Jazzy 1012
Session timeout
I have a homepage the user logs in to with this PHP code:
```php
<?php
session_start();

// Read the logged-in username from the session (empty string if not set).
$username = $_SESSION['username'] ?? '';
if ($username == "")
{
    // Not logged in: send to the login page and stop executing.
    header("Location: http://markitlive.com/new_system/");
    exit;
}

require "connection.php";

// Note: $username is interpolated straight into the SQL string.
$result = mysqli_query($conn, "SELECT * FROM users WHERE username = '$username'");
$row = mysqli_fetch_row($result);

// Column positions as they appear in the users table.
$firstname = $row[0];
$lastname  = $row[1];
$email     = $row[2];
$birthday  = $row[4];
$gender    = $row[5];
$path      = $row[8];
?>
```
I tried adding this:

```php
$_SESSION["timeout"] = time() + (0*1*0*0);
```

so it logs out after a day, but it didn't work. Can anyone tell me why?
SOLUTION
And 0*1*0*0 = 0.
ASKER
Is there no other way, keeping it as a session and doing it with certain code?
This is about how you use a variable in the SQL statement.

```php
$result = mysqli_query($conn, "SELECT * FROM users WHERE username = '$username'");
```

$username is coming from outside. A cookie can even be altered on the client side.
Let's say I change the cookie to be 'myname \' AND 1=1'.
In this case your SQL query will return a user no matter whether the name is correct or not (basic SQL injection).
Just be careful, and definitely clear all incoming values before using them in your scripts. In fact, don't use the mysql functions directly; instead use PDO and prepared statements. I am just trying to draw your attention to the safety side.
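As an added example (not the asker's code and not one of the answers on this page), this is how the expiry the asker attempted can be enforced on every page load with a real one-day lifetime, combined with the prepared-statement lookup the answer recommends. It assumes connection.php provides $conn as a mysqli object built with mysqlnd, that the login script stores $_SESSION['expires_at'] as shown in the comment, and that the users table column order is the one the asker indexes.

```php
<?php
// Added example; assumes connection.php defines $conn (mysqli, mysqlnd enabled).
// The login script is assumed to set, right after a successful password check:
//   $_SESSION['username']   = $user;
//   $_SESSION['expires_at'] = time() + SESSION_LIFETIME;
session_start();

const SESSION_LIFETIME = 24 * 60 * 60;   // one day in seconds (0*1*0*0 is just 0)

function sessionExpired(array $session, int $now): bool
{
    // Treat a missing expiry as expired so a forged or stale session never passes.
    return !isset($session['expires_at']) || $now >= (int) $session['expires_at'];
}

function logoutAndRedirect(): void
{
    // Drop server-side state and the session cookie, then stop executing.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: http://markitlive.com/new_system/');
    exit;
}

if (empty($_SESSION['username']) || sessionExpired($_SESSION, time())) {
    logoutAndRedirect();
}

require 'connection.php';

// Prepared statement: the username is bound as data, never spliced into the SQL.
$stmt = $conn->prepare('SELECT * FROM users WHERE username = ?');
$stmt->bind_param('s', $_SESSION['username']);
$stmt->execute();
$row = $stmt->get_result()->fetch_row();
$stmt->close();

if ($row === null) {
    // The session names a user that no longer exists: treat it as logged out.
    logoutAndRedirect();
}

// Same column positions as in the asker's original script.
$firstname = $row[0];
$lastname  = $row[1];
$email     = $row[2];
$birthday  = $row[4];
$gender    = $row[5];
$path      = $row[8];
```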