Hi,
I have a PHP page which shows an edit screen for properties, depending on the URL id.
The page URL is as follows:
http://www.somthing.com/property_page?var=1
I would like to prevent other users from accessing pages by typing in a generic var number, i.e.:
http://www.something.com/property_page?var=2 ... 3... 4... etc
I have a session id for the users in numerics, i.e. 1, 2, 3 etc., and this is how the users are identified.
I have already performed a basic security check to see whether the user is logged in or not; if not, they are redirected.
I would also like to redirect logged-in users who attempt to pull up data for other properties using URL insertion as above.
The database currently consists of two tables:
users
homes
When a user posts a new home the home has a posted_by value, which is the same as the user_id value.
I would like to carry out a query and then a loop to check whether the current user_id matches the var (URL) value.
Please help.
How do I check if a user can view a page
When you get the details from the database, add a clause to check the posted by field.
Code: Select all
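// Cast both values to integers so URL input cannot alter the SQL statement
$id   = (int) $_GET['var'];
$user = (int) $_SESSION['user'];
$r = mysql_query("select * from home where id = '".$id."' and posted_by = '".$user."'", $databaseLink);
if (mysql_num_rows($r) == 0) {
    // No row: the home does not exist or was not posted by this user
    echo "Hackers make baby Jesus cry.";
} else {
    $home = mysql_fetch_object($r);
    //stuff
}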
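The same ownership check, written as an added example that is not part of the original posts: it uses PDO prepared statements instead of the mysql_* functions, validates the var value, and treats "no such home" and "not your home" identically. The homes table with id and posted_by columns follows the thread; the function name loadOwnedHome, the title column, the $_SESSION['user_id'] key and the in-memory SQLite rows are assumptions made for the demonstration.

```php
<?php
// Added example: ownership check with PDO prepared statements.
// homes.id and homes.posted_by follow the thread; everything else
// (function name, title column, SQLite demo rows) is constructed.

/**
 * Return the home row only if it exists AND was posted by $userId, else null.
 */
function loadOwnedHome(PDO $db, $rawId, int $userId): ?array
{
    // Accept only a positive integer; anything else never reaches the database.
    $homeId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($homeId === false) {
        return null;
    }
    // Ownership is part of the WHERE clause, so a missing home and someone
    // else's home look the same to the caller.
    $stmt = $db->prepare('SELECT * FROM homes WHERE id = :id AND posted_by = :uid');
    $stmt->execute([':id' => $homeId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE homes (id INTEGER PRIMARY KEY, posted_by INTEGER, title TEXT)');
$db->exec("INSERT INTO homes VALUES (1, 1, 'Flat A'), (2, 2, 'House B')");

// In the real page this comes from the session (assumed key: $_SESSION['user_id']).
$currentUser = 1;

// Values as they would arrive in ?var=
foreach (['1', '2', '2abc', '999'] as $var) {
    $home = loadOwnedHome($db, $var, $currentUser);
    // In the real page the null case would be: header('Location: ...'); exit;
    $result = ($home !== null) ? "edit screen for {$home['title']}" : 'redirect';
    echo str_pad("var=$var", 12), $result, PHP_EOL;
}
```

Only var=1 reaches the edit screen for user 1; the other three values all end in the same redirect.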