User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » PHP Sessions with different info for each user Page [1]  
mytwocents
All American
20654 Posts
user info
edit post

So it's my birthday and here's what you can give me TWW.....

I have a login page that checks a username and password and then if it matches anything in a database, it logs that user in and loads a specific URL. I've managed to do all this but my problem is that once logged in if I manually put in the URL of another user, it will allow me access it even though I should only be allowed access to the URL for MY username and password.


$username="root";
$password="secretpassword";
$db_name="mydatabase";
$tbl_name="mytable";
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$myusername=$_POST['myusername']; $mypassword=$_POST['mypassword'];

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE scusername='$myusername' and scpassword='$mypassword'";

$result=mysql_query($sql);
if (mysql_num_rows($result) == 0 ) { echo "Wrong Username or Password";
} else {
while ($row = mysql_fetch_array($result)) {
extract($row);
session_register("myusername");
session_register("mypassword");
header("location:$url.php"); } } ?>


Now upon further research it appears I shouldn't be using the session_register but I'm not sure how to adjust.... regardless, here's the check I have for the pages:




The easiest way I can think to do this is say something in that check like, 'if username then only that records url' but obviously I don't know how....

8/31/2010 8:04:12 PM

Stein
All American
19842 Posts
user info
edit post

You need to find a newer PHP tutorial. The ones at w3schools are pretty good. Here's the one for sessions: http://www.w3schools.com/php/php_sessions.asp

The key to figuring out your problem is to figure out exactly what it is you want to do and think what sort of steps you have to go through programmatically to meet that goal.

Oh, and don't connect to MySQL as root in your scripts. Big mistake.

8/31/2010 8:48:37 PM

quagmire02
All American
44225 Posts
user info
edit post

how is the "specific URL" generated? i assume you're doing something like directing them to a profile page or something after the login

i also assume that you have primary keys in the users table...if that's the case, register the primary key as a session variable upon successful login and have your "specific URL" page use the primary key to pull up that user's information (or whatever you're using it for)

if that's not the case, you're doing it wrong

9/1/2010 8:13:09 AM

quagmire02
All American
44225 Posts
user info
edit post

also, don't use session_register()...i think it's deprecated, but even if it isn't, $_SESSION[] is better

9/1/2010 8:55:57 AM

mytwocents
All American
20654 Posts
user info
edit post

Well there's little doubt I'm doing it wrong....

And I realized after I posted and did a little bit of research that I shouldn't be using the session_register but I took the code from something I'd done in the past at some point.

In an effort to make this as painless as possible I currently am only using one table which holds a unique id, username, password, and URL. And yeah, based on their username, that's the URL that they get redirected to once registered header("location:$url.php".

Should I not be only using one table? And anyone know of a good tutorial for the things I'm going to need to do (besides the one Stein posted which I am currently looking at...TY :kiss ?

9/1/2010 11:41:34 AM

Ernie
All American
45943 Posts
user info
edit post

9/1/2010 11:51:14 AM

kiljadn
All American
44690 Posts
user info
edit post

^aahahhahahahhaha

9/1/2010 12:02:15 PM

mytwocents
All American
20654 Posts
user info
edit post

gdamn it

9/1/2010 12:07:56 PM

mytwocents
All American
20654 Posts
user info
edit post

OK....well per Stein's suggestion....here's what I'd like to do:

I have a flash presentation that I've made specific to a client and each presentation includes a dummy login page (again, specific to each client) so I will have a page say 'client1.php' that will obviously be meant to be only seen by that client. So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page. I was under the impression the way I've gone about it so far was the best...now I'm just having problems figuring out how to store a session and then include that session_start for the pages so that they can only see theirs....?

9/1/2010 1:56:15 PM

mytwocents
All American
20654 Posts
user info
edit post

jkfo;KJfkJgklJfgljDSlkgjlSKDjglkDGJSm

9/1/2010 11:54:47 PM

Stein
All American
19842 Posts
user info
edit post

What about storing a session is unclear?

9/2/2010 8:59:20 AM

Novicane
All American
15416 Posts
user info
edit post

Quote :
"So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page."


I would make a general page and use PHP include based on their unique ID AND first name/last name.

If they successfully log in, be sure to pull the unique ID and their first name and assign a variable to it and pass it to your loggedin.php.

(i.e loggedin.php&id=2&name=Tom )

Write another query to double check and make sure the id and name match (you wouldn't want people just chainging the unique ID and getting access to other peoples pages)

then write a phpinclude for an html or whatever file and append their ID to it. include"yourpage'.$id.'".html".

You could probably get away with writing IF statements but if you get a lot of users could be a pain.

9/2/2010 11:23:32 AM

Stein
All American
19842 Posts
user info
edit post

Uh... no. Don't do that.

Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so.

Just be sure to put a session_start() as the first line on both pages since otherwise you don't have "access" to read/write $_SESSION.

9/2/2010 11:29:44 AM

Novicane
All American
15416 Posts
user info
edit post

Quote :
"Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so."


yeah do this, sorry

9/2/2010 11:34:57 AM

mytwocents
All American
20654 Posts
user info
edit post

OK.....so I've done it like you guys have said (mostly....though I'm sure somewhere is something different) but anyway, here's my question...
I have a display.php page which indeed uses the value stored in the session. Now this question is a very basic one I'm sure but....I currently have it pulling the URL like this....which works perfectly:

include("$url.php");


but now I want to be able to have that be in a directory so that instead of just http://www.website.com/url.php it would be http://www.website.com/folder/url.php


I'm getting confused with the proper way to do that....which/what escape characters get used for the folder/ ? where?

9/26/2010 7:25:18 PM

EuroTitToss
All American
4790 Posts
user info
edit post

wot

9/26/2010 7:46:32 PM

mytwocents
All American
20654 Posts
user info
edit post

include("$url.php");


this would lead to http://www.website.com/url.php

I want to store whatever url is used in a directory so that instead of the above, it would be:
http://www.website.com/folder/url.php

So how would I put that in my php code?
include(/folder/"$url.php");

or
include(\folder\"$url.php");

or
include('\folder"\"$url.php");


I know none of those are right, which is why I'm asking for help

9/26/2010 7:51:48 PM

qntmfred
retired
40816 Posts
user info
edit post

it's not even your birthday

i'm out

9/26/2010 8:39:51 PM

mytwocents
All American
20654 Posts
user info
edit post

fair enough. You guys have been awesomee

9/26/2010 9:24:22 PM

mytwocents
All American
20654 Posts
user info
edit post

but feel free to be more awesome.....

9/26/2010 10:31:09 PM

Ernie
All American
45943 Posts
user info
edit post

Quote :
"
include("$url.php");
"


I haven't done anything with PHP in a while, but are periods allowed in variable names?

--

After actually reading your question, I think you'd want to do something like this

$foo = '/path/to/' . $user_url;

include($foo);


Again, though, not really my thing, and I'm sort of stabbing in the dark at what you want because your question is barely intelligible.

[Edited on September 27, 2010 at 8:41 AM. Reason : I'm pretty sure that you aren't using the include() function properly]

9/27/2010 8:33:14 AM

Stein
All American
19842 Posts
user info
edit post

While you're right about how you'd do it, Ernie, "include" isn't a function and thus you don't (and shouldn't) use parentheses around it.

Quote :
"I haven't done anything with PHP in a while, but are periods allowed in variable names?"


PHP is generally pretty good about figuring out what's a variable name and what isn't. If there's any confusion it can be wrapped in braces, such as "{$url}.php"

mytwocents if you look at the PHP manual http://www.php.net/include you'll see that "include" requires a string, which is the path to the file in question. Knowing what you know about PHP, which of the following is a string:

$a = folder/"url.php"
$a = folder/url.php
$a = "folder/url.php"

[Edited on September 27, 2010 at 10:33 AM. Reason : .]

9/27/2010 10:33:06 AM

mytwocents
All American
20654 Posts
user info
edit post

^...
$a = "folder/url.php"
?

I realize that my questions might be somewhat retarded but understand that I never learned php, I just did/do things by trial and error and the way I had was working...I just couldn't figure out how to get the path in there...I have no doubt my php is seriously flawed and it works...until it doesn't....which is why I'm here.

I've now gotten myself totally screwed up and somehow ended up with

$foo = "'/folder/'.{$url}.php";
include '$foo';

or some variation of it and I know it's wrong....but

9/27/2010 12:15:35 PM

mytwocents
All American
20654 Posts
user info
edit post

oh shit......

so I did

$foo = "$url.php";
include ('folder/' .$foo);


and it worked.....?

Am I right or lucky?

9/27/2010 12:21:53 PM

Ernie
All American
45943 Posts
user info
edit post

$foo = "$url.php";




[Edited on September 27, 2010 at 12:33 PM. Reason : I'm really bothered and confused by $url.php]

9/27/2010 12:30:09 PM

mytwocents
All American
20654 Posts
user info
edit post

Well I suppose I'd be bothered by it too except that it works... but I see the issue (I think)....

each url is unique to each person who logs in so it's just pulling it from the table where the data is stored... ?? How else do you do it?

9/27/2010 1:09:42 PM

Ernie
All American
45943 Posts
user info
edit post

Well, lots of things

mysqli, get your db credentials out the damn way, concatenation instead of throwing .php in the variable name to let the engine suss it out

etc etc

[Edited on September 27, 2010 at 2:14 PM. Reason : I thought you asked what else would one do, not how else. Whatever, this thread sucks.]

9/27/2010 2:06:45 PM

Stein
All American
19842 Posts
user info
edit post

include "/folder/{$url}.php";

The issue Ernie's understandably having with saying "$url.php" is that when you do that, you're hoping that the PHP interpreter properly handles that line, rather than you just explicitly telling it what to do.

It generally works well enough if you keep it simple, but surrounding the variable with braces lets the interpreter know exactly what you want. When you start getting complicated and using arrays, you'll notice that:

echo "Value 0: $array[0]";
and
echo "Value 0: {$array[0]}";

Print two different values.

9/27/2010 3:11:17 PM

qntmfred
retired
40816 Posts
user info
edit post

i, too, was a little weirded out by $url.php

but hey, it is valid. if you're comfortable with it, and there aren't other developers maintaining it to get thrown off by it, no problem using that syntax

also, i doubt you are in this case, but make sure if you're doing an include on $url, make sure the user can't influence the value of $url - could open yourself up to code injection attack http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

9/27/2010 3:35:06 PM

Stein
All American
19842 Posts
user info
edit post

It's a really bad habit a lot of new PHP programmers pick up partly because the manual and the countless web tutorials out there don't do a very good job of saying "here's how you tell the interpreter this is a variable" and since PHP is pretty good at picking up what's going on, most people don't even know it's possible until they run into the array issue I mentioned.

9/27/2010 4:58:26 PM

 Message Boards » Tech Talk » PHP Sessions with different info for each user Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.