Problem With user restriction for transaction history
Posted: Sun Feb 19, 2012 12:09 pm
by XPS710
Hi All
I have this piece of code here; what it does is pull all the payment transactions out of MySQL onto the page. I have a membership site set up, and every user has their own profile section, but this piece of code shows all the other users' payments and records as well.
How do I restrict each user to viewing only their own payments? Can I do a quick hardcode?
<?php
define("_VALID_PHP", true);
require_once("init.php");
if (!$user->logged_in)
redirect_to("index.php");
?>
<?php
// getPayments() receives the Users object as its $where argument; nothing here narrows the result to the logged-in member
$transrow = $member->getPayments($user);
?>
<p class="info">Here you can view all your payment transactions.</p>
<h2><span><a href="controller.php?exportTransactions" title="Export To Excel Format" class="tooltip"><img src="../images/xls.png" alt="" class="img-wrap2"/></a> <a href="index.php?do=transactions&action=salesyear" title="View Sales Report" class="tooltip"><img src="../images/chart.png" alt="" class="img-wrap2"/></a></span>Viewing Transactions</h2>
<table cellpadding="0" cellspacing="0" class="display" border="1">
<thead>
<tr>
<th width="20">#</th>
<th class="left">Membership Title</th>
<th class="left"> </th>
<th class="left">Amount</th>
<th class="left">Payment Date</th>
<th>Type of OS</th>
<th>Status</th>
</tr>
</thead>
<tbody>
<?php if($transrow == 0):?>
<tr>
<td colspan="7"><?php echo $core->msgAlert('<span>Alert!</span>You don\'t have any transactions yet...',false);?></td>
</tr>
<?php else:?>
<?php foreach ($transrow as $row):?>
<?php $image = ($row['status'] == 0) ? "pending":"completed";?>
<?php $status = ($row['status'] == 0) ? 1:0;?>
<tr>
<th></th>
<td><?php echo $row['title'];?> <em>(<?php echo $row['pp'];?>)</em></td>
<td><?php /*?><a href="index.php?do=users&action=edit&userid=<?php echo $row['user_id'];?>"><?php */?><?php echo $row['username'];?></td>
<td><?php echo $core->formatMoney($row['rate_amount']);?></td>
<td><?php echo $row['created'];?></td>
<td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $row['pp'];?>.png"/></td>
<td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $image;?>.png" alt="" class="tooltip img-wrap2" title="Status: <?php echo ucfirst($image);?>"/></td>
</tr>
<?php endforeach;?>
<?php unset($row);?>
<?php if($pager->items_total >= $pager->items_per_page):?>
<tr style="background-color:transparent">
<td colspan="7"><div class="pagination"><span class="inner"><?php echo $pager->display_pages();?></span></div></td>
</tr>
<?php endif;?>
<?php endif;?>
</tbody>
</table>
Re: Problem With user restriction for transaction history
Posted: Sun Feb 19, 2012 3:40 pm
by social_experiment
You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.
Re: Problem With user restriction for transaction history
Posted: Sun Feb 19, 2012 4:04 pm
by XPS710
social_experiment wrote: You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.
Thanks for your reply; how would I edit this then?
This is my getPayments():
public function getPayments($where = false, $from = false)
{
global $db, $core, $pager, $row, $user;
require_once(BASEPATH . "lib/class_paginate.php");
$pager = new Paginator();
$counter = countEntries($this->pTable);
$pager->items_total = $counter;
$pager->default_ipp = $core->perpage;
$pager->paginate();
if ($counter == 0) {
$pager->limit = null;
}
// $where is expected to be numeric: intval() of an object (index.php passes the $user object) yields 1, not a user id
$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
if (isset($_GET['sort'])) {
list($sort, $order) = explode("-", $_GET['sort']);
$sort = sanitize($sort);
$order = sanitize($order);
if (in_array($sort, array("user_id", "rate_amount", "pp", "date"))) {
$ord = ($order == 'DESC') ? " DESC" : " ASC";
$sorting = " p." . $sort . $ord;
} else {
$sorting = " p.date DESC";
}
} else {
$sorting = " p.date DESC";
}
if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') {
$enddate = date("Y-m-d");
$fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
$enddate = $_POST['enddate'];
}
// escape the user-supplied dates before they reach the query (the original concatenated $_POST values directly),
// and append with AND when $where already produced a WHERE clause (the original emitted two WHEREs)
$fromdate = $db->escape(trim($fromdate));
$enddate = $db->escape(trim($enddate));
$clause .= ($clause ? " AND" : " WHERE") . " p.date BETWEEN '" . $fromdate . "' AND '" . $enddate . " 23:59:59'";
}
$sql = "SELECT p.*, p.id as id, u.username, m.title,"
. "\n DATE_FORMAT(p.date, '%d. %b. %Y.') as created"
. "\n FROM ".$this->pTable." as p"
. "\n LEFT JOIN users as u ON u.id = p.user_id"
. "\n LEFT JOIN ".$this->mTable." as m ON m.id = p.membership_id"
. "\n " . $clause . " ORDER BY " . $sorting . $pager->limit;
$row = $db->fetch_all($sql);
return ($row) ? $row : 0;
}
Re: Problem With user restriction for transaction history
Posted: Sun Feb 19, 2012 4:53 pm
by social_experiment
$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it.

Hth
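The restriction social_experiment describes (a SELECT that only returns rows belonging to the current member), as an added example that is not code from this thread or from the membership script it discusses. It assumes PDO with the SQLite driver so it runs offline; the table and column names mirror the posted getPayments() (payments p, users u, memberships m), the sample rows are constructed, and buildSchema(), getPaymentsForUser() and getAllPayments() are hypothetical names. The user id comes from the server-side session (what loginCheck() stores in $user->uid), never from $_GET['userid'], every value is bound with a prepared statement, and the sort column is whitelisted:

```php
<?php
// Added example, not the thread's or the membership script's own code.
// Assumes PDO with the sqlite driver; table/column names mirror the posted getPayments().

function buildSchema(PDO $db)
{
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
    $db->exec("CREATE TABLE memberships (id INTEGER PRIMARY KEY, title TEXT)");
    $db->exec("CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER, membership_id INTEGER,
                rate_amount REAL, pp TEXT, status INTEGER, date TEXT)");
    // Constructed sample data: two members, each with their own transactions
    $db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
    $db->exec("INSERT INTO memberships VALUES (1, 'Gold'), (2, 'Silver')");
    $db->exec("INSERT INTO payments (user_id, membership_id, rate_amount, pp, status, date) VALUES
                (1, 1, 49.00, 'paypal', 1, '2012-01-05 10:00:00'),
                (1, 2, 19.00, 'paypal', 0, '2012-02-10 10:00:00'),
                (2, 1, 49.00, 'moneybookers', 1, '2012-02-01 09:30:00')");
}

// The posted getPayments() never filtered on user_id, so every member saw every transaction.
// This version always constrains on p.user_id taken from the session, whitelists the sort
// column and direction, and binds every value instead of concatenating it into the SQL.
function getPaymentsForUser(PDO $db, int $uid, string $sort = 'date-DESC', ?string $from = null,
                            ?string $to = null, int $limit = 25, int $offset = 0): array
{
    $allowedSort = ['rate_amount', 'pp', 'date'];
    list($col, $dir) = array_pad(explode('-', $sort, 2), 2, 'DESC');
    if (!in_array($col, $allowedSort, true)) {
        $col = 'date';                       // unknown column: fall back, do not interpolate it
    }
    $dir = (strtoupper($dir) === 'ASC') ? 'ASC' : 'DESC';

    $sql = "SELECT p.id, p.rate_amount, p.pp, p.status, p.date, u.username, m.title
            FROM payments AS p
            LEFT JOIN users AS u ON u.id = p.user_id
            LEFT JOIN memberships AS m ON m.id = p.membership_id
            WHERE p.user_id = :uid";
    $params = [':uid' => $uid];

    // Optional date window; values are bound, never concatenated
    if ($from !== null && $from !== '') {
        $sql .= " AND p.date BETWEEN :from AND :to";
        $params[':from'] = trim($from);
        $params[':to'] = trim($to ?: date('Y-m-d')) . ' 23:59:59';
    }

    // $col and $dir come from the whitelist above, so they are safe to interpolate
    $sql .= " ORDER BY p.$col $dir LIMIT :limit OFFSET :offset";

    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);
    }
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The sales-report page keeps the unfiltered query, but only for an administrator (is_Admin() in the Users class)
function getAllPayments(PDO $db, bool $isAdmin): array
{
    if (!$isAdmin) {
        throw new RuntimeException('Only administrators may list all transactions');
    }
    $sql = "SELECT p.*, u.username FROM payments AS p LEFT JOIN users AS u ON u.id = p.user_id ORDER BY p.date DESC";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// In the real page this would be $user->uid, populated by loginCheck() from $_SESSION
$sessionUid = 1;
$mine = getPaymentsForUser($db, $sessionUid);
printf("user %d sees %d transaction(s)\n", $sessionUid, count($mine));
foreach ($mine as $row) {
    printf("  #%d %s %s %.2f %s\n", $row['id'], $row['username'], $row['title'], $row['rate_amount'], $row['date']);
}

// A date window, plus a sort string naming a column that is not on the whitelist (falls back to date)
$feb = getPaymentsForUser($db, $sessionUid, 'username-ASC', '2012-02-01', '2012-02-28');
printf("February only: %d row(s)\n", count($feb));

// A non-admin asking for the full report is refused
try {
    getAllPayments($db, false);
} catch (RuntimeException $e) {
    echo "sales report refused: " . $e->getMessage() . "\n";
}
```

Plugging this into the script would mean giving getPayments() the member's id as a required argument and dropping the `$where`/`LIKE` clause the thread identifies; countEntries() for the paginator then needs the same user_id restriction, otherwise the page count reflects everyone's transactions.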
Re: Problem With user restriction for transaction history
Posted: Sun Feb 19, 2012 4:56 pm
by XPS710
social_experiment wrote:
$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it.

Hth
Thanks for your input. This is also my user class; do you think I have to do something here as well?
<?php
/**
* User Class
*
* @copyright 2010
* @version $Id: class_user.php, v2.00 2011-07-10 10:12:05 gewa Exp $
*/
if (!defined("_VALID_PHP"))
die('Direct access to this location is not allowed.');
class Users
{
private $uTable = "users";
public $logged_in = null;
public $uid = 0;
public $userid = 0;
public $username;
public $email;
public $name;
public $membership_id = 0;
public $userlevel;
private $lastlogin = "NOW()";
/**
* Users::__construct()
*
* @return
*/
function __construct()
{
$this->getUserId();
$this->startSession();
}
/**
* Users::getUserId()
*
* @return
*/
private function getUserId()
{
global $core;
if (isset($_GET['userid'])) {
$userid = (is_numeric($_GET['userid']) && $_GET['userid'] > -1) ? intval($_GET['userid']) : false;
$userid = sanitize($userid);
if ($userid == false) {
$core->error("You have selected an Invalid Userid","Users::getUserId()");
} else
return $this->userid = $userid;
}
}
/**
* Users::startSession()
*
* @return
*/
private function startSession()
{
session_start();
$this->logged_in = $this->loginCheck();
if (!$this->logged_in) {
$this->username = $_SESSION['username'] = "Guest";
$this->userlevel = 0;
}
}
/**
* Users::loginCheck()
*
* @return
*/
private function loginCheck()
{
if (isset($_SESSION['username']) && $_SESSION['username'] != "Guest") {
$row = $this->getUserInfo($_SESSION['username']);
$this->uid = $row['id'];
$this->username = $row['username'];
$this->email = $row['email'];
$this->name = $row['fname'].' '.$row['lname'];
$this->userlevel = $row['userlevel'];
$this->membership_id = $row['membership_id'];
return true;
} else {
return false;
}
}
/**
* Users::is_Admin()
*
* @return
*/
public function is_Admin()
{
return($this->userlevel == 9);
}
/**
* Users::login()
*
* @param mixed $username
* @param mixed $pass
* @return
*/
public function login($username, $pass)
{
global $db, $core;
$status = 0; // default to "did not match" so the check below never reads an undefined variable
if ($username == "" && $pass == "") {
$core->msgs['username'] = 'Please enter valid username and password.';
} else {
$status = $this->checkStatus($username, $pass);
switch ($status) {
case 0:
$core->msgs['username'] = 'Login and/or password did not match to the database.';
break;
case 1:
$core->msgs['username'] = 'Your account has been banned.';
break;
case 2:
$core->msgs['username'] = 'Your account it\'s not activated.';
break;
case 3:
$core->msgs['username'] = 'You need to verify your email address.';
break;
}
}
if (empty($core->msgs) && $status == 5) {
$row = $this->getUserInfo($username);
session_regenerate_id(true); // fresh session id on login, so a pre-login id cannot be reused (session fixation)
$this->uid = $_SESSION['userid'] = $row['id'];
$this->username = $_SESSION['username'] = $row['username'];
$this->email = $_SESSION['email'] = $row['email'];
$this->name = $_SESSION['name'] = $row['fname'] . ' ' . $row['lname']; // the original stored userlevel here
$this->userlevel = $_SESSION['userlevel'] = $row['userlevel'];
$this->membership_id = $_SESSION['membership_id'] = $row['membership_id'];
$data = array(
'lastlogin' => $this->lastlogin,
'lastip' => sanitize($_SERVER['REMOTE_ADDR'])
);
$db->update($this->uTable, $data, "username='" . $this->username . "'");
if(!$this->validateMembership()) {
$data = array(
'membership_id' => 0,
'mem_expire' => "0000-00-00 00:00:00"
);
$db->update($this->uTable, $data, "username='" . $this->username . "'");
}
return true;
} else
$core->msgStatus();
}
/**
* Users::logout()
*
* @return
*/
public function logout()
{
unset($_SESSION['username']);
unset($_SESSION['email']);
unset($_SESSION['name']);
unset($_SESSION['membership_id']);
unset($_SESSION['userid']);
session_regenerate_id(true); // while the session is still active; calling it after session_destroy() only raises a warning
session_destroy();
$this->logged_in = false;
$this->username = "Guest";
$this->userlevel = 0;
}
/**
* Users::getUserInfo()
*
* @param mixed $username
* @return
*/
private function getUserInfo($username)
{
global $db;
$username = sanitize($username);
$username = $db->escape($username);
if (!$username)
return false; // check before querying, not after
$sql = "SELECT * FROM " . $this->uTable . " WHERE username = '" . $username . "'";
$row = $db->first($sql);
return ($row) ? $row : 0;
}
/**
* Users::checkStatus()
*
* @param mixed $username
* @param mixed $pass
* @return
*/
public function checkStatus($username, $pass)
{
global $db;
$username = sanitize($username);
$username = $db->escape($username);
$pass = sanitize($pass);
$sql = "SELECT password, active FROM " . $this->uTable
. "\n WHERE username = '".$username."'";
$result = $db->query($sql);
if ($db->numrows($result) == 0)
return 0;
$row = $db->fetch($result);
$entered_pass = sha1($pass); // unsalted SHA-1, kept only because the stored hashes use it
switch ($row['active']) {
case "b":
return 1; // banned
case "n":
return 2; // not activated
case "t":
return 3; // email not verified
case "y":
// the original `case "y" && $entered_pass == $row['password']:` compared a boolean against the status string
return ($entered_pass == $row['password']) ? 5 : 0;
}
return 0; // unknown status: treat as no match instead of returning null
}
/**
* Users::getUsers()
*
* @param bool $from
* @return
*/
public function getUsers($from = false)
{
global $db, $pager, $core;
require_once(BASEPATH . "lib/class_paginate.php");
$pager = new Paginator();
$counter = countEntries($this->uTable);
$pager->items_total = $counter;
$pager->default_ipp = $core->perpage;
$pager->paginate();
if ($counter == 0) {
$pager->limit = null;
}
if (isset($_GET['sort'])) {
list($sort, $order) = explode("-", $_GET['sort']);
$sort = sanitize($sort);
$order = sanitize($order);
if (in_array($sort, array("username", "fname", "lname", "email", "created"))) {
$ord = ($order == 'DESC') ? " DESC" : " ASC";
$sorting = " u." . $sort . $ord;
} else {
$sorting = " u.created DESC";
}
} else {
$sorting = " u.created DESC";
}
$clause = (isset($clause)) ? $clause : null;
if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') {
$enddate = date("Y-m-d");
$fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
$enddate = $_POST['enddate'];
}
// escape the user-supplied dates before they reach the query; the original concatenated $_POST values directly
$fromdate = $db->escape(trim($fromdate));
$enddate = $db->escape(trim($enddate));
$clause .= ($clause ? " AND" : " WHERE") . " u.created BETWEEN '" . $fromdate . "' AND '" . $enddate . " 23:59:59'";
}
$sql = "SELECT u.*, CONCAT(u.fname,' ',u.lname) as name, m.title, m.id as mid,"
. "\n DATE_FORMAT(u.created, '%d. %b. %Y.') as cdate,"
. "\n DATE_FORMAT(u.lastlogin, '%d. %b. %Y.') as adate"
. "\n FROM " . $this->uTable . " as u"
. "\n LEFT JOIN memberships as m ON m.id = u.membership_id"
. "\n " . $clause
. "\n ORDER BY " . $sorting . $pager->limit;
$row = $db->fetch_all($sql);
return ($row) ? $row : 0;
}
Re: Problem With user restriction for transaction history
Posted: Mon Feb 20, 2012 1:18 am
by social_experiment
I wouldn't, since the method to update isn't part of this class. A quick glance reveals no method from the 'Users' class being used elsewhere in the code pasted initially.