need help in sessions and specifying user id's!

texazzpete

please can anyone out there help me! i'm trying to create a website that the users can log in and edit/update/delete/insert their records (like a penpals or dating site). i've added an authentication script which uses sessions to authenticate users. the username and passwords are stored in a table in a database which also contains the ID (primary key), email address, and other personal details (nickname, address etc). so far, i've been able to create a member area that will have links to make them edit their profiles, but how then do i use the session to identify their specific id in the database, so that they can only edit their own profile? ie if i was to put a link like
<a href="edit.php?id=$id">edit profile</a> how do i get the id variable out of the database, so that it only gets the id of the person that is logged in, making sure he/she only edits his/her profile?
Please help, as i'm really confused as to how to do this.

Tekime

Hi texazzpete,

I'll try and help you out; I'm no guru but I have developed a user auth system with many of the same functions as yourself.

If you have the user id being passed into the script, you simply need to use that id to perform all your DB functions.

If you are pulling the user profile, for example, it might look like this:

SELECT * FROM users WHERE user_id = $user_id

If you are updating values it may look like this:

UPDATE user SET thisval=blah, thatval=blah WHERE user_id = $user_id

As you can see you just need to make any transactions on the DB specific to that user's ID.

It's hard to help without a specific idea of what you're trying to do. If you don't understand the above I suggest you go read up on MySQL queries.

Never trust client data though. In the above examples someone could type "edit.php?id=someotherusersid" in their browser and be recognized as another user.

Personally, I don't even trust session data.

When a user hits my site, a new session is created automatically. If that user logs in, the session ID, user id, time, IP address and user agent are logged in a session table in my DB. The user id is stored in $_SESSION['user_id'].

Every script they hit after that authorizes their session, by comparing all of the values (except time) to the ones in the session DB. If they match, it updates the DB and flushes any old entries.

Once I have confirmed that their session id, user id, ip address and user agent match the values in the DB, I set their access rights, user id and username as global variables. Then I can use these variables freely through my script, without worrying about session hijacking or spoofing.

I hope that helps some, good luck.