Resolving Session Related Visibility

Question

BilalAKhan 12 Newbie Poster

12 Years Ago

Hi,

In my website, Blog is a small portion. I have managed to make and insert the blog. In manage blog area I am giving a user this a authority to manage their written blogs. At this point I am getting a problem. When I am logged as 'A' (A represents as a login name) and write a blog and then signout, and login as 'B'. The blog recently written by 'A' is shown in 'Bs' Manage Profile portion. This means that there is no security what so ever. B can see and Delete A's blog.

I have an idea to play with two different tables and bring login as a foreign key in the blog table and then put it against the session variable in order to see if the blog was written by the same user.

I am new at PHP & MYSQL , I would appreciate any suggestions, any reading material and any help on this.

Regards,

Bilal A. Khan

php

3 Contributors
3 Replies
79 Views
10 Hours Discussion Span
Latest Post 12 Years Ago Latest Post by simplypixie

urtrivedi 276 Nearly a Posting Virtuoso

12 Years Ago

when you click on logout, you must call some file say logout.php in which you must destroy session like

<?php
        session_start();

	session_unset('userid');
	session_unset('username');
			
	session_destroy();

	header("Location: login.php");
?>

Edited 12 Years Ago by urtrivedi because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

BilalAKhan 12 Newbie Poster · Answer 1 · 2011-11-28T18:22:09+00:00

when you click on logout, you must call some file say logout.php in which you must destroy session like
<?php
        session_start();

	session_unset('userid');
	session_unset('username');
			
	session_destroy();

	header("Location: login.php");
?>

Correct.. I agree. My Code is given Below:

$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session varialbles
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);
	
  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}

Now it is doing the same thing. But the question is that if I login as a different user how does my website prevent blogs that 'A' user has written from 'B' user?/ or the user has written. Right now it is showing me all the blogs.

Regards,

Bilal A. Khan

simplypixie 123 Posting Pro in Training · Answer 2 · 2011-11-28T22:49:10+00:00

SELECT * FROM blogs WHERE username='".$_SESSION['MM_Username']."'

Use this code to only select the blogs written by the logged in user