Member Avatar for OsaMasw

Hello there,
I have a big big problem in my project, I have a login page , so everyone log in, the session will be his id

 $_SESSION['userid'] = $id;

till now there is no problems, I put a header file to check the user is logged in or not

<?php
    if (isset($_SESSION['loggedin']) && isset($_SESSION['userid']) && $_SESSION['loggedin'] == true && !empty($_SESSION['userid'])) {
    $SID = $_SESSION['userid'];
    $userpro = getusername($SID); // this just to get the username of user
?>

I've also created a** profile.php** to see other users profiles and see there files pictures and other things
Here Is my problem : when user lets say "A" enter on userprofile "B" by url profile.php?user=B its ok,
BUT when he goes to main page or any other page , the user "A" become user "B" and has all previlege of user "B" include commenting, favoriting, delete files for user "B", then imagin what happened if user "A" get previlege of "ADMIN" ? , anything wanted am here, just tell me what to do ?

  • 2 Contributors
  • 3 Replies
  • 125 Views
  • 4 Hours Discussion Span
  • Latest Post Latest Post by phorce
Member Avatar for phorce

You sure you're not setting the SESSION['user_id'] from a $_GET['id']?

e.g.

<?php

   $id = $_GET['id'];

   $_SESSION['user_id'] = $id;
Edited by phorce
commented: great advice +1
Member Avatar for OsaMasw

Before I post this I've checked my profile file , and saw there is an <iframe> that takes data from another file, and that file have a variable name as the same as $SID userpro, means every time I visit user profile I got his id and put it inside the $_SESSION['user_id'], what a stupid from me, now its all done thanks phorce for this advice.
I must always use echo to see what is the output of variables .

Edited by OsaMasw
Member Avatar for phorce

Hey, no problem!

You can var_dump($var) and see what the variable contains :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.