Page 1 of 1

How to display only logged in users records?

Posted: Thu Jun 02, 2005 10:41 am
by mchinery
Hi,
I am new to the forum and new to PHP and Mysql too.
I have an application that displays all records to only logged in users but I want to display only the records for the logged in user.

I have a class called session that holds the username of the logged in user. This class starts the session in all pages. All user records have a field called userid.

How can I ensure that only the logged in users records are displayed? I was thinking that modifying the sql statement was the answer but I am unsure of how to do this.

Here is the code that I think I need to change to achieve this.

Code: Select all

include("session.php");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<title>Property View</title>
	<?
		if($session->logged_in){
   echo "Logged In";
   echo "Welcome <b>$session->username</b>, you are logged in. <br><br>";
   }
   ?>
<?php

	include("./language.php");
	include("./lib.php");
	include("./property_dml.php");
	
	$x = new DataList;
	if($HTTP_POST_VARS["Filter_x"] != ""  || $HTTP_POST_VARS['CSV_x'] != "")
	{
		// Query used in filters page and CSV output
		$x->Query = "select property.propcode as 'Property Code', property.your_ref as 'Your Reference', property.rec_status as 'Status', property.prop_type as 'Type', property.message as 'SMS Text Message' from property";
	}
	else
	{
		// Query used in table view
		$x->Query = "select property.propcode as 'Property Code', property.your_ref as 'Your Reference', property.rec_status as 'Status', property.prop_type as 'Type' from property";
	}
	$x->DataHeight = 150;
	$x->AllowSelection = 1;
	$x->AllowDelete = 0;
	$x->AllowInsert = 0;
	$x->AllowUpdate = 1;
	$x->AllowFilters = 1;
	$x->AllowSavingFilters = 0;
	$x->AllowSorting = 1;
	$x->AllowNavigation = 1;
	$x->AllowPrinting = 1;
	$x->AllowCSV = 1;
	$x->HideTableView = 0;
	$x->RecordsPerPage = 10;
	$x->QuickSearch = 1;
	$x->QuickSearchText = $Translation["quick search"];
	$x->ScriptFileName = "property_view.php";
	$x->TableTitle = "Property";
	$x->PrimaryKey = "property.id";
	$x->ColWidth[] = 150;
	$x->ColWidth[] = 150;
	$x->ColWidth[] = 150;
	$x->ColWidth[] = 150;
	$x->Render();
	
//	include("./header.php");
	echo $x->HTML;
//	include("./footer.php");
?>
And the second php file is:

Code: Select all

<?php

// Data functions for table property

function insert()
{
	global $HTTP_SERVER_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES, $Translation;
	
	if(get_magic_quotes_gpc())
	{
		$propcode = $HTTP_POST_VARS["propcode"];
		$your_ref = $HTTP_POST_VARS["your_ref"];
		$rec_status = $HTTP_POST_VARS["rec_status"];
		$prop_type = $HTTP_POST_VARS["prop_type"];
		$message = $HTTP_POST_VARS["message"];
		$contact = $HTTP_POST_VARS["contact"];
		$userid = $HTTP_POST_VARS["userid"];
	}
	else
	{
		$propcode = addslashes($HTTP_POST_VARS["propcode"]);
		$your_ref = addslashes($HTTP_POST_VARS["your_ref"]);
		$rec_status = addslashes($HTTP_POST_VARS["rec_status"]);
		$prop_type = addslashes($HTTP_POST_VARS["prop_type"]);
		$message = addslashes($HTTP_POST_VARS["message"]);
		$contact = addslashes($HTTP_POST_VARS["contact"]);
		$userid = addslashes($HTTP_POST_VARS["userid"]);
	}
	$image = PrepareUploadedFile("image", 100000);
	
	sql("insert into property (your_ref, rec_status, prop_type, message, contact, image) values (" . (($your_ref != "") ? "'$your_ref'" : "NULL") . ", " . (($rec_status != "") ? "'$rec_status'" : "NULL") . ", " . (($prop_type != "") ? "'$prop_type'" : "NULL") . ", " . (($message != "") ? "'$message'" : "NULL") . ", " . (($contact != "") ? "'$contact'" : "NULL") . ", " . (($image != "") ? "'$image'" : "NULL") . ")");
	return mysql_insert_id();
}

function delete($selected_id)
{
	// insure referential integrity ...
	global $Translation;

	sql("delete from property where id='$selected_id'");
}

function update($selected_id)
{
	global $HTTP_SERVER_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $Translation;
	
	if(get_magic_quotes_gpc())
	{
		$propcode = $HTTP_POST_VARS["propcode"];
		$your_ref = $HTTP_POST_VARS["your_ref"];
		$rec_status = $HTTP_POST_VARS["rec_status"];
		$prop_type = $HTTP_POST_VARS["prop_type"];
		$message = $HTTP_POST_VARS["message"];
		$contact = $HTTP_POST_VARS["contact"];
		$userid = $HTTP_POST_VARS["userid"];
	}
	else
	{
		$propcode = addslashes($HTTP_POST_VARS["propcode"]);
		$your_ref = addslashes($HTTP_POST_VARS["your_ref"]);
		$rec_status = addslashes($HTTP_POST_VARS["rec_status"]);
		$prop_type = addslashes($HTTP_POST_VARS["prop_type"]);
		$message = addslashes($HTTP_POST_VARS["message"]);
		$contact = addslashes($HTTP_POST_VARS["contact"]);
		$userid = addslashes($HTTP_POST_VARS["userid"]);
	}

	if($HTTP_POST_VARS['image_remove'] == 1){
		$image = "";
	}else{
		$image = PrepareUploadedFile("image", 100000);
	}
	sql("update property set " . "your_ref=" . (($your_ref != "") ? "'$your_ref'" : "NULL") . ", " . "rec_status=" . (($rec_status != "") ? "'$rec_status'" : "NULL") . ", " . "prop_type=" . (($prop_type != "") ? "'$prop_type'" : "NULL") . ", " . "message=" . (($message != "") ? "'$message'" : "NULL") . ", " . "contact=" . (($contact != "") ? "'$contact'" : "NULL") . ", " . ($image!="" ? "image='$image'" : ($HTTP_POST_VARS['image_remove'] != 1 ? "image=image" : "image=NULL")) . " where id='$selected_id'");
}

function form($selected_id = "", $AllowUpdate = 1, $AllowInsert = 1, $AllowDelete = 1)
{
	// function to return an editable form for a table records
	// and fill it with data of record whose ID is $selected_id. If $selected_id
	// is empty, an empty form is shown, with only an 'Add New'
	// button displayed.
	
	global $Translation;
	
	if(!$AllowInsert && $selected_id==""){  return ""; }
	
	$code = "<br><table border=1 bordercolor=navy cellpadding=0 cellspacing=0><tr><td><div class=TableTitle>Detail View</div></td></tr><tr><td><table>";
	$code .= "\n\t<tr><td colspan=2></td><td rowspan=7 valign=top>";
	if($AllowInsert)
		$code .= "<div><input type=image src=insert.gif name=insert alt='" . $Translation["add new record"] . "'></div>";
	
	// combobox: rec_status
	$combo_rec_status = new Combo;
	$combo_rec_status->ListItem = explode(";;", " ;;Active;;Inactive");
	$combo_rec_status->ListData = explode(";;", " ;;Active;;Inactive");
	$combo_rec_status->SelectName = "rec_status";
	// combobox: prop_type
	$combo_prop_type = new Combo;
	$combo_prop_type->ListItem = explode(";;", "Sale;;Rental;;Auction;;Commercial;;Other");
	$combo_prop_type->ListData = explode(";;", "Sale;;Rental;;Auction;;Commercial;;Other");
	$combo_prop_type->SelectName = "prop_type";

	if($selected_id)
	{
		$res = sql("select * from property where id='$selected_id'");
		$row = mysql_fetch_array($res);
		$combo_rec_status->SelectedData = $row["rec_status"];
		$combo_prop_type->SelectedData = $row["prop_type"];

		$code .= "<br>";
		if($AllowUpdate)
			$code .= "<div><input type=image src=update.gif vspace=1 name=update alt='" . $Translation["update record"] . "'></div>";
		if($AllowDelete)
			$code .= "<div><input type=image src=delete.gif vspace=1 name=delete alt='" . $Translation["delete record"] . "' onclick='return confirm(\"" . $Translation["are you sure?"] . "\");'></div>";
		$code .= "<div><input type=image src=deselect.gif vspace=1 name=deselect alt='" . $Translation["deselect record"] . "'></div>";
	}
	$combo_rec_status->Render();
	$combo_prop_type->Render();

	$code .= "</td></tr>";


	// Detail view form fields
/*	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>ID</div></td><td class=TableBody width=300>" . $row['id'] . "&nbsp;&nbsp;</td></tr>";
*/	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Property Code</div></td><td class=TableBody width=300>" . $row['propcode'] . "&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Your Reference</div></td><td class=TableBody width=300><textarea class=TextBox name=your_ref cols=50 rows=4>" . htmlspecialchars($row["your_ref"], ENT_QUOTES) . "</textarea>&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Status</div></td><td class=TableBody width=300>$combo_rec_status->HTML&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Type</div></td><td class=TableBody width=300>$combo_prop_type->HTML&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>SMS Text Message</div></td><td class=TableBody width=300><textarea class=TextBox name=message cols=50 rows=4>" . htmlspecialchars($row["message"], ENT_QUOTES) . "</textarea>&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Contact</div></td><td class=TableBody width=300><textarea class=TextBox name=contact cols=50 rows=3>" . htmlspecialchars($row["contact"], ENT_QUOTES) . "</textarea>&nbsp;&nbsp;</td></tr>";
	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Image</div></td><td class=TableBody width=300>";
		if($row["image"]) $code .= "<img src=" . $Translation['ImageFolder'] . $row['image'] . " border=0>";
		$code .= "<input type=hidden name=MAX_FILE_SIZE value=100000>";
		$code .= "<br>" . $Translation["upload image"] . " <input type=file name=\"image\" class=TextBox>";
		if($AllowUpdate && $row["image"]!=""){
			// Comment the line below to hide the 'Remove image' checkbox
			$code .= "<br><input type=checkbox name='image_remove' value='1'> <b class=Error>" . $Translation["remove image"] . "</b>";
		}
		$code .= "&nbsp;&nbsp;</td></tr>";
/*	$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Userid</div></td><td class=TableBody width=300>" . $row['userid'] . "&nbsp;&nbsp;</td></tr>";
*/
	$code .= "</table></td></tr></table>";

	return $code;
}
?>
Any help would be gratefully received.

Posted: Thu Jun 02, 2005 10:53 am
by Burrito
that's a lot of code to chew through and it would have been a lot easier to read had you put it in php tags...for future reference, you might want to do that instead of code tags.

to answer your question:

you're going to need to determine the user's id on the database (alternatively, if the user names are unique, you could use that) and then run a query against the database and return all of the information from their specific row. Since you already have the session var set to display their username (assuming it is unique) just use that in your where clause when running a sql statement:

ex:

Code: Select all

$query = "select * from userTable where username = '".mysql_escape_string($session->username)."'";
if the user information is linked to other tables, then just join the tables in the where clause or use an alternate join type.

How to display only logged in users records?

Posted: Thu Jun 02, 2005 11:50 am
by mchinery
Hi,

Thanks for the quick reply. Sorry about the Code. Will use PHP next time.

All user records are created by an administrator and have the username in the userid field so what you suggest would work.
The problem is that I am not sure where in the script(s) to modify the statement? I did say I was new at this!!

I have tried some different options but no luck.

Posted: Thu Jun 02, 2005 12:11 pm
by Burrito
I don't see a select related to anything user...

you might just need to create it yourself (wouldn't have to be in the class).

what does your database look like? More specifically what does the user table look like? what information do you want to get off of there? do you want them to be able to modify that information or is it for display purposes only?

if you want them to be able to modify it, then you should create an html form that is prepopulated with their information.

this should prove to be a good learnign experience for you :P

Re:How to display only logged in users records?

Posted: Mon Jun 20, 2005 4:38 am
by mchinery
Hi,

I have fixed the problem by adding the variable in the select statement. I changed the statement to read

Code: Select all

$res = sql("select * from property where id='$selected_id' and userid= '".$_SESSION['username']."'");
This seems to have done the trick. Thanks for all your help.

Martin.