5

I log in a user, and in my PHP script I make a session variable and assign the username to it (as it is unique).

<?php
session_start();
// $username = the username fetched from the database after login
$_SESSION['user_of_mywebsite'] = $username;
// using $username now

Now, is this the right and safe way? If not, what can be done? The session is now created with the username in it:

// assumes a connection already opened with mysql_connect()/mysql_select_db()
// the session value is interpolated straight into the SQL string
$sql_query = mysql_query("SELECT * FROM people WHERE username='{$_SESSION['user_of_mywebsite']}'");
while ($row = mysql_fetch_assoc($sql_query))
{
    $name        = $row['name'];
    $profile_pic = $row['pro_pic_location'];
}

// now I will use $name and $profile_pic further
Zafta
  • These are the only 2 lines you need. – xdbas Jun 11 '13 at 20:04
  • This seems like an overly broad question that doesn't really have a specific answer, and isn't a good fit for StackOverflow - see the FAQ: http://stackoverflow.com/faq – qJake Jun 11 '13 at 20:04
  • @SpikeX: It's not overly broad. Perhaps not too clear, but he has shown what he's doing and asks if it's OK or if there are hidden pitfalls. – Jon Jun 11 '13 at 20:05
  • @Jon I was under the impression that, generally speaking, "Is this code correct?" questions weren't really good questions. – qJake Jun 11 '13 at 20:06
  • @SpikeX: Generally speaking they are not. But IMHO this is quite specific: "will this work to remember the username? if not, what can I do?" – Jon Jun 11 '13 at 20:12
  • @Jon You've made a fair point, I reversed my -1. – qJake Jun 11 '13 at 20:16
  • Seriously, why the hell has this been closed due to "not constructive" ? This is a good question. And much better than most daily question here on StackOverflow. Trolls! – Sliq Jun 17 '13 at 21:03

4 Answers

2

No, not correct. Your code is vulnerable to SQL injection. What if my username is something like Robert'); DROP TABLE Students;--?

You should really at the very minimum escape the data or even better use prepared statements and bound parameters.

How can I prevent SQL injection in PHP?

Also you are using a deprecated database API. Either use mysqli_* or PDO.

PeeHaa
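As an added example (my code, not PeeHaa's or the asker's) here is the asker's lookup rewritten the way this answer recommends: the query text is fixed and the session value travels as a bound parameter, first with PDO and then with mysqli. The DSN, the database credentials and the people/name/pro_pic_location names are assumed to match the question; the payload used at the end is the one from the answer and is constructed here only to show that it is looked up as a literal username rather than executed.

```php
<?php
// Added example: prepared statements instead of string-built SQL.
// Assumed: DSN, credentials and table/column names from the question.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=mywebsite;charset=utf8mb4', // assumed DSN
    'dbuser',                                                // assumed
    'dbpass',                                                // assumed
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// VULNERABLE (the pattern in the question): the session value becomes part
// of the SQL text, so a username containing quotes rewrites the query.
// $sql = "SELECT * FROM people WHERE username='{$_SESSION['user_of_mywebsite']}'";

// SAFE (PDO): the SQL is sent to the server first, the value afterwards.
// The server can never parse the value as SQL, whatever it contains.
function loadProfile(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT name, pro_pic_location FROM people WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// SAFE (mysqli): same idea with the procedural/OO mysqli API. bind_result is
// used instead of get_result so this works without the mysqlnd driver.
function loadProfileMysqli(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT name, pro_pic_location FROM people WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($name, $pic);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['name' => $name, 'pro_pic_location' => $pic] : null;
}

if (!isset($_SESSION['user_of_mywebsite'])) {
    http_response_code(401);
    exit('not logged in');
}

$profile = loadProfile($pdo, $_SESSION['user_of_mywebsite']);
if ($profile === null) {
    http_response_code(404);
    exit('no such user');
}
$name        = $profile['name'];
$profile_pic = $profile['pro_pic_location'];

// The injection string from the answer, bound as a parameter: the server
// searches for a user literally named this and finds nothing. No DROP runs.
$probe = loadProfile($pdo, "Robert'); DROP TABLE Students;--");
assert($probe === null);
```

Note the ATTR_EMULATE_PREPARES => false setting: with emulation on, PDO builds the final SQL string client-side (escaping correctly, but still as text); turning it off sends the statement and the parameters to MySQL separately, which is the property the answer is after.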
1

This is totally right! The $_SESSION var will only contain info for a specific visitor of your website, regardless of whatever you have written into the $_SESSION (but, to be fair, there are some possibilities to read "foreign" sessions, for example when using shared hosting or multi-app setups etc.).

I'm doing it exactly like this (which is nearly the same as yours)

$_SESSION['user_name'] = $result_row->user_name;

in my PHP login script (which is the most starred, downloaded and forked one on github, and has been checked by some people who are very picky). See more of the script here on github.

Sliq
  • So should I make session variables with long and unpredictable names, like $_SESSION['user499dqCVVEFVRVEjjkfriopeq435234ewfwqef'], etc.? – Zafta Jun 11 '13 at 20:30
  • @Mukurpuri Unless you are not using shared hosting or running multiple apps on one server (some cloud servers work like that) everything is secure! – Sliq Jun 11 '13 at 20:32
1

This will store the username in the session, but is not particularly secure.

If the only thing you are holding in the session is the username, this is probably fine, but if you have personal information stored in the users session, you might want to think about adding some security.

I found this handy looking quick tutorial for session safety http://phpsec.org/projects/guide/4.html

Furthermore, if you are new to PHP programming, it is probably better to use one of the frameworks that implements user management, as this has been done many times before, tested and perfected. No need to reinvent the wheel here.

If you do use a framework, you can check out this question about frameworks and user management and particularly this answer : https://stackoverflow.com/questions/10153619/looking-for-a-well-written-user-management-framework#10624058

Skarlinski
0

It will work, but you have to pay attention to two things:

  1. you have to be sure that there are NOT two or more users with the same name;
  2. what happens if a logged-in user (a username whose session is valid) is deleted and another with the same name is created?

In those cases it may happen that a user still in session finds itself logged in... but as another user!

Try to put a unique user id in the session instead.

dAm2K
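As an added example (my code, not dAm2K's, Skarlinski's or the asker's), this shows the design dAm2K suggests: the session holds the account's primary key rather than the username, and every request resolves that key back to a current row, so a deleted account simply stops being logged in and a re-created account with the same username (which gets a fresh auto-increment id) can never be reached by an old session. It also folds in the session hygiene Skarlinski's link covers: cookie flags set before session_start() and a new session id at login. Assumed: PHP 7.3 or later (array form of session_set_cookie_params), HTTPS, a people table with id, username, password_hash, name and pro_pic_location columns, and the same DSN/credentials as above.

```php
<?php
// Added example: session keyed by an immutable user id, re-validated per request.
// Assumed: PHP >= 7.3, HTTPS deployment, people(id, username, password_hash,
// name, pro_pic_location) with an auto-increment id, assumed DSN/credentials.

// Cookie flags must be set before the session cookie is issued: not readable
// from JavaScript, only sent over HTTPS, not sent on cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=mywebsite;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Login: the username is only a lookup key; what the session trusts afterwards
// is the row's id, which never changes and is never reused for another account.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM people WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same failure path for unknown user and wrong password
    }
    // Fresh session id on privilege change, so an id handed to the browser
    // before login (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Every request: turn the stored id back into the current row. No row means
// the account is gone; a re-created account has a different id, so the two
// failure cases dAm2K describes both end in a clean logout, not a mix-up.
function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id, username, name, pro_pic_location FROM people WHERE id = ?'
    );
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch();
    if ($row === false) {
        logout(); // stale session: stop trusting it instead of guessing
        return null;
    }
    return $row;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// In the login handler (POST fields assumed):
// if (login($pdo, $_POST['username'], $_POST['password'])) {
//     header('Location: /profile.php'); exit;
// }

// In a page that needs the user:
$user = currentUser($pdo);
if ($user === null) {
    http_response_code(401);
    exit('please log in');
}
$name        = $user['name'];
$profile_pic = $user['pro_pic_location'];
```

A unique index on people.username still belongs in the schema (it addresses dAm2K's first point at login time), but with the id in the session, a later rename or delete/re-create of a username cannot change who an existing session is.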