please i need urgent, crucial helpin sessions and specifying user id from database!!

texazzpete

please can anyone out there help me! i'm trying to create a website that the users can log in and edit/update/delete/insert their records (like a penpals or dating site). i've added an authentication script which uses sessions to authenticate users. the username and passwords are stored in a table in a database which also contains the ID (primary key), email address, and other personal details (nickname, address etc). so far, i've been able to create a member area that will have links to make them edit their profiles, but how then do i use the session to identify their specific id in the database, so that they can only edit their own profile? ie if i was to put a link like
<a href="edit.php?id=$id">edit profile</a> how do i get the id variable out of the database, so that it only gets the id of the person that is logged in, making sure he/she only edits his/her profile?
Please help, as i'm really confused as to how to do this.

notionlogic

Maybe I've misunderstood the question but isn't this simply a case of query your USERS table (or similar) using the value of the $id variable?

Something like:

select * from Users where ID=$id

of course it's better to also check for a password for security purposes...

select * from Users where ID=$id and pass=$password

or, if you're encrypting passwords in your database...

select * from Users where ID=$id and pass=password($password)

texazzpete

my problem is with the member area, there can't be any select queries on top, there will only be a check for the session variables. since both username and password were entered and verified on a login.php page. can you find a way to make the user name and password entered on the login.php page specify the id in the database on the member page so that only the person's data/profile can be accessed?

Nick_Whymark

I'm a bit confused what you're after, but I don't see why session_id is your primary key on the database ? It seems to me that userid should be your primary key.

It sounds like you need to:

1) Authenticate the user by reading the database (userid and password) from what they type in your logon form.
2) Use sessions to store a variable containing the userid when that user has been validated.
3) In your member area use the userid to read your database and get their profile.

Apologies if I'm barking up the wrong tree (or just barking) !

Cheers,
Nick.

texazzpete

thanks a lot for your replies guys, but i just started with session variables 2 days ago, so can you gimme alittle example nick? you're on the right ttrack!!

Nick_Whymark

Hi,

I haven't got an example to hand, but the basic idea is as follows:

In the login script:

Use session_start() to begin a session.
when the user has input his/her user and password, save the userid to a session variable. You can do this using either

$_SESSION['userid'] = $userid_from_form;

OR (you shouldn't mix and match these - the first one is preferable)

$userid = $userid_from_form;
session_register('userid');

The session_start creates a unique id which is stored in a cookie or is passed in the url depending on browser set-up. The session_register or assignment using $_SESSION will create a variable and place it's name and value into the session file. If it's a new session then the session file is automatically created for you.

Obviously the user name/password should be checked with the database before assigning the session variable to indicate that the user is logged on.

You should place a session_start() in any scripts that need access to the variables ! This then re-assigns the variables from the session file (who's name is related to the unique id in the cookie/url).

When you need to authenticate that the user has logged on, simply check that the session variable is set. Use either:

if (isset($_SESSION['userid'))
{
.........
.........
}

OR (use whichever you used before)

if (session_is_registered('userid'))
{
.........
.........
}

if it is set, then the user is logged on. You can then use the userid to read the database for the user's details.

The session will (might) time out eventually - depending on your PHP configuration settings. So if you find that the session variable isn't set you can redirect your visitor to the log on screen again.

Having said all that - I'm struggling to get sessions working at the moment, so I may not be the best one to ask. Sessions can go further and use other methods for storing the variables, you can find that in the manual (www.php.net).

Cheers,
Nick.