mysql session data in select query

Question

LloydFarrell 0 Junior Poster

14 Years Ago

hi all im looking to use a select mysql query - but im trying to query the database against a users logged in sessions. I

have the sessions working correctly but I am unsure how to included the session data in my sql select query.

here is my users session

if ($_GET['SESS_MEMBER_ID']) {
	
     $id = $_GET['SESS_MEMBER_ID'];

} else if (isset($_SESSION['SESS_MEMBER_ID'])) {
	
	 $id = $_SESSION['SESS_MEMBER_ID'];

} else {
	header("location: http://localhost/www.website.com");
   exit();
}

and my session for country is the same

if ($_GET['SESS_COUNTRY']) {
	
     $country = $_GET['SESS_COUNTRY'];

} else if (isset($_SESSION['SESS_COUNTRY'])) {
	
	 $country = $_SESSION['SESS_COUNTRY'];

} else {
	header("location: http://localhost/www.website.com");
   exit();
}

What I would like to do is query the database, and bring back the results where country = country - of the user who is

logged in.

so if the user(SESS_MEMBER_ID) is from the UK I would like to bring back all users from the uk ?

I am ok with querying the database but im just not sure how to include the session data ?

$sql = mysql_query("SELECT * FROM table WHERE activated='1' AND Country =$SESS_COUNTRY ORDER BY id DESC LIMIT 5");

any pointers would be very much appreciated as always

mysql php session sql

2 Contributors
6 Replies
7K Views
4 Days Discussion Span
Latest Post 14 Years Ago Latest Post by qazplm114477

qazplm114477 14 Junior Poster

14 Years Ago

you could concatinate it into your query

$sql = mysql_query("SELECT * FROM table WHERE activated='1' AND Country ='".$_SESSION['COUNTRY']."' ORDER BY id DESC LIMIT 5");

mysql_query($sql);

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

LloydFarrell 0 Junior Poster · Answer 1 · 2010-04-24T23:39:01+00:00

you could concatinate it into your query

$sql = mysql_query("SELECT * FROM table WHERE activated='1' AND Country ='".$_SESSION['COUNTRY']."' ORDER BY id DESC LIMIT 5");

mysql_query($sql);

Hi many thanks, I will give this ago and let you know, if it works, I will update post as solved, very much appreciated

LloydFarrell 0 Junior Poster · Answer 2 · 2010-04-25T02:13:12+00:00

Hi many thanks, I will give this ago and let you know, if it works, I will update post as solved, very much appreciated

@qazplm114477

Hi yes that worked great thanks, just a quick questions about session data ?

Is it secure ? or is there away I can protect the data ? sorry if this is a stupid question but im just not sure ??

many thanks for input, Lloyd

qazplm114477 14 Junior Poster · Answer 3 · 2010-04-25T08:10:54+00:00

@qazplm114477
Hi yes that worked great thanks, just a quick questions about session data ?
Is it secure ? or is there away I can protect the data ? sorry if this is a stupid question but im just not sure ??
many thanks for input, Lloyd

No problem at all, SESSIONS are generally more secure (than cookies anyway), because all data in the SESSION variable is being retained on the YOUR server.

one tip, if you're using sessions for login and logout, there's a chance that the user may not always logout.
So you may want to look up on session.gc_maxlifetime and session.gc_probability. I haven't personally used them but they are worth a look.

also don't forget to destroy SESSIONS properly.

ex: unset($_SESSION) or session_destroy

LloydFarrell 0 Junior Poster · Answer 4 · 2010-04-26T00:06:01+00:00

No problem at all, SESSIONS are generally more secure (than cookies anyway), because all data in the SESSION variable is being retained on the YOUR server.
one tip, if you're using sessions for login and logout, there's a chance that the user may not always logout.
So you may want to look up on session.gc_maxlifetime and session.gc_probability. I haven't personally used them but they are worth a look.
also don't forget to destroy SESSIONS properly.
ex: unset($_SESSION) or session_destroy

**********
Hi, excellent, many thanks for your input -

for my logout im using the following

session_start();
	session_destroy();
unset($_SESSION['SESS_MEMBER_ID']);

************
if you don't mind continuing the conversation, I have been doing some digging around the web looking into protecting against SQL Injection attacks ! when users either update or upload new information -

I have got the following piece of code that I would like clarification on if you have a moment -

before i continue with my self teaching web design I would like to know i am on the right lines in protecting data content

The following is how I am protecting against SQL injection attacks

$title = $_POST['message_title'];
$title = stripslashes($title);
$title = strip_tags($title);
$title = mysql_real_escape_string($title);
$title = eregi_replace("'", "&#39;", $title);

What I would like to know is how can I create a function for the above and apply to each variable.

Many thanks in advance, Lloyd

qazplm114477 14 Junior Poster · Answer 5 · 2010-04-29T01:50:23+00:00

mysql_real_escape_string() will help prevent injection attacks,
an alternative would be prepared statements, however, you need php 5 to use this. prepared statements are generally more secure than old mysql statements and can be used for INSERT, UPDATE, DELETE, SELECT.

here's an example

//connect to database, you may notice the use of mysqli instead of mysql

//mysqli is the same as mysql, but more "improved". the main reason you should use mysqli is when you're using oop.(object oriented programming), you can use it like this too.

$dbc=mysqli_connect(HOST, USERNAME, PASSWORD, DB)
			or die('Cannot connect to MySQL! '.mysqli_connect_error());
	// Turn autocommit off.
        //This is the same as using transactions in mysql. ex: $q="begin";  mysql_query($q);
	mysqli_autocommit($dbc, FALSE);

	$query = "insert employee set
			id = UUID(),
			emp_first_name = ?,
			emp_last_name = ?,
			emp_no = ?,
			job_position_id = ?";

        //prepare the query
	$stmt = mysqli_prepare($dbc, $query);

         //the 'ssis' are the data types for the "?", s for string and i for int.
	mysqli_stmt_bind_param($stmt, 'ssis', $first_name, $last_name, $emp_no, $job_id);

	//run query
	//declare varaibles
	$id="UUID()";
	$first_name = trim($_POST['Employee_first_name']);
	$last_name = trim($_POST['Employee_last_name']);
	$emp_no = trim($_POST['Employee_number']);
       //trim to remove the excess "space "
	$job_id = $_POST['job_position'];

        //execute the statement
	mysqli_stmt_execute($stmt);
        
        //you may add your own validation here
        mysqli_commit($dbc);
	mysqli_stmt_close($stmt);