  1. #1

    A quick PHP question

    I've looked around and haven't found anything yet.

    I want to check the whole table and make sure that no results match except for where the username='$_SESSION[username]'. I am trying to make a user management script, and the script will update the user's new e-mail if nobody else is using the e-mail or the $_SESSION['username'] email matches the new e-mail (if it doesn't change).

    Do you know what I mean?

    My query looks something like

    PHP Code:
    // Look for any other member already using $email; the current user's own
    // row is excluded so an unchanged address does not count as a conflict.
    // Both values are still dropped into the SQL unescaped, which is the
    // injection problem middayc points out below.
    $query = sprintf(
        "SELECT email FROM members WHERE email = '%s' AND !(username = '%s')",
        $email,
        $_SESSION['username']
    );
    Thanks

  2. #2
    Try not to store ANY user information in the sessions.

    Create a sessions table, generate a session hash for you to store on the remote computer.

    On each page load, grab the session hash from the cookie and/or session, look it up, and JOIN the sessions table with the users table.

    Now you have access to all of your user's information, but ONLY if the client's session matches the IP address and other randomly generated information.

    Also, you could just run this -

    PHP Code:
    <?php
    // Count the rows already using this address. Note: the mysql_* functions
    // were removed in PHP 7, and $email is interpolated unescaped here, so on
    // this API it should at least pass through mysql_real_escape_string().
    $query = mysql_query("SELECT email FROM members WHERE email = '$email'");

    // mysql_num_rows() is the actual function name. Any matching row (> 0)
    // means the address is taken, because this query does not exclude the
    // current user's own row.
    if (mysql_num_rows($query) > 0) {
        //The email address exists!
    } else {
        //The email address hasn't been used :)
    }
    ?>
    It may not be 100% correct, especially in the mysql commands, as I'm used to ADODB at this point.
    Matthew Rosenblatt, and I do lots of things.
    Used to be a full time server administrator, now I help build cruise ships and inspect homes.
    My company, Ferrell Solutions, specializes in home inspections and property management.
    RecallScan is a service for monitoring appliances and vehicles in your home for recalls.

  3. #3
    "SELECT count(email) as cnt FROM members WHERE email = '$email'"
    You don't have to change the email if this user already has that email as then he's trying to change to the same email he already has.

    If you still want to check
    "SELECT count(email) as cnt FROM members WHERE email = '$email' AND user != '$user';"
    Similar to what you had.

    I am not sure HostTDS-Matt is correct. PHP sessions are not COOKIES. If you store something in the SESSION it stays on the SERVER; it's never passed to the client in a cookie or anything. Only the autogenerated SESSION key gets passed in the cookie or URL. Basically it already works similarly to what he describes by itself, so by Matt's advice you would be doubling the behaviour.

    It's never good to put a _SESSION variable directly into an SQL string, and you would have an error, as you have to wrap it like this:
    !(username='{$_SESSION['username']}')
    because you are accessing a complex variable.
    Last edited by middayc; 07-02-2009 at 03:05 PM.

  4. #4
    Quote Originally Posted by middayc:
    You don't have to change the email if this user already has that email as then he's trying to change to the same email he already has.

    If you still want to check
    Similar to what you had.

    I am not sure HostTDS-Matt is correct. PHP sessions are not COOKIES. If you store something in the SESSION it stays on the SERVER; it's never passed to the client in a cookie or anything. Only the autogenerated SESSION key gets passed in the cookie or URL. Basically it already works similarly to what he describes by itself, so by Matt's advice you would be doubling the behaviour.

    It's never good to put a _SESSION variable directly into an SQL string, and you would have an error, as you have to wrap it like this, because you are accessing a complex variable.

    I will try this in the morning as it appears to be correct from what I can see.

    Also, about the sessions, you're saying that I shouldn't use direct $_SESSION variables? Is that because they can be modified by the client easily? I've set it so that when the user logs in, it queries the user's username and stores it in a session. I don't know if this is correct or not but it seems to be working quite well (although I am not too sure about the security).

    Anyways yeah, I will try it in the morning and post the results :p

  5. #5
    Basically, my sentence about $_SESSION is a little exaggerated if I think about it. Only you on the server side can set a session variable. The client can't; it can set cookies by itself but not the session.

    That sentence would hold for using $_GET, $_POST, $_REQUEST, $_COOKIES and perhaps some others, but I admit it doesn't really apply to $_SESSION.

  6. #6
    So using $_SESSION is more secure than using $_COOKIES and $_GET and $_POST variables?

  7. #7
    The difference is that you (your PHP code on the server) set the $_SESSION values, and you can trust yourself (to some degree).

    $_COOKIES can be set by JavaScript (which the client can control) or faked in a rogue browser (bot).

    $_GET and $_POST are user input; you have to take into account that the user is a hacker.
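Putting middayc's two points together (the COUNT query from #3 that excludes the current user, and the trust ordering of $_SESSION versus $_POST from #7), here is an added example that is not code from the thread: the uniqueness check written with PDO bound parameters, so neither the e-mail nor the session username is ever spliced into the SQL string. The `members` table, the `emailInUseByOther`/`updateEmail` function names and the sample rows are assumptions for the demo; it runs offline against an in-memory SQLite database.

```php
<?php
// Added example, not code from the thread: the COUNT query from #3 with the
// current user excluded, written with PDO bound parameters instead of
// interpolating $email or $_SESSION['username'] into the SQL string.
// Runs offline against an in-memory SQLite table with constructed rows.

function emailInUseByOther(PDO $db, string $email, string $currentUser): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM members WHERE email = :email AND username <> :user'
    );
    $stmt->execute([':email' => $email, ':user' => $currentUser]);
    return (int) $stmt->fetchColumn() > 0;
}

function updateEmail(PDO $db, string $currentUser, string $newEmail): bool
{
    // In a real form handler $newEmail is the raw $_POST value: untrusted
    // input, so check its shape before it goes anywhere near the database.
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (emailInUseByOther($db, $newEmail, $currentUser)) {
        return false; // another member already has this address
    }
    // Either unchanged (the user's own address) or free: safe to write.
    $stmt = $db->prepare('UPDATE members SET email = :email WHERE username = :user');
    $stmt->execute([':email' => $newEmail, ':user' => $currentUser]);
    return true;
}

// Constructed sample data standing in for the real members table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO members VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// $currentUser plays the role of $_SESSION['username'], which only the
// server-side login code sets; each $newEmail plays the role of raw $_POST
// input. The apostrophe in o'brien@... would have broken the interpolated
// query but is harmless as a bound parameter.
$currentUser = 'alice';
foreach (['alice@example.com', 'bob@example.com', "o'brien@example.com", 'not-an-email'] as $newEmail) {
    printf("%-22s -> %s\n", $newEmail, updateEmail($db, $currentUser, $newEmail) ? 'updated' : 'refused');
}
```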

  8. #8
    Quote Originally Posted by middayc:
    The difference is that you (your PHP code on the server) set the $_SESSION values, and you can trust yourself (to some degree).

    $_COOKIES can be set by JavaScript (which the client can control) or faked in a rogue browser (bot).

    $_GET and $_POST are user input; you have to take into account that the user is a hacker.
    Ok, thanks for all your help! I will take this into consideration when I am designing more of my scripts. Thanks

  9. #9
    You're right, sessions are not cookies, but PHP assigns a cookie to the user's computer, set to terminate upon the browser closing, which holds the PHP session ID.

    At least, I'm pretty sure that's how it works. Otherwise, how would PHP be able to track who gets which session? There would be no other way that I can think of. Then again, I haven't slept in days so I could be wrong.

  10. #10
    Yes, a cookie is placed on the client's computer to hold the session ID, but the session variables themselves are stored on the server.

    I would never store a password in a session variable, but other non sensitive user information is fine.

  11. #11
    Thanks a lot guys

  12. #12
    Even I had the same problem, thanks a lot
