w3schools:

 

<?php
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Make a safe SQL
$user = check_input($_POST['user']);
$email = check_input($_POST['email']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?> 

 

That's directly from their tutorial. The problem I'm having is that I insert the email, password, username data into a table on my database, but the values insert as ' . And then its supposed to send you a confirmation e-mail, however since the e-mail submitted into the table is a ' , no e-mail gets sent out...

 

I was trying to google stuff and I saw a guy post this on another forum:

 

So I think what the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputing it to the browser.

 

So is what I'm trying to do impossible?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.