Problem With user restriction for transaction history

XPS710
Forum Newbie
Posts: 5
Joined: Tue Jan 31, 2012 2:09 pm

Problem With user restriction for transaction history

Post by XPS710 »

Hi all,
I have this piece of code here. What it does is pull out all the payment transactions from MySQL to the page. I have a membership site set up and everything, and every user has their own profile section, but this piece of code shows all the other users' payments and records as well.

How do I restrict each user to viewing their own payments, based on the user? Can I do a quick hardcode?

Code:

<?php
  
	  
  define("_VALID_PHP", true);
  require_once("init.php");
  
  if (!$user->logged_in)
      redirect_to("index.php");
?>


<?php

  $transrow = $member->getPayments($user);
  
?>

<p class="info">Here you can view all your payment transactions.</p>
<h2><span><a href="controller.php?exportTransactions" title="Export To Excel Format" class="tooltip"><img src="../images/xls.png" alt="" class="img-wrap2"/></a> <a href="index.php?do=transactions&action=salesyear" title="View Sales Report" class="tooltip"><img src="../images/chart.png" alt="" class="img-wrap2"/></a></span>Viewing Transactions</h2>

<table cellpadding="0" cellspacing="0" class="display" border="1">
  <thead>
    <tr>
      <th width="20">#</th>
      <th class="left">Membership Title</th>
      <th class="left">&nbsp;</th>
      <th class="left">Amount</th>
      <th class="left">Payment Date</th>
      <th>Type of OS</th>
      <th>Status</th>
      
    </tr>
  </thead>
  <tbody>
    <?php if($transrow == 0):?>
    <tr>
      <td colspan="8"><?php echo $core->msgAlert('<span>Alert!</span>You don\'t have any transactions yet...',false);?></td>
    </tr>
    <?php else:?>
    <?php foreach ($transrow as $row):?>
    <?php $image = ($row['status'] == 0) ? "pending":"completed";?>
    <?php $status = ($row['status'] == 0) ? 1:0;?>
    <tr>
      <th></th>
      <td><?php echo $row['title'];?> <em>(<?php echo $row['pp'];?>)</em></td>
      <td><?php // the link to the user edit page was commented out here; the stray closing </a> is removed ?><?php echo $row['username'];?></td>
      <td><?php echo $core->formatMoney($row['rate_amount']);?></td>
      <td><?php echo $row['created'];?></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $row['pp'];?>.png"/></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $image;?>.png" alt="" class="tooltip img-wrap2" title="Status: <?php echo ucfirst($image);?>"/></td>
   
    </tr>
    <?php endforeach;?>
    <?php unset($row);?>
    <?php if($pager->items_total >= $pager->items_per_page):?>
    <tr style="background-color:transparent">
      <td colspan="8"><div class="pagination"><span class="inner"><?php echo $pager->display_pages();?></span></div></td>
    </tr>
    <?php endif;?>
    <?php endif;?>
  </tbody>
</table>

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Problem With user restriction for transaction history

Post by social_experiment »

You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
XPS710
Forum Newbie
Posts: 5
Joined: Tue Jan 31, 2012 2:09 pm

Re: Problem With user restriction for transaction history

Post by XPS710 »

social_experiment wrote: You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.
Thanks for your reply. How would I edit this, then?

This is my getPayments():

Code:

   public function getPayments($where = false, $from = false)
      {
		  global $db, $core, $pager, $row, $user;
		  
		  require_once(BASEPATH . "lib/class_paginate.php");

          $pager = new Paginator();
          $counter = countEntries($this->pTable);
          $pager->items_total = $counter;
          $pager->default_ipp = $core->perpage;
          $pager->paginate();
          
          if ($counter == 0) {
              $pager->limit = null;
          }
		  
          $clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";

		  if (isset($_GET['sort'])) {
			  list($sort, $order) = explode("-", $_GET['sort']);
			  $sort = sanitize($sort);
			  $order = sanitize($order);
			  if (in_array($sort, array("user_id", "rate_amount", "pp", "date"))) {
				  $ord = ($order == 'DESC') ? " DESC" : " ASC";
				  $sorting = " p." . $sort . $ord;
			  } else {
				  $sorting = " p.date DESC";
			  }
		  } else {
			  $sorting = " p.date DESC";
		  }
		  
          if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') {
              $enddate = date("Y-m-d");
              $fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
              if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
                  $enddate = $_POST['enddate'];
              }
              // Escape the user-supplied dates before splicing them into the SQL, and
              // chain onto an existing WHERE with AND (appending a second "WHERE" when
              // $where is also set produced invalid SQL).
              $fromdate = $db->escape(trim($fromdate));
              $enddate  = $db->escape(trim($enddate));
              $clause .= ($clause ? " AND" : " WHERE") . " p.date BETWEEN '" . $fromdate . "' AND '" . $enddate . " 23:59:59'";
          }
		  
          $sql = "SELECT p.*, p.id as id, u.username, m.title,"
		  . "\n DATE_FORMAT(p.date, '%d. %b. %Y.') as created"
		  . "\n FROM ".$this->pTable." as p"
		  . "\n LEFT JOIN users as u ON u.id = p.user_id" 
		  . "\n LEFT JOIN ".$this->mTable." as m ON m.id = p.membership_id" 
		  . "\n " . $clause . " ORDER BY " . $sorting . $pager->limit;
		   
          $row = $db->fetch_all($sql);
          
		  return ($row) ? $row : 0;
      }



social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Problem With user restriction for transaction history

Post by social_experiment »

Code:

$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it :) Hth
XPS710
Forum Newbie
Posts: 5
Joined: Tue Jan 31, 2012 2:09 pm

Re: Problem With user restriction for transaction history

Post by XPS710 »

social_experiment wrote:

Code:

$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it :) Hth

Thanks for your input. This is also my user class; do you think I gotta do something here as well?


Code:

<?php 
  /** 
   * User Class 
   * 
   * @copyright 2010 
   * @version $Id: class_user.php, v2.00 2011-07-10 10:12:05 gewa Exp $ 
   */ 
   
  if (!defined("_VALID_PHP")) 
      die('Direct access to this location is not allowed.'); 

  class Users 
  { 
      private $uTable = "users"; 
      public $logged_in = null; 
      public $uid = 0; 
      public $userid = 0; 
      public $username; 
      public $email; 
      public $name; 
      public $membership_id = 0; 
      public $userlevel; 
      private $lastlogin = "NOW()"; 
       

      /** 
       * Users::__construct() 
       * 
       * @return 
       */ 
      function __construct() 
      { 
          $this->getUserId(); 
          $this->startSession(); 
      } 

      /** 
       * Users::getUserId() 
       * 
       * @return 
       */ 
      private function getUserId() 
      { 
            global $core; 
          if (isset($_GET['userid'])) { 
              $userid = (is_numeric($_GET['userid']) && $_GET['userid'] > -1) ? intval($_GET['userid']) : false; 
              $userid = sanitize($userid); 
               
              if ($userid == false) { 
                  $core->error("You have selected an Invalid Userid","Users::getUserId()"); 
              } else 
                  return $this->userid = $userid; 
          } 
      }   

      /** 
       * Users::startSession() 
       * 
       * @return 
       */ 
      private function startSession() 
      { 
        session_start(); 
        $this->logged_in = $this->loginCheck(); 
         
        if (!$this->logged_in) { 
            $this->username = $_SESSION['username'] = "Guest"; 
            $this->userlevel = 0; 
        } 
      } 

      /** 
       * Users::loginCheck() 
       * 
       * @return 
       */ 
      private function loginCheck() 
      { 
          if (isset($_SESSION['username']) && $_SESSION['username'] != "Guest") { 
               
              $row = $this->getUserInfo($_SESSION['username']); 
              $this->uid = $row['id']; 
              $this->username = $row['username']; 
              $this->email = $row['email']; 
              $this->name = $row['fname'].' '.$row['lname']; 
              $this->userlevel = $row['userlevel']; 
              $this->membership_id = $row['membership_id']; 
              return true; 
          } else { 
              return false; 
          }   
      } 

      /** 
       * Users::is_Admin() 
       * 
       * @return 
       */ 
      public function is_Admin() 
      { 
          return($this->userlevel == 9); 
       
      }     

      /** 
       * Users::login() 
       * 
       * @param mixed $username 
       * @param mixed $pass 
       * @return 
       */ 
      public function login($username, $pass) 
      { 
          global $db, $core; 

          if ($username == "" && $pass == "") { 
              $core->msgs['username'] = 'Please enter valid username and password.'; 
          } else { 
              $status = $this->checkStatus($username, $pass); 
               
              switch ($status) { 
                  case 0: 
                      $core->msgs['username'] = 'Login and/or password did not match to the database.'; 
                      break; 
                       
                  case 1: 
                      $core->msgs['username'] = 'Your account has been banned.'; 
                      break; 
                       
                  case 2: 
                      $core->msgs['username'] = 'Your account it\'s not activated.'; 
                      break; 
                       
                  case 3: 
                      $core->msgs['username'] = 'You need to verify your email address.'; 
                      break; 
              } 
          } 
          if (empty($core->msgs) && $status == 5) { 
              $row = $this->getUserInfo($username); 
              $this->uid = $_SESSION['userid'] = $row['id']; 
              $this->username = $_SESSION['username'] = $row['username']; 
              $this->email = $_SESSION['email'] = $row['email']; 
              $this->name = $_SESSION['name'] = $row['fname'] . ' ' . $row['lname']; // was assigning userlevel to name
              $this->userlevel = $_SESSION['userlevel'] = $row['userlevel']; 
              $this->membership_id = $_SESSION['membership_id'] = $row['membership_id']; 

              $data = array( 
                    'lastlogin' => $this->lastlogin, 
                    'lastip' => sanitize($_SERVER['REMOTE_ADDR']) 
              ); 
              $db->update($this->uTable, $data, "username='" . $this->username . "'"); 
              if(!$this->validateMembership()) { 
                $data = array( 
                      'membership_id' => 0, 
                      'mem_expire' => "0000-00-00 00:00:00" 
                ); 
                $db->update($this->uTable, $data, "username='" . $this->username . "'"); 
              } 
                   
              return true; 
          } else 
              $core->msgStatus(); 
      } 

      /** 
       * Users::logout() 
       * 
       * @return 
       */ 
      public function logout() 
      { 
          unset($_SESSION['username']); 
          unset($_SESSION['email']); 
          unset($_SESSION['name']); 
          unset($_SESSION['membership_id']); 
          unset($_SESSION['userid']); 
          session_destroy(); 
          session_regenerate_id(); 
           
          $this->logged_in = false; 
          $this->username = "Guest"; 
          $this->userlevel = 0; 
      } 

      /** 
       * Users::getUserInfo() 
       * 
       * @param mixed $username 
       * @return 
       */ 
      private function getUserInfo($username) 
      { 
          global $db; 
          $username = sanitize($username); 
          $username = $db->escape($username); 
           
          // Reject an empty username before querying (the original checked after the query)
          if (!$username)
              return false;

          $sql = "SELECT * FROM " . $this->uTable . " WHERE username = '" . $username . "'";
          $row = $db->first($sql);
           
          return ($row) ? $row : 0; 
      } 

      /** 
       * Users::checkStatus() 
       * 
       * @param mixed $username 
       * @param mixed $pass 
       * @return 
       */ 
      public function checkStatus($username, $pass) 
      { 
          global $db; 
           
          $username = sanitize($username); 
          $username = $db->escape($username); 
          $pass = sanitize($pass); 
           
          $sql = "SELECT password, active FROM " . $this->uTable 
          . "\n WHERE username = '".$username."'"; 
          $result = $db->query($sql); 
           
          if ($db->numrows($result) == 0) 
              return 0; 
               
          $row = $db->fetch($result); 
          $entered_pass = sha1($pass); 
           
          switch ($row['active']) {
              case "b":
                  return 1;

              case "n":
                  return 2;

              case "t":
                  return 3;

              case "y":
                  // The original 'case "y" && $entered_pass == ...' collapsed to a boolean
                  // case label; compare the stored hash in constant time for active accounts.
                  return hash_equals((string) $row['password'], $entered_pass) ? 5 : 0;
          }
          return 0;
      } 

      /** 
       * Users::getUsers() 
       * 
       * @param bool $from 
       * @return 
       */ 
      public function getUsers($from = false) 
      { 
          global $db, $pager, $core; 
           
          require_once(BASEPATH . "lib/class_paginate.php"); 
          $pager = new Paginator(); 
           
          $counter = countEntries($this->uTable); 
          $pager->items_total = $counter; 
          $pager->default_ipp = $core->perpage; 
          $pager->paginate(); 
           
          if ($counter == 0) { 
              $pager->limit = null; 
          } 

          if (isset($_GET['sort'])) { 
              list($sort, $order) = explode("-", $_GET['sort']); 
              $sort = sanitize($sort); 
              $order = sanitize($order); 
              if (in_array($sort, array("username", "fname", "lname", "email", "created"))) { 
                  $ord = ($order == 'DESC') ? " DESC" : " ASC"; 
                  $sorting = " u." . $sort . $ord; 
              } else { 
                  $sorting = " u.created DESC"; 
              } 
          } else { 
              $sorting = " u.created DESC"; 
          } 
           
          $clause = (isset($clause)) ? $clause : null; 
           
          if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') { 
              $enddate = date("Y-m-d"); 
              $fromdate = (empty($from)) ? $_POST['fromdate'] : $from; 
              if (isset($_POST['enddate']) && $_POST['enddate'] <> "") { 
                  $enddate = $_POST['enddate']; 
              } 
              $clause .= " WHERE u.created BETWEEN '" . trim($fromdate) . "' AND '" . trim($enddate) . " 23:59:59'"; 
          } 
           
          $sql = "SELECT u.*, CONCAT(u.fname,' ',u.lname) as name, m.title, m.id as mid," 
          . "\n DATE_FORMAT(u.created, '%d. %b. %Y.') as cdate," 
          . "\n DATE_FORMAT(u.lastlogin, '%d. %b. %Y.') as adate" 
          . "\n FROM " . $this->uTable . " as u" 
          . "\n LEFT JOIN memberships as m ON m.id = u.membership_id" 
          . "\n " . $clause 
          . "\n ORDER BY " . $sorting . $pager->limit; 
          $row = $db->fetch_all($sql); 
           
          return ($row) ? $row : 0; 
      }



social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Problem With user restriction for transaction history

Post by social_experiment »

I wouldn't, since the method to update isn't part of this class. A quick glance reveals no method from the 'Users' class being used elsewhere in the code pasted initially.
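Putting the two answers together, as an added example that is neither the thread's code nor the script's own: the ownership filter lives in the SQL (the `$clause` advice above), and the owner's id comes from the session-backed `Users` object rather than from the `$user` object that getPayments() currently receives as its `$where` argument, or from the request. It assumes a PDO connection `$pdo` to the same tables (`payments` standing in for `$this->pTable`, plus `users` and `memberships`), the column names already used in getPayments(), and that `redirect_to()` exists as in the original page; `getPaymentsForUser()` and `resolveTransactionOwner()` are names chosen here.

```php
<?php
// Added example (not the thread's or the script's code). Assumes a PDO
// connection $pdo, the tables payments / users / memberships and the columns
// used in the thread's getPayments(). Function names are chosen here.

/**
 * Fetch one page of payments that belong to $uid only. $uid must come from
 * the server-side session (Users::$uid), never from $_GET or $_POST.
 */
function getPaymentsForUser(PDO $pdo, int $uid, ?string $fromDate = null, ?string $toDate = null,
                            string $sort = 'date-DESC', int $page = 1, int $perPage = 20): array
{
    // The ownership predicate is unconditional: no input can remove it.
    $where  = ['p.user_id = :uid'];
    $params = [':uid' => $uid];

    // Optional date range: accept only strict YYYY-MM-DD and bind as parameters.
    foreach (['from' => $fromDate, 'to' => $toDate] as $key => $value) {
        if ($value === null || $value === '') {
            continue;
        }
        $d = DateTime::createFromFormat('!Y-m-d', $value);
        if ($d === false || $d->format('Y-m-d') !== $value) {
            throw new InvalidArgumentException("Invalid $key date");
        }
        if ($key === 'from') {
            $where[] = 'p.date >= :from';
            $params[':from'] = $value;
        } else {
            // "< next day" replaces the original "BETWEEN ... 23:59:59" string splice.
            $where[] = 'p.date < :to';
            $params[':to'] = $d->modify('+1 day')->format('Y-m-d');
        }
    }

    // Sort column and direction come from a whitelist, not from raw input.
    [$col, $dir] = array_pad(explode('-', $sort, 2), 2, 'ASC');
    $col = in_array($col, ['rate_amount', 'pp', 'date'], true) ? $col : 'date';
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    $whereSql = 'WHERE ' . implode(' AND ', $where);

    // Count with the same WHERE so the pager reflects this user's rows only
    // (the original counted the whole table with countEntries()).
    $count = $pdo->prepare("SELECT COUNT(*) FROM payments p $whereSql");
    $count->execute($params);
    $total = (int) $count->fetchColumn();

    $stmt = $pdo->prepare(
        "SELECT p.*, p.id AS id, u.username, m.title,
                DATE_FORMAT(p.date, '%d. %b. %Y.') AS created
         FROM payments p
         LEFT JOIN users u ON u.id = p.user_id
         LEFT JOIN memberships m ON m.id = p.membership_id
         $whereSql
         ORDER BY p.$col $dir
         LIMIT :limit OFFSET :offset"
    );
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, $name === ':uid' ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->bindValue(':limit', max(1, $perPage), PDO::PARAM_INT);
    $stmt->bindValue(':offset', max(0, $page - 1) * max(1, $perPage), PDO::PARAM_INT);
    $stmt->execute();

    return ['total' => $total, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

/**
 * Decide whose payments this request may display, or null if nobody's.
 * A member always gets their own session id; ?userid= is ignored for them
 * because the client controls it. Only an admin may pick another account.
 */
function resolveTransactionOwner(Users $user): ?int
{
    if (!$user->logged_in || (int) $user->uid <= 0) {
        return null;                    // not authenticated
    }
    if ($user->is_Admin() && (int) $user->userid > 0) {
        return (int) $user->userid;     // admin viewing a chosen account
    }
    return (int) $user->uid;            // everyone else: own records only
}

// Page-side usage, replacing "$transrow = $member->getPayments($user);":
$ownerId = resolveTransactionOwner($user);
if ($ownerId === null) {
    redirect_to("index.php");
    exit;                               // do not rely on redirect_to() stopping the script
}
$result   = getPaymentsForUser($pdo, $ownerId, $_POST['fromdate'] ?? null, $_POST['enddate'] ?? null,
                               $_GET['sort'] ?? 'date-DESC');
$transrow = $result['rows'] ?: 0;       // keeps the template's "== 0" empty check working
```

The point to check after wiring this in is that `$ownerId` is the only value that ever reaches the `p.user_id` predicate: the original `Users::getUserId()` copies `$_GET['userid']` into `$user->userid` for every visitor, so that property is only trusted here once `is_Admin()` has passed, and the `$transrow` assignment keeps the template's existing `if($transrow == 0)` branch working for members with no payments.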