ID page, how to restrict access.

Posted: Fri Aug 28, 2009 4:03 pm
by synical21
Hey PHP Gurus,
I've got another problem, and I think I will explain it badly, so I'll try to make it clear. I'll start off by explaining the process of this part of the site.

1. User submits proof to the database; attached to the proof is the job ID.
2. User goes to myjobs.php, where the database queries all jobs with their user id matching (so only the jobs they created are viewed); there is then a link to jobproof.php.
3. jobproof.php then queries the table "proof" for all records with the current job ID.
4. The URL is then like jobproof.php?ID=21

So now all the proof that is for job id 21 is displayed, and the creator of job 21 can view this by going to myjobs.php and then going to jobproof.php?ID=21.

This works fine, but there is a problem... Any user can then type jobproof.php?ID=21 and view all the records.

The way I think to stop this is by only allowing the jobproof.php page to be accessed from myjobs.php.

I don't know if there's a more effective way or if I'm making the structure of this wrong. I didn't think of this problem before I started this part of the site.


This is the first part of jobproof.php; it gets all the proof records for that particular jobID.

Code:

<?php
// connect to the database (connection details are redacted placeholders in the post)
mysql_connect('asdasdasd3');
mysql_select_db('asdasdasd');

session_start();

// Read ?ID= from the URL; keep it only if it is a positive integer, otherwise treat it as empty.
$my_id = trim(' ' . @$_GET['ID']);
if ('' < $my_id) {
    $my_id = (int) $my_id;      // extract the integer value
    if (0 == $my_id) {
        $my_id = '';            // not a usable ID: handle as empty
    } else {
        $my_id = "$my_id";      // back to a string for the query
    }
}

if ('' == $my_id) {
    // handle the case where no ?ID= is present

} else {
    // we have ID = some integer > 0
    // returns all proof rows for this job
    $result = mysql_query("SELECT * FROM `proof` WHERE job_id = '$my_id'")
        or die(mysql_error());
}
// START AN OUTPUT TABLE

Re: ID page, how to restrict access.

Posted: Fri Aug 28, 2009 6:28 pm
by mikemike
It's late and I've been working for the last 18 hours, so excuse me if I'm missing the picture here. Can you not just check that the user is the owner of that job, and if they're not, just display a message?

If your database structure is right, that should be easy.

Re: ID page, how to restrict access.

Posted: Fri Aug 28, 2009 6:49 pm
by synical21
When you say it like that you make it sound easy, but the first time I typed HTML was 2 weeks ago, so bear with me :P

So I query the database to only show a certain job, like

SELECT * FROM `proof` WHERE job_id = '$my_id'

Then that table needs a column user_id, which is the creator's id.

And finally use $_SESSION['user_id'] to match the user_id in the table.

Then if they don't match, write an error message.

The only part I don't know how to do is how to match $_SESSION['user_id'] with the user id I'm querying.

Re: ID page, how to restrict access.

Posted: Fri Aug 28, 2009 7:07 pm
by sousousou
Rebuild your query to something like

SELECT * FROM `proof` WHERE job_id = '$my_id' and user_id = '$_SESSION['user_id']'

The only thing with this query is that it won't return anything if the current user isn't the owner of the job_id.

Re: ID page, how to restrict access.

Posted: Fri Aug 28, 2009 7:34 pm
by synical21
Maybe set up a kind of thing where if it's null, display an error message? I don't know :banghead:

Re: ID page, how to restrict access.

Posted: Fri Aug 28, 2009 9:19 pm
by synical21
Anyone just drop an example for me to follow... I've tried to add this but it's not taking me very far.

Re: ID page, how to restrict access.

Posted: Sat Aug 29, 2009 8:43 am
by synical21
Still can't find what I need in those tutorials, although it's a very good site. I also googled various keywords like "php match query". Still can't find what I need.

Re: ID page, how to restrict access.

Posted: Sat Aug 29, 2009 10:34 am
by micknc
If I understand the problem correctly this should work:

Code:

// Array keys inside a double-quoted string need braces; the stray trailing quote is removed.
$query = "SELECT * FROM `proof` WHERE job_id = '$my_id' AND user_id = '{$_SESSION['user_id']}'";
$result = mysql_query($query) or die(mysql_error());
$num_rows = mysql_num_rows($result);
if ($num_rows != 1) {
    die("You do not have permission to view this page!");
} else {
    // The rest of your code here!
}

Re: ID page, how to restrict access.

Posted: Sat Aug 29, 2009 10:57 am
by synical21
micknc wrote: If I understand the problem correctly this should work:

Code:

// Array keys inside a double-quoted string need braces; the stray trailing quote is removed.
$query = "SELECT * FROM `proof` WHERE job_id = '$my_id' AND user_id = '{$_SESSION['user_id']}'";
$result = mysql_query($query) or die(mysql_error());
$num_rows = mysql_num_rows($result);
if ($num_rows != 1) {
    die("You do not have permission to view this page!");
} else {
    // The rest of your code here!
}

The num_rows part is what I didn't know, so I can use that, but I'll try to make the problem clearer:

When a user creates a job it is sent to the table "jobs" along with their user id, so I know who created it. Now the creator of that job can view their jobs by clicking "my jobs", which then queries the jobs table for all jobs with $_SESSION['user_id']. That's the job part aside.

Now every other user can then create "proof" for this job: they input the data into a form and it gets sent to a new table called "proof". In this table the proof, the job id and the current user id of the proof are sent.

Now back to the creator: he can now view the users who have sent data referring to his job by querying the table proof, such as "SELECT * FROM `proof` WHERE job_id = '$my_id'".

So now I need to stop other users accessing this page. "user_id = '$_SESSION['user_id']'" will not work, as the creator id is not in table proof; the only ids there are the job id and the user id of the proof submitter. BUT I could use user_id = '$_SESSION['user_id']' if it queried the jobs table, as that can confirm the creator of the job. So is it possible to run a query on two tables? I'm sure there is, but I have never had to do that before. That may be a little clearer; it's confusing, which is why I'm struggling :(

Re: ID page, how to restrict access.

Posted: Sat Aug 29, 2009 3:54 pm
by micknc
I think the best approach for looking at those two tables is to use LEFT JOIN. Here is a sample tutorial:
http://www.tizag.com/mysqlTutorial/mysqlleftjoin.php

This code would join those two tables into one query:

Code:

// Braces around the array key so PHP interpolates $_SESSION['user_id'] inside the string.
$query = "SELECT jobs.job_id, proof.field FROM jobs LEFT JOIN proof ON jobs.job_id = proof.job_id WHERE jobs.job_id = '$my_id' AND jobs.user_id = '{$_SESSION['user_id']}'";
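A complete version of the check micknc describes and of the two-table question in synical21's post, as an added example that is not code from the thread: it validates the ID from the URL, confirms ownership against the jobs table with a prepared statement, and only then reads the proof rows. It assumes PDO with the placeholder connection details shown, tables jobs(job_id, user_id) and proof(id, job_id, user_id, proof_text), and a $_SESSION['user_id'] set at login.

```php
<?php
// Added example (not from the thread): jobproof.php with the ownership check
// done against the `jobs` table before any proof rows are shown.
// Assumptions: placeholder PDO credentials, tables jobs(job_id, user_id) and
// proof(id, job_id, user_id, proof_text), and $_SESSION['user_id'] set at login.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// The ID comes from the URL, so it is untrusted: accept only a positive integer.
$jobId = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($jobId === false || $jobId === null || empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorised.');
}
$userId = (int) $_SESSION['user_id'];

// Returns true only if the job exists AND the logged-in user created it.
function userOwnsJob(PDO $pdo, int $jobId, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM jobs WHERE job_id = ? AND user_id = ?');
    $stmt->execute([$jobId, $userId]);
    return $stmt->fetchColumn() !== false;
}

// Fetches the proof rows for a job; called only after the ownership check passed.
function proofForJob(PDO $pdo, int $jobId): array
{
    $stmt = $pdo->prepare('SELECT id, user_id, proof_text FROM proof WHERE job_id = ?');
    $stmt->execute([$jobId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (!userOwnsJob($pdo, $jobId, $userId)) {
    // Same response whether the job is missing or belongs to someone else,
    // so the page does not reveal which job IDs exist.
    http_response_code(403);
    exit('You do not have permission to view this page.');
}

// Escape on output so submitted proof text cannot inject HTML into the creator's page.
foreach (proofForJob($pdo, $jobId) as $row) {
    echo htmlspecialchars($row['proof_text'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Doing the ownership check as its own query also sidesteps a quirk of the LEFT JOIN approach: a job the user owns but that has no proof yet still yields one row with NULL proof columns, and a job with several proofs yields several rows, so a fixed num_rows == 1 test would reject legitimate owners.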

Re: ID page, how to restrict access.

Posted: Sat Aug 29, 2009 4:31 pm
by synical21
Ooooo this looks good, I'll sink my teeth into the tutorial, thanks a lot.