username from session details from database - php

I am trying to get my session variable username to work with my database by displaying user data from database according to username on the session.
But, my script does not work. What should I do here?
<?php session_start(); ?>
<?php include "includes/connection.php"; ?>
<?php
$query = mysql_query("SELECT id, username, password, email, name, aim, admin, time, phone, address
FROM users
WHERE username = $_SESSION['myusername']");
while($row = mysql_fetch_object($query) )
{
echo "$row->Id<br />";
echo "Username: . $row['id']";<br />"
//echo "$row->Password<br />";
//echo "$row->Email<br />";
//echo "$row->Name<br />";
//echo "$row->Aim<br />";
//echo "$row->Admin?<br />";
//echo "$row->Time<br />";
//echo "$row->Phone<br />";
//echo "$row->Address<br />";
}
?>
Instead of working, the script displays the below on the screen:
Please see on:
http://www3.londonmet.ac.uk:8008/~iia0014/userdetails.php

You have many things wrong. You are mixing HTML and PHP when using quotes,
and Id is different from id.
You must also escape your variables.
Look at this:
$myusername = mysql_real_escape_string($_SESSION['myusername']);
$query = mysql_query("SELECT id, username, password, email, name, aim, admin, time, phone, address
FROM users
WHERE username = '".$myusername."' ");
while($row = mysql_fetch_array($query) )
{
echo $row['id'] ."<br />";
echo "Username:" . $row['username']."<br />" ;
....
.... // continue the same way as above, taking care to keep the quotes in their places; don't mix them with PHP
}
?>
I advise you to use PDO or MySQLi. Look: this is deprecated, so better to turn to PDO or MySQLi.
mysql_fetch_object() is similar to mysql_fetch_array(), with one difference - an object is returned, instead of an array. Indirectly, that means that you can only access the data by the field names, and not by their offsets (numbers are illegal property names).

Related

Show logged in user's data in profile.php

<?php
require('db.php');
$_SESSION['sloggedIn']="yes";
$data1['first_name'] = $_SESSION['sfirstname'];
$data1['email'] = $_SESSION['semail'];
$sqlQuery = "SELECT first_name, email FROM otium where id = :id";
file_put_contents('log/DBErrors.txt', 'Connection: '.'rivi8'.$sqlQuery."\n", FILE_APPEND);
$kysely1 = $DBH->prepare($sqlQuery);
$kysely1->execute($data1);
// Loop the recordset $rs
// Each row will be made into an array ($row) using mysqli_fetch_array
//while($row = mysqli_fetch_array($rs)) {
// Write the value of the column FirstName (which is now in the array $row)
echo $sqlQuery['first_name'] . "<br />";
echo $sqlQuery['email'] . "<br />";
//}
?>
This is my first time doing this in PHP and I would like to print out the logged-in user's data. I have this code but it is not working! Please help.
$sqlQuery is just a string variable containing the query; you can't expect it to be an array.
I guess you already got firstName and email from the session, so there is no need to execute an SQL query; just printing the session values will get your job done.
// Session keys as they are named in the question's code
echo $_SESSION['sfirstname'] . "<br />";
echo $_SESSION['semail'] . "<br />";

simple MySQL query via PHP

I have a table with about 500,000 rows, and need to query it to retrieve results. Basically the user just inputs a case number, and then I want to execute the following query and display the results using a while loop
if (!empty($_POST["casenum"])) {
$result2 = mysql_query("SELECT Box_Content.case_number, Transfer.number, Transfer.location, Box.number FROM Box_Content, Transfer, Box WHERE Box_Content.box_id = Box.id and Box.transfer_id = Transfer.id and Box_Content.case_number = '".$_POST['casenum']."'");
while ($row = mysql_fetch_array($result2)) {
echo "Case number: ".$casenum." text ";
echo "<br />";
}
} else {
echo "<h4>WARNING!!! Search criteria entered not valid. Please search again.</h4>";
}
What am I doing wrong here?
EDIT:
It works now if only one row is returned, but for two rows, it seems to be trying to print the entire table...
$casenum = $_POST["casenum"];
echo "<br />The case number entered is: $casenum<br />";
if (!empty($_POST["casenum"]))
{
$result2 = mysql_query("SELECT Box_Content.case_number, Transfer.number as transfer_number, Transfer.location as transfer_location, Box.number as box_number FROM Box_Content, Transfer, Box WHERE Box_Content.box_id = Box.id and Box.transfer_id = Transfer.id and Box_Content.case_number = '" . $_POST['casenum'] . "'");
while($row = mysql_fetch_array($result2))
{
print_r ($row);
echo "<br />";
echo "<b>Case number: </b>" . $row['case_number'] ."<br />";
echo "<b>Transfer number: </b>" . $row['transfer_number'] ."<br />";
echo "<b>Transfer location: </b>" . $row['transfer_location'] ."<br />";
echo "<b>Box number: </b>" .$row['box_number'] ."<br />";
}
}
else
{
echo "<h4>WARNING!!! Search criteria entered not valid. Please search again.</h4>";
}
var_dump($_POST);
Try:
while ($row = mysql_fetch_array($result2)) {
echo "Case number: ". $row['case_number'] ." text ";
echo "<br />";
}
$row['case_number'] will output the case_number retrieved for each row in your resultset.
However, you should look into doing one of two things:
Start using best practices.
Start using a non-deprecated SQL library (mysqli, PDO).
This query is susceptible to SQL injection:
"SELECT Box_Content.case_number, Transfer.number, Transfer.location, Box.number
FROM Box_Content, Transfer, Box
WHERE Box_Content.box_id = Box.id and Box.transfer_id = Transfer.id
and Box_Content.case_number = '".$_POST['casenum']."'"
Use mysql_real_escape_string($_POST['casenum']) to patch this.
Reference: http://php.net/manual/en/function.mysql-real-escape-string.php
The mysql_* functions have long been deprecated due to unprepared statement operations. Look into either mysqli or PDO for your project instead.
What am I doing wrong here?
1) $casenum isn't set in your code... (Please tell me it is nothing and you don't have register superglobals turned on?!) You would probably want $row['case_number']
2) But anyway, that's not really what you are doing wrong... Your biggest mistake is using user input without any kind of validation or sanitization...
Imagine if $_POST["casenum"] was equal to...
' or 1=2 union select user,password,email,salt from users
You seem to be using $casenum from nowhere.
Try:
while($row = mysql_fetch_assoc($result2))
echo "Case number: ".$row['number']." text <br />";
When using the mysql_fetch functions, assoc will bring back named indexed data, num will bring back numeric indexed data and array will bring back both, so try to use one or the other.
Then when you do $row = mysql_fetch_assoc($result2) you're essentially saying: for each row of data returned, store it as an (in this case associative) array in $row, so you can then access your data via the standard array commands ($row['foo']).

Match Username (field from mysql table) To Session ID In PHP

How do I do it? I've tried all different ways but I just can't do it!
Basically, I'm trying to pull out information from the "starters table" and display only the logged in user's data.
Here is the code which gives me an error message which I cannot solve:
<?php
session_start();
require_once '../database.php';
if (isset($_SESSION['myusername'])){
echo "Welcome ".$_SESSION['myusername'];
}
?>
<?php
include '../database.php';
$userid = $_SESSION["myusername"];
#the where clause is where im stuck at the moment!
Line 50:
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = $_SESSION['myusername']");
echo "<table border='0'><table border width=65%> <tr><th>Recipie Name</th><th>Ingredients</th><th>Method</th><th>Time</th></tr>";
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Recipename']. "</td>";
echo "<td>" . $row['Ingredients']. "</td>";
echo "<td>" . $row['Method']. "</td>";
echo "<td>" . $row['Time']. 'minutes'."</td>";
echo "</tr>";
}
echo "</table>";
?>
</table>
The error message I get is the following:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/jahedhus/public_html/cook/usersloggedin/starters.php on line 50
line 50 is the select statement!
I would really appreciate your help,
Thanks so much!
You need to wrap the username in quotes:
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = '{$_SESSION['myusername']}'");
Additionally, you're trusting that $_SESSION['myusername'] is a valid username (not some string of attack SQL). If you don't know that data is safe, you need to at least escape the data.
Change the line:
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = $_SESSION['myusername']");
with this one:
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = '" . $_SESSION['myusername'] . "'");
Problem with the quotes is that they will get all gummed up, I'd separate them, either:
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = '".$_SESSION['myusername']."'");
OR
$result = mysql_query("SELECT Recipename, Ingredients, Method, Time FROM starters WHERE username = '$_SESSION[myusername]'");

Combine $_GET and $_POST in PHP?

For some friends and family (different sites), I created a script that allows them to input data into the database. With
echo ("<a href=\"./pagina.php?ID=" . $row['ID'] . "\">" . $row['ID'] . "<br>");
, I 'send' the ID of the requested table to the URL.
In pagina.php, I have this code:
ID: <?php echo $_GET["ID"]; ?>
That works, of course, but now I want to use that ID to also display the data from the database, so not from the URL. These values are " . $row['onderwerp'] . " and " . $row['tekst'] . "
(There may be more values to come, but I'm just a beginner, trying to get something to work).
I know this is possible, but I just can't get anything to work, as I have just started learning PHP.
I hope you can help me.
If you don't care whether data came from a $_COOKIE, $_GET, or $_POST, you can use $_REQUEST.
$id = (int)$_GET['ID']; // the link in the question sends ?ID=..., and $_GET keys are case-sensitive
$sql = "SELECT onderwerp, tekst FROM yourtable WHERE id=$id";
$result = mysql_query($sql) or die(mysql_error());
while($row = mysql_fetch_assoc($result)) {
echo "{$row['onderwerp']} - {$row['tekst']}<br />";
}

How to give a unique url/id to a question posted by the user?

There's a form called discussion.php, in which a user will fill out his/her question/discussion and post it to savedisc.php. Some of the savedisc.php looks like this:
$message = $_POST['message'];
$title = $_POST['title'];
$represents = $_POST['represents'];
//connect to database
//save the content of discussion/question into the database for future use
$sql="INSERT INTO Discussion (Message, Title, Type)
VALUES
('$message','$title','$represents')";
//Display user's question/discussion again
echo $message . "<br />";
echo $title . "<br />";
echo $represents . "<br />";
It is not shown above, but I am saving the id field manually, i.e. via phpmyadmin as an auto increment and primary key of course. Therefore, all of the values in the table Discussion will have their own unique id. Once the question/discussion is saved, I want to be able to display $title of each question on wb.php as a link, which as of now looks like this (some code from wb.php):
$result = mysql_query("SELECT * FROM Discussion ORDER BY id DESC");
//When user clicks the question/discussion Title, he/she will be directed to wbcomm.php
while($row = mysql_fetch_array($result))
{
echo "<a href='wbcomm.php' >{$row['Title']}</a><br />";
}
Until here, everything is working smoothly. However, from here on, what I'm trying to do is, when the user clicks the question/discussion title via above code, I want him/her to be directed to wbcomm.php?id=1, where id=1 represents the unique id of the question/discussion. Some of the code from wbcomm.php is below:
if (isset($_GET['id']))
{
//connect to db
$wbid = mysql_real_escape_string($_GET['id']);
$sql = "SELECT * FROM Discussion WHERE id = '$wbid' LIMIT 1";
$res = mysql_query($sql);
if (mysql_num_rows() > 0) {
$discussion = mysql_fetch_object($res);
//display member's question here:
echo $discussion['id'] . "<br />";
echo $discussion['Title'] . "<br />";
echo $discussion['Type'] . "<br />";
echo $discussion['Message'] . "<br />";
}
else {
// discussion does not exist with ID
}
}
However, for some reason, the result is blank. I.e. the question/discussion doesn't even show up. What am I doing wrong? Is my procedure even correct?
Thank you.
In your wb.php, you create a link to wbcomm.php but you are not passing the ID of the discussion, so your $wbid will be empty. You need to pass the ID along with the link, like this:
while($row = mysql_fetch_array($result))
{
echo "<a href='wbcomm.php?id={$row['id']}' >{$row['Title']}</a><br />";
}
Your ID column is an autoincrement int type so you do not need to put it in quotes or escape it. You should definitely test it to see if it's numeric, though.
Use this SQL mysql_num_rows($res) > 0
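One way to do the numeric test the answer above asks for before the id reaches the query, as an added example that is not from the original posts. It assumes PDO with an in-memory SQLite database standing in for MySQL; parseDiscussionId() and findDiscussion() are hypothetical helper names, and the rows and query-string values are constructed.

```php
<?php
// Added example; SQLite in memory stands in for the MySQL server so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Discussion (id INTEGER PRIMARY KEY AUTOINCREMENT, Title TEXT, Message TEXT)");
// Constructed sample rows.
$pdo->exec("INSERT INTO Discussion (Title, Message) VALUES ('First question', 'Hello'), ('Second', 'World')");

// Hypothetical helper: accept only a positive decimal integer; anything else becomes null.
function parseDiscussionId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: fetch one discussion as an object, or null when the id is invalid or unknown.
function findDiscussion(PDO $pdo, $rawId): ?object
{
    $id = parseDiscussionId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT id, Title, Message FROM Discussion WHERE id = :id LIMIT 1");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Constructed query-string values, as wbcomm.php would see them in $_GET['id'].
foreach (['1', '2', '3', '', 'abc', '-5', '1 OR 1=1', '1.5'] as $raw) {
    $d = findDiscussion($pdo, $raw);
    if ($d === null) {
        printf("%-10s => no discussion\n", var_export($raw, true));
    } else {
        // Objects use property access ($d->Title), not $d['Title'].
        printf("%-10s => #%d %s\n", var_export($raw, true), $d->id,
               htmlspecialchars($d->Title, ENT_QUOTES, 'UTF-8'));
    }
}
```

Only '1' and '2' resolve to a row; '3' is a valid integer with no matching discussion, and the remaining values are rejected before any SQL is run.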
