The problem you are having is that you are counting ALL the records in the mjs table that meet the condition idnivel_usuario='Empleado' AND estado_mjs='No leido', without taking into account that the recipient must be the user in question.
Personally, I do not recommend storing the user's username and password in the session variables; it is sensitive information that could be stolen from the server. You should save useful information about the user to whom the session belongs, for example their user ID, usuario.id, which saves you from:
- Checking the username and password on every user access to a PHP page.
- Querying the user table to obtain the user ID in order to access their data in other related tables.
Leaving those topics aside (if you want, you can ask me and I could make an example of how it would be done correctly), here is the code that works correctly and a brief explanation:
<!-- query process -->
<?php
if (!isset($_SESSION['usuario.id'])) {
    // First visit: look up the user id once and cache it in the session.
    $login = mysql_real_escape_string($_SESSION['login']);
    $password = mysql_real_escape_string($_SESSION['password']);
    $sql = "SELECT id FROM usuario WHERE login='$login' AND
            password='$password'";
    $resultl = mysql_query($sql, $link); // returns the result set
    if ($resultl === false) {
        die(mysql_error());
    }
    $_editar_linea = mysql_fetch_assoc($resultl);
    if ($_editar_linea === false) {
        die('Acceso denegado');
    }
    $_SESSION['usuario.id'] = $_editar_linea['id'];
}
$id_usuario = mysql_real_escape_string($_SESSION['usuario.id']);
// Count only the unread messages addressed to this user.
$sql = "
    SELECT
        COUNT(*) numero
    FROM
        mjs
    WHERE
        idnivel_usuario = 'Empleado'
    AND
        estado_mjs = 'No leido'
    AND
        fk_cedula = '$id_usuario'
";
$resultl = mysql_query($sql, $link) or die("Error en: $sql: " . mysql_error());
$campo = mysql_fetch_assoc($resultl);
?>
<li><a href="mjs.php">Mjs <span class="new badge blue"><?= htmlspecialchars($campo['numero']) ?></span></a></li>
<!-- end of query process -->
To begin with, you must escape character strings correctly before using them in an SQL query. Since you do not have prepared queries with variable binding (as PDO or mysqli offer), you must use the function mysql_real_escape_string(). If you do not, you could suffer SQL injection attacks exposing sensitive information about your company. For starters, since you do not use hash algorithms to store passwords in your database, they could access users and passwords in plain text.
I have created an initial control block to cache the result of the database query that gets the usuario.id. It will only be obtained the first time; on the following visits the value stored in the session variables will be reused.
The query SELECT COUNT(*) numero will obtain the number of records without having to overload the MySQL server by sending each and every one of the messages to the PHP script (and also saving memory at both ends), with an alias numero to be accessed from the result.
In some parts of your code you open blocks { ... } without associating any control statement; they are not necessary and, therefore, I have removed them from my response.
Finally, although I know it is a number, I recommend you use htmlspecialchars() whenever you are going to show information obtained from the database in the document, to avoid HTML, CSS and/or JS injection attacks.
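As an added example, not part of the answer above, here is the same unread-message count written the way the answer hints at (prepared statements with bound variables, a hashed password, and only the user id kept in the session). Table and column names (usuario, mjs, fk_cedula, estado_mjs, idnivel_usuario) are taken from the question; the $pdo connection details, the password_hash column and the POST field names are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes a usuario table with a
// password_hash column filled by password_hash(), and a $pdo connection.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=APP_DB;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
]);

// Login once: verify the hash and keep only the user id in the session.
function login(PDO $pdo, string $login, string $password): bool
{
    $st = $pdo->prepare('SELECT id, password_hash FROM usuario WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new session id after authentication
    $_SESSION['usuario.id'] = (int) $row['id'];
    return true;
}

// Unread messages addressed to this user only; the id is bound, never interpolated.
function unreadCount(PDO $pdo, int $userId): int
{
    $st = $pdo->prepare(
        'SELECT COUNT(*) AS numero FROM mjs
          WHERE idnivel_usuario = ? AND estado_mjs = ? AND fk_cedula = ?'
    );
    $st->execute(['Empleado', 'No leido', $userId]);
    return (int) $st->fetchColumn();
}

if (!isset($_SESSION['usuario.id'])) {
    // Credentials come from the login form, not from the session (assumed field names).
    if (!login($pdo, $_POST['login'] ?? '', $_POST['password'] ?? '')) {
        http_response_code(403);
        exit('Acceso denegado');
    }
}
$numero = unreadCount($pdo, $_SESSION['usuario.id']);
?>
<li><a href="mjs.php">Mjs <span class="new badge blue"><?= htmlspecialchars((string) $numero, ENT_QUOTES, 'UTF-8') ?></span></a></li>
```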