Problem With user restriction for transaction history

Posted: Sun Feb 19, 2012 12:09 pm
by XPS710
Hi All,
I have this piece of code here. What it does is pull out all the payment transactions from MySQL to the page. I have a membership site set up and everything, and every user has their own profile section, but this piece of code shows all the other users' payments and records as well.

How do I restrict each user to viewing their own payments based on the user? Can I do a quick hardcode?

Code:

<?php
  define("_VALID_PHP", true);
  require_once("init.php");

  // Only logged-in members may reach this page.
  if (!$user->logged_in)
      redirect_to("index.php");
?>

<?php
  // $user is handed over as the $where argument, which getPayments() treats
  // as an amount filter (intval() on the object), not as the owner to filter by.
  $transrow = $member->getPayments($user);
?>

<p class="info">Here you can view all your payment transactions.</p>
<h2><span><a href="controller.php?exportTransactions" title="Export To Excel Format" class="tooltip"><img src="../images/xls.png" alt="" class="img-wrap2"/></a> <a href="index.php?do=transactions&action=salesyear" title="View Sales Report" class="tooltip"><img src="../images/chart.png" alt="" class="img-wrap2"/></a></span>Viewing Transactions</h2>

<table cellpadding="0" cellspacing="0" class="display" border="1">
  <thead>
    <tr>
      <th width="20">#</th>
      <th class="left">Membership Title</th>
      <th class="left">&nbsp;</th>
      <th class="left">Amount</th>
      <th class="left">Payment Date</th>
      <th>Type of OS</th>
      <th>Status</th>
    </tr>
  </thead>
  <tbody>
    <?php if($transrow == 0):?>
    <tr>
      <td colspan="8"><?php echo $core->msgAlert('<span>Alert!</span>You don\'t have any transactions yet...',false);?></td>
    </tr>
    <?php else:?>
    <?php foreach ($transrow as $row):?>
    <?php $image = ($row['status'] == 0) ? "pending":"completed";?>
    <?php $status = ($row['status'] == 0) ? 1:0;?>
    <tr>
      <th></th>
      <td><?php echo $row['title'];?> <em>(<?php echo $row['pp'];?>)</em></td>
      <?php /* The edit link is disabled; the stray closing </a> that was left behind is removed.
             <a href="index.php?do=users&action=edit&userid=<?php echo $row['user_id'];?>"> */ ?>
      <td><?php echo $row['username'];?></td>
      <td><?php echo $core->formatMoney($row['rate_amount']);?></td>
      <td><?php echo $row['created'];?></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $row['pp'];?>.png"/></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $image;?>.png" alt="" class="tooltip img-wrap2" title="Status: <?php echo ucfirst($image);?>"/></td>
    </tr>
    <?php endforeach;?>
    <?php unset($row);?>
    <?php if($pager->items_total >= $pager->items_per_page):?>
    <tr style="background-color:transparent">
      <td colspan="8"><div class="pagination"><span class="inner"><?php echo $pager->display_pages();?></span></div></td>
    </tr>
    <?php endif;?>
    <?php endif;?>
  </tbody>
</table>


Re: Problem With user restriction for transaction history

Posted: Sun Feb 19, 2012 3:40 pm
by social_experiment
You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.

Re: Problem With user restriction for transaction history

Posted: Sun Feb 19, 2012 4:04 pm
by XPS710
social_experiment wrote:You would have to modify the "SELECT" query that retrieves the information to only select information where something is unique to a specific user. In the code you've pasted there is no way to do this; you will likely have to modify getPayments() to achieve it.
Thanks for your reply; how would I edit this then?

This is my getPayments():

Code:

   public function getPayments($where = false, $from = false)
   {
       global $db, $core, $pager, $row, $user;

       require_once(BASEPATH . "lib/class_paginate.php");

       $pager = new Paginator();
       $counter = countEntries($this->pTable);
       $pager->items_total = $counter;
       $pager->default_ipp = $core->perpage;
       $pager->paginate();

       if ($counter == 0) {
           $pager->limit = null;
       }

       // Optional amount filter. Nothing in this method filters on the user.
       $clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";

       // Sort column must be on the whitelist before it is placed in the query.
       if (isset($_GET['sort'])) {
           list($sort, $order) = array_pad(explode("-", $_GET['sort'], 2), 2, "");
           $sort = sanitize($sort);
           $order = sanitize($order);
           if (in_array($sort, array("user_id", "rate_amount", "pp", "date"))) {
               $ord = ($order == 'DESC') ? " DESC" : " ASC";
               $sorting = " p." . $sort . $ord;
           } else {
               $sorting = " p.date DESC";
           }
       } else {
           $sorting = " p.date DESC";
       }

       if ((isset($_POST['fromdate']) && $_POST['fromdate'] <> "") || ($from !== false && $from != '')) {
           $enddate = date("Y-m-d");
           $fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
           if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
               $enddate = $_POST['enddate'];
           }
           // The dates come from the request, so escape them, and chain onto an
           // existing WHERE with AND; otherwise the statement ends up with two WHEREs
           // whenever an amount filter is active at the same time.
           $fromdate = $db->escape(trim($fromdate));
           $enddate  = $db->escape(trim($enddate));
           $clause .= (($clause == "") ? " WHERE" : " AND")
                    . " p.date BETWEEN '" . $fromdate . "' AND '" . $enddate . " 23:59:59'";
       }

       $sql = "SELECT p.*, p.id as id, u.username, m.title,"
            . "\n DATE_FORMAT(p.date, '%d. %b. %Y.') as created"
            . "\n FROM " . $this->pTable . " as p"
            . "\n LEFT JOIN users as u ON u.id = p.user_id"
            . "\n LEFT JOIN " . $this->mTable . " as m ON m.id = p.membership_id"
            . "\n " . $clause . " ORDER BY " . $sorting . $pager->limit;

       $row = $db->fetch_all($sql);

       return ($row) ? $row : 0;
   }




Re: Problem With user restriction for transaction history

Posted: Sun Feb 19, 2012 4:53 pm
by social_experiment

Code:

$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it :) HTH

Re: Problem With user restriction for transaction history

Posted: Sun Feb 19, 2012 4:56 pm
by XPS710
social_experiment wrote:

Code:

$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";
I would say this variable needs to be modified.
Make a back-up (if you haven't already) before you edit it :) HTH

Thanks for your input. This is also my user class; do you think I gotta do something here as well?


Code:

<?php
  /**
   * User Class
   *
   * @copyright 2010
   * @version $Id: class_user.php, v2.00 2011-07-10 10:12:05 gewa Exp $
   */

  if (!defined("_VALID_PHP"))
      die('Direct access to this location is not allowed.');

  class Users
  {
      private $uTable = "users";
      public $logged_in = null;
      public $uid = 0;          // id of the logged-in user, set from the session
      public $userid = 0;       // id taken from the ?userid= request parameter
      public $username;
      public $email;
      public $name;
      public $membership_id = 0;
      public $userlevel;
      private $lastlogin = "NOW()";


      /**
       * Users::__construct()
       *
       * @return
       */
      function __construct()
      {
          $this->getUserId();
          $this->startSession();
      }

      /**
       * Users::getUserId()
       *
       * Reads ?userid= from the request. Anyone can put any value here, so
       * $this->userid says nothing about who is logged in; use $this->uid for that.
       *
       * @return
       */
      private function getUserId()
      {
          global $core;
          if (isset($_GET['userid'])) {
              $userid = (is_numeric($_GET['userid']) && $_GET['userid'] > -1) ? intval($_GET['userid']) : false;
              $userid = sanitize($userid);

              if ($userid == false) {
                  $core->error("You have selected an Invalid Userid", "Users::getUserId()");
              } else
                  return $this->userid = $userid;
          }
      }

      /**
       * Users::startSession()
       *
       * @return
       */
      private function startSession()
      {
          session_start();
          $this->logged_in = $this->loginCheck();

          if (!$this->logged_in) {
              $this->username = $_SESSION['username'] = "Guest";
              $this->userlevel = 0;
          }
      }

      /**
       * Users::loginCheck()
       *
       * Rebuilds the user's identity from the session on every request.
       *
       * @return
       */
      private function loginCheck()
      {
          if (isset($_SESSION['username']) && $_SESSION['username'] != "Guest") {

              $row = $this->getUserInfo($_SESSION['username']);
              $this->uid = $row['id'];
              $this->username = $row['username'];
              $this->email = $row['email'];
              $this->name = $row['fname'] . ' ' . $row['lname'];
              $this->userlevel = $row['userlevel'];
              $this->membership_id = $row['membership_id'];
              return true;
          } else {
              return false;
          }
      }

      /**
       * Users::is_Admin()
       *
       * @return
       */
      public function is_Admin()
      {
          return ($this->userlevel == 9);
      }

      /**
       * Users::login()
       *
       * @param mixed $username
       * @param mixed $pass
       * @return
       */
      public function login($username, $pass)
      {
          global $db, $core;

          if ($username == "" && $pass == "") {
              $core->msgs['username'] = 'Please enter valid username and password.';
          } else {
              $status = $this->checkStatus($username, $pass);

              switch ($status) {
                  case 0:
                      $core->msgs['username'] = 'Login and/or password did not match to the database.';
                      break;

                  case 1:
                      $core->msgs['username'] = 'Your account has been banned.';
                      break;

                  case 2:
                      $core->msgs['username'] = 'Your account it\'s not activated.';
                      break;

                  case 3:
                      $core->msgs['username'] = 'You need to verify your email address.';
                      break;
              }
          }
          if (empty($core->msgs) && $status == 5) {
              $row = $this->getUserInfo($username);
              $this->uid = $_SESSION['userid'] = $row['id'];
              $this->username = $_SESSION['username'] = $row['username'];
              $this->email = $_SESSION['email'] = $row['email'];
              // Was assigning the userlevel to name; store the display name as loginCheck() does.
              $this->name = $_SESSION['name'] = $row['fname'] . ' ' . $row['lname'];
              $this->userlevel = $_SESSION['userlevel'] = $row['userlevel'];
              $this->membership_id = $_SESSION['membership_id'] = $row['membership_id'];

              $data = array(
                    'lastlogin' => $this->lastlogin,
                    'lastip' => sanitize($_SERVER['REMOTE_ADDR'])
              );
              $db->update($this->uTable, $data, "username='" . $this->username . "'");
              if (!$this->validateMembership()) {
                  $data = array(
                        'membership_id' => 0,
                        'mem_expire' => "0000-00-00 00:00:00"
                  );
                  $db->update($this->uTable, $data, "username='" . $this->username . "'");
              }

              return true;
          } else
              $core->msgStatus();
      }

      /**
       * Users::logout()
       *
       * @return
       */
      public function logout()
      {
          unset($_SESSION['username']);
          unset($_SESSION['email']);
          unset($_SESSION['name']);
          unset($_SESSION['membership_id']);
          unset($_SESSION['userid']);
          session_destroy();
          session_regenerate_id();

          $this->logged_in = false;
          $this->username = "Guest";
          $this->userlevel = 0;
      }

      /**
       * Users::getUserInfo()
       *
       * @param mixed $username
       * @return
       */
      private function getUserInfo($username)
      {
          global $db;
          // Check for an empty username before running the query, not after.
          if (!$username)
              return false;

          $username = sanitize($username);
          $username = $db->escape($username);

          $sql = "SELECT * FROM " . $this->uTable . " WHERE username = '" . $username . "'";
          $row = $db->first($sql);

          return ($row) ? $row : 0;
      }

      /**
       * Users::checkStatus()
       *
       * @param mixed $username
       * @param mixed $pass
       * @return
       */
      public function checkStatus($username, $pass)
      {
          global $db;

          $username = sanitize($username);
          $username = $db->escape($username);
          $pass = sanitize($pass);

          $sql = "SELECT password, active FROM " . $this->uTable
          . "\n WHERE username = '" . $username . "'";
          $result = $db->query($sql);

          if ($db->numrows($result) == 0)
              return 0;

          $row = $db->fetch($result);
          // Stored passwords are unsalted SHA-1 hashes.
          $entered_pass = sha1($pass);

          switch ($row['active']) {
              case "b":
                  return 1;   // banned

              case "n":
                  return 2;   // not activated

              case "t":
                  return 3;   // email not verified

              case "y":
                  // The original tested a boolean expression as the case label;
                  // compare the password explicitly instead.
                  return ($entered_pass == $row['password']) ? 5 : 0;

              default:
                  return 0;
          }
      }

      /**
       * Users::getUsers()
       *
       * @param bool $from
       * @return
       */
      public function getUsers($from = false)
      {
          global $db, $pager, $core;

          require_once(BASEPATH . "lib/class_paginate.php");
          $pager = new Paginator();

          $counter = countEntries($this->uTable);
          $pager->items_total = $counter;
          $pager->default_ipp = $core->perpage;
          $pager->paginate();

          if ($counter == 0) {
              $pager->limit = null;
          }

          if (isset($_GET['sort'])) {
              list($sort, $order) = array_pad(explode("-", $_GET['sort'], 2), 2, "");
              $sort = sanitize($sort);
              $order = sanitize($order);
              if (in_array($sort, array("username", "fname", "lname", "email", "created"))) {
                  $ord = ($order == 'DESC') ? " DESC" : " ASC";
                  $sorting = " u." . $sort . $ord;
              } else {
                  $sorting = " u.created DESC";
              }
          } else {
              $sorting = " u.created DESC";
          }

          $clause = (isset($clause)) ? $clause : null;

          if ((isset($_POST['fromdate']) && $_POST['fromdate'] <> "") || ($from !== false && $from != '')) {
              $enddate = date("Y-m-d");
              $fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
              if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
                  $enddate = $_POST['enddate'];
              }
              // Request-supplied dates are escaped before being placed in the query.
              $fromdate = $db->escape(trim($fromdate));
              $enddate  = $db->escape(trim($enddate));
              $clause .= " WHERE u.created BETWEEN '" . $fromdate . "' AND '" . $enddate . " 23:59:59'";
          }

          $sql = "SELECT u.*, CONCAT(u.fname,' ',u.lname) as name, m.title, m.id as mid,"
          . "\n DATE_FORMAT(u.created, '%d. %b. %Y.') as cdate,"
          . "\n DATE_FORMAT(u.lastlogin, '%d. %b. %Y.') as adate"
          . "\n FROM " . $this->uTable . " as u"
          . "\n LEFT JOIN memberships as m ON m.id = u.membership_id"
          . "\n " . $clause
          . "\n ORDER BY " . $sorting . $pager->limit;
          $row = $db->fetch_all($sql);

          return ($row) ? $row : 0;
      }
  }
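As an added illustration of what the replies above describe (it is not code from the thread or from the membership script), here is a self-contained getPayments() replacement that filters on the owner of the payment. It uses the same tables and columns as the thread's query (payments, users, memberships, p.user_id, p.date) but runs against an in-memory SQLite database through PDO with constructed sample rows, so the function name getPaymentsForUser() and the data are assumptions. The owner id is whatever the session established at login (the Users class's $uid, not the $userid read from ?userid=), the sort column is whitelisted exactly as the original does, and the owner id and date range are bound parameters, so the date filter is combined with the owner filter using AND instead of producing a second WHERE.

```php
<?php
// Added example, not the thread's code. Assumes PDO with the sqlite driver.
// Tables and columns follow the thread's getPayments(); rows are constructed here.
declare(strict_types=1);

function buildSchema(PDO $db): void
{
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
    $db->exec("CREATE TABLE memberships (id INTEGER PRIMARY KEY, title TEXT)");
    $db->exec("CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER,
               membership_id INTEGER, rate_amount REAL, pp TEXT, status INTEGER, date TEXT)");
    // Constructed sample data: two members, three payments.
    $db->exec("INSERT INTO users VALUES (1,'alice'),(2,'bob')");
    $db->exec("INSERT INTO memberships VALUES (1,'Gold'),(2,'Silver')");
    $db->exec("INSERT INTO payments VALUES
        (10,1,1,49.00,'paypal',1,'2012-01-15 10:00:00'),
        (11,2,2,19.00,'paypal',0,'2012-02-01 09:30:00'),
        (12,1,2,19.00,'2co',1,'2012-02-10 12:00:00')");
}

/**
 * Return only the payments that belong to $ownerId.
 *
 * $ownerId must be the id established at login (the session-derived $uid),
 * never a value read from $_GET or $_POST. $sort is checked against a
 * whitelist; the owner id and the date range are bound parameters, so none
 * of them can change the SQL text. The date range is chained with AND, which
 * avoids the doubled WHERE of the original when two filters are active.
 */
function getPaymentsForUser(PDO $db, int $ownerId, ?string $from = null, ?string $to = null,
                            string $sort = 'date', string $order = 'DESC'): array
{
    $allowedSort = ['user_id', 'rate_amount', 'pp', 'date'];
    if (!in_array($sort, $allowedSort, true)) {
        $sort = 'date';
    }
    $order = ($order === 'ASC') ? 'ASC' : 'DESC';

    $sql = "SELECT p.id, p.user_id, u.username, m.title, p.rate_amount, p.pp, p.status, p.date"
         . " FROM payments AS p"
         . " LEFT JOIN users AS u ON u.id = p.user_id"
         . " LEFT JOIN memberships AS m ON m.id = p.membership_id"
         . " WHERE p.user_id = :owner";
    $params = [':owner' => $ownerId];

    if ($from !== null && $from !== '') {
        // Accept plain calendar dates only; anything else is refused before it reaches SQL.
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $from)) {
            throw new InvalidArgumentException('fromdate must be YYYY-MM-DD');
        }
        $to = ($to !== null && $to !== '') ? $to : date('Y-m-d');
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $to)) {
            throw new InvalidArgumentException('enddate must be YYYY-MM-DD');
        }
        $sql .= " AND p.date BETWEEN :from AND :to";
        $params[':from'] = $from . ' 00:00:00';
        $params[':to']   = $to . ' 23:59:59';
    }

    // Column and direction were taken from the whitelist above, so interpolating them is safe.
    $sql .= " ORDER BY p.$sort $order";

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);

// Stand-in for the id that Users::loginCheck() restores from the session.
$sessionUid = 1;

// The member's own page: alice's two payments, nothing of bob's.
$mine = getPaymentsForUser($db, $sessionUid);
echo count($mine) . " payment(s) for user $sessionUid\n";
foreach ($mine as $r) {
    echo "  #{$r['id']} {$r['username']} {$r['title']} {$r['rate_amount']} {$r['date']}\n";
}

// Date filter combined with the owner filter: one of alice's payments falls in February.
$ranged = getPaymentsForUser($db, $sessionUid, '2012-02-01', '2012-02-28');
echo count($ranged) . " payment(s) for user $sessionUid in February 2012\n";

// Malformed request input is rejected rather than spliced into the statement.
try {
    getPaymentsForUser($db, $sessionUid, 'not-a-date');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The important design point is that the caller never gets to choose the owner: the page handler passes the session user's id and the query has no path by which a request parameter could widen the result set. Pagination is left out here; if it is added, the count used for the pager should be taken with the same owner filter, otherwise the page count leaks how many payments exist in total.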




Re: Problem With user restriction for transaction history

Posted: Mon Feb 20, 2012 1:18 am
by social_experiment
I wouldn't, since the method to update isn't part of this class. A quick glance reveals no method from the 'Users' class being used elsewhere in the code pasted initially.