Ok i'm wanting to know how to set a session in php?
it needs to contain username and users password :S

Just im trying to learn.

If you have a variable called $username you'd just set it by going



<?php

$_SESSION['username'] = "$username";

?>

bloody hell thats pretty easy, would i do this for all or could i do it so its selects user from db then $username[username] $username[level] etc? or how would i go about this?

You'd need to have a seperate session for each one I believe, but you could define somewhere a function that creates one for each session, then it'd be $username("level") etc.

Cheers :)

Make a SESSION for the users id/username.

Then just make a function which grabs the specific data from the MySQL table using their username/id.

That's one way of doing it.

surely thats hackable?! without providing a corrct pwrd :S

surely thats hackable?! without providing a corrct pwrd

How would it be exploitabe? O_O

You set a session with their ID/Username once they login correctly.

Then later on in your script, if you want to get say, their email you do like:

getInfo("email");

(obviously, you'd need to code the function).

How could that be exploited by a USER?

is there anyway u can change the session eg change the username and id :S so u can get on someone else acc?

Suggestion:

If you're using sessions for a web app, only store the users UID in a session, as this is unlikely to change for their use of the app.

You can make a function that automatically grabs the user details from the database (using their ID), and puts it in an array, like so:



<?PHP

function check_user_details() {

$uid = $_SESSION['uid'];

$query = "SELECT * FROM `users` WHERE uid='$uid'";

$query = mysql_query($query);

$user = mysql_fetch_assoc($query);

return $user;

}

$user = check_user_details();

?>


That way, you have access to the user details, and they are fresh (ie. if the username, email, password etc is changed, they will be refreshed after each load).

Heres what you want to do:



<?php
session_start();
$user = $_POST['username']; //This would be like from the login form
$result = mysql_query("SELECT * FROM usertable WHERE username = $user");
$row = mysql_fetch_array($result);
$_SESSION['yoursite_username'] = $row['username']; //This sets their username
$_SESSION['yoursite_password'] = $row['password']; //Same for the pass (encrypt it)
?>


And then just do a check and say:


<?php
session_start();
$result = mysql_query("SELECT * FROM usertable WHERE username = $user");
$row = mysql_fetch_array($result);
if($_SESSION['yoursite_username'] == $row['username']&&$_SESSION['password'] == $row['password']){
$_SESSION['yoursite_username'] = $row['username']; //This sets their username
$_SESSION['yoursite_password'] = $row['password']; //Same for the pass (encrypt it)
}
?>

:)

;) Cheers :P everyonez