
How do I check if a user can view a page

Posted: Thu Jul 20, 2006 2:59 pm
by mhouldridge
Hi,

I have a php page which shows an edit screen for properties, depending on the url id;

the page url is as follows;

http://www.something.com/property_page?var=1

I would like to prevent other users from accessing pages by typing in a generic var number, ie;

http://www.something.com/property_page?var=2 ... 3... 4... etc

I have a session id for the users in numerics, ie, 1, 2, 3 etc. and this is how the users are identified.

I have already performed a basic security check to see whether the user is logged in or not, if not they are redirected.

I would also like to redirect logged in users who attempt to pull up data for other properties using url insertion as above.

The database currently consists of two tables;

users
homes

When a user posts a new home the home has a posted_by value, which is the same as the user_id value.

I would like to carry out a query and then a loop to check whether the current user_id matches the var (url) value.


Please help.

Posted: Thu Jul 20, 2006 3:01 pm
by RobertGonzalez
So are you trying to authenticate the user against what is passed by the URL or authenticate the home?

Posted: Fri Jul 21, 2006 4:40 am
by mhouldridge
Yes,

I want to use the url variable to check within the database to see whether they can view it.

Just to stop people putting in any url variable, ie. ?var=15..... ?var=20

Posted: Fri Jul 21, 2006 6:11 am
by onion2k
When you get the details from the database, add a clause to check the posted by field.

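Code:

// Cast both values to integers so the URL parameter cannot inject SQL
$id = (int) $_GET['var'];
$user = (int) $_SESSION['user'];
$r = mysql_query("select * from home where id = ".$id." and posted_by = ".$user, $databaseLink);
// mysql_query() returns false on error, so check that before counting rows
if ($r === false || mysql_num_rows($r) == 0) {
  echo "Hackers make baby Jesus cry.";
} else {
  $home = mysql_fetch_object($r);
  //stuff
}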
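
The ownership check discussed in this thread, written with a PDO prepared statement; this is an added example, not code posted by anyone in the thread. The `homes` table and `posted_by` column come from the first post; the `id` and `title` columns, the in-memory SQLite database, the sample rows and the `fetch_owned_home()` helper are assumptions made for illustration.

```php
<?php
// Constructed data: an in-memory SQLite table standing in for `homes`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE homes (id INTEGER PRIMARY KEY, posted_by INTEGER, title TEXT)');
$pdo->exec("INSERT INTO homes VALUES (1, 1, 'Flat A'), (2, 2, 'House B')");

/**
 * Return the home row only if it belongs to $userId, otherwise null.
 * fetch_owned_home() is a hypothetical helper name.
 */
function fetch_owned_home(PDO $pdo, $rawId, int $userId): ?array
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the WHERE clause, so "does not exist" and
    // "belongs to someone else" look the same to the caller.
    $stmt = $pdo->prepare(
        'SELECT id, posted_by, title FROM homes WHERE id = :id AND posted_by = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: user 1 is logged in and tries several ?var= values.
$sessionUser = 1; // stands in for the user id kept in the session
foreach (['1', '2', '15', "1' OR '1'='1"] as $var) {
    $home = fetch_owned_home($pdo, $var, $sessionUser);
    $action = $home ? 'show edit screen for ' . $home['title'] : 'redirect';
    echo str_pad($var, 14), ' => ', $action, PHP_EOL;
}
```

Only `?var=1` reaches the edit screen for user 1; another user's home, a missing id and a non-numeric value all end in the same redirect.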