MYSQL SELECT query displaying only the data from the logged in user session

Question

I am creating an account settings page for my membership website where the user that is logged can go to edit there username, password and email. This code below shows all the users in my database to every user with the option to edit.

$result = mysql_query("SELECT * FROM user") or die(mysql_error());

I don't want that. I would like only the information for user that is logged in so they can edit there own personal information. Here is my table:

$result = mysql_query("SELECT * FROM user '". mysql_real_escape_string($_SESSION['loggedin']) . "'") 
                        or die(mysql_error());

Here is the php code for whole page:

 <?php ob_start(); //keep output in buffer session_start(); require_once( 'database.php' ); include("head.php"); if (!isset($_SESSION['loggedin'])) { ?> <body> DO NOT HAVE ACCESS PRIVILEDGES TO THIS PAGE. <?php } elseif (isset($_SESSION['loggedin']) && ($_SESSION['adminuser']=='0' )){ //logged in and NOT an Admin ?> <body> <?php $result = mysql_query("SELECT * FROM user") or die(mysql_error()); ?> <table width="600" border="0" cellspacing="1" cellpadding="0"> <form name="form1" method="post" action=""> <tr> <td> <table width="600" border="0" cellspacing="1" cellpadding="0"> <tr> <td align="center"><strong>UserName</strong></td> <td align="center"><strong>Password</strong></td> <td align="center"><strong>Email</strong></td> </tr> <?php while($row = mysql_fetch_array( $result )){ ?> <tr> <td align="center"><? echo $row['username']; ?></td> <td align="center"><? echo $row['password']; ?></td> <td align="center"><? echo $row['email']; ?></td> <td align="center"><? echo '<a class="login" href="edit_user.php?id=' . $row['id'] . '">Edit</a>'; ?>&nbsp; &nbsp;</td> </tr> <?php } ?> <tr> </tr> </table> </td> </tr> </form> </table> <?php } elseif (isset($_SESSION['loggedin']) && ($_SESSION['adminuser']=='1' )){ //logged in and an Admin ?> <body class="loggedin"> <?php include("admin_menu.php"); ?> <?php $result = mysql_query("SELECT * FROM user") or die(mysql_error()); ?> <table width="600" border="0" cellspacing="1" cellpadding="0"> <form name="form1" method="post" action=""> <tr> <td> <table width="600" border="0" cellspacing="1" cellpadding="0"> <tr> <td align="center"><strong>UserName</strong></td> <td align="center"><strong>Password</strong></td> <td align="center"><strong>Email</strong></td> </tr> <?php while($row = mysql_fetch_array( $result )){ ?> <tr> <td align="center"><? echo $row['username']; ?></td> <td align="center"><? echo $row['password']; ?></td> <td align="center"><? echo $row['email']; ?></td> <td align="center"><? echo '<a class="login" href="edit_user.php?id=' . $row['id'] . '">Edit</a>'; ?>&nbsp; &nbsp;</td> </tr> <?php } ?> <tr> </tr> </table> </td> </tr> </form> </table> <? } include("footer.php"); ob_flush(); //flush output buffer ?> 

I've already tried these two ways to fix my problem and they didn't work:

 $result = mysql_query('SELECT * FROM user "'. mysql_real_escape_string(isset($_SESSION['loggedin']) && ($_SESSION['adminuser']=='0' )) . '"') or die(mysql_error()); 

^ that doesn't show anything except the titles of the columns. I tried this as well and it also didn't work:

 $result = mysql_query("SELECT * FROM user '". mysql_real_escape_string($_SESSION['loggedin']) . "'") or die(mysql_error()); 

Help please.

Answer 1

SELECT * FROM user WHERE id = UserId

This should solve your problem and please do a thorough search on mysqli or pdo. Stop using mysql