| SitePoint Sponsor |
i'm new at php and i have made a login page which is connected to mysql database ,where there are data for different employess,and i wanted to know how can everyone that login on page access only his data and the data for other employess are unvisible...Thanks!
If someone logs into your page, you should be verifying who they are against known users, probably from a database?
Is that the case?
"select id from users where name = 'Isaac Newton'";
So you know his id is say, 23.
Is this really your case too?
If so you can then go on to only select from the database the record which belongs to him.
"select fruit from foodstuffs where user_id = 23";
And then display his apple.
use the following code for your login page and myaccount page
<?php
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
//suppose your database user table name is users and there are three collum in table. id,username,password then run the query to login
$login = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
if($login){
$userdata = mysql_fetch_array($login);
$user_id = $userdata['id']; //where id is the unique auto incremented id in your users table for each user
$username = $userdata['username'];
session_start();
$_SESSION['user_id'] = $user_id;
header("Location:myaccount.php");
}else{
echo "username or password is incorrect";
}
//Now go to the myaccount.php and write the following line on top to authnticate that the logged in user can access the page only
if(!isset($_SESSION['user_id'])){
heaer("Location:login.php");
exit();
}
//All the data will be fetched on the basis of $_SESSION['user_id'] and you have to make an additional collum in all tables that will be user_id collum for each user
//Now fetch the data of logged in user only and leave others
$user_id = $_SESSION['user_id'];
$data = mysql_query("SELECT * FROM datatable WHERE user_id='$user_id'");
?>
When the user logs in his unique id is stored in session and then the data is fetched using that id in whole project. use that id in "Where" condition in all query so then the data for other users will not be shown. And you have to make an additional collum in all your data table for each user and name that collum is "user_id" to make different the data for each user.
@blogaddition ; The code you suggested in post #3 is inherently dangerous in that allows an SQL injection attack.
Perhaps you'd care to rewrite it so that it does not leave anyone reading this thread open to abuse.
@Cups :The user that has put this question is new to php. I am not teaching him that how to defend with sql injection. I am just giving him a basic idea of php login script.
@Cups ; is correct, we at Sitepoint like to provide examples, but ones that are meaningful and won't result in bad practices being continued further. He simply asked that you provide a better more secured example which really just needed a few tweaks.Originally Posted by blogaddition
By changing the following lines:
To their appropriate more secure onesPHP Code:$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$user_id = $_SESSION['user_id'];
Would introducing the original poster to PDO be better? Definitely.PHP Code:$username = mysql_real_escape_string($_REQUEST['username']);
$password = mysql_real_escape_string($_REQUEST['password']);
$user_id = mysql_real_escape_string($_SESSION['user_id']);
@Marsi ;, if you would like to see blogaddition's example using PDO, let me know. I could probably work on that later today.
@blogaddition ; as cpradio says, we tend to jump on dangerous examples, especially when given out as advice, unless you provide a very clear warning such as "It is up to you to properly escape the incoming data to protect yourself from SQL injection attacks, I left them out for brevity.".
But when I think back, I haven't seen that for a while now either.
Even the basic use of mysql_* functions often prompts replies about "switch to PDO" -- I tend to do that when I can assume that the posters skill level is ready to take that on of course.
You don't have to jump to PDO...but really maybe should start with MySQLi functions instead...? MySQLi functions are very similar to that of the older interface. So it should not be that hard to shift.
I actually did that for the "jump to PDO" crowd, next time I'll remember to add theto signify it as more of an "inside joke"
In all reality, the point to take away from here is brief examples can usually include SQL Injection prevention. Validating the data could be considered something that would require more time and may be left out for brevity, same with XSS and CSRF protections.
Its all gravy.
With the greatest respect to @Marsi ; the question is so basic we can probably assume that jumping to PDO or even mysqli might be a bit much to start off with and to me @cpradio ; 's interjection with the mysql_real_escape_string example was spot on.
Banging on about SQL injection is now so, so common on here (and elsewhere on the 'net) that it really should be obvious to everyone who visits -- its just that some people don't visit that often - and might come across this thread almost by accident, and as a (PHP) community we still have a duty to keep the message front and centre.
Hopefully some others who are less aware of SQL injection (or XSS, CSRF) attacks will come across this thread too and be prompted to find out more about protecting themselves and their clients.
If that sounds like you, fire away with questions, do.
Posting Permissions
Reply With Quote
Bookmarks