ID page, how to restrict access.

synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

ID page, how to restrict access.

Post by synical21 »

Hey PHP Gurus,
I've got another problem, and I think I will explain it badly, so I'll try to make it clear. I'll start off by explaining the process of this part of the site.

1. User submits proof to the database; attached to the proof is the job ID.
2. User goes to myjobs.php, where the database queries all jobs with their user ID matching (so only the jobs they created are shown); there is then a link to jobproof.php.
3. jobproof.php then queries the table "proof" for all records with the current job ID.
4. The URL is then like jobproof.php?ID=21

So now all the proof for job ID 21 is displayed, and the creator of job 21 can view this by going to myjobs.php and then going to jobproof.php?ID=21.

This works fine, but there is a problem.... Any user can then type jobproof.php?ID=21 and view all the records.

The way I think to stop this is by only allowing the jobproof.php page to be accessed from myjobs.php.

I don't know if there's a more effective way or if I'm getting the structure of this wrong. I didn't think of this problem before I started this part of the site.


This is the first part of jobproof.php; this gets all the proof records for that particular job ID.

Code:

<?php
// connect to the database (placeholder credentials; the post's own values were redacted)
mysql_connect('db_host', 'db_user', 'db_password') or die(mysql_error());
mysql_select_db('asdasdasd');

session_start();

// read ?ID= and reduce it to a positive integer string, or '' when absent/invalid
$my_id = trim(' ' . @$_GET['ID']);   // always yields a string, even if ID is missing
if ('' < $my_id) {
    $my_id = (int) $my_id;           // extract the integer value
    if (0 == $my_id) {
        $my_id = '';                 // 0 or non-numeric: handle as empty
    } else {
        $my_id = "$my_id";           // back to a string for the query
    }
}

if ('' == $my_id) {
    // handle the case where no ?ID= is present

} else {
    // we have ID = some integer > 0: fetch every proof row for that job
    $result = mysql_query("SELECT * FROM `proof` WHERE job_id = '$my_id'")
        or die(mysql_error());
}
// START AN OUTPUT TABLE
mikemike
Forum Contributor
Posts: 355
Joined: Sun May 24, 2009 5:37 pm
Location: Chester, UK

Re: ID page, how to restrict access.

Post by mikemike »

It's late and I've been working for the last 18 hours, so excuse me if I'm missing the picture here. Can you not just check that the user is the owner of that job, and if it's not just display a message?

If your database structure is right, that should be easy.
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

When you say it like that you make it sound easy, but the first time I typed HTML was 2 weeks ago, so bear with me :P

So I query the database to only show a certain job, like

SELECT * FROM `proof` WHERE job_id = '$my_id'

Then that table needs a column user_id, which is the creator's ID.

And finally use $_SESSION['user_id'] to match the user_id in the table.

Then if they don't match, write an error message.

The only part I don't know how to do is how to match $_SESSION['user_id'] with the user ID I'm querying.
sousousou
Forum Commoner
Posts: 29
Joined: Fri Aug 28, 2009 1:10 pm

Re: ID page, how to restrict access.

Post by sousousou »

Rebuild your query to something like

SELECT * FROM `proof` WHERE job_id = '$my_id' and user_id = '$_SESSION['user_id']'

The only thing with this query is that it won't return anything if the current user isn't the owner of the job_id.
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

Maybe set up a kind of thing where, if null, display an error message? I don't know :banghead:
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

Anyone just drop an example for me to follow.... I've tried to add this but it's not taking me very far.
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

Still can't find what I need in those tutorials, although it's a very good site. I also googled various keywords like "php match query". Still can't find what I need.
micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: ID page, how to restrict access.

Post by micknc »

If I understand the problem correctly this should work:

Code:

// array elements inside a double-quoted string need the {...} form,
// and the original had a stray extra quote after the session value
$query = "SELECT * FROM `proof` WHERE job_id = '$my_id' AND user_id = '{$_SESSION['user_id']}'";
$result = mysql_query($query) or die(mysql_error());
$num_rows = mysql_num_rows($result);
// no matching row means this user has no proof row for this job
if ($num_rows < 1) {
    die("You do not have permission to view this page!");
} else {
    // The rest of your code here!
}
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

micknc wrote: If I understand the problem correctly this should work:

Code:

$query = "SELECT * FROM `proof` WHERE job_id = '$my_id' AND user_id = '{$_SESSION['user_id']}'";
$result = mysql_query($query) or die(mysql_error());
$num_rows = mysql_num_rows($result);
if ($num_rows < 1) {
    die("You do not have permission to view this page!");
} else {
    // The rest of your code here!
}

The num_rows part is what I didn't know, so I can use that, but I'll try to make the problem clearer:

When a user creates a job it is sent to the table "jobs" along with their user ID, so I know who created it. Now the creator of that job can view their jobs by clicking "my jobs", which then queries the jobs table for all jobs with $_SESSION['user_id']. That's the job part aside.

Now every other user can then create "proof" for this job, input the data into a form, and it gets sent to a new table called "proof"; into this table the proof, the job ID and the current user ID of the proof submitter are sent.

Now back to the creator: he can now view the users who have sent data referring to his job by querying the table proof, such as "SELECT * FROM `proof` WHERE job_id = '$my_id'".

So now I need to stop other users accessing this page. "user_id = '$_SESSION['user_id']'" will not work, as the creator ID is not in table proof; the only IDs there are the job ID and the user ID of the proof submitter. BUT I could use user_id = '$_SESSION['user_id']' if it queried the jobs table, as that can confirm the creator of the job. So is it possible to run a query on two tables? I'm sure it is, but I have never had to do that before. That may be a little clearer; it's confusing, which is why I'm struggling :(
micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: ID page, how to restrict access.

Post by micknc »

I think the best approach for looking at those two tables is to use a LEFT JOIN. Here is a sample tutorial:
http://www.tizag.com/mysqlTutorial/mysqlleftjoin.php

This code would join those two tables into one query:

Code:

$query = "SELECT jobs.job_id, proof.field"
       . " FROM jobs LEFT JOIN proof ON jobs.job_id = proof.job_id"
       . " WHERE jobs.job_id = '$my_id' AND jobs.user_id = '{$_SESSION['user_id']}'";
// LEFT JOIN keeps the job row even when no proof has been submitted yet,
// so an owner with zero proofs still gets one row (with NULL proof columns)
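Pulling the two posts together (the ownership check against the jobs table that synical21 describes, and micknc's two-table query), here is an added example of how jobproof.php can be written so the check happens before any proof is fetched. This is not code from the thread; it assumes a PDO connection with placeholder credentials and the two tables described above, jobs(job_id, user_id) with the creator and proof(job_id, user_id, ...) with the submitter.

```php
<?php
// Added example, not code from the thread. Assumes jobs(job_id, user_id) holds the
// creator and proof(job_id, user_id, ...) holds submitters; DSN/credentials are placeholders.
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in.');
}

$pdo = new PDO('mysql:host=db_host;dbname=db_name;charset=utf8mb4',
               'db_user', 'db_password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Validate ?ID= as a positive integer; anything else is rejected before any query runs.
$jobId = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
if ($jobId === null || $jobId === false) {
    http_response_code(400);
    exit('Missing or invalid job ID.');
}

// Step 1: authorisation. Ownership is checked against the jobs table, because
// proof.user_id is the submitter, not the creator. Bound parameters replace the
// string interpolation used in the thread's queries.
$stmt = $pdo->prepare('SELECT 1 FROM jobs WHERE job_id = ? AND user_id = ?');
$stmt->execute([$jobId, $_SESSION['user_id']]);
if ($stmt->fetchColumn() === false) {
    // Same reply whether the job is missing or belongs to someone else,
    // so the page does not reveal which job IDs exist.
    http_response_code(403);
    exit('You do not have permission to view this page!');
}

// Step 2: only now fetch the submissions. Zero rows is not an error here:
// the owner may simply have received no proof yet.
$stmt = $pdo->prepare('SELECT * FROM proof WHERE job_id = ?');
$stmt->execute([$jobId]);

echo '<table>';
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo '<tr>';
    foreach ($row as $value) {   // escape on output: submitters control these values
        echo '<td>', htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'), '</td>';
    }
    echo '</tr>';
}
echo '</table>';
```

Because the ownership check is a separate query, the "no permission" message is never confused with "no proof submitted yet", which a single row count on the proof table cannot distinguish.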
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: ID page, how to restrict access.

Post by synical21 »

Ooooo this looks good, I'll sink my teeth into the tutorial. Thanks a lot.