Sure, but let me set the stage for you and others, so you get what was going on.
In my site, there are three users: user, affiliate, site owner. When logging in as an affiliate, I was having the page query all the records that belonged to that affiliate, row by row. I then coded a graphic button on each record with the record's (user's) email address, which I would click to go to that record. The problem was that it was showing something like:
templates/control_panel.php?email=something@somewhere.com
Then, if I went to the top of the browser into the URL box and changed the email to a different address, it would show me the data for that record. In fact, I was basically in that record and all the pages for that record were now being presented to me.
The Fix -> Create another, new $_SESSION for both the Affiliate and Admin. That means in addition to any other SESSION you may have for that user type when they logged in.
Ok, so here's the code where I added a button to my row-by-row query:
echo "<center><form method=\"post\" action=\"control_panel.php\">"
   . "<input type=\"image\" src=\"../images/packet.jpg\" width=\"75\" height=\"18\" border=\"0\"/>"
   . "<input type=\"hidden\" name=\"aff_to_user\" value=\"" . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "\"/>"
   . "</form></center>";
This allowed me to take the user's email address out of the URL. The keys here are the name="aff_to_user" and the value=\"".$row['username']."\". The VALUE, in this case, was the user's e-mail address, which I'm pulling in on the next page. The NAME can be anything you want as long as it matches on the next page.
This is the code I put in with the HTML:
<?php
session_start();

// Affiliate-to-User: affiliate's control panel to user's control panel
// without the e-mail address in the URL.
if (!empty($_POST['aff_to_user'])) {
    $get_user_email = $_POST['aff_to_user'];
    $_SESSION['aff_to_user'] = $get_user_email; // Create new session value for the affiliate
}

$requestor = '';
if (!empty($_SESSION['admin_to_user'])) {
    $requestor = $_SESSION['admin_to_user'];
} elseif (!empty($_SESSION['myusername'])) {
    $requestor = $_SESSION['myusername'];
} elseif (!empty($_SESSION['aff_to_user'])) {
    $requestor = $_SESSION['aff_to_user'];
}

if ($requestor) {
    // ...then something here if needed. I had some include files here...
?>
<!-- Then my HTML was here -->
</body>
</html>
<?php } else { echo "You must login to view this page."; } // Close the if statement above ?>
Not sure why the first bit of code above had to be in the page with the HTML. I have a .php page I use with this page, but putting the first snippet of code there didn't work even though I used the include function on the HTML side. If you figure that one out, please let me know. That's what I'm going to look at this morning. I'm trying to keep php/html separated as much as possible, but I just couldn't get it to work when the code was in the other page even though being called by INCLUDE.
Also, that $requestor stuff came about because in my php learning I got stuck with my site not knowing who was who (user, affiliate, or admin). So if you look in my list of posts, you'll see someone giving me a fix that used something similar. Meaning, you might do it differently with regard to that section of code.
Ok, hope this helps. Just remember, I'm an 8 week php programmer, so this hack could be on-track or completely wrong.

It does work though and it did remove the e-mail from the equation and still allow me to retrieve the user's data, which means now someone can't just change users from the URL window.
Let me know if it works for you.
Thanks..
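An added example, not the poster's code, showing the check a reviewer would want before the posted address is stored in the session: the hidden field only moves the address out of the URL, and any client can still post a different one, so the server has to confirm that the requested account actually belongs to the logged-in affiliate. The users table, its email and affiliate_id columns, the affiliate_username session key and the database credentials are all assumptions.

```php
<?php
// Added example (not the poster's code): authorize the affiliate-to-user
// switch server-side before storing it in the session. Table and column
// names (users.email, users.affiliate_id), the session keys and the DSN
// are assumptions.
session_start();

function affiliateOwnsUser(PDO $db, string $affiliateId, string $userEmail): bool
{
    // Prepared statement: the posted e-mail never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT 1 FROM users WHERE email = :email AND affiliate_id = :aff LIMIT 1'
    );
    $stmt->execute([':email' => $userEmail, ':aff' => $affiliateId]);
    return $stmt->fetchColumn() !== false;
}

function switchToUser(PDO $db, array $post, array &$session): ?string
{
    // Only a logged-in affiliate may perform the switch at all.
    if (empty($session['affiliate_username'])) {
        return null;
    }
    $target = filter_var($post['aff_to_user'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($target === false) {
        return null;
    }
    // The decisive check: the requested record must belong to this affiliate.
    // Without it a client can post any address, exactly as with the old URL.
    if (!affiliateOwnsUser($db, $session['affiliate_username'], $target)) {
        return null;
    }
    $session['aff_to_user'] = $target;
    return $target;
}

// Placeholder credentials; replace with the site's own.
$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$requestor = switchToUser($db, $_POST, $_SESSION);
if ($requestor === null) {
    http_response_code(403);
    exit('You must log in as the affiliate for this account to view this page.');
}
// From here on every control-panel query uses $requestor (from the session),
// never a value taken straight from $_GET or $_POST.
echo 'Viewing control panel for ' . htmlspecialchars($requestor, ENT_QUOTES, 'UTF-8');
```

Once the session value has been set this way, the same ownership check can be reused on every later page so that an edited cookie or a second POST cannot widen access.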