
View Full Version : A little help needed!! PHP/Cookies/SQL



ukgoped
07-13-2005, 04:46 AM
<?php
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

$username = mysql_real_escape_string($_COOKIE['loggedin']);
$query = "SELECT * FROM users WHERE username = \'$username\'";
$rs = mysql_query($query);
$data = mysql_fetch_array($rs);
$firstname = $data['firstname'];
echo "Welcome to Your Account, $firstname";
?>

Can someone please help me get this piece of code right..

This is the error I get atm..

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/ukgoped/public_html/pedads/account.php on line 41
Welcome to Your Account,

Any help will be appreciated!!

Fou-Lu
07-13-2005, 04:54 AM
Your incorrect line is here:


$query = "SELECT * FROM users WHERE username = \'$username\'";

Change to:


$query = "SELECT * FROM users WHERE username = '" . $username . "'";

and you're good to go.
On a side note, cookies are insecure, you should use sessions instead.

ukgoped
07-13-2005, 04:59 AM
Sessions aren't my strong point..

If you could help me get sessions sorted that would be fantastic! I just wouldn't know where to start..

Fou-Lu
07-13-2005, 06:28 AM
Validating would be a toughie for it, and it's been a while since I've used straight sessions.
All pages must include a session_start() at the top, that's how the sessions are accessed. They are passed using cookies if available, or otherwise with the url:


<?php
session_start();
ob_start();

// After session_start() $_SESSION is always set, so test a key to detect a new session.
if (!isset($_SESSION['username']))
{
    $_SESSION['username'] = 'Guest';
    $_SESSION['loggedin'] = 0;
    $_SESSION['ipaddress'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
}

// Client IP or user agent changed: discard the session data and start over as a guest.
if (($_SESSION['user_agent'] != $_SERVER['HTTP_USER_AGENT']) OR ($_SESSION['ipaddress'] != $_SERVER['REMOTE_ADDR']))
{
    $_SESSION = array();
    if (isset($_COOKIE[session_name()]))
    {
        // expire the old session cookie (the function is setcookie(), not set_cookie())
        setcookie(session_name(), '', time()-42000, '/');
    }
    session_regenerate_id();
    $_SESSION['username'] = 'Guest';
    $_SESSION['loggedin'] = 0;
    $_SESSION['ipaddress'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
}

Use something of the sorts for a session.php file. Include this into all accessing files:


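<?php
include_once('./session.php');
include_once('./config.php');

// connect and select the database, as in the first post's script
$link = mysql_connect($server, $db_user, $db_pass)
    or die ("Could not connect to mysql because ".mysql_error());
mysql_select_db($database)
    or die ("Could not select database because ".mysql_error());

// session.php sets loggedin to 0 for guests, so test its value rather than isset()
if (!empty($_SESSION['loggedin']))
{
    // escape the name before output, it came from the login form
    die('Welcome to your account ' . htmlspecialchars($_SESSION['username']));
}

if (!empty($_POST['submit']))
{
    $query = "SELECT `password` FROM users WHERE username = '" . mysql_real_escape_string($_POST['username']) . "'";
    $result = mysql_query($query);
    // mysql_result() warns on an empty result, so check that a row came back first
    $password = ($result && mysql_num_rows($result) > 0) ? mysql_result($result, 0) : null;
    if ($password !== null && $password == $_POST['password'])
    {
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['password'] = $password;
        $_SESSION['loggedin'] = true;
        header("location: " . $_SERVER['PHP_SELF'] . "?" . SID);
        exit; // stop here so nothing else runs after the redirect
    }
    else
    {
        echo 'Username and/or password combination incorrect! Please try again!<br />';
    }
}
ob_end_flush();
?>
<form method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="submit" value="Submit" />
</form>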

Or something of the sorts for a login script.

Oh BTW, this is horribly standards uncompliant when it comes to XHTML.
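
The login check from the post above, as an added example that is not part of the original thread or any poster's code: it uses a PDO prepared statement instead of string concatenation, compares against a salted hash with password_verify(), and issues a new session id on login. The table layout, the password_hash column, the function names and the sample user are assumptions made for the example; it needs the pdo_sqlite extension for the in-memory demo.

```php
<?php
// Added example, not code from the thread. Assumed names: the users table
// layout, the password_hash column and both function names are hypothetical.
declare(strict_types=1);

function find_user(PDO $pdo, string $username): ?array
{
    // Bound parameter: the username never becomes part of the SQL text,
    // so quote handling (the original bug in this thread) cannot go wrong.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function attempt_login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user($pdo, $username);
    // Unknown user and wrong password return the same value, so the
    // caller cannot tell the form's visitor which of the two failed.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id at the privilege change
    }
    // Identity is kept server-side in the session, not in a cookie value.
    $_SESSION['username'] = $user['username'];
    $_SESSION['loggedin'] = true;
    return true;
}

// Constructed sample data in an in-memory SQLite database, so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
$results = [
    'wrong password'   => attempt_login($pdo, 'alice', 'wrong'),
    'quote in name'    => attempt_login($pdo, "o'brien", 'x'),
    'correct password' => attempt_login($pdo, 'alice', 'correct horse'),
];
var_dump($results);
```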


