giraffemedia Posted March 6, 2008

Hello, what is the best way to track a user who logs in to my site? I am currently using sessions and a mysql database (to authenticate the user login).

What I would like to do is set session variables at the start when login is confirmed so that in later pages I can echo their name etc to personalise the site a bit more. Is this the correct way to do this? If so how do I recall the variables from the session?

If anyone has a better idea of how to do this please let me know.

Regards

James
blackwinter Posted March 6, 2008

Well you've got the idea from the database to hold the sessions but what you could probably do is define what each page is when they visit a page so whenever they visit a different page you can track them down. Make an array or something and from that figure out the request_uri and search for the specific script and have an array such as 'index.php' => 'Index' and 'form.php' => 'Viewing the Forum', that type of thing.
giraffemedia Posted March 6, 2008 (Author)

Sorry Blackwinter but that makes no sense to me at all. All I want to do is retrieve the user's first and last name from the database and store that in a session variable so that when they visit another page I can print things like "hello James" and "you were last here at..." and so on. I want to do this by retrieving the session variables if this is possible, which I'm sure it is - I just don't know how to do it.

Hope this helps.

James
roopurt18 Posted March 6, 2008

See my replies to another post about the same thing:

http://www.phpfreaks.com/forums/index.php/topic,185869.msg832280.html#msg832280
http://www.phpfreaks.com/forums/index.php/topic,185869.msg832312.html#msg832312
giraffemedia Posted March 10, 2008 (Author)

Ok. I have the pages working now where I have set the session assigning the variable name Login with the login name like so...

    session_start();
    $_SESSION['Login'] = $login;

What I would like to do is select all the data for that user from the database where the login name matches the one set in the session variable. I'm not sure what code to put in on my mysql query though. Is it something like this...

    $getuser="SELECT * FROM members WHERE login = $_SESSION['Login']";
    $getuser_result=mysql_query($getuser);

etc etc

It's not working at the moment but is it in the right area?

Regards

James
giraffemedia Posted March 10, 2008 (Author)

I've figured it out. Instead of putting

    $query="SELECT * FROM members WHERE login =$_SESSION[Login]";
    $result=mysql_query($query);

I put

    $query="SELECT * FROM members WHERE login ='$_SESSION[Login]'";
    $result=mysql_query($query);

Why is that? Is it because it was being treated as a string before?
roopurt18 Posted March 10, 2008

To be on the safe side, any time you enclose a variable inside of a double-quoted string you should wrap it inside curly braces, like so:

    $query="SELECT * FROM members WHERE login ='{$_SESSION['Login']}'";

Notice that also allows me to place the single quotes around the array key. Your use of $_SESSION[Login] inside of your query is technically incorrect because you are missing the single quotes around the key, so PHP defaults to a set behavior that you may not be able to count on in future releases.

To answer your actual question, while $_SESSION['Login'] is a string as far as PHP is concerned, it's not a string in MySQL until you wrap it with single quotes. All strings in MySQL must be enclosed in single quotes.

Additionally, you should always call mysql_real_escape_string() on any data you insert into a query. It doesn't really matter where this data comes from, you should do it anyways.

A convention I like to use is to define a $Clean array and assign cleaned values to its keys. Then in my queries I only use data that comes out of the $Clean array. It is a little extra coding, but it is a constraint that forces me to clean all of my data.

    $Clean = Array();
    $Clean['login'] = "'" . mysql_real_escape_string($_SESSION['Login']) . "'";
    $sql = "SELECT * FROM `users` WHERE `login`={$Clean['login']}";

Note also that in my queries I enclose table and field names in back ticks (the un-shifted tilde key). This prevents errors in MySQL where a table or column name happens to match a MySQL reserved word. And just because your column and table names don't match MySQL reserved words now doesn't mean they won't on the next release of MySQL.
nadeemshafi9 Posted March 10, 2008

If you track all the SQL that is used by the user you can track what they are doing and looking at.
helraizer Posted March 10, 2008

I usually use

    $_SESSION['login'] = 1;

to set the user as logged in. Then unset it if they logout. Then use an if statement like

    <?php
    if(isset($_SESSION['login'])) {
        //user is logged in, welcome $user
    } else {
        //user not logged in
    }
    ?>

As for tracking, I haven't tested this but: add a column to your table called 'page'; on each page have a $_SESSION['page']. So on the index page you might put $_SESSION['page']=1; then on the next page unset($_SESSION['page']) to clean up that variable, and under that code set the variable again, $_SESSION['page']=2; etc. Keep doing that. Each time have an SQL statement

    "UPDATE members SET page=$page WHERE user_id=$user_id"

which will let you know which page the user is on at any time.

Sam
giraffemedia Posted March 11, 2008 (Author)

Thanks for your help. I have had trouble with the code you supplied roopurt so I thought I'd show you what I've written myself. What do you think?

    <?php
    include('../../config.php');
    include('../../opendb.php');

    //Sanitize the value received from login field to prevent SQL Injection
    if(!get_magic_quotes_gpc()) {
        $login=mysql_real_escape_string($_POST['login']);
    } else {
        $login=$_POST['login'];
    }

    //Create query
    $getuser="SELECT user_id FROM users WHERE login='$login'";
    $getuser_result=mysql_query($getuser);

    //Check whether the query was successful or not
    if($getuser_result) {
        if(mysql_num_rows($getuser_result)>0) {
            //If login is successful start session and set the session variable to be the login name
            session_start();
            $_SESSION['Login'] = $login;
            //Send the user to the main admin page
            header("location: ../home.php");
            exit();
        } else {
            //Login failed
            header("location: login_failed.php");
            exit();
        }
    } else {
        die("Query failed because... ".mysql_error());
    }
    ?>
roopurt18 Posted March 11, 2008

    if(!get_magic_quotes_gpc()) {
        $login=mysql_real_escape_string($_POST['login']);
    } else {
        $login=$_POST['login'];
    }

You have to call mysql_real_escape_string() no matter what, whether Magic Quotes is on or off. The difference is if Magic Quotes is on you have to call stripslashes() first.

    $login = $_POST['login'];
    if(MAGIC_QUOTES_IS_ON){ // <-- Replace that with your own test (use the PHP manual)
        $login = stripslashes($login);
    }
    $login = mysql_real_escape_string($login);
    // Now $login is safe to use in a query
discomatt Posted March 11, 2008

I'd just make a sanitize function...

    function sql_sanitize ($string, $link) {
        if (get_magic_quotes_gpc())
            $string = stripslashes($string);
        return mysql_real_escape_string($string, $link);
    }
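
Since the mysql_* functions used in this thread were removed in PHP 7.0, here is the same login lookup written with a bound parameter instead of manual escaping (an added example, not code from any poster in the thread). It assumes PDO with an in-memory SQLite database so it runs offline; the `members` rows, the `find_member()` helper and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for `members`.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (user_id INTEGER PRIMARY KEY, login TEXT UNIQUE, first_name TEXT)');
    $db->exec("INSERT INTO members (login, first_name) VALUES ('james', 'James'), ('o''brien', 'Pat')");
    return $db;
}

// Hypothetical helper: the value is bound as a parameter, so it is never
// parsed as SQL and needs no quoting or escaping by the caller.
function find_member(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT user_id, login, first_name FROM members WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_demo_db();

// Constructed inputs: a normal login, one containing a quote, and a
// string that would change the query if it were concatenated into it.
foreach (['james', "o'brien", "x' OR '1'='1"] as $login) {
    $member = find_member($db, $login);
    printf("%-14s => %s\n", $login, $member ? 'found ' . $member['first_name'] : 'no match');
}
```

In the thread's pages the argument to `find_member()` would be `$_POST['login']` at login time or `$_SESSION['Login']` on later pages.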
nadeemshafi9 Posted March 11, 2008

You should have an AJAX function that repeatedly indicates to the database that you are online. At any UNLOAD you should zero the status using another AJAX call.
discomatt Posted March 11, 2008

Using javascript to track user activity is crazy.

Just build a function that executes on each pageload that updates the user's last active time and deletes any times older than x minutes.
soycharliente Posted March 11, 2008

I don't think he's suggesting to use JS to track, but to call back to the server for immediate reporting without having to reload the page.
discomatt Posted March 11, 2008

Reread his post.. the idea was to have a JS function indicate to the database that the user is active, and use unload to tell the db the window was closed and to send the session.

This is bad because the session will maintain if the user leaves the computer for any amount of time, as long as the window is open... or can screw with the script by turning JS off before they unload. Or the user could just have JS disabled...
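
The server-side approach discomatt describes (update the last active time on every page load, delete entries older than x minutes) can be sketched as follows; this is an added example, not code from any poster. The `activity` table, the function names, the 15-minute `IDLE_LIMIT` and the timestamps are assumptions, and an in-memory SQLite database is used so the sketch runs offline.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900; // assumed timeout: 15 minutes, in seconds

function open_activity_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE activity (user_id INTEGER PRIMARY KEY, last_active INTEGER NOT NULL)');
    return $db;
}

// Called at the top of every page: drop stale rows, then record this hit.
function touch_activity(PDO $db, int $userId, int $now): void
{
    $db->prepare('DELETE FROM activity WHERE last_active < ?')->execute([$now - IDLE_LIMIT]);
    $db->prepare('INSERT OR REPLACE INTO activity (user_id, last_active) VALUES (?, ?)')
       ->execute([$userId, $now]);
}

// A user counts as online only while a non-expired row exists, so a
// browser left open with no page loads ages out without any JavaScript.
function is_online(PDO $db, int $userId, int $now): bool
{
    $stmt = $db->prepare('SELECT 1 FROM activity WHERE user_id = ? AND last_active >= ?');
    $stmt->execute([$userId, $now - IDLE_LIMIT]);
    return $stmt->fetchColumn() !== false;
}

$db = open_activity_db();
$t0 = 1205236800; // constructed timestamp

touch_activity($db, 1, $t0);             // user 1 loads a page
touch_activity($db, 2, $t0 + 600);       // user 2 loads a page 10 minutes later
var_dump(is_online($db, 1, $t0 + 600));  // user 1 is still inside the idle limit
touch_activity($db, 2, $t0 + 1000);      // user 2 again; user 1's row is stale and removed
var_dump(is_online($db, 1, $t0 + 1000));
var_dump(is_online($db, 2, $t0 + 1000));
```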