I'm doing a sort of login page for my website which I'm just testing right now, and this code is after the login. The thing is, I want to retrieve some information from my database, but the code doesn't work (it doesn't echo anything). I checked that the MySQL query is fine and it works, but there is no result in the PHP.

Please, I would be happy for any help and answers.

//---MySQL connection---//
$server = "localhost";
$user = "root";
$pass = "password";
$db = "users";
$table = "users";
mysql_connect($server,$user,$pass) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());
//----------------------//

//---MySQL query, data selection---//
$sesuser = $_SESSION['username'];
$sql = "SELECT data FROM $table WHERE username='$sesuser'";
$predata = mysql_query($sql);
$data = mysql_fetch_field($predata);
//---------------------------------//

//---Check if session is registered---//
session_start();
if(session_is_registered("username")){
    echo "\n"."Hello ".$_SESSION["username"]."<br />";
    echo $data; //!!this line doesn't work
}
else{
    echo "<script>window.location=/login/</script>";
}
//------------------------------------//
?>
Brian Tompsett - 汤莱恩
Fasand
  • mysql_fetch_field returns the column information, don't you want the data of the column instead? – Book Of Zeus Oct 03 '11 at 11:07
  • Change `echo $data;` into `echo htmlspecialchars(print_r($data, true));` and try again. – hakre Oct 03 '11 at 11:08
  • @Fasand, never ever inject `$_*` superglobals directly into a query. That's an SQL-injection hole, use `$var = mysql_real_escape_string($_SESSION['username']);` See: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain – Johan Oct 03 '11 at 11:17
  • @hakre came out like this: stdClass Object ( [name] => data [table] => users [def] => [max_length] => 9 [not_null] => 1 [primary_key] => 0 [multiple_key] => 0 [unique_key] => 0 [numeric] => 0 [blob] => 0 [type] => string [unsigned] => 0 [zerofill] => 0 ) – Fasand Oct 03 '11 at 11:31

3 Answers

3

Put session_start() at the top, or just before you use the $_SESSION variable.

One more thing: the function session_is_registered has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.

Better way:

session_start();
//---MySQL query, data selection---//
$sesuser = mysql_real_escape_string($_SESSION['username']);
$sql = "SELECT data FROM $table WHERE username='$sesuser'";
$predata = mysql_query($sql);
$data = mysql_fetch_field($predata);
//---------------------------------//

//---Check if session is registered---//

if(isset($_SESSION['username'])){
    echo "\n"."Hello ".htmlentities($_SESSION["username"])."<br />";
    echo $data; 
}
else{
    header("Location: login.php");
    exit();
}
Community
xkeshav
  • Thanks, I used the 'session_is_registered' because I found it in one article and it worked for me, so I was wondering more about the SQL problem. But when I put the 'session_start()' at the start it still didn't fix the problem. But I think there's some problem with the 'mysql_fetch_field', although I don't know what. – Fasand Oct 03 '11 at 11:27
2

var_dump($data); - What does it say?

And YES, put session_start at the beginning of the file.

And try (via PHP):

$i = 0;
while ($i < mysql_num_fields($result)) {
    echo "Information for column $i:<br />\n";
    $meta = mysql_fetch_field($result, $i);
    if (!$meta) {
        echo "No information available<br />\n";
    }
    echo "<pre>
blob:         $meta->blob
max_length:   $meta->max_length
multiple_key: $meta->multiple_key
name:         $meta->name
not_null:     $meta->not_null
numeric:      $meta->numeric
primary_key:  $meta->primary_key
table:        $meta->table
type:         $meta->type
unique_key:   $meta->unique_key
unsigned:     $meta->unsigned
zerofill:     $meta->zerofill
</pre>";
    $i++;
}

And if you change mysql_fetch_field to mysql_fetch_row you would be able to reach your data over: $data[0];

Ernestas Stankevičius
  • You have an XSS security hole in that code. I suggest escaping all output using `htmlentities()` – Johan Oct 03 '11 at 11:23
  • the dump: object(stdClass)#1 (13) { ["name"]=> string(4) "data" ["table"]=> string(5) "users" ["def"]=> string(0) "" ["max_length"]=> int(9) ["not_null"]=> int(1) ["primary_key"]=> int(0) ["multiple_key"]=> int(0) ["unique_key"]=> int(0) ["numeric"]=> int(0) ["blob"]=> int(0) ["type"]=> string(6) "string" ["unsigned"]=> int(0) ["zerofill"]=> int(0) } – Fasand Oct 03 '11 at 11:29
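
Added example, not part of any answer or comment on this page: the three points raised in the thread (fetch the row value rather than the field metadata, keep the session username out of the SQL text, escape what is echoed) combined in one script using PDO. Assumptions: an in-memory SQLite table stands in for the MySQL `users` table so the script runs offline, the `$session` array stands in for `$_SESSION`, and the helper names `fetchUserData`, `e` and `renderGreeting` are hypothetical.

```php
<?php
// Constructed data: in-memory SQLite replaces MySQL here. With MySQL only the
// DSN changes, e.g. new PDO('mysql:host=localhost;dbname=users', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, data TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username, data) VALUES (?, ?)');
$seed->execute(['alice', '<b>bold</b> & plain']);   // markup stored as data
$seed->execute(["o'brien", 'quoted-name row']);     // name containing a quote

// Hypothetical helper: return the `data` value for one user, or null.
function fetchUserData(PDO $pdo, string $username): ?string
{
    // The placeholder sends the username as a bound value, never as SQL text.
    $stmt = $pdo->prepare('SELECT data FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    // fetchColumn() returns the column VALUE of the next row (false if no
    // row), unlike mysql_fetch_field(), which returns column metadata.
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Hypothetical helper: escape a string for an HTML text context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// $session stands in for $_SESSION (session_start() must run before reading it).
function renderGreeting(PDO $pdo, array $session): string
{
    if (!isset($session['username'])) {
        return 'redirect: /login/';   // a real page would send a Location header and exit
    }
    $data = fetchUserData($pdo, $session['username']);
    return 'Hello ' . e($session['username']) . "<br />\n" . e($data ?? '(no data)');
}

echo renderGreeting($pdo, ['username' => 'alice']), "\n\n";
echo renderGreeting($pdo, ['username' => "o'brien"]), "\n\n";
echo renderGreeting($pdo, ['username' => 'nobody']), "\n\n";
echo renderGreeting($pdo, []), "\n";
```
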
0

Basically there is an object returned in $data and you can echo it like $data->name