I've been working on a login and session handling function for a few sites. It works well, does the job, for these lower security sites. There are essentially two main tables in the mysql database. One is the user login, the other is the security levels (stored as binary). For example the user login table could be as follows:
CREATE TABLE user (
user_id int(11) NOT NULL auto_increment,
username varchar(50) NOT NULL,
password BLOB NOT NULL,
security_val int(11) DEFAULT '0' NOT NULL,
session_id varchar(64),
PRIMARY KEY (user_id),
UNIQUE username (username)
);
and the security table (with examples):
CREATE TABLE security (
security_id int(11) NOT NULL auto_increment,
security_name varchar(50) NOT NULL,
security_val int(11) DEFAULT '0' NOT NULL,
PRIMARY KEY (security_id),
UNIQUE security_name (security_name, security_val)
);
INSERT INTO security VALUES ( '1', 'general user', '1');
INSERT INTO security VALUES ( '2', 'admin', '2');
INSERT INTO security VALUES ( '3', 'new media', '4');
INSERT INTO security VALUES ( '6', 'super user', '524287');
A user could have access to all general user pages as well as new media pages, they would therefore have a security value of 5 (the sum of the two values). The page that they are visiting will also have a security value which is logically & tested against the user's security value to see if they have access. I'll just show a bit of the page configuration file and a few functions to show how it all ties in.
/*
Set the session_id, if not automatic on your server
*/
if ($session_id=="") {
    $tmpHex="";
    // rand() seeded from the clock is not a cryptographic generator, so ids built
    // this way are far more predictable than their 32 hex digits suggest
    srand((double)microtime() * 1000000);
    // prefix: seconds since 1990-01-01 in hex, padded out to 32 hex digits with rand(0,15)
    for ($tmpHex = dechex(time() - mktime(0, 0, 0, 1, 1, 1990));
         strlen($tmpHex) < 32; $tmpHex .= dechex((int)rand(0,15)));
    setcookie ("session_id", $tmpHex, time() + 43200, "/", "$COOKIE_DOMAIN", 0);
    $session_id=$tmpHex;
}
define ("CK_SESSION", $session_id);
/*
Log them out if requested
*/
if ($logout) {
    user_logout();
}
/*
Login the user, if user_name and password passed.
*/
if ($user_name && $password) {
    $user_login=@user_login ($user_name,$password);
    if (!$user_login) {
        header("Location:error?error_type=LOGIN");
        exit();
    }
}
/*
Get the user_id and the user login details
*/
if (!$user_login) {
    $user_login=@user_get_user_login();
    if ($user_login["security_val"]=="") {
        //set this to an integer so that future data entries of non-logged in users do not fail
        $user_login["security_val"]=0;
    }
}
/*
Redirect the user if they do not have required security for rest of page
(exit() after each redirect, otherwise the rest of the page is still rendered)
*/
if (!($user_login["security_val"] & $page_info["security_val"]) && ($page_info["security_val"]>0)) {
    header("Location:error?error_type=PRIVELEGES");
    exit();
}
if (!($user_login["security_val"] & $company_info["security_val"]) && ($company_info["security_val"]>0)) {
    header("Location:error?error_type=PRIVELEGES");
    exit();
}
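The bitmask check from the configuration above, as an added example in Python (not code from the original post): it models the security rows inserted earlier, combines a user's roles, applies the post's test (any overlapping bit grants access, and an empty security_val is treated as 0), and also shows a stricter all-bits variant that the post does not use. SECURITY, normalize_val, user_security_val, has_access and has_all are names chosen here.

```python
# security_name -> security_val, as inserted into the security table in the post
SECURITY = {
    "general user": 1,
    "admin": 2,
    "new media": 4,
    "super user": 524287,  # 2**19 - 1: every bit set, so it overlaps any page value
}


def normalize_val(raw):
    """Mirror the post's fix-up: a missing value ("" or None) becomes 0, so a
    non-logged-in visitor holds no bits instead of failing the comparison."""
    if raw in ("", None):
        return 0
    return int(raw)


def user_security_val(roles):
    """Combine role values with bitwise OR. The post adds them; for distinct
    single-bit values OR and addition agree, but OR stays correct if a role is
    listed twice."""
    val = 0
    for role in roles:
        val |= SECURITY[role]
    return val


def has_access(user_val, page_val):
    """The post's check: deny only when the page requires something
    (page_val > 0) and the user shares no bit with it."""
    user_val = normalize_val(user_val)
    if page_val > 0 and not (user_val & page_val):
        return False
    return True


def has_all(user_val, page_val):
    """Stricter variant: the user must hold every bit the page requires."""
    user_val = normalize_val(user_val)
    return (user_val & page_val) == page_val


if __name__ == "__main__":
    # the post's own scenario: general user + new media -> 5
    me = user_security_val(["general user", "new media"])
    print(me, has_access(me, SECURITY["new media"]), has_access(me, SECURITY["admin"]))
```

Note the difference on a page whose value is admin|new media (6): the post's any-bit check admits a user holding only new media (4), while has_all requires both bits.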
/*
Determine if the user name and password are in the database
if so, set the user login details
*/
// The query function's name was lost in extraction ("@(...)" below); db_query is an
// assumed name for the db_* wrapper that the post's db_num_rows()/db_insert_id()
// calls belong to. $u and $p are interpolated into SQL unescaped throughout.
function user_login ($u,$p) {
    $result=@db_query("UPDATE user SET session_id = '' WHERE session_id = '".CK_SESSION."'");
    $query="SELECT * FROM user WHERE username='".$u."' and password=MD5('".$p."')";
    $result=@db_query($query);
    if ($user = @mysql_fetch_array($result)) {
        // bind the current session id to this user row
        $result=@db_query("UPDATE user SET session_id = '".CK_SESSION."' WHERE user_id=".$user["user_id"]);
        return $user;
    }
    return FALSE;
}
/*
Logout function
*/
function user_logout () {
    $result=@db_query("UPDATE user SET session_id = '' WHERE session_id = '".CK_SESSION."'");
}
/*
Get the user login details by using the global session_id
Returns false if the details do not exist
*/
function user_get_user_login () {
    $query="SELECT * FROM user WHERE session_id='".CK_SESSION."'";
    $result=@db_query($query);
    if (@db_num_rows($result)) {
        return @mysql_fetch_array($result);
    }
    else {
        return FALSE;
    }
}
/*
Set the user login details
*/
function user_set_login ($u,$p,$s) {
    $query="INSERT INTO user
        (user_id, username, password, security_val)
        VALUES (
        NULL,
        '".$u."',
        MD5('".$p."'),
        ".$s."
        )";
    $result=@db_query($query);
    if (!$result) {
        return FALSE;
    }
    else {
        return db_insert_id();
    }
}
/*
Alter the user login details
*/
function user_alter_login ($u_id,$s,$p="",$u="") {
    $query="UPDATE user SET security_val=".$s;
    if ($p) {
        $query.=", password=MD5('".$p."')";
    }
    if ($u) {
        $query.=", username='".$u."'";
    }
    $query.=" WHERE user_id=".$u_id;
    $result=@db_query($query);
    if (!$result) {
        return FALSE;
    }
    else {
        return TRUE;
    }
}