So I know I can restrict the viewing of a page by session/access using this

<?PHP
require_once('../../lib/connections/db.php');
include('../../lib/functions/functions.php');
checkLogin('2');
$getuser = getUserRecords($_SESSION['user_id']);
?>

is there a way to add to that if the id of the page doesnt match the username in the same database it wont allow you to look at the page?

id meaning "page.php?id=username"

thanks for your help.

Member Avatar for diafol

One way to allow or disallow access to pages would be to check the permission level of the user.

Example tables...

USER
user_id (auto, int, 7)
username (varchar, 20)
pwhash (varchar, 64)
rights (int, 11) - total of all applicable right_val

RIGHTS
right_id (auto, int, 3)
right_val (int, 11) - 1,2,4,8,16....
right_label (varchar, 16)

So at the top of your page, simply place the level required to allow access...

Something like this - not tested

if(isset($_SESSION['rights']) && ($_SESSION['rights'] & ADMIN))
{
    header("Location: somepage.php");
    exit;
}

Hey wikit, this might be another one of those item and wish question for yours earlier that you're trying to explain but not getting the words right.

Do you mean you want to control access to a page to make sure any given user can only view THEIR OWN detailed profile and not someone else's?

yes djbirdi, exactly :-D thankyou sry I know my wording can be wrong :( sry I'm trying

if people are smart enough if they just change the ID in the path they can load another person's page of info, I want to make it so they cant do that, that they can only load their own id=name

<?php
    $getuser = getUserRecords($_SESSION['user_id']);
?>

What does this function give you? I'm guessing an array with all user info? If yes, going by your item and wish question, let's say the username is "CharName" and since that's the first array value, it would be $getuser[0]. If all that method does is give you the username directly, then ofcourse just use $getuser on its own, and compare it with the "username" you get from your URL like this:

<?php
    // Two assumptions for this example:
    // Your page for user profiles is "page.php?id=username"
    // The following function returns an array

    $getuser = getUserRecords($_SESSION['user_id']);
    $current_user = $getuser[0];

    // Now grab the username out of the URL
    $username_to_check = some_sanitation_function($_GET['id']);

    // And let's compare them. If they don't match, force a redirect
    if($current_user != $username_to_check) {
        header("Location: page.php?id=" . $current_user . "");
        exit();
    }
?>
commented: Good interpretation +14
Member Avatar for diafol

@DJ - how on earth did you work that out? Good stuff. Heh heh.

how on earth did you work that out? Good stuff. Heh heh.

Lol thanks bud! Me and cereal were helping him earlier with a different question and had to go back 'n forth a few times to clarify what he wanted, so I figured this might be along the same lines

Member Avatar for diafol

Aha! So you're not gifted with a sixth sense after all! Thought I was in a parallel universe or having one of my many senior moments, heh heh.

Oh no! Did I miss a chance to impress Mr. DaniWeb Legend himself by being too honest? Hahaha.

Alright I'm gonna stop hijacking this thread lol.

Member Avatar for diafol

We can carry on this bromance later, heh heh. Sorry hijacking over.

LOL good guess on the CharName

I believe 'getuser = getUserRecords($_SESSION['user_id']);' basically is telling the page that the username of the currently logged in session is whatever the username is. In the 'users' database the name of the user is 'username' in the gear database it's 'CharName' But that shouldnt really matter, cause basically I just want the page to look at the url path file.php?id=name and make sure that the name in that path matches their session login username.

technically the name of the files I will be putting this to will be player_show.php and player_h_updater.php, so the path that the filename will have is 'player_show.php?id=username' and 'player_h_updater.php?id=username'

The other part that makes this a little tricky is that one of those pages is a facebox. so that one I will just prefer it to just close or not work at all.

'some_sanitation_function' << is that an actual function name? cause it gave me 'Fatal error: Call to undefined function some_sanitation_function()' when i tried to use this code.

Thanks again for your help (ps i may give up on the other wish/have thing it's really confusing me lol) (also ps.. I'm female ;) )

I believe 'getuser = getUserRecords($_SESSION['user_id']);' basically is telling the page

I gotta stop you right there. You're setting $getuser as a variable. It's not "telling the page" to do anything. It's just a variable until you use it for something.

Sorry about not explaining some_sanitation_function. It's not a built-in PHP function, but more a force of habit even when I'm writing example code lol. You don't have to include it at all. I'm just really anal about anything and everything an external user has access to/can manually change, so I like to "clean" every user input value. So in my case, some_sanitation_function would be something like this:

<?php
    // an extremely basic example of a sanitation function
    function cleanUserInput($input) {
        return mysql_real_escape_string($input);
    }
?>

You will have to forgive me please :( I'm still very new to this

I tried this

<?PHP
require_once('../../lib/connections/db.php');
include('../../lib/functions/functions.php');

checkLogin('2');

// Two assumptions for this example:
// Your page for user profiles is "page.php?id=username"
// The following function returns an array

$getuser = getUserRecords($_SESSION['user_id']);
$current_user = $getuser[0];

// Now grab the username out of the URL

$id=$_GET['id']; 

// And let's compare them. If they don't match, force a redirect

if($current_user != $id) {
        header("Location: player_h_updater_1.php?id=" . $current_user . "");
        exit();
    }
?>

and the result I got was

Notice: Array to string conversion in /users/database/player_h_updater_1.php on line 23

Warning: Cannot modify header information - headers already sent by (output started at /users/database/player_h_updater_1.php:23) in /users/database/player_h_updater_1.php on line 23

Line 23 is

    header("Location: player_h_updater_0.php?id=" . $current_user . "");

:( please help me sort this out...

<?php
    $getuser = getUserRecords($_SESSION['user_id']);

    // Do this after the above line:
    echo "Get User's value is: " . $getuser . "";
?>

Tell me what you see on the page.

@ DJBirdi

it echos the line "Get User's value is: Array"

I thought so ...now check this:

<?php
    print_r($getuser);
?>

Array ( [0] => Array ( [id] => 1 [username] => user1 [first_name] => tester [last_name] => [email] => user12 [dialing_code] => 0 [phone] => 0 [city] => [country] => [thumb_path] => pics/7593uphol1_thumb.jpg [img_path] => pics/7593uphol1.jpg [active] => 1 [reg_date] => Wednesday, Sep 28, 2011, 8:47 am [last_active] => ) )

OK great. Recall how I told you whether your getUserRecords($_SESSION['user_id']) function was setting the $getuser variable to an array or if it was just a string was a guess (one of my two assumptions) on my part. Now that I know your array structure, set your $current_user variable like this and you should be good to go.

<?php
    $current_user = $getuser[0]['username'];
?>

I know you're new so I'll say this. Any programmer will tell you that you learn A WHOLE LOT MORE by trying to play around with your code to figure out what the problem is. PHP is usually very good at telling you what's wrong. As soon as you see something like this, especially if it's your first time seeing it: "Notice: Array to string conversion", try to think about what it could mean and more often than not, you'll know what the problem is.

okies, I appreciate your help and patience DJBirdi. I only just learned the 'display errors' php code a few days ago. And thats helped me a lot recently. the print code you said above I didnt even know about >.<

anyways back on topic....

I changed what you said to change there with the current_user

also had to change the line

        header("Location: player_h_updater_1.php?id=" . $current_user . "");

to

        header("Location: player_h_updater_1.php?id=$current_user");

and now it's working :-D

thanks a HUGE ton!!!!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.