
Newbie questions about user management and $_GET


Haemp


Hi guys.

I'm currently developing a site where users can create their own account and have their own statistics (how many times they have logged in etc). The first way I did it was having a PHP script make a new .php file for every user. When the user then logged in the header tag would redirect them to /users/$usr_name.php. But I've now realised that this is a very newbie style of handling the users.

 

In my second try I have (on login) redirected the user to a /users/user.php to have as a "template" file. I use Sessions to store $logged_in and $id, and use the DB to get and display the info for that particular user. I figure this is a much better solution, but I'm still not sure.

 

I have seen some sites use the $_GET variable in their links (ex. www.domain.com/index.php?view=movies), but will this destroy a session? If someone were $logged_in and wrote in the URL: www.mydomain.com/users/user.php?id=55, would he get access to the user?

 

Thanks

 

Link to comment
Share on other sites

It won't destroy the session. But it will also show whatever you want it to show. If users shouldn't see information for other users, then don't bother with the GET variable and stick with this option you pointed out:

In my second try I have (on login) redirected the user to a /users/user.php to have as a "template" file. I use Sessions to store $logged_in and $id, and use the DB to get and display the info for that particular user. I figure this is a much better solution, but I'm still not sure.

 

But, if there is some public information, similar to PHPfreaks: http://www.phpfreaks.com/forums/index.php?action=profile;u=63684, you'll want to use information in a GET variable to distinguish which user to display info on. Just remember, if you are determining which user's info should be displayed from the GET variable, and aren't restricting access on that, there shouldn't be any personal info on the user (unless they choose to make it public).

Link to comment
Share on other sites

Ok so let's say I forget about $_GET. To kick out unwelcome strangers I use an IF statement to check if their $_SESSION['logged_in'] == TRUE. BUT let's say a friend of mine creates an account and decides to stab me in the back: He logs in, i.e. gets the $_SESSION['logged_in'], and then writes www.mydomain.com/users.php in the browser. The information on the users.php site is based on $_SESSION['user_id'] which is set on login. Would this make him go to his own account? If so my $_SESSION haze is clearing.

 

Many thanks //Haemp

Link to comment
Share on other sites
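The two cases discussed in the thread, private pages keyed on the session and public profiles keyed on a GET parameter, as an added example that is not part of the original posts. The function names, the sample rows and the in-memory array standing in for the database are assumptions made for illustration; only `$_SESSION['logged_in']` and `$_SESSION['user_id']` come from the thread.

```php
<?php
// Hypothetical lookup: constructed sample rows stand in for the users table.
function find_user(int $id): ?array
{
    static $users = [
        12 => ['name' => 'alice', 'email' => 'alice@example.test', 'logins' => 7],
        55 => ['name' => 'bob',   'email' => 'bob@example.test',   'logins' => 31],
    ];
    return $users[$id] ?? null;
}

// Private page (/users/user.php): the row is chosen from the session only.
// $_GET is never read here, so typing ?id=55 cannot switch accounts.
function private_stats(array $session): ?array
{
    if (($session['logged_in'] ?? false) !== true) {
        return null;                    // not logged in: caller redirects to login
    }
    return find_user((int) ($session['user_id'] ?? 0));
}

// Public profile page: the id comes from the URL, so it is validated as an
// integer and only fields on the allow-list are returned.
function public_profile(array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    $user = ($id === false) ? null : find_user($id);
    if ($user === null) {
        return null;                    // bad or unknown id: caller sends a 404
    }
    $publicFields = ['name'];           // assumption: only the name is public
    return array_intersect_key($user, array_flip($publicFields));
}

// Constructed request: user 12 is logged in and types ?id=55 into the URL.
// In a real page these would be $_SESSION and $_GET.
$session = ['logged_in' => true, 'user_id' => 12];
$get     = ['id' => '55'];

var_dump(private_stats($session));      // the logged-in user's own row
var_dump(public_profile($get));         // user 55, public fields only
var_dump(private_stats([]));            // no session at all
```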
