tags:

views:

122

answers:

2
Q: 

my "remember me"-feature

Finally I have got this function to work. It does its job but it looks real messy, just wanna hear your thoughts and maybe theirs something I could improve?

Thanks alot!

Login

$result = mysql_query("SELECT * FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".md5($_POST['password'])."'");
$row = mysql_fetch_object($result);

    if (mysql_num_rows($result) == 0) {
        exit('Bad Login');
    }

    $_SESSION['id'] = mysql_result($result, 0, 'id');

    # The user wants to be remembered
    if (isset($_POST['remember'])) {
        $key = md5(uniqid());
        setcookie('remember', $key, time()+900000);  /* expire in 10 days */
        mysql_query("UPDATE users SET sessionkey = '$key' WHERE id = ".mysql_result($result, 0, 'id'));

    }

And on each page I check:

if (isset($_SESSION['id'])) {
header("Location: welcome.php");
}

elseif (isset($_COOKIE['remember'])) {

$rs = mysql_query("SELECT * FROM users WHERE sessionkey = '$_COOKIE[remember]'");

if (mysql_num_rows($rs) == 1) {
    $_SESSION['id'] = 1;
header("Location: welcome.php");
}

}
A: 

I'm no PHP expert, but there's probably an off-the-shelf solution for session management - I would suggest using it over rolling your own.

On Freund  2010-01-10 14:58:37
Session controlling, yes: The $_SESSION variable that Sven is already using. But session data is only stored for one browser session, where Sven wants the user to remain logged in even after the session has ended.
Douwe Maan  2010-01-10 15:03:08
By session I mean the broader sense, i.e. user session, not browser session.
On Freund  2010-01-10 15:05:13
Ah okay. PHP has no built-in solution for user session management, afaik.
Douwe Maan  2010-01-10 15:14:21
And no 3rd party/open source solution?
On Freund  2010-01-10 15:20:24
My web app uses roughly the same solution as the submitter's. Anyone have any recommendations for a standalone third party solution? (i.e. not something that's just a plugin for a framework, something you can just plug and play into any setup.)
Matthew  2010-01-10 17:36:11
+2  A: 

Put the code that checks if the number of rows is zero before the mysql_fetch_object($result) statement. That way, you don't waste that extra CPU cycle if the user doesn't exist.

Change this (in both places):

mysql_result($result, 0, 'id');

to

$row->id;

Also, if your id column isn't sanitary (i.e.: the user has entered some data for it at some point), you're going to want to escape it in your UPDATE query.

Just a matter of preference on this one, but when I check URL parameters existance, I like to use !empty() instead of isset. The reason is that if the parameter is set but empty, it will still return false:

!empty($_POST['remember'])

Also on that note, be sure to sanitize $_COOKIE['remember']. Cookie values can be changed by the user.

mysql_query("SELECT * FROM users WHERE sessionkey = '" . mysql_real_escape_string($_COOKIE[remember]) . "'");

Lastly, it might be a good idea not to select * in your query, as this can bump you up against a performance wall later on in your app. Consider just selecting, say, the ID of the user: 

mysql_query("SELECT id FROM users ...

Everything else looks pretty good!

mattbasta  2010-01-10 23:16:57

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL