How do I check if a user can view a page

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

I have a PHP page which shows an edit screen for properties, depending on the URL id.

The page URL is as follows:

http://www.somthing.com/property_page?var=1

I would like to prevent other users from accessing pages by typing in a generic var number, i.e.:

http://www.something.com/property_page?var=2 ... 3... 4... etc

I have a session ID for the users in numerics, i.e. 1, 2, 3, etc., and this is how the users are identified.

I have already performed a basic security check to see whether the user is logged in or not; if not, they are redirected.

I would also like to redirect logged-in users who attempt to pull up data for other properties using URL insertion as above.

The database currently consists of two tables;

users
homes

When a user posts a new home the home has a posted_by value, which is the same as the user_id value.

I would like to carry out a query and then a loop to check whether the current user_id matches the var (url) value.

Please help.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

So are you trying to authenticate the user against what is passed by the URL, or authenticate the home?
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Yes,

I want to use the url variable to check within the database to see whether they can view it.

Just to stop people putting in any URL variable, i.e. ?var=15 ... ?var=20
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

When you get the details from the database, add a clause to check the posted_by field.

Code:

// Validate the URL id and bind both values instead of splicing them into the SQL,
// so a crafted ?var= cannot alter the query or bypass the posted_by check.
$homeId = (int) $_GET['var'];
$userId = (int) $_SESSION['user'];
$stmt = mysqli_prepare($databaseLink, "SELECT * FROM home WHERE id = ? AND posted_by = ?");
mysqli_stmt_bind_param($stmt, "ii", $homeId, $userId);
mysqli_stmt_execute($stmt);
$r = mysqli_stmt_get_result($stmt);
if (mysqli_num_rows($r) == 0) {
  echo "Hackers make baby Jesus cry.";
} else {
  $home = mysqli_fetch_object($r);
  //stuff
}
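To make the ownership check in the reply above concrete, here is an added example that is not from the thread or any of its posters. It models the same two tables (homes.posted_by matching users.id, as the question describes) in Python on an in-memory SQLite database rather than PHP and MySQL, so it runs stand-alone; the schema, rows and user names are constructed for the example. load_home_concat reproduces the string-spliced query pattern with the posted_by clause in place, and load_home_bound is the hardened form that validates the id and binds both values. The crafted var value `1' --` shows why the splicing matters: it comments out the rest of the statement, so the posted_by clause never runs and user 2 is handed user 1's home.

```python
import sqlite3

# Constructed sample data modelling the two tables named in the thread.
# Schema and rows are assumptions for this example, not the poster's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE homes (id INTEGER PRIMARY KEY, posted_by INTEGER, address TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO homes VALUES (1, 1, '1 Alice Road'), (2, 2, '2 Bob Street');
    """)
    return db


def load_home_concat(db, var, session_user):
    """The reply's pattern: the raw ?var= value is quoted and spliced into the SQL.

    The posted_by clause is present, but anything the user puts after a closing
    quote becomes part of the statement.
    """
    sql = ("SELECT id, posted_by, address FROM homes "
           "WHERE id = '%s' AND posted_by = '%s'" % (var, session_user))
    return db.execute(sql).fetchone()


def load_home_bound(db, var, session_user):
    """Same ownership check, hardened: validate the id, bind both values.

    Returns None both for an id that does not exist and for a home owned by
    someone else, so the caller treats the two cases identically.
    """
    try:
        home_id = int(var)
    except (TypeError, ValueError):
        return None  # not a numeric id: nothing to look up
    return db.execute(
        "SELECT id, posted_by, address FROM homes WHERE id = ? AND posted_by = ?",
        (home_id, int(session_user)),
    ).fetchone()


def run_cases():
    """Run the same requests through both versions; returns a dict of results."""
    db = make_db()
    cases = {
        "owner_plain":    ("1", 1),      # alice asks for her own home
        "other_plain":    ("1", 2),      # bob asks for alice's home by id
        "other_injected": ("1' --", 2),  # bob comments out the posted_by clause
    }
    return {name: {"concat": load_home_concat(db, var, user),
                   "bound": load_home_bound(db, var, user)}
            for name, (var, user) in cases.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:16} concat={result['concat']}  bound={result['bound']}")
```

Two points worth carrying back to the PHP: the user id in the WHERE clause must come from the server-side session, never from anything in the request, and the hardened lookup deliberately returns the same "no row" result for a home that does not exist and for a home owned by someone else, so the page should redirect identically in both cases rather than reveal which ids are in use.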