PHP User ID validation

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Javrixx
Forum Commoner
Posts: 32
Joined: Thu Aug 24, 2006 2:05 pm

PHP User ID validation

Post by Javrixx »

So I'm building the second part of this project I'm doing for work. I've learned TONS of php to do this, but I don't know if I'm overthinking or what about this problem.

Basically, I've made certain folders for users. Each user gets a folder. I need to make it so if the user's ID doesn't equal to X, they are given a message or are redirected. And if the user's ID is equal to X, they are shown the rest of the page. I've tried like a million little scripts but none work, any experts know how to do this right off the bat?

Here is the INCOMPLETE .php file I am using.

(Note that the user must already be logged in at this point to even get this far)

results.php

Code:

<?php

require('../../db_config.php');
require('../../global.php');

db_connect($mysql['username'],$mysql['password'],$mysql['database'],$mysql['host']);

$config = get_config($mysql['prefix']);

debug_mode($config['debug_mode']);

require('../auth.inc.php');

require('../../lib/MiniTemplator.class.php');
$template = new MiniTemplator;
$templatedir = '../../templates/';

// Account deletion. Note that this fires on a plain GET (?action=delete&verify=...)
// with no CSRF token, so nothing ties the request to a deliberate click by the user.
if(isset($_GET['action']) && $_GET['action'] == 'delete' && isset($_GET['verify']))
{
	remove_user($_SESSION['username'],$mysql['prefix']);
	generate_htpasswd($mysql['prefix']);
	session_destroy();
	redirect('../../index.php');
}

// Escape the session value before it goes into the query: it was set at login,
// but it is still a string and must not be concatenated into SQL unescaped.
$sql = 'SELECT * FROM '.$mysql['prefix'].'users WHERE username="'
     . mysql_real_escape_string($_SESSION['username']).'"';

if(!$result = mysql_query($sql))
{
	die('The following MySQL query failed. User data could not be retrieved. '.$sql);
}

$firstname = '';   // default so the template variable is defined even if no row matches
while (($row = mysql_fetch_array($result)) !== false)
{
	$firstname = $row['firstname'];
}


$template->readFileIntoString($templatedir."results_overall_header.html",$header);
$template->readFileIntoString($templatedir."results_results.html",$main);
$template->readFileIntoString($templatedir."results_overall_footer.html",$footer);

$template->setTemplateString($header . $main . $footer);

$template->setVariable("firstname",$firstname);


// $javascript is expected to be defined by global.php
$template->setVariable("code",$javascript);
$template->addBlock("code");
$template->addBlock("javascript");

$template->setVariable("footer",show_user_footer($software_signature));
$template->setVariable("pagename","My Account");
$template->generateOutput();
?>
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Javrixx wrote:I need to make it so if the user's ID doesn't equal to X, they are given a message or are redirected

Code:

if($user_id != $x)
{
    header('Location: some_page.php');
    exit;
}
Javrixx
Forum Commoner
Posts: 32
Joined: Thu Aug 24, 2006 2:05 pm

Post by Javrixx »

Thanks for your help, I got it working and here is the code I am using for it:

Code:

if($userid != 1)
{
    header('Location: ../../support/');
    exit;
}
Stevenr
Forum Newbie
Posts: 3
Joined: Sat Oct 14, 2006 7:54 pm

Post by Stevenr »

Javrixx wrote:Thanks for your help, I got it working and here is the code I am using for it:

Code:

if($userid != 1)
{
    header('Location: ../../support/');
    exit;
}
You probably want to use the more correct way:

Code:

// Strict comparison against the actual ID value. Cast first, because a row fetched
// with mysql_fetch_array() gives the id back as the string "1", and "1" !== 1 is
// always true (which would redirect everyone, including user 1).
if((int)$userid !== 1)
{
    header('Location: ../../support/');
    exit;
}
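Putting the thread's pieces together, here is an added example (not code from any of the posters) of the same check done end to end: the logged-in user's row is fetched with a prepared statement instead of string concatenation, and the ID is compared as an integer. It assumes the $mysql config array and table layout from results.php above, that auth.inc.php has set $_SESSION['username'], and a mysqli connection in place of the mysql_* functions.

```php
<?php
// Added example: look up the logged-in user and allow only one user ID through.
session_start();
require('../../db_config.php');   // provides $mysql (host, username, password, database, prefix)

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // fail loudly, never continue on error
$db = new mysqli($mysql['host'], $mysql['username'], $mysql['password'], $mysql['database']);

function current_user(mysqli $db, string $prefix): ?array
{
    if (empty($_SESSION['username'])) {
        return null;                                   // not logged in
    }
    // A table name cannot be a bound parameter. The prefix comes from config, not the
    // request, but restrict it anyway so a bad config value cannot change the query.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, firstname FROM ' . $prefix . 'users WHERE username = ? LIMIT 1');
    $username = $_SESSION['username'];
    $stmt->bind_param('s', $username);                 // bound as data, never concatenated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function require_user_id(mysqli $db, string $prefix, int $allowed): array
{
    $user = current_user($db, $prefix);
    // Depending on the driver the id may arrive as int or as the string "1";
    // cast so the strict comparison is int against int.
    if ($user === null || (int)$user['id'] !== $allowed) {
        header('Location: ../../support/');
        exit;                                          // header() alone does not stop the page rendering
    }
    return $user;
}

// Deny by default: everything after this line runs only for user ID 1.
$user = require_user_id($db, $mysql['prefix'], 1);
$firstname = $user['firstname'];
```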