I'm currently making a simple login system with PHP and when I write this

```php
$sql = "SELECT * FROM logintoken WHERE token ='".$_COOKIE['SNID']."';";
```

it didn't give any result, even though when I echo out $_COOKIE['SNID'], it spat out the correct result. I also checked the database, the value was there in the 'token' row. So how can I fix this problem? Thank you for reading this text. Here is my code:

```php
<?php
if (isset($_COOKIE['SNID'])) {
    echo 'Logged in';
    echo '<form  action="logout.weg.php" method="post">
     <button type="submit" name="logout">Press to logout</button>

   </form>';

    $userid = $_COOKIE['SNID'];
    $sql = "SELECT * FROM logintoken WHERE token ='".$_COOKIE['SNID']."';";
    $result = mysqli_query($conn, $sql);
    if (mysqli_num_rows($result) > 0) {
        while ($row = mysqli_fetch_assoc($result)) {
            echo $row['user_id'];
        }
    } else {
        echo 'No result';
    }
} else {
    echo 'Not logged in';
}
?>
```
Martin
  • Have you tried printing the resulting `$sql` contents and comparing that to a handwritten query? – Todd Sewell Jun 17 '18 at 09:25
  • easy to hack code :) just create a cookie named SNID on the browser and login. – Metalik Jun 17 '18 at 09:27
  • You shouldn't be using cookies to control login information. The most you should be using cookies for is a remember me function. Please use [$_SESSION](http://php.net/manual/en/reserved.variables.session.php) – FluxCoder Jun 17 '18 at 09:49
  • @FluxCoder incorrect. for "remember me" cookies you need an identifying token as OP has. Else it's "remember who?" – Martin Jun 17 '18 at 10:12
  • Todd Sewell, yes I did. Metalik, I know but I'm still an amateur so I don't want to make my code too complicated but thanks for the advice. For the others, thanks guys – Andy Le Jun 17 '18 at 18:48

1 Answer

To answer your question:

Note:
You should not add a terminating semicolon or \g to the statement.

Also, you should be checking your MySQL and PHP error logs and using bug outputting such as:

```php
$result = mysqli_query($conn,$sql) or error_log(print_r(mysqli_error($conn),true));
```

(Qualifier: this is not the best way, but this does get the job done quick)


The correct way to do what you want to do:

(Qualifier: What you're trying to do may not be the best way, but here's how to do that properly)

```php
/***
 * Never trust user data. Including cookies.
 * Here assume cookie random token key is any alphanumeric character.
 * This key is NOT the password
 ***/
$userid = $_COOKIE['SNID'] ?? ''; // avoid an undefined-index notice when the cookie is absent
$useridClean = preg_replace("/[^a-z0-9]/i", "", $userid); // clean the cookie value
if ($useridClean !== $userid) {
    die("bad cookie!");
}
/***
 * Hash your cookie value
 ***/
$useridClean = hash('sha256', $userid);

/***
 * NOTE: Do NOT append ; at the end of the statement.
 * Good practise to check the user is expecting to be "remembered"
 ***/
$sql = "SELECT username, userid FROM logintoken WHERE token = ? AND
        remember_me_flag = 'Y' AND user_banned_flag != 'Y' ";

/***
 * Use prepared statements for safety
 ***/
$mysqli = new mysqli("example.com", "user", "password", "database");
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("s", $useridClean);
$stmt->execute();
// mysqli_stmt has no fetch_array(); read the row through get_result() (needs mysqlnd)
$row = $stmt->get_result()->fetch_array(MYSQLI_ASSOC);
$stmt->close();

// $row is null when no token matched, so test it before indexing
if ($row && $row['userid'] > 0 && !empty($row['username'])) {
    /***
     * Once the user has returned; reassign new token values in both
     * The database and the cookie
     ***/
    echo "Hello ".$row['username'];
}
else {
    echo 'No result';
}
```

Please Read up on:

Martin
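The answer's code comment says to reassign a new token once the user has returned, but does not show that step. The following is an added example, not the answerer's code, of issuing, redeeming and rotating the token with only its SHA-256 hash stored. The helper names `issueToken` and `redeemToken` are hypothetical, the table is reduced to `user_id` and `token`, and an in-memory SQLite database through PDO stands in for the MySQL connection so the script runs without a server.

```php
<?php
// Added example. Assumption: SQLite in memory replaces the page's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logintoken (user_id INTEGER, token TEXT UNIQUE)');

// Hypothetical helper: create a random token and store only its hash.
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));           // 64 hex characters from the CSPRNG
    $db->prepare('INSERT INTO logintoken (user_id, token) VALUES (?, ?)')
       ->execute([$userId, hash('sha256', $token)]);
    return $token;                                // the raw value goes only into the cookie
}

// Hypothetical helper: validate the cookie, consume it, hand back a fresh one.
// Returns [user_id, new_token], or null when the cookie is not accepted.
function redeemToken(PDO $db, string $cookie): ?array {
    if (!preg_match('/\A[a-f0-9]{64}\z/', $cookie)) {
        return null;                              // wrong shape: rejected before any query
    }
    $hash = hash('sha256', $cookie);
    $stmt = $db->prepare('SELECT user_id FROM logintoken WHERE token = ?');
    $stmt->execute([$hash]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                              // unknown or already rotated token
    }
    $del = $db->prepare('DELETE FROM logintoken WHERE token = ?');
    $del->execute([$hash]);
    if ($del->rowCount() !== 1) {
        return null;                              // a parallel request consumed it first
    }
    return [(int) $userId, issueToken($db, (int) $userId)];
}

// Constructed walk-through: user 42 ticks "remember me", then comes back.
$cookie = issueToken($db, 42);
[$uid, $next] = redeemToken($db, $cookie);
echo "user $uid recognised, new token issued\n";
var_dump(redeemToken($db, $cookie));              // NULL: the old token was single use
var_dump(redeemToken($db, "not'a'token"));        // NULL: fails the format check
var_dump(redeemToken($db, $next) !== null);       // bool(true): the rotated token works

// In a real request the rotated value would be sent back with (PHP 7.3+):
// setcookie('SNID', $next, ['expires' => time() + 2592000, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Because only the hash is stored, a read of the `logintoken` table does not yield values that can be replayed as cookies.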