giraffemedia Posted March 6, 2008

Hello what is the best way to track a user who logs in to my site? I am currently using sessions and a mysql database (to authenticate the user login).

What I would like to do is set session variables at the start when login is confirmed so that in later pages I can echo their name etc to personalise the site a bit more.

Is this the correct way to do this? If so how do I recall the variables from the session?

If anyone has a better idea of how to do this please let me know.

Regards

James

blackwinter Posted March 6, 2008

Well you've got the idea from the database to hold the sessions but what you could probably do is define what each page is when they visit a page so whenever they visit a different page you can track them down. Make an array or something and from that figure out the request_uri and search for the specific script and have an array such as 'index.php' => 'Index' and 'form.php' => 'Viewing the Forum' that type of thing.

giraffemedia (Author) Posted March 6, 2008

Sorry Blackwinter but that makes no sense to me at all.

All I want to do is retrieve the user's first and last name from the database and store that in a session variable so that when they visit another page I can print things like "hello James" and "you were last here at..." and so on.

I want to do this by retrieving the session variables if this is possible, which I'm sure it is - I just don't know how to do it.

Hope this helps.

James

roopurt18 Posted March 6, 2008

See my replies to another post about the same thing:

http://www.phpfreaks.com/forums/index.php/topic,185869.msg832280.html#msg832280
http://www.phpfreaks.com/forums/index.php/topic,185869.msg832312.html#msg832312

giraffemedia (Author) Posted March 10, 2008

Ok. I have the pages working now where I have set the session assigning the variable name Login with the login name like so...

```php
session_start();
$_SESSION['Login'] = $login;
```

What I would like to do is select all the data for that user from the database where the login name matches the one set in the session variable. I'm not sure what code to put in on my mysql query though. Is it something like this...

```php
$getuser="SELECT * FROM members WHERE login = $_SESSION['Login']";
$getuser_result=mysql_query($getuser);
```

etc etc

It's not working at the moment but is it in the right area?

Regards

James

giraffemedia (Author) Posted March 10, 2008

I've figured it out.

Instead of putting

```php
$query="SELECT * FROM members WHERE login =$_SESSION[Login]";
$result=mysql_query($query);
```

I put

```php
$query="SELECT * FROM members WHERE login ='$_SESSION[Login]'";
$result=mysql_query($query);
```

Why is that? Is it because it was being treated as a string before?

roopurt18 Posted March 10, 2008

To be on the safe side, any time you enclose a variable inside of a double-quoted string you should wrap it inside curly braces, like so:

```php
$query="SELECT * FROM members WHERE login ='{$_SESSION['Login']}'";
```

Notice that also allows me to place the single quotes around the array key. Your use of $_SESSION[Login] inside of your query is technically incorrect because you are missing the single quotes around the key, so PHP defaults to a set behavior that you may not be able to count on in future releases.

To answer your actual question, while $_SESSION['Login'] is a string as far as PHP is concerned, it's not a string in MySQL until you wrap it with single quotes. All strings in MySQL must be enclosed in single quotes.

Additionally, you should always call mysql_real_escape_string() on any data you insert into a query. It doesn't really matter where this data comes from, you should do it anyways.

A convention I like to use is to define a $Clean array and assign cleaned values to its keys. Then in my queries I only use data that comes out of the $Clean array. It is a little extra coding, but it is a constraint that forces me to clean all of my data.

```php
$Clean = Array();
$Clean['login'] = "'" . mysql_real_escape_string($_SESSION['Login']) . "'";
$sql = "SELECT * FROM `users` WHERE `login`={$Clean['login']}";
```

Note also that in my queries I enclose table and field names in back ticks (the un-shifted tilde key). This prevents errors in MySQL where a table or column name happens to match a MySQL reserved word. And just because your column and table names don't match MySQL reserved words now doesn't mean they won't on the next release of MySQL.

nadeemshafi9 Posted March 10, 2008

If you track all the SQL that is used by the user you can track what they are doing and looking at.

helraizer Posted March 10, 2008

I usually use $_SESSION['login'] = 1; to set the user as logged in. Then unset it if they logout.

Then use an if statement like

```php
<?php
if(isset($_SESSION['login'])) {
    //user is logged in, welcome $user
} else {
    //user not logged in
}
?>
```

As for tracking I haven't tested this but, add a column to your table called 'page' on each page have a $_SESSION['page']. So on the index page you might put $_SESSION['page']=1; then on the next page unset($_SESSION['page']) to clean up that variable, under that code set the variable again $_SESSION['page']=2; etc.. keep doing that. Each time have an SQL statement "UPDATE members SET page=$page WHERE user_id=$user_id" which will let you know which page the user is on at any time.

Sam

giraffemedia (Author) Posted March 11, 2008

Thanks for your help. I have had trouble with the code you supplied roopurt so I thought I'd show you what I've written myself. What do you think?

```php
<?php
include('../../config.php');
include('../../opendb.php');

//Sanitize the value received from login field to prevent SQL Injection
if(!get_magic_quotes_gpc()) {
    $login=mysql_real_escape_string($_POST['login']);
} else {
    $login=$_POST['login'];
}

//Create query
$getuser="SELECT user_id FROM users WHERE login='$login'";
$getuser_result=mysql_query($getuser);

//Check whether the query was successful or not
if($getuser_result) {
    if(mysql_num_rows($getuser_result)>0) {
        //If login is successful start session and set the session variable to be the login name
        session_start();
        $_SESSION['Login'] = $login;
        //Send the user to the main admin page
        header("location: ../home.php");
        exit();
    } else {
        //Login failed
        header("location: login_failed.php");
        exit();
    }
} else {
    die("Query failed because... ".mysql_error());
}
?>
```

roopurt18 Posted March 11, 2008

```php
if(!get_magic_quotes_gpc()) {
    $login=mysql_real_escape_string($_POST['login']);
} else {
    $login=$_POST['login'];
}
```

You have to call mysql_real_escape_string() no matter what, whether Magic Quotes is on or off. The difference is if Magic Quotes is on you have to call stripslashes() first.

```php
$login = $_POST['login'];
if(MAGIC_QUOTES_IS_ON){ // <-- Replace that with your own test (use the PHP manual)
    $login = stripslashes($login);
}
$login = mysql_real_escape_string($login);
// Now $login is safe to use in a query
```

discomatt Posted March 11, 2008

I'd just make a sanitize function...

```php
function sql_sanitize ($string, $link) {
    if (get_magic_quotes_gpc())
        $string = stripslashes($string);
    return mysql_real_escape_string($string, $link);
}
```
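
Added example, not part of any post in this thread: the same login lookup done with a PDO prepared statement, the approach that replaced escape-and-concatenate once the mysql_* functions were removed in PHP 7.0. The in-memory SQLite database, the `find_user()` name and the sample rows are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// stands in for the MySQL server so the script runs offline; with MySQL only
// the DSN passed to "new PDO(...)" changes. All rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, login TEXT UNIQUE,
           first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users (login, first_name, last_name)
           VALUES ('james', 'James', 'Example'), ('o''brien', 'Pat', 'O''Brien')");

/**
 * Look up one user by login name (hypothetical helper). The value is sent as
 * a bound parameter, so it never becomes part of the SQL text and needs no
 * escaping or magic-quotes handling.
 */
function find_user(PDO $db, string $login): ?array
{
    $stmt = $db->prepare(
        'SELECT user_id, login, first_name, last_name FROM users WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal login, a login containing a quote, and a
// value that would change the WHERE clause if it were pasted into the query.
$inputs = ['james', "o'brien", "nobody' OR '1'='1"];
foreach ($inputs as $login) {
    $user = find_user($db, $login);
    printf("%-20s => %s\n", $login, $user ? "user_id {$user['user_id']}" : 'no match');
}
```

The login containing a quote is matched as an ordinary value, and the third input is compared literally against the `login` column instead of being parsed as SQL.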

nadeemshafi9 Posted March 11, 2008

You should have an ajax function that repeatedly indicates to the database that you are online; at any UNLOAD you should zero the status using another AJAX.

discomatt Posted March 11, 2008

Using javascript to track user activity is crazy.

Just build a function that executes on each pageload that updates the user's last active time and deletes any times older than x minutes.

soycharliente Posted March 11, 2008

I don't think he's suggesting to use JS to track, but to call back to the server for immediate reporting without having to reload the page.

discomatt Posted March 11, 2008

Reread his post... the idea was to have a JS function indicate to the database that the user is active, and use unload to tell the db the window was closed and to send the session.

This is bad because the session will maintain if the user leaves the computer for any amount of time, as long as the window is open... or can screw with the script by turning js off before they unload. Or the user could just have JS disabled...
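
Added example, not part of any post in this thread: one way to write the per-page-load function discomatt describes, recording each user's last active time on the server and pruning idle rows. The `user_activity` table, the function names and the 15-minute timeout are assumptions.

```php
<?php
// Added example, not code from the thread. Table name, column names and the
// 15-minute timeout are assumptions; SQLite in memory keeps it offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_activity (user_id INTEGER PRIMARY KEY,
           page TEXT NOT NULL, last_active INTEGER NOT NULL)');

/**
 * Call once per page load for a logged-in user: record where they are and
 * when, then drop rows idle for longer than $timeout seconds.
 */
function touch_activity(PDO $db, int $userId, string $page, int $now, int $timeout = 900): void
{
    $db->prepare('REPLACE INTO user_activity (user_id, page, last_active) VALUES (?, ?, ?)')
       ->execute([$userId, $page, $now]);
    $db->prepare('DELETE FROM user_activity WHERE last_active < ?')
       ->execute([$now - $timeout]);
}

/** Users seen within the timeout window, most recent first. */
function online_users(PDO $db): array
{
    return $db->query('SELECT user_id, page, last_active FROM user_activity
                       ORDER BY last_active DESC')->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed timeline: user 1 loads a page, user 2 loads one 10 minutes
// later, then user 2 loads another page 10 minutes after that. By then
// user 1 has been idle for 20 minutes and is pruned without any JavaScript.
$t0 = 1205236800; // constructed timestamp
touch_activity($db, 1, '/home.php', $t0);
touch_activity($db, 2, '/home.php', $t0 + 600);
touch_activity($db, 2, '/profile.php', $t0 + 1200);

foreach (online_users($db) as $row) {
    echo "user {$row['user_id']} on {$row['page']}\n";
}
```

In a real page the user id would come from the session set at login and `$now` from `time()`, so the record depends only on requests the server actually received.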
This topic is now archived and is closed to further replies.