Restrict Access to Page defined by user name

Question

ibakir 0 Light Poster

13 Years Ago

Hey :D , take a look
http://www.dalilack.com/marketList.php
click edit on the orange button
EX : http://www.dalilack.com/marketFormUpdate.php?Id=11
the id of that user is 11, you can use 'hoho33' as a user name & 'shityshit' as a pass

now you notice there's info for each member , and in order when that user want to edit and change his info it directed to log in page after write the field then he can change his own info.

now the problem is that he can use his user name and password in order to change any of others users info and their details!!!!
so please guys i need a help
thanks

here you can see 'marketFormUpdate.php' Source Code

<?php require_once('Connections/dalilack.php'); ?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "name";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && true) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "login/login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE explorers SET name=%s, email=%s, product=%s, price=%s, phoneNumber=%s, comments=%s WHERE Id=%s",
                       GetSQLValueString($_POST['name'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['product'], "text"),
                       GetSQLValueString($_POST['price'], "text"),
                       GetSQLValueString($_POST['phoneNumber'], "text"),
                       GetSQLValueString($_POST['comments'], "text"),
                       GetSQLValueString($_POST['Id'], "int"));

  mysql_select_db($database_dalilack, $dalilack);
  $Result1 = mysql_query($updateSQL, $dalilack) or die(mysql_error());

  $updateGoTo = "marketList.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

mysql_select_db($database_dalilack, $dalilack);
$query_product = "SELECT * FROM states";
$product = mysql_query($query_product, $dalilack) or die(mysql_error());
$row_product = mysql_fetch_assoc($product);
$totalRows_product = mysql_num_rows($product);

$colname_formUpdate = "-1";
if (isset($_GET['Id'])) {
  $colname_formUpdate = $_GET['Id'];
}
mysql_select_db($database_dalilack, $dalilack);
$query_formUpdate = sprintf("SELECT Id, name, email, product, price, phoneNumber, comments, explorers.userName, explorers.password FROM explorers WHERE Id = %s", GetSQLValueString($colname_formUpdate, "int"));
$formUpdate = mysql_query($query_formUpdate, $dalilack) or die(mysql_error());
$row_formUpdate = mysql_fetch_assoc($formUpdate);
$totalRows_formUpdate = mysql_num_rows($formUpdate);
?>

microsoft-access php

3 Contributors
12 Replies
1K Views
2 Days Discussion Span
Latest Post 13 Years Ago Latest Post by Stefano Mtangoo

almostbob 866 Retired: passive income ROCKS

13 Years Ago

the display users page and the edit user details page, should be completely separate, when opening the edit user details page the user should be presented with a single item, containing only their details, select * from table where id = userid , where userid is only pulled from the session already established

never use $_get for anything 'secure', anybody can see the query string, can dump whatever they want into the query string, can save the query string as a favorite and **** with the database whenever they wish

one user, one edit, one update, NO problem

Edited 13 Years Ago by almostbob because: n/a

almostbob 866 Retired: passive income ROCKS

13 Years Ago

example1 Button at the top of this page "users online"
example2 button in your control panel to allow you to edit only your own details

nothing but a simple display page of other users
submit for update on your own page, by _post(and/or ajax) to sanitise the urls

these are the minimum standard required

Edited 13 Years Ago by almostbob because: n/a

Stefano Mtangoo 455 Senior Poster

13 Years Ago

so i need a lil description about how to deal with access level in adobe Dreamweaver cs5 , and sorry for my English :D

Check the red color and tell me if you are kidding :)
Anyway, take look at good answers above!

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

ibakir 0 Light Poster · Answer 1 · 2011-07-11T02:10:19+00:00

very nice in what did u said, thanks man , but the edit user details page is collecting Data info by the user ID same as the

select * from table where id = userid

i need to control that logged in user from not editing other users in the Display user page :(
so i need a lil description about how to deal with access level in adobe Dreamweaver cs5 , and sorry for my English :D

ibakir 0 Light Poster · Answer 2 · 2011-07-11T18:03:46+00:00

take a look at this thread :D
http://www.daniweb.com/web-development/php/threads/184658

ibakir 0 Light Poster · Answer 3 · 2011-07-11T21:45:10+00:00

LOL :D its like how the hack i must write those access level , and the answers didn't really helped me :S

i need if a user logged in he won't be abble to miss around in the others info
EX : when you comment on facebook.com you can after while edit it again !!! that's what i actually need :D
by the way you can give a try http://www.dalilack.com/marketList.php
then click on edit ADs "orange button" you can notice the link change by user ID :D

MySQL : http://forum.montadaphp.net/attachments/2742d1310387490-untitled-1.jpg

Stefano Mtangoo 455 Senior Poster · Answer 4 · 2011-07-11T21:56:54+00:00

LOL :D its like how the hack i must write those access level , and the answers didn't really helped me :S
i need if a user logged in he won't be abble to miss around in the others info
EX : when you comment on facebook.com you can after while edit it again !!! that's what i actually need :D
by the way you can give a try http://www.dalilack.com/marketList.php
then click on edit ADs "orange button" you can notice the link change by user ID :D
MySQL : http://forum.montadaphp.net/attachments/2742d1310387490-untitled-1.jpg

Each post/Item must be associated with the Id of one created
---------------------------
| Post | Item | UserId |
---------------------------

Then Give link to edit only if the user logged in is the user who created it!

ibakir 0 Light Poster · Answer 5 · 2011-07-11T23:04:16+00:00

ok now that's what i call it a solution now chk this two tables
http://www.dalilack.com/info.jpg
http://www.dalilack.com/admin.jpg
then in the update info user page

<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && true) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "login/login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) 
  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>

Stefano Mtangoo 455 Senior Poster · Answer 6 · 2011-07-11T23:55:25+00:00

IF I understand, what you want to implement is, like, you have users and each user have profile. Each user should be able to modify HIS profile and NOT any other. The same for the post/item. If that is right then check userId of logged user and Id associated with item/profile. If they match, allow edit. If not restrict edit!

Since I have no Idea of what you are coding....I cannot help on those tables. I may suggest you make very simple illustration project and test the concept and then use it to implement in that big project!

ibakir 0 Light Poster · Answer 7 · 2011-07-12T01:41:38+00:00

yes that's right :D

If they match, allow edit. If not restrict edit!

i would like to write this in php code , but unfortunately i still beginner in writing functions, any way thank you a lot man :D

ibakir 0 Light Poster · Answer 8 · 2011-07-12T02:15:20+00:00

i would like to write a function if that user id who post that post equal the same user id who logged in then he can edit his own post , then if its match go to the update page ; http://www.dalilack.com/marketFormUpdate.php?Id=11
if not : go to log in page to write his own user name and pass for that post he clicked edit on it ; http://www.dalilack.com/marketList.php

now this function where and how i supposed to write it , in MarketFormUpdate page Or marketList page ??

Stefano Mtangoo 455 Senior Poster · Answer 9 · 2011-07-12T17:48:04+00:00

yes that's right :D
i would like to write this in php code , but unfortunately i still beginner in writing functions, any way thank you a lot man :D

There is very nice channel with full of videos to teach you. Once you pass the basics, check login register video playlist.
Post again if you hit a wall