Getting User ID

[karenn1]

I have a system where a user can log into the members area. Is there a way for the users to edit their profile WITHOUT using session_id? My database table looks like this:

 

ID, Name, Surname, Address, Email, Username, Password.

 

In other words, when the person logs in, I want the ID to be dragged with it and available on the members index page on the Edit Profile Link, ie. edit_profile.php?id=35.

 

Can someone please help?

 

Thanks,

Karen

[MadTechie]

personally i would use sessions..

other options cookies (kinda a bad idea)

or $_GET['id'] on every page and pass it via every link..!

 

just an idea!

[karenn1]

I'm using cookies at the moment combined with session_id. It works for the first time when your return to the page but any subsequent visits then the ID changes to a completely different users' ID.

 

Any idea how I can sort this out?

[MadTechie]

without seeing the code i couldn't say!

[karenn1]

This is the code for the login page. The actual HTML code for the form begins just underneath it:

 

<?php

// Connecting, selecting database 
include('../../includes/conn.inc.php'); 
include("../../includes/user_member.inc.php");
include("../../includes/validate.inc.php");
include("../../includes/error_report.inc.php");

$user = new user($db, members);

   	if(isset($_POST['remember'])){
      setcookie("cookname", $_POST['username'], time()+60*60*24*100, "/");
      setcookie("cookpass", $_POST['password'], time()+60*60*24*100, "/");
   } 
  
  
   
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
      $_SESSION['username'] = $_COOKIE['cookname'];
      $_SESSION['password'] = $_COOKIE['cookpass'];
      $user->login($_POST['username'], $_POST['password']);
   }

$validate = new validate("error");


if (isset($_POST['username']) && isset($_POST['password']))	{	
	$error["username"] = $validate->field($_POST['username']);
	$error["password"] = $validate->field($_POST['password']);	
	$error["email"] = $validate->field($_POST['email']);	
	$user->login($_POST['username'], $_POST['password']);
}
else {

 

And this is the members index page:

 

<?php
// includes
include("../includes/conn.inc.php");
include("../includes/user.inc.php");
include("../includes/error_report.inc.php");

// authorizing
$user = new user($db, "members");
$user->authorize("../public/eng/login.php", array("Member"));
?>
<?php

if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
             $_SESSION['username'] = $_COOKIE['cookname'];
            $_SESSION['password'] = $_COOKIE['cookpass'];

   }

$sql2 = "SELECT * FROM members WHERE id = '". $_SESSION["id"] ."'"; 
            $sql2 = mysql_query($sql2); 
$result2 = mysql_fetch_assoc($sql2); 

?>

 

The edit profile link is as follows:

 

<a href="profile_update.php?id=<?= $result2['id']; ?>

 

Don't worry about the authorization coding. That's just for the difference access levels that I have.

 

Any ideas?

[karenn1]

Does anybody have any ideas on this one?

 

Thanks,

Karen

[MadTechie]

why not store the user ID the same as your storing the username ?

 

i assume you know the security problems with the script above, maybe include a checksum, ie

setcookie("cookid", $ID, time()+60*60*24*100, "/");
setcookie("cookhash", md5($ID.$username."StaticSiteSalt"), time()+60*60*24*100, "/");

 

then to check the id

if($_COOKIE['cookhash'] == ($_COOKIE['cookid'].$_COOKIE['cookuser']."StaticSiteSalt"))
{
//valid
}