Jazzy 1012

asked on

Session timeout

I have a homepage the user logs in to with this PHP code:

<?php
session_start();
$username= $_SESSION['username'];

if($_SESSION['username'] == "")
{
	header("Location: http://markitlive.com/new_system/");
	exit; // stop here, otherwise the rest of the page still runs for a visitor who is not logged in
}

require "connection.php";

$result= mysqli_query($conn,"SELECT * FROM users WHERE username = '$username'");
$row = mysqli_fetch_row($result);
$firstname = $row[0];
$lastname= $row[1];
$email = $row[2];
$birthday = $row[4];
$gender = $row[5];
$path = $row[8];


?>



I tried adding this
$_SESSION["timeout"] = time()+ (0*1*0*0);
So it logs out after a day, but it didn't work. Can anyone tell me why?
ASKER CERTIFIED SOLUTION
Suat M. Ozgur
This solution is only available to members.
SOLUTION
This solution is only available to members.
And 0*1*0*0 = 0.
Jazzy 1012

ASKER

Is there no other way, by keeping it as a session and doing it with certain code?
This is about how you use the variable in the SQL statement.

$result= mysqli_query($conn,"SELECT * FROM users WHERE username = '$username'");

$username is coming from outside. A cookie can even be altered on the client side.
Let's say I change the cookie to be 'myname \' AND 1=1'.
In this case your SQL query will return a user whether the name is correct or not (basic SQL injection).

Just be careful, and definitely clean all incoming values before using them in your scripts. In fact, don't use mysql functions directly; instead use PDO and prepared statements. I am just trying to draw your attention to the safety side.
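
The two points raised in this thread, combined in one sketch that is an added example and not code from any participant: a one-day expiry stored in the session (24*60*60 seconds, where 0*1*0*0 evaluates to 0) and a PDO prepared statement for the user lookup. The function names, the column list and the in-memory SQLite table are assumptions made so that it runs on its own.

```php
<?php
// Added example; helper names, table layout and sample data are assumptions.
const SESSION_LIFETIME = 24 * 60 * 60; // one day in seconds

// True while the login is still valid; stamps the expiry once, at first use.
function session_is_fresh(array &$session, int $now): bool
{
    if (empty($session['username'])) {
        return false; // nobody is logged in
    }
    if (!isset($session['timeout'])) {
        $session['timeout'] = $now + SESSION_LIFETIME;
    }
    return $now < $session['timeout'];
}

// Looks the user up with a bound parameter instead of string interpolation.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT firstname, lastname, email FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo: in-memory SQLite stands in for the real MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (firstname TEXT, lastname TEXT, email TEXT, username TEXT)');
$db->exec("INSERT INTO users VALUES ('Ada', 'Lovelace', 'ada@example.test', 'ada')");

$session = ['username' => 'ada']; // stands in for $_SESSION right after login
$login = 1700000000;              // constructed timestamp

var_dump(session_is_fresh($session, $login));                        // same day
var_dump(session_is_fresh($session, $login + SESSION_LIFETIME + 1)); // a day later
var_dump(find_user($db, 'ada'));                                     // existing user
var_dump(find_user($db, "myname' AND 1=1"));                         // quote stays data
```

In the page itself, call session_is_fresh($_SESSION, time()) right after session_start(); when it returns false, call session_unset() and session_destroy(), send the Location header and exit.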