Get ID from Query in login script

jwilley

Ok, I'm so close... here is my login script:

<form method=post action="<?echo $PHP_SELF?>"> 
<table cellpadding=2 cellspacing=0 border=0> 
<td>Username:</td><td><input type="text" name="lastname" size=10></td><tr> 
<td>Password:</td><td><input type="password" name="membernumber" size=10></td><tr> 
<td>&nbsp;</td><td><input type="submit" name="login" value="Log In"></td> 
</table></form> 

<?
if ($login) { 
$db = mysql_connect("localhost", "oataorg_ohioata", "atmedical");
mysql_select_db("oataorg_memdb",$db);
$result=mysql_query("select * from membinfo where lastname='$lastname'",$db) or die ("cant do it"); 
while ($row=mysql_fetch_array($result)) { 
if ($row["membernumber"]==$membernumber) { 
printf ("Successfully Logged In!<a href=\"newmemupd.php?id=$id\">Click Here</a>");
}
}
}
 ?>

I know somewhere that i am missing a query to get the ID from the row IF they pass the login criteria... any ideas on doing this? Am i close?
JDW

kevinsequeira

if ($row["membernumber"]==$membernumber) {
$id = $row['id'];
// assuming id is stored in the table as a column called id
printf ("Successfully Logged In!<a href=\"newmemupd.php?id=$id\">Click Here</a>");

}

jwilley

man, i almost had it too! 😉

thanks again for savin my butt... i'm pretty sure now that i have things where i want them...

i have the user logging in against the database as verification and then it will send the unique user ID over the URL to the next page where that will be used to update their information...

does this seem secure enough? i will do it over a secure server when all is said and done...

Jon

jwilley

Is there a way that if they enter the wrong information they can get an error message saying "Not a valid login, try again"?

right now it just refreshes itself....

jwilley

Is there a way now to hide that ID number in the corresponding URL? That is the only security issue right now i can see is that some smart guy could just change the url to another ID number and be able to change that person's info also...

can it be hidden on the url?
Jon

stolzyboy

how are you gonna GET something from the url if it is hidden

there won't be anything in the querystring at that point