mytwocents All American 20654 Posts
So it's my birthday and here's what you can give me TWW.....
I have a login page that checks a username and password and then if it matches anything in a database, it logs that user in and loads a specific URL. I've managed to do all this but my problem is that once logged in if I manually put in the URL of another user, it will allow me access it even though I should only be allowed access to the URL for MY username and password.
<?php
// $host is assumed to be set earlier in the script; it is not shown in the post
$username = "root";
$password = "secretpassword";
$db_name = "mydatabase";
$tbl_name = "mytable";
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql = "SELECT * FROM $tbl_name WHERE scusername='$myusername' and scpassword='$mypassword'";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 0) {
    echo "Wrong Username or Password";
} else {
    while ($row = mysql_fetch_array($result)) {
        extract($row);                    // turns every column of the row, including url, into a variable
        session_register("myusername");   // deprecated session API
        session_register("mypassword");
        header("location:$url.php");      // redirect to the page named in the user's row
    }
}
?>
Now upon further research it appears I shouldn't be using the session_register but I'm not sure how to adjust.... regardless, here's the check I have for the pages:
<?php
session_start();
if (!session_is_registered(myusername)) {   // note: myusername here is an unquoted bare constant, not a string
    header("location:login.php");
}
?>
The easiest way I can think to do this is say something in that check like, 'if username then only that records url' but obviously I don't know how.... 8/31/2010 8:04:12 PM |
Stein All American 19842 Posts
You need to find a newer PHP tutorial. The ones at w3schools are pretty good. Here's the one for sessions: http://www.w3schools.com/php/php_sessions.asp
The key to figuring out your problem is to figure out exactly what it is you want to do and think what sort of steps you have to go through programmatically to meet that goal.
Oh, and don't connect to MySQL as root in your scripts. Big mistake. 8/31/2010 8:48:37 PM |
quagmire02 All American 44225 Posts
how is the "specific URL" generated? i assume you're doing something like directing them to a profile page or something after the login
i also assume that you have primary keys in the users table...if that's the case, register the primary key as a session variable upon successful login and have your "specific URL" page use the primary key to pull up that user's information (or whatever you're using it for)
if that's not the case, you're doing it wrong 9/1/2010 8:13:09 AM |
quagmire02 All American 44225 Posts
also, don't use session_register()...i think it's deprecated, but even if it isn't, $_SESSION[] is better 9/1/2010 8:55:57 AM |
mytwocents All American 20654 Posts
Well there's little doubt I'm doing it wrong....
And I realized after I posted and did a little bit of research that I shouldn't be using the session_register but I took the code from something I'd done in the past at some point.
In an effort to make this as painless as possible I currently am only using one table which holds a unique id, username, password, and URL. And yeah, based on their username, that's the URL that they get redirected to once registered: header("location:$url.php");
Should I not be only using one table? And anyone know of a good tutorial for the things I'm going to need to do (besides the one Stein posted which I am currently looking at...TY :kiss ? 9/1/2010 11:41:34 AM |
Ernie All American 45943 Posts
9/1/2010 11:51:14 AM |
kiljadn All American 44690 Posts
^aahahhahahahhaha 9/1/2010 12:02:15 PM |
mytwocents All American 20654 Posts
gdamn it 9/1/2010 12:07:56 PM |
mytwocents All American 20654 Posts
OK....well per Stein's suggestion....here's what I'd like to do:
I have a flash presentation that I've made specific to a client and each presentation includes a dummy login page (again, specific to each client) so I will have a page say 'client1.php' that will obviously be meant to be only seen by that client. So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page. I was under the impression the way I've gone about it so far was the best...now I'm just having problems figuring out how to store a session and then include that session_start for the pages so that they can only see theirs....? 9/1/2010 1:56:15 PM |
mytwocents All American 20654 Posts
jkfo;KJfkJgklJfgljDSlkgjlSKDjglkDGJSm 9/1/2010 11:54:47 PM |
Stein All American 19842 Posts
What about storing a session is unclear? 9/2/2010 8:59:20 AM |
Novicane All American 15416 Posts
Quote : | "So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page." |
I would make a general page and use PHP include based on their unique ID AND first name/last name.
If they successfully log in, be sure to pull the unique ID and their first name and assign a variable to it and pass it to your loggedin.php.
(i.e loggedin.php&id=2&name=Tom )
Write another query to double check and make sure the id and name match (you wouldn't want people just changing the unique ID and getting access to other people's pages).
then write a phpinclude for an html or whatever file and append their ID to it. include"yourpage'.$id.'".html".
You could probably get away with writing IF statements but if you get a lot of users could be a pain. 9/2/2010 11:23:32 AM |
Stein All American 19842 Posts
Uh... no. Don't do that.
Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so.
Just be sure to put a session_start() as the first line on both pages since otherwise you don't have "access" to read/write $_SESSION. 9/2/2010 11:29:44 AM |
Novicane All American 15416 Posts
Quote : | "Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so." |
yeah do this, sorry 9/2/2010 11:34:57 AM |
mytwocents All American 20654 Posts
OK.....so I've done it like you guys have said (mostly....though I'm sure somewhere is something different) but anyway, here's my question... I have a display.php page which indeed uses the value stored in the session. Now this question is a very basic one I'm sure but....I currently have it pulling the URL like this....which works perfectly:
include("$url.php");
but now I want to be able to have that be in a directory so that instead of just http://www.website.com/url.php it would be http://www.website.com/folder/url.php
I'm getting confused with the proper way to do that....which/what escape characters get used for the folder/ ? where? 9/26/2010 7:25:18 PM |
EuroTitToss All American 4790 Posts
wot 9/26/2010 7:46:32 PM |
mytwocents All American 20654 Posts
include("$url.php");
this would lead to http://www.website.com/url.php
I want to store whatever url is used in a directory so that instead of the above, it would be: http://www.website.com/folder/url.php
So how would I put that in my php code?
include(/folder/"$url.php"); or
include(\folder\"$url.php"); or
include('\folder"\"$url.php");
I know none of those are right, which is why I'm asking for help 9/26/2010 7:51:48 PM |
qntmfred retired 40726 Posts
it's not even your birthday
i'm out 9/26/2010 8:39:51 PM |
mytwocents All American 20654 Posts
fair enough. You guys have been awesome 9/26/2010 9:24:22 PM |
mytwocents All American 20654 Posts
but feel free to be more awesome..... 9/26/2010 10:31:09 PM |
Ernie All American 45943 Posts
Quote : | "include("$url.php"); " |
I haven't done anything with PHP in a while, but are periods allowed in variable names?
--
After actually reading your question, I think you'd want to do something like this
$foo = '/path/to/' . $user_url;
include($foo);
Again, though, not really my thing, and I'm sort of stabbing in the dark at what you want because your question is barely intelligible.
[Edited on September 27, 2010 at 8:41 AM. Reason : I'm pretty sure that you aren't using the include() function properly] 9/27/2010 8:33:14 AM |
Stein All American 19842 Posts
While you're right about how you'd do it, Ernie, "include" isn't a function and thus you don't (and shouldn't) use parentheses around it.
Quote : | "I haven't done anything with PHP in a while, but are periods allowed in variable names?" |
PHP is generally pretty good about figuring out what's a variable name and what isn't. If there's any confusion it can be wrapped in braces, such as "{$url}.php"
mytwocents if you look at the PHP manual http://www.php.net/include you'll see that "include" requires a string, which is the path to the file in question. Knowing what you know about PHP, which of the following is a string:
$a = folder/"url.php" $a = folder/url.php $a = "folder/url.php"
[Edited on September 27, 2010 at 10:33 AM. Reason : .] 9/27/2010 10:33:06 AM |
mytwocents All American 20654 Posts
^... $a = "folder/url.php" ?
I realize that my questions might be somewhat retarded but understand that I never learned php, I just did/do things by trial and error and the way I had was working...I just couldn't figure out how to get the path in there...I have no doubt my php is seriously flawed and it works...until it doesn't....which is why I'm here.
I've now gotten myself totally screwed up and somehow ended up with
$foo = "'/folder/'.{$url}.php"; include '$foo'; or some variation of it and I know it's wrong....but 9/27/2010 12:15:35 PM |
mytwocents All American 20654 Posts
oh shit......
so I did
$foo = "$url.php"; include ('folder/' .$foo);
and it worked.....?
Am I right or lucky? 9/27/2010 12:21:53 PM |
Ernie All American 45943 Posts
$foo = "$url.php";
[Edited on September 27, 2010 at 12:33 PM. Reason : I'm really bothered and confused by $url.php] 9/27/2010 12:30:09 PM |
mytwocents All American 20654 Posts
Well I suppose I'd be bothered by it too except that it works... but I see the issue (I think)....
each url is unique to each person who logs in so it's just pulling it from the table where the data is stored... ?? How else do you do it? 9/27/2010 1:09:42 PM |
Ernie All American 45943 Posts
Well, lots of things
mysqli, get your db credentials out the damn way, concatenation instead of throwing .php in the variable name to let the engine suss it out
etc etc
[Edited on September 27, 2010 at 2:14 PM. Reason : I thought you asked what else would one do, not how else. Whatever, this thread sucks.] 9/27/2010 2:06:45 PM |
Stein All American 19842 Posts
include "/folder/{$url}.php";
The issue Ernie's understandably having with saying "$url.php" is that when you do that, you're hoping that the PHP interpreter properly handles that line, rather than you just explicitly telling it what to do.
It generally works well enough if you keep it simple, but surrounding the variable with braces lets the interpreter know exactly what you want. When you start getting complicated and using arrays, you'll notice that:
echo "Value 0: $array[0]"; and echo "Value 0: {$array[0]}";
Print two different values. 9/27/2010 3:11:17 PM |
qntmfred retired 40726 Posts
i, too, was a little weirded out by $url.php
but hey, it is valid. if you're comfortable with it, and there aren't other developers maintaining it to get thrown off by it, no problem using that syntax
also, i doubt you are in this case, but make sure if you're doing an include on $url, make sure the user can't influence the value of $url - could open yourself up to code injection attack http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html 9/27/2010 3:35:06 PM |
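Stein's session-only flow (keep the user's id in $_SESSION, pass nothing in the URL) and qntmfred's point about never letting user input reach include, put together as an added example that is not code from anyone in this thread. It assumes the OP's single table mytable(id, scusername, scpassword, url), that scpassword holds a password_hash() value rather than plaintext, and a non-root MySQL account named appuser; the two page sections would live in separate files.

```php
<?php
// Added example (not the thread's code). Assumptions: table mytable(id, scusername,
// scpassword, url), scpassword stored with password_hash(), MySQL user 'appuser'.

function connect_db(): mysqli {
    return new mysqli('localhost', 'appuser', 'apppassword', 'mydatabase'); // not root
}

// ---------- login.php ----------
session_start();
$db   = connect_db();
$user = $_POST['myusername'] ?? '';
$pass = $_POST['mypassword'] ?? '';

$stmt = $db->prepare('SELECT id, scpassword FROM mytable WHERE scusername = ?');
$stmt->bind_param('s', $user);            // prepared statement: no hand escaping
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

if ($row === null || !password_verify($pass, $row['scpassword'])) {
    exit('Wrong Username or Password');
}
session_regenerate_id(true);              // fresh session id once authenticated
$_SESSION['id'] = (int) $row['id'];       // the only state the browser carries
header('Location: display.php');          // no id and no url in the query string
exit;

// ---------- display.php (separate file) ----------
session_start();
if (empty($_SESSION['id'])) {             // not logged in: back to the form
    header('Location: login.php');
    exit;
}
$db   = connect_db();
$stmt = $db->prepare('SELECT url FROM mytable WHERE id = ?');
$stmt->bind_param('i', $_SESSION['id']);  // id comes from the session, never from the client
$stmt->execute();
$url = $stmt->get_result()->fetch_assoc()['url'] ?? '';

// $url was looked up server side, but still accept only a bare page name so a bad
// row can never turn the include into ../something or a remote URL.
$page = __DIR__ . "/folder/{$url}.php";
if (!preg_match('/^[A-Za-z0-9_]+$/', $url) || !is_file($page)) {
    http_response_code(403);
    exit('No page is configured for this account');
}
include $page;
```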
Stein All American 19842 Posts
It's a really bad habit a lot of new PHP programmers pick up partly because the manual and the countless web tutorials out there don't do a very good job of saying "here's how you tell the interpreter this is a variable" and since PHP is pretty good at picking up what's going on, most people don't even know it's possible until they run into the array issue I mentioned. 9/27/2010 4:58:26 PM |