The book and the download code are different.
The book is correct.
The book says
$user = User::getById($_SESSION['userId']);
the download code says
$user = User::getById(1);
This is a VERY SERIOUS SECURITY ISSUE which I will talk
about near the bottom.
and you tried
It should be $_SESSION['userId'], not $SESSION['USER_ID'] or 1
(and the 'userId' is case sensitive too)
What happens if you use $_SESSION['USER_ID'] is this.
$_SESSION['USER_ID'] is 0.
So you are calling getById with a userId of 0.
When User::getById queries the database it does this query
SELECT USERNAME, PASSWORD, EMAIL_ADDR, IS_ACTIVE, PERMISSION
WHERE USER_ID = 0
and it returns nothing, as it should, because there is no user_id of 0.
so then there are no rows returned, which makes it
fall through the if block
$row = mysql_fetch_assoc($result);
$user->username = $row['USERNAME'];
$user->password = $row['PASSWORD'];
$user->emailAddr = $row['EMAIL_ADDR'];
$user->isActive = $row['IS_ACTIVE'];
$user->permission = $row['PERMISSION'];
$user->uid = $user_id;
So there is nothing in the user object.
When the program returns to main.php it has no $user->username or
So in the disabled, readonly, textfield labeled "Username",
there is nothing to echo, $user->username is empty.
<td><input type="text" name="username" disabled="disabled"
readonly="readonly" value="<?php echo $user->username; ?>" /></td>
Same for the textfield labeled "Email Address";
$user->emailAddr is empty
<td><label for="email">Email Address</label></td>
<td><input type="text" name="email" id="email"
value="<?php echo (isset($_POST['email']))? htmlspecialchars(
$_POST['email']) : $user->emailAddr; ?>" /></td>
NOW, about the book download code.
Since you are passing down a user_id of 1, it will return the user
object for userId 1. THIS IS NOT CORRECT and a SERIOUS SECURITY HOLE.
If your userId was 10 then
You wouldn't be changing your own password and email you would be
changing it for someone else!! (userId 1)
Two things happen here
First, User 10 would be annoyed and wouldn't be able to change his password
Second, This is a VERY SERIOUS security hole. If you have 100 users, any of those users 2-100 could steal everything from userId 1.
1. They see the readonly user name in the textfield.
2. They change the email to there own.
4. They change password to their own.
So they have stolen the identity of userId 1.
I am sure this is just an oversight, and the publishing company will
change the download code. I am going to enter an erata with
WROX right now.
I hope this helps.