Fetching Database Table Details After PHP Login

[Giarc86]

Hi all,

I am a bit confused with this and wondered if someone could help.

I have a page that people can login to and then based on their login(username) it shows data in a table relevant to them.

I have found a script that is handling most of the hard work, I am just having trouble getting the data to display based on their login details.

I am assuming the login details would be stored in the SESSION so if I use:

$sql = "SELECT * FROM $tbl_name WHERE username = '" . $_SESSION['username'] . "'";

should it work? Or am I missing something?

Unless the login isn't storing in SESSION? Is there another way to perform a login?
Do I need to declare something else?

Thanks for any help!

 

[Other Pineapple Smurf]

Lets ignore security here but that looks right. Are you using session_start()

 

[guest2013-1]

echo $_SESSION['username']; and make sure you actually have the username stored in session.

It's hard to debug anything that "handles most of the hard work" because it's the script that will either use a session or a cookie or whatever to do the actual login. It might not even store the username but the userid as in the database (assuming there's a userid.

However, everything does look fine.

I'd do another echo on $sql just to make sure that $tbl_name in that sql is looking at the correct table and make sure that table has a column in there called username and/or if the username is actually in that table to begin with.

 

[Giarc86]

Security isn't a major issue at the moment.

I am using session_start() with username. If I remove the WHERE clause it displays all the data correctly but as soon as the WHERE clause is added in it won't.

EDIT: Just saw your post AcidRaZor, will try echo the username now.

 

[zippy]

What error message are you getting?

 

[Giarc86]

I am not getting any error message, the results are just not showing up.

I tried

echo $_SESSION['username'];

but nothing displayed however

echo $_SESSION['name_of_user'];

displays.
Inserting that into the WHERE clause doesn't show anything up though.

In the database there is name and username. username is used as the login, name just displays to welcome them.

I am not sure if this function helps anything:

function CheckLoginInDB($username,$password)
    {
        if(!$this->DBLogin())
        {
            $this->HandleError("Database login failed!");
            return false;
        }          
        $username = $this->SanitizeForSQL($username);
        $pwdmd5 = md5($password);
        $qry = "Select name, email from $this->tablename where username='$username' and password='$pwdmd5' and confirmcode='y'";
        
        $result = mysql_query($qry,$this->connection);
        
        if(!$result || mysql_num_rows($result) <= 0)
        {
            $this->HandleError("Error logging in.");
            return false;
        }
        
        $row = mysql_fetch_assoc($result);
        
        
        $_SESSION['name_of_user']  = $row['name'];
        $_SESSION['email_of_user'] = $row['email'];
        
        return true;
    }

 

[rward]

try prefixing the table name with the database name.

Could be your running the query without selecting the db ..
select * from db.table where col1 = 'xxx';

 

[Nod]

Maybe a stupid question, but if you do the query directly in the database, do you actually get anything back for the username used?

 

[Other Pineapple Smurf]

I always do to see what is being passed.

session_start();
var_dump($_SESSION);
die();

 

[Giarc86]

Okay it is working now.

$sql = "SELECT * FROM $tbl_name WHERE username = '" . $membersite->UserFullName() . "'";

The session was set in the function, so calling the function seems to work. I didn't realise that

Thank you to all for the help, much appreciated!

 

[Other Pineapple Smurf]

Now add your security before I login in as

johnny'; drop tables; '