User Permissions

brmcdani44
Forum Commoner
Posts: 26
Joined: Fri Oct 08, 2010 3:52 pm

User Permissions

Post by brmcdani44 »

I have a method for users to be able to edit postings that they have made. It works fine except I do not have a control to keep the user from changing the address parameter in the address bar. I need to hide this parameter if possible as well as add an else statement somewhere that directs them to a file that lets them know this is not their posting to edit if the parameter is hacked.

Here is what the address bar looks like (as you can see any evid can be passed):
http://postareus.us/admin/cal_edit.php?evid=11

I currently have a SQL statement saying pull from the posting table where their username = their session username. This isn't enough though because I can put any evid in the parameter in the address bar and update information from a posting that is not mine.

Here is my code. Any help will be appreciated in creating a method that will redirect a user to an error message instead of still allowing them to update a posting.

Code:

if (isset($_GET['evid'])) {

	// Cast the id to an integer and escape the session value before putting
	// either into the query; the original interpolated the raw request value.
	$event_id = (int) $_GET['evid'];
	$username = mysql_real_escape_string($_SESSION['username']);

	$sql = "SELECT * FROM posting WHERE id='$event_id' AND user = '$username'";
	$result = mysql_query($sql);

	$row = mysql_fetch_array($result);

	// No row means the id does not exist or the posting belongs to someone else.
	if (!$row) {
		echo "<p>This is not your posting to edit.</p>";
		exit;
	}

	echo "<h3>Event Details</h3>";

?>

<form action="cal_edit.php" method="post">
<input type="hidden" name="id" value="<?php echo (int) $row['id']; ?>" />
<label>Name</label><input type="text" name="name" value="<?php echo htmlspecialchars(stripslashes($row['event'])); ?>" /><br />
<label>Description</label><textarea name="desc" class="tinymce" cols="30" rows="10"><?php echo htmlspecialchars(stripslashes($row['description'])); ?></textarea>

<br /><br />

<label>Location</label><input type="text" name="location" value="<?php echo htmlspecialchars(stripslashes($row['location'])); ?>" />

<br />

<label>Date</label><input type="text" name="date" id="datepicker" value="<?php echo (int) $row['day'].'/'.(int) $row['month'].'/'.(int) $row['year']; ?>" /><br /><br />

<?php

$from = str_split($row['time_from']);
$until = str_split($row['time_until']);

?>

<label>Time From (24hr)</label>
<select name="from">
<option selected value="<?php echo $from[0].$from[1]?>"><?php echo $from[0].$from[1]?></option>
<option value="00">00</option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="from2">
<option selected value="<?php echo $from[2].$from[3]?>"><?php echo $from[2].$from[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>
<br />

<label>Time Until (24hr)</label>
<select name="until">
<option selected value="<?php echo $until[0].$until[1]?>"><?php echo $until[0].$until[1]?></option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="until2">
<option selected value="<?php echo $until[2].$until[3]?>"><?php echo $until[2].$until[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>

<br />
<div class="error_message">Delete this event? (Cannot be undone!) <input type="checkbox" class="checkbox" name="delete" value="delete_evid"></div>

<input type="submit" value="Confirm" name="do_edit" />
</form>

<?php

}
curlybracket
Forum Commoner
Posts: 59
Joined: Mon Nov 29, 2010 2:40 pm

Re: User Permissions

Post by curlybracket »

I don't understand how you can pull a post that isn't yours from the table just by editing the id in the URL. Your code also checks the username, so if the post isn't mine I shouldn't get it from the database.
brmcdani44
Forum Commoner
Posts: 26
Joined: Fri Oct 08, 2010 3:52 pm

Re: User Permissions

Post by brmcdani44 »

You're correct. When you submit it again it doesn't do anything to the DB, but you can still submit the posting. Oh well, as long as it doesn't change the existing data that is fine with me.
curlybracket
Forum Commoner
Posts: 59
Joined: Mon Nov 29, 2010 2:40 pm

Re: User Permissions

Post by curlybracket »

You should write short code to check the post ownership then. The algorithm for this code should be like this:
1. You have the id in the URL - take it and select the post from the database with that id.
2. Check if the value of the "user" field is the same as the value of $_SESSION['username']. If not - the user is not the owner, do a redirect or display the post as plain text instead of the textarea and the rest of the form.
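The two steps above, applied to both the page load and the form submission, as an added example that is not code from this thread. It assumes a `posting(id, user, event, description)` table and the logged-in name in `$_SESSION['username']` as in the original post, but swaps the `mysql_*` calls for PDO so the queries can be parameterised; the in-memory SQLite database and the three requests at the bottom are constructed sample data so the script runs stand-alone.

```php
<?php
// Added example, not from the thread. Ownership check for an editable posting.
// Assumed schema: posting(id, user, event, description). PDO + SQLite are used
// here in place of the thread's mysql_* API; the rows are constructed sample data.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posting (id INTEGER PRIMARY KEY, user TEXT, event TEXT, description TEXT)');
    $db->exec("INSERT INTO posting VALUES (11, 'alice', 'Alice''s event', 'hers'),
                                          (12, 'bob',   'Bob''s event',   'his')");
    return $db;
}

// Step 1: select the post by id. Step 2: compare its owner with the session
// user. Both happen in one parameterised query, so an id that exists but
// belongs to someone else simply returns no row.
function loadOwnedPosting(PDO $db, int $eventId, string $username): ?array {
    $stmt = $db->prepare('SELECT id, user, event, description FROM posting WHERE id = ? AND user = ?');
    $stmt->execute([$eventId, $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The same ownership condition must guard the UPDATE: the hidden "id" field in
// the form is just as editable by the client as the evid in the query string.
function updateOwnedPosting(PDO $db, int $eventId, string $username, string $event, string $description): bool {
    $stmt = $db->prepare('UPDATE posting SET event = ?, description = ? WHERE id = ? AND user = ?');
    $stmt->execute([$event, $description, $eventId, $username]);
    return $stmt->rowCount() === 1;   // 0 rows affected: not the owner, or no such id
}

// Request handler: render the form for the owner, refuse everyone else.
// $get, $post and $session stand in for $_GET, $_POST and $_SESSION.
function handle(PDO $db, array $get, array $post, array $session): string {
    $username = $session['username'] ?? '';
    if ($username === '') {
        http_response_code(401);
        return 'Please log in.';
    }
    // The id is an integer key: cast it rather than trusting the string.
    $eventId = (int) ($post['id'] ?? $get['evid'] ?? 0);

    if (isset($post['do_edit'])) {
        if (!updateOwnedPosting($db, $eventId, $username, $post['name'] ?? '', $post['desc'] ?? '')) {
            http_response_code(403);
            return 'This is not your posting to edit.';
        }
        return 'Posting updated.';
    }

    $row = loadOwnedPosting($db, $eventId, $username);
    if ($row === null) {
        http_response_code(403);   // or: header('Location: not_yours.php'); exit;
        return 'This is not your posting to edit.';
    }
    // Escape stored values when echoing them back into the form.
    return '<input type="text" name="name" value="'
        . htmlspecialchars($row['event'], ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed requests; the session user is alice.
$db = connect();
$session = ['username' => 'alice'];
echo handle($db, ['evid' => '11'], [], $session), "\n";   // alice's own posting: form is rendered
echo handle($db, ['evid' => '12'], [], $session), "\n";   // bob's posting: refused
echo handle($db, [], ['do_edit' => '1', 'id' => '12', 'name' => 'x', 'desc' => 'y'], $session), "\n"; // tampered hidden id: refused
```

Putting the owner condition in the `WHERE` clause of both the `SELECT` and the `UPDATE` is what closes the hole the thread describes: the form submission is checked on its own, independently of whatever the page load showed, so changing `evid` or the hidden `id` field yields a 403 (or a redirect) rather than a blank form or a silent no-op.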