
sessions gone wild

Join Date: Mar 2007
Posts: 152
#1: Dec 9 '09
I start sessions on all pages with:

    ob_start();
    session_start();

at the top of the page before anything else.

When I login these sessions are set:

    $query = "SELECT *
              FROM users
              WHERE (email='$e' AND pass=SHA('$p'))
              AND active IS NULL";   // $e and $p are interpolated as-is, not escaped
    $result = mysql_query ($query);
    if (@mysql_num_rows($result) == 1) {
        $row = mysql_fetch_array ($result, MYSQL_NUM);
        $_SESSION['user_id'] = $row[0];        // first column of users
        $_SESSION['display_name'] = $row[3];   // fourth column of users

        // Start defining the URL.
        $url = './../members/main.php';

        ob_end_clean(); // Delete the buffer.
        header("Location: $url");
        exit();
    }
OK, I'm logged in. It's a recipe website and I migrate to a page that has a list of Beef recipes. I click on one and the page displaying the recipe shows the display name of the person who submitted the recipe, e.g. Martha.

Next to Martha's name is a link that says Click Here to see all my recipes. Here's the link:

    <a href='all_user_recipes.php?file=$user_id'>Click Here</a>

To display the recipe a query is run that pulls the recipe from the recipes table: recipe_id, c_id, user_id, recipe_title, ingredients, directions, notes, viewed, r_allow, submitted

The user_id is set in the users table when the person registered. The user_id is entered into most of the tables on this website.

Here's where things get screwy.

When I click on the link to see all of Martha's recipes, a query is run that pulls all the recipes from the database that correlate with Martha's user_id. At the same time, my session is now populated with Martha's information. At the top of the screen, where it used to say "Hello, David P" (my display_name, which was set in a session when I log in), it now says "Hello, Martha". When I go to the user Control Panel it is Martha's account that I'm in. I can change her password and delete all her recipes if I had a mind to.

I can change from Martha to someone else just by clicking on the link to see all of their recipes. It's as if the page variable ($user_id) is changing the session variable ($_SESSION['user_id']).

My server uses PHP Version 4.4.9

On the same page that displays the recipe along with the link to see all that person's recipes, is a link that allows me to add that recipe to my "favorite recipes box". This is just a table (favorite_recipes) that has 2 rows - recipe_id and user_id.

How it is supposed to work is that when I click on the "Add to Favorite Recipe Box" a page opens that takes my user_id ($_SESSION['user_id']) and that recipe's recipe_id ($recipe_id) and inserts it into the favorite_recipe table and gives me a happy message saying it's been added:

    $recipe_id = $_GET['recipe_id'];   // taken straight from the query string
    $query = "INSERT INTO favorite_recipes (user_id, recipe_id)
              VALUES ('".$_SESSION['user_id']."', '$recipe_id')";
    $result = mysql_query($query);
    if ($result) {
        echo "Hurray! The recipe is added!";
    } else {
        echo "Too Bad. Recipe not added.";
    }
What actually happens is that the recipe owner's user_id is entered instead of my session user_id, and it changes my current session ($_SESSION['user_id'] and $_SESSION['display_name']), be it me or the person whose recipes I had just viewed, to the person whose recipe I just saved in my favorite recipe box. I am now them, and when I go to the control panel I am in their account and once again can do mischief if I've a mind to.

So, it seems that whenever I click on a link my session changes. I don't get this. Any ideas?

Join Date: Nov 2006
Location: Iceland
Posts: 4,618
#2: Dec 9 '09

re: sessions gone wild


Hey.

None of the code you posted looks like it is causing this, and I can't spot anything that could be.

Are there any global includes in your PHP files? Something that could be interfering with the sessions?

Try searching all the files involved for "$_SESSION['user_id'] =". Just in case there was a copy/paste malfunction, or something like that.

Also, a couple of things you should consider.
  • Using the SHA function inside a MySQL query is inadvisable. Under certain circumstances the MySQL server may log the raw query, which would then contain the plain-text password. Kind of defeats the purpose of the whole thing.
    It's better to use PHP to hash things and pass the hashes into the queries.
  • Your "Add recipe" code is wide open to SQL Injection.
    Always use the mysql_real_escape_string function on data before inserting it into a MySQL query. In the case of numbers, the intval and floatval functions can also be used.
  • "My server uses PHP Version 4.4.9"
    A fan of antiques, are you? :P
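The login query rebuilt along the lines of the reply above, as an added example rather than code from the thread: the password is hashed in PHP so the plaintext never appears in a query (or in the MySQL query log), and the e-mail is run through mysql_real_escape_string before interpolation. It is written for the PHP 4 mysql extension the thread uses; $dbc (the link from dbconnect.php) and the column names are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes $dbc is the mysql link
// opened by dbconnect.php and that users has user_id, display_name,
// email, pass and active columns, as the thread's queries suggest.

// sha1() returns the same 40-character lowercase hex digest as MySQL's
// SHA(), so rows hashed by the old SHA('$p') query still match and no
// migration of stored hashes is needed.
function login($dbc, $email, $password)
{
    $e = mysql_real_escape_string($email, $dbc);
    $h = sha1($password);   // hex digits only, nothing left to escape

    $query = "SELECT user_id, display_name
              FROM users
              WHERE email = '$e' AND pass = '$h' AND active IS NULL";
    $result = mysql_query($query, $dbc);
    if (!$result || mysql_num_rows($result) != 1) {
        return false;
    }
    $row = mysql_fetch_assoc($result);
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['display_name'] = $row['display_name'];
    return true;
}

// Typical use on the login page, after ob_start(); session_start();
// include('dbconnect.php'); have run at the top of the file.
if (isset($_POST['email'], $_POST['pass'])
    && login($dbc, $_POST['email'], $_POST['pass'])) {
    ob_end_clean();
    header('Location: ./../members/main.php');
    exit();
}
```

Unsalted SHA-1 is kept here only because that is what the site already stores and what PHP 4 offers; on PHP 5.5 or later the right tools are password_hash() and password_verify().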
Join Date: Mar 2007
Posts: 152
#3: Dec 9 '09

re: sessions gone wild


When you say SQL Injection I guess you're referring to this:

    $recipe_id = $_GET['recipe_id'];

I changed to this:

    $recipe_id = escape_data($_GET['recipe_id']);
    $user_id = escape_data($_SESSION['user_id']);

    $query = "INSERT INTO favorite_recipes (user_id, recipe_id) VALUES ('$user_id', '$recipe_id')";

I have an escape_data function in my database connection include that handles mysql_real_escape_string.

I thought I read someplace that a page variable $user_id could change the session user_id when passed through the address bar such as with this:

    <a href='see_all_user_recipes.php?file=$user_id'>SEE ALL</a>

Is this possible or no?

I don't see any buggered up session user_id's on any of the pages. The session system I'm using is the one found in Larry Ullman's book Chp13.

I'm not sure how I would implement the PHP hash that you spoke of. I'll have to read up on that.

No matter what link I click on, my session information changes to someone else. Even this:

    <a href='see_list.php?file=$c_id'>$c_name</a>

c_id and c_name are the recipe category id and name. I click on this and I'm suddenly someone else.
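An added note from the editor on the question asked in this post and the symptom described in the first one, not something written by the thread's participants: PHP 4 can run with register_globals=On, and the PHP manual documents that in that mode the session extension registers every $_SESSION key as a global of the same name and keeps the two referring to the same value. A recipe page that does $user_id = $row['user_id'], or a request carrying ?user_id=7, is then rewriting $_SESSION['user_id'] for the rest of the session. The example below, which is not from the thread, checks for that setting before session_start() and writes the recipe page so that its own variables never share a name with a session key. $dbc from dbconnect.php and the recipes columns named in the thread are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes $dbc is the mysql link from
// dbconnect.php and that recipes has recipe_id, user_id and recipe_title.

// True when register_globals is enabled. ini_get() hands back whatever the
// directive was set to, so compare against every spelling of "off".
function register_globals_is_on()
{
    $v = strtolower(trim((string) ini_get('register_globals')));
    return !in_array($v, array('', '0', 'off', 'false', 'no', 'none'));
}

// The global/session linkage is created inside session_start(), so it cannot
// be undone from page code. Turn the directive off (register_globals = Off in
// php.ini, or "php_flag register_globals off" in .htaccess under mod_php) and
// refuse to serve authenticated pages until that is done.
function require_safe_config()
{
    if (register_globals_is_on()) {
        die('register_globals is on; refusing to serve authenticated pages.');
    }
}

// Recipe page: the author's id lives in $owner_id, never $user_id, and the
// viewer's id is read from the session only. Returns false if no such recipe.
function show_recipe($dbc, $recipe_id)
{
    $rid = intval($recipe_id);   // ids are integers; cast, do not trust $_GET
    $query = "SELECT user_id, recipe_title FROM recipes WHERE recipe_id = $rid";
    $result = mysql_query($query, $dbc);
    if (!$result || mysql_num_rows($result) != 1) {
        return false;
    }
    $row = mysql_fetch_assoc($result);
    $owner_id  = (int) $row['user_id'];   // the recipe's author
    $viewer_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;

    echo '<h1>' . htmlspecialchars($row['recipe_title']) . '</h1>';
    echo "<a href='all_user_recipes.php?file=$owner_id'>Click Here</a> to see all my recipes";
    if ($viewer_id > 0) {
        echo "<a href='add_favorite.php?recipe_id=$rid'>Add to Favorites</a>";
    }
    return true;
}

ob_start();
require_safe_config();   // before session_start(), where the aliasing happens
session_start();
include('dbconnect.php');
if (!show_recipe($dbc, isset($_GET['recipe_id']) ? $_GET['recipe_id'] : 0)) {
    echo 'No such recipe.';
}
```

Renaming the page variable alone is not a fix: with register_globals still on, a visitor can set $user_id from the address bar without any help from the page. Disabling the directive is what removes the aliasing; the rename just stops the site's own code from colliding with the session key afterwards.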
Join Date: Mar 2007
Posts: 152
#4: Dec 9 '09

re: sessions gone wild


See any reason why this would not display even though the session user_id is set and the recipe_id hasn't been added already? I have the user_id echoed above this script (as a test) to make sure that it is set and it is. I can't figure out why it isn't working.

    if (isset($_SESSION['user_id']))
    {
        include('dbconnect.php');

        $query = "SELECT recipe_id
                  FROM favorite_recipes
                  WHERE favorite_user_id='" . $_SESSION['user_id'] . "'";
        $result = mysql_query ($query);

        // Make sure this user hasn't already added this recipe to their favorites
        if (mysql_num_rows($result) == 0)
        {
            // This loop only runs when the query returned no rows, so
            // mysql_fetch_array() returns false at once and nothing is echoed.
            while($row = mysql_fetch_array($result))
            {
                $recipe_id = $row['recipe_id'];

                echo "
                <tr><td>
                <a href='add_favorite.php?recipe_id=$recipe_id'>Add to Favorites</a>
                </td></tr>
                ";
            }
        }
    }
Join Date: Mar 2007
Posts: 152
#5: Dec 9 '09

re: sessions gone wild


OK, I found the problem with what I posted above. The query should have been this:

    $query = "SELECT recipe_id
              FROM favorite_recipes
              WHERE favorite_user_id='" . $_SESSION['user_id'] . "'
              AND recipe_id='$recipe_id'";
    $result = mysql_query ($query);

What this query was doing was checking to see if the user had already added this recipe into their favorites. If so, this section was to be ignored. If they had not, then show this section and give the user the option of adding it to their favorites folder. I failed to check it against the recipe_id of the current recipe.
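The "already in favorites?" check from the last two posts and the insert that follows it, as an added example (not the poster's code) written as functions a page can call. The thread names the owner column both user_id and favorite_user_id; favorite_user_id, from the later posts, is used here, and $dbc from dbconnect.php is assumed. The link is shown or hidden on the result of the check itself, so there is no loop over an empty result set.

```php
<?php
// Added example, not the poster's code. Assumes $dbc is the mysql link from
// dbconnect.php and favorite_recipes has favorite_user_id and recipe_id.

// True if this user already has this recipe in favorite_recipes.
function is_favorite($dbc, $user_id, $recipe_id)
{
    $uid = intval($user_id);
    $rid = intval($recipe_id);
    $query = "SELECT 1 FROM favorite_recipes
              WHERE favorite_user_id = $uid AND recipe_id = $rid
              LIMIT 1";
    $result = mysql_query($query, $dbc);
    return $result && mysql_num_rows($result) > 0;
}

// Insert unless already present. Returns true only when a row was added.
function add_favorite($dbc, $user_id, $recipe_id)
{
    $uid = intval($user_id);
    $rid = intval($recipe_id);
    if ($uid <= 0 || $rid <= 0 || is_favorite($dbc, $uid, $rid)) {
        return false;
    }
    $query = "INSERT INTO favorite_recipes (favorite_user_id, recipe_id)
              VALUES ($uid, $rid)";
    return mysql_query($query, $dbc) && mysql_affected_rows($dbc) == 1;
}

// On the recipe page: the link appears only for a logged-in viewer who has
// not added this recipe yet. Returns the HTML fragment to echo.
function favorite_link($dbc, $recipe_id)
{
    if (!isset($_SESSION['user_id'])) {
        return '';
    }
    $rid = intval($recipe_id);
    if (is_favorite($dbc, $_SESSION['user_id'], $rid)) {
        return '<tr><td>Already in your favorites</td></tr>';
    }
    return "<tr><td><a href='add_favorite.php?recipe_id=$rid'>Add to Favorites</a></td></tr>";
}

// add_favorite.php, after ob_start(); session_start(); include('dbconnect.php');
if (isset($_SESSION['user_id'], $_GET['recipe_id'])
    && add_favorite($dbc, $_SESSION['user_id'], $_GET['recipe_id'])) {
    echo "Hurray! The recipe is added!";
} else {
    echo "Too Bad. Recipe not added.";
}
```

Two requests racing between the check and the insert can still produce a duplicate row; a UNIQUE key on (favorite_user_id, recipe_id) in the table is what actually rules that out, and with it in place mysql_affected_rows() reports the rejected duplicate as 0.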