Mutley Posted December 23, 2006

I'm using a variable to draw a control panel. The cookie doesn't recognise this, so if I put ?id=1 or ?id=2 they are supposed to be accessible by 2 different users; instead, you can log in to either account and still access the control panel by changing the variable to either 1 or 2.

I've tried this, where I check the cookie for the username and, if they match, allow access, although it doesn't work, I can't seem to log in at all:

[code]$logged = MYSQL_QUERY("SELECT * from users WHERE id='$_COOKIE[id]' AND '$userid'='$_COOKIE[content]'");[/code]

Is that wrong in any way? Is there another method of doing what I'm suggesting (a secure way)?
onlyican Posted December 23, 2006

First off

NEVER parse anything into the Database without securing it first, at least use mysql_real_escape_string()

I would do something like this

Second

I notice you are not using quotes in the cookie array list

$_COOKIE["id"];

otherwise it will try and match the global name ID, and if there is no global named ID, it would come up blank

Do something like this

[code]<?php
// Read the cookie values, defaulting to an empty string when absent
$userID = isset($_COOKIE["id"]) ? $_COOKIE["id"] : "";
$Content = isset($_COOKIE["content"]) ? $_COOKIE["content"] : "";
// Escape both values before they are placed in a query
$userID = mysql_real_escape_string($userID);
$Content = mysql_real_escape_string($Content);
$query = "SELECT * FROM users WHERE id='".$userID."'";
$result = mysql_query($query);
// A matching row means the id in the cookie exists in the users table
if(mysql_num_rows($result) != 0){
    $logged = true;
}else{
    $logged = false;
}
?>[/code]

I don't have a clue what you are trying to do on the second part of the query
Mutley Posted December 23, 2006

Thanks, I think I made it confusing with the $userid variable though.

That variable is what is used to determine which control panel is shown using $_GET, such as ?userid=john. What I need to do is check the cookie and database that the cookie in use is for that user, not someone else.

So if John logs in, it checks that the variable will be ?userid=john, it checks the cookie to see if John HAS logged on and then it checks the database to see if a John does exist. I hope that makes sense? At the moment you can log in as Bob and then type in the variable for John to see his control panel, not sure if this is the best way to do it.

So what you have typed up looks great but I'm confused how you've used the $userid.
Mutley Posted December 24, 2006

Anyone? :(
bljepp69 Posted December 24, 2006

If you're asking about the format of the expression for $userid, it's called a ternary operator. Read more about it here - [url=http://www.php.net/manual/en/language.operators.comparison.php]http://www.php.net/manual/en/language.operators.comparison.php[/url].

Did you have a different question?
Mutley Posted December 24, 2006

That's not what I mean, I'm saying that in the example above $userid is a $_GET variable from the URL such as ?userid=john.

In the example code I was given, $userid is a variable for the cookie, not the $_GET as I incorrectly stated it in my topic so people are getting confused. :)
onlyican Posted December 25, 2006

Translate your query

Let's say

[code]$_COOKIE["id"] = 10;
$userid = "john";
$_COOKIE["content"] = "MyContent";
$logged = MYSQL_QUERY("SELECT * from users WHERE id='{$_COOKIE["id"]}' AND '$userid'='{$_COOKIE["content"]}'");[/code]

So your query reads

SELECT * FROM users WHERE id = '10' AND john = 'MyContent'

Do you have a field called john in your MySQL Table?

And you know that $logged would be #Resource ID
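
The problem described in the thread (log in as Bob, change ?userid= to John's value, see John's control panel) is an authorization check that trusts values the browser controls. The following is an added example, not code from any poster in this thread: it swaps the thread's id cookie for a server-side session and mysql_query() for a PDO prepared statement, and the table layout, the sample users and the function name panelOwnerFor() are assumptions.

```php
<?php
// Added example (not from the thread). Table layout, column names and the
// helper name panelOwnerFor() are assumptions made for illustration.

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)");
$db->exec("INSERT INTO users (id, username) VALUES (1, 'john'), (2, 'bob')");

/**
 * Return the user row whose control panel may be shown, or null to deny.
 * $session stands in for $_SESSION (written by the server at login),
 * $get stands in for $_GET (fully controlled by the visitor).
 */
function panelOwnerFor(PDO $db, array $session, array $get): ?array
{
    // Identity comes only from server-side state, never from the URL or
    // from a cookie value the browser can edit.
    if (!isset($session['user_id'])) {
        return null; // not logged in
    }
    // Prepared statement: the value is bound, not spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null; // session refers to a user that no longer exists
    }
    // If the URL names a panel, it must be the logged-in user's own.
    // Strict comparison also rejects non-string input such as ?userid[]=x.
    if (isset($get['userid']) && $get['userid'] !== $user['username']) {
        return null;
    }
    return $user;
}

// Case 1: Bob (id 2) is logged in and edits the URL to ?userid=john.
var_dump(panelOwnerFor($db, ['user_id' => 2], ['userid' => 'john']));
// Case 2: Bob requests his own panel.
var_dump(panelOwnerFor($db, ['user_id' => 2], ['userid' => 'bob']));
// Case 3: no session at all, URL still names John.
var_dump(panelOwnerFor($db, [], ['userid' => 'john']));
```

In a real page the first array would be $_SESSION after session_start() and a login step that stores the user's id there, and the second would be $_GET.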