
Cookie verification problems


Mutley

I'm using a variable to draw a control panel.

The cookie doesn't recognise this, so if I put ?id=1 or ?id=2 they are supposed to be accessible by 2 different users; instead, you can log in to either account and still access the control panel by changing the variable to either 1 or 2.

I've tried this, where I check the cookie for the username and, if they match, allow access, although it doesn't work; I can't seem to log in at all:
[code]  $logged = MYSQL_QUERY("SELECT * from users WHERE id='$_COOKIE[id]' AND '$userid'='$_COOKIE[content]'");[/code]

Is that wrong in any way? Is there another method of doing what I'm suggesting (a secure way)?

First off
NEVER parse anything into the Database without securing it first, at least use mysql_real_escape_string()

I would do something like this

Second
I notice you are not using quotes in the cookie array list
$_COOKIE["id"];

otherwise it will try and match the global name ID
and if there is no global named ID, it would come up blank


Do something like this

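[code]
<?php
// Read the cookie values, defaulting to an empty string when a cookie is absent
$userID = isset($_COOKIE["id"]) ? $_COOKIE["id"] : "";
$Content = isset($_COOKIE["content"]) ? $_COOKIE["content"] : "";

// Escape both values before they are placed in a query string
$userID = mysql_real_escape_string($userID);
$Content = mysql_real_escape_string($Content);

$query = "SELECT * FROM users WHERE id='".$userID."'";

$result = mysql_query($query);

// mysql_query() returns false on failure, so check it before counting rows
if($result && mysql_num_rows($result) != 0){
    $logged = true;
}else{
    $logged = false;
}

?>
[/code]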

I don't have a clue what you are trying to do on the second part of the query.

Thanks, I think I made it confusing with the $userid variable though.

That variable is what is used to determine which control panel is shown using $_GET, such as ?userid=john what I need to do is check the cookie and database that the cookie in use is for that user, not someone else.

So if John logs in, it checks that the variable will be ?userid=john, it checks the cookie to see if John HAS logged on and then it checks the database to see if a John does exist. I hope that makes sense? At the moment you can log in as Bob and then type in the variable for John to see his control panel; not sure if this is the best way to do it.

So what you have typed up looks great but I'm confused how you've used the $userid.

If you're asking about the format of the expression for $userid, it's called a ternary operator. Read more about it here - [url=http://www.php.net/manual/en/language.operators.comparison.php]http://www.php.net/manual/en/language.operators.comparison.php[/url].

Did you have a different question?

That's not what I mean, I'm saying that in the example above $userid is a $_GET variable from the URL such as ?userid=john.

In the example code I was given, $userid is a variable for the cookie, not the $_GET as I incorrectly stated it in my topic so people are getting confused. :)

Translate your query.
Let's say
[code]
$_COOKIE["id"] = 10;
$userid = "john";
$_COOKIE["content"] = "MyContent";
$logged = MYSQL_QUERY("SELECT * from users WHERE id='{$_COOKIE["id"]}' AND '$userid'='{$_COOKIE["content"]}'");
[/code]

So your query reads

SELECT * FROM users WHERE id = '10' AND john = 'MyContent'

Do you have a field called john in your MySQL Table?

And you know that $logged would be #Resource ID
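
Added example, not part of the original thread or any poster's code: one way to do the check the question asks for, so that a logged-in user can only open their own control panel. The cookie layout (`<id>.<hmac>`), the function names, the secret and the in-memory SQLite table are all assumptions made for illustration.

```php
<?php
// Added example: every name, the secret and the sample rows are constructed.
const COOKIE_SECRET = 'replace-with-long-random-server-side-secret'; // assumption: stored server-side only

// Issued at login: "<id>.<hmac>", so the client cannot change the id unnoticed.
function make_auth_cookie(int $userId): string {
    return $userId . '.' . hash_hmac('sha256', (string)$userId, COOKIE_SECRET);
}

// Returns the authenticated user id, or null if the cookie is missing or altered.
function verify_auth_cookie(?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, '.') !== 1) return null;
    [$id, $mac] = explode('.', $cookie);
    if (!ctype_digit($id)) return null;
    $expected = hash_hmac('sha256', $id, COOKIE_SECRET);
    return hash_equals($expected, $mac) ? (int)$id : null; // constant-time compare
}

// Load a panel only when the requested id is the logged-in user's own id.
function load_panel(PDO $db, ?string $cookie, string $requestedId): ?array {
    $authId = verify_auth_cookie($cookie);
    if ($authId === null || !ctype_digit($requestedId) || (int)$requestedId !== $authId) {
        return null; // not logged in, or asking for someone else's panel
    }
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$authId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'john'), (2, 'bob')");

$bobCookie = make_auth_cookie(2);                                      // what Bob receives at login
var_dump(load_panel($db, $bobCookie, '2') !== null);                   // Bob asks for his own panel
var_dump(load_panel($db, $bobCookie, '1') !== null);                   // Bob asks for John's panel
var_dump(load_panel($db, '1.' . str_repeat('0', 64), '1') !== null);   // hand-edited cookie
```

The signed value here carries no expiry, so a copied cookie stays valid until the secret changes; PHP's built-in sessions (`$_SESSION`) give the same binding with the user id kept on the server instead.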
