Forum Moderators: coopster


global vars question

need help

         

zaez

12:11 am on Jun 21, 2006 (gmt 0)

10+ Year Member



Hi all.
Have a question.
My login function looks like this:

function login()
{
    global $db, $smarty, $id;
    $sql = "select count(*) from users where nick='".$_POST['nick']."' and psw = '".$_POST['psw']."'";
    if ($db->getOne($sql))
    {
        $id = $db->getOne("select id from users where nick='".$_POST['nick']."'");
        // ....
    }
    else
    {
        // ....
    }
}

Then I need to use the $id, and its value got from $db->getOne("select id from users where nick='".$_POST['nick']."'"), in another *.php.
How can I do it?

Grateful for any help.
Thanks!

eelixduppy

12:22 am on Jun 21, 2006 (gmt 0)



Welcome to WebmasterWorld!

You can use sessions [us3.php.net]. Try the following:


session_start();

function login()
{
    global $db, $smarty, $id;
    // Escape both POST values before they are placed inside the quoted SQL strings
    $sql = "select count(*) from users where nick='".mysql_real_escape_string($_POST['nick'])."' and psw = '".mysql_real_escape_string($_POST['psw'])."'";
    if ($db->getOne($sql))
    {
        // Keep the id in the session so other scripts can read it
        $_SESSION["id"] = $db->getOne("select id from users where nick='".mysql_real_escape_string($_POST['nick'])."'");
        // ....
    }
}

Now when you want to use the id again, initialize the session (session_start();) and get the info ($_SESSION["id"]). Good luck ;)

P.S. I added some extra security on your query. Read up on mysql_real_escape_string; it's important!

[edited by: eelixduppy at 12:35 am (utc) on June 21, 2006]

zaez

12:23 am on Jun 21, 2006 (gmt 0)

10+ Year Member



Thanks! I'll try it! Thanks!

zaez

12:32 am on Jun 21, 2006 (gmt 0)

10+ Year Member



Yeap, I've read it already.
The point is that the script doesn't want to run when I add it like this:
$sql = "select count(*) from users where nick='".mysql_real_escape_string($_POST['nick'])."' and psw = '".mysql_real_escape_string($_POST['psw'])."'";

I'll try again.

eelixduppy

12:39 am on Jun 21, 2006 (gmt 0)



Echo $sql to see if it contains what you want. You can also check this echoed query in mysql manually to see if it returns anything. Also, in your class, you can put this on the mysql_query function:

mysql_query($query) or die(mysql_error());

I also suggest encrypting the password. Whether you use mysql's PASSWORD function or md5 (preferred method), it should be encrypted. More here [webmasterworld.com]

[edited by: eelixduppy at 12:41 am (utc) on June 21, 2006]

jatar_k

12:40 am on Jun 21, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld zaez,

have you tried adding a step?

$escnick = mysql_real_escape_string($_POST['nick']);
$escpass = mysql_real_escape_string($_POST['psw']);
$sql = "select count(*) from users where nick='" . $escnick . "' and psw = '" . $escpass . "'";

zaez

12:55 am on Jun 21, 2006 (gmt 0)

10+ Year Member



Guys THANKS a LOT!
I don't know how much time I would have had to spend on this problem if you hadn't helped me =)
THANKS!

sry for bad english ;)

jatar_k

1:40 am on Jun 21, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> sry for bad english

We don't care about English skills here as much as all learning good coding together :)
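
Added example, not code from any poster in this thread: the same login flow with the inputs bound through PDO placeholders instead of being escaped into the query string, the password checked against a `password_hash()` value instead of being compared in SQL, and the id kept in `$_SESSION` as suggested above. The `users` layout, the sample account and the in-memory SQLite database are constructed for the example; it assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example (not the thread's code). Table layout and the sample user are
// constructed; an in-memory SQLite database stands in for the poster's MySQL.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT UNIQUE, psw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (nick, psw_hash) VALUES (?, ?)');
    $ins->execute(['zaez', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user's id on success, null on any failure.
function login(PDO $db, string $nick, string $psw): ?int
{
    // Placeholders keep the input out of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT id, psw_hash FROM users WHERE nick = ?');
    $stmt->execute([$nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against the salted hash; the plain-text
    // password is never stored or compared in SQL.
    if ($row === false || !password_verify($psw, $row['psw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

session_start();                      // must run before any output
$db = make_demo_db();

// Constructed inputs: a valid login, a wrong password, a nick containing a quote.
$attempts = [['zaez', 'correct horse'], ['zaez', 'wrong'], ["o'neil", 'anything']];
$results = [];
foreach ($attempts as [$nick, $psw]) {
    $id = login($db, $nick, $psw);
    if ($id !== null) {
        session_regenerate_id(true);  // new session id at the privilege change
        $_SESSION['id'] = $id;        // readable in other scripts after session_start()
    }
    $results[] = $nick . ' => ' . ($id === null ? 'rejected' : "id $id");
}
echo implode(PHP_EOL, $results), PHP_EOL;
```

The nick containing a single quote is looked up as ordinary data and rejected as an unknown user, without the query failing or changing shape.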