dpedroia Posted July 19, 2010

I have a website set up here: http://www.vyfx.com/sportaccess/ There is a test account of '[email protected] | test' should it help in troubleshooting this issue.

When users log in to the site (still under construction) they have the ability to create events. The Create Event page can be found by hovering over 'Events' at the top and selecting Create Event. All events are linked to the logged-in user's unique "user ID", which is a field labeled 'id' in the `users` table of the MySQL database.

The problem is this: once a user has created an event, they may view their event(s) in the 'My Account > My SportAccess > Manage Your Events' page. However, although the correct events are listed initially and nothing seems to be an issue, clicking around other pages in the site and returning to the 'Manage Your Events' page will often display another user's events instead. Obviously this is an issue because I don't want users to be able to manage other users' events or information. I don't know why this could be happening but am thinking along the lines of a loop somewhere that may be incrementing the $id variable, thus displaying another user's information.
The code I have for 'mysa-events.php', the page where this is occurring, is:

    <?php
    require_once('config.php');

    $max_col = 100;
    $query = "SELECT * FROM events WHERE user = $user";
    $result = mysql_query($query) or die(mysql_error());

    echo "<table class='sortable tableFormat' cellspacing=5>
          <tr>
            <th>Event ID </th>
            <th>Event Name </th>
            <th>Sport </th>
            <th>State </th>
            <th>Venue </th>
            <th>Date </th>
            <th>Manage </th>
          </tr>";

    $col = 0;
    while ($row = mysql_fetch_array($result)) {
        extract($row);
        $col++;
        echo "<tr>
                <td><a href=events.php?event=$id>$id</a> </td>
                <td>$eventname </td>
                <td>$sport </td>
                <td>$state </td>
                <td>$venue </td>
                <td>$month/$day/$year </td>
                <td><a href=manageevent.php?event=$id>Manage</a> </td>
              </tr>";
    }
    echo "</table>";
    ?>

My 'config.php' file is:

    <?php
    session_start();
    $conn = mysql_connect('ADDRESS', 'USERNAME', 'PASSWORD');
    mysql_select_db('sportaccess');
    ?>

The code for the Create Event page, 'createevent.php', is:

    <?php
    require_once('config.php');

    if ( !isset($_SESSION['user']) ) {
        include('login.php');
        exit;
    }

    if ( isset($_POST['Submit']) ) {
        if ( trim($_POST['EventName']) == '' ) {
            $error['eventname'] = 1;
        }
        if ( trim($_POST['Venue']) == '' ) {
            $error['venue'] = 1;
        }

        if ( !isset($error) ) {
            echo "<center><br><p class=success>You have successfully created an event.</p><br> </center>";
            $sql = 'INSERT INTO `events` (`user`,`eventname`,`sport`,`state`,`venue`,`month`,`day`,`year`,`pubpriv`) values (\''
                 . mysql_real_escape_string($_SESSION['user']) . '\',\''
                 . mysql_real_escape_string($_POST['EventName']) . '\',\''
                 . mysql_real_escape_string($_POST['Sport']) . '\',\''
                 . mysql_real_escape_string($_POST['State']) . '\',\''
                 . mysql_real_escape_string($_POST['Venue']) . '\',\''
                 . mysql_real_escape_string($_POST['Month']) . '\',\''
                 . mysql_real_escape_string($_POST['Day']) . '\',\''
                 . mysql_real_escape_string($_POST['Year']) . '\',\''
                 . mysql_real_escape_string($_POST['PubPriv']) . '\')';
            $res = mysql_query($sql) or die(mysql_error());
        } else {
            if ( isset($error['eventname']) ) {
                echo "<center><br><p class=loginfailure>You must enter a name for your event.</p><br> </center>";
            }
            if ( isset($error['venue']) ) {
                echo "<center><br><p class=loginfailure>You must enter a venue for your event.</p><br> </center>";
            }
            if ( isset($error['event']) ) {
                echo "<center><br><p class=loginfailure>There were errors creating your event. Please try again.</p><br> </center>";
            }
        }
    }
    ?>
    <form name="form1" method="post" action="">
      <strong>Creating your event is quick and easy.</strong><br><br>
      <label>
        Event Name:<br>
        <input type="text" name="EventName" id="EventName">
      </label>
      <br><br>
      <label>
        Sport:<br>
        <select name="Sport" id="Sport">
          <option value="Baseball">Baseball</option>
          <option value="Basketball">Basketball</option>
          <option value="Football">Football</option>
          <option value="Hockey">Hockey</option>
        </select>
      </label>
      <br><br>
      State:<br>
      <label>
        <select name="State" id="State">
          <option value="STATES ARE HERE">STATES ARE HERE</option>
        </select>
      </label>
      <br><br>
      Venue / Location:<br>
      <label>
        <input type="text" name="Venue" id="Venue">
      </label>
      <br><br>
      Event Date:<br>
      <label>
        <select name="Month" id="Month">
          <option value="1">January</option>
          <option value="2">February</option>
          <option value="3">March</option>
          <option value="4">April</option>
          <option value="5">May</option>
          <option value="6">June</option>
          <option value="7">July</option>
          <option value="8">August</option>
          <option value="9">September</option>
          <option value="10">October</option>
          <option value="11">November</option>
          <option value="12">December</option>
        </select>
        /
        <select name="Day" id="Day">
          <option value="DAYS OF THE MONTH ARE HERE">DAYS OF THE MONTH ARE HERE</option>
        </select>
        /
        <select name="Year" id="Year">
          <option value="2010">2010</option>
          <option value="2011">2011</option>
          <option value="2012">2012</option>
          <option value="2013">2013</option>
          <option value="2014">2014</option>
          <option value="2015">2015</option>
        </select>
      </label>
      <br><br>
      Public or Private:<br>
      <label>
        <select name="PubPriv" id="PubPriv">
          <option value="Public">Public</option>
          <option value="Private">Private</option>
        </select>
      </label><br><br>
      <input type="submit" name="Submit" id="Submit" value="Create Event">
    </form>

If anybody could provide some guidance as to why the page may be displaying another user's events it would be greatly appreciated. Thank you!

Link: https://forums.phpfreaks.com/topic/208225-logged-in-users-seeing-other-users-information/
PFMaBiSmAd Posted July 19, 2010

    $query = "SELECT * FROM events WHERE user = $user";

^^^ Where are you setting the $user variable for the above query?

Edit: And where in the mysa-events.php code are you verifying that the current visitor is logged in?
simshaun Posted July 19, 2010

In mysa-events.php, where is $user coming from?

Also, sorta unrelated, do you have anything in place on manageevent.php to prevent me from editing somebody else's event?
dpedroia Posted July 19, 2010

Ah, the $user variable isn't "declared" anywhere, per se. I'm relatively new to PHP, but I've added (and forgot to put in my initial post):

    <?php
    if ( isset($_SESSION['user']) ) {

to the mysa-events.php page. I'd assumed $user would read the 'user' ID and thus output that particular user's events. I guess this is definitely where the issue lies. Now, I believe what I need to do is modify:

    $query = "SELECT * FROM events WHERE user = $user";

by declaring what $user is, but I'm unsure of how to set $user to the user ID of the person logged in.

As for ensuring manageevent.php will only output your events, I'll have a check to make sure the logged-in user's ID matches the user ID of the event creator, but that's yet to come. Thanks again.
simshaun Posted July 19, 2010

If register_globals were on, $user would pull it out of the session. But seeing as how register_globals is bad and you shouldn't be using it, you would use $_SESSION['user'] to get the user's id.
dpedroia Posted July 19, 2010

Quote (simshaun): If register_globals were on, $user would pull it out of the session. But seeing as how register_globals is bad and you shouldn't be using it, you would use $_SESSION['user'] to get the user's id.

Okay, I added:

    $user = $_SESSION['user'];

above

    $max_col = 100;
    $query = "SELECT * FROM events WHERE user = $user";
    $result = mysql_query($query) or die(mysql_error());

to get

    $user = $_SESSION['user'];
    $max_col = 100;
    $query = "SELECT * FROM events WHERE user = $user";
    $result = mysql_query($query) or die(mysql_error());

in mysa-events.php, but the issue still seems to be present. I'm logged into the test account and the events under 'Manage Your Events' continuously rotate between "The Fens Showdown" and "I'm Hungry for French Fries" (both test events). In my database, the '[email protected]' account has a user ID of 7. The event "The Fens Showdown" was created by the user with an ID of 6. "I'm Hungry for French Fries" was created by the user with an ID of 7. After clicking around and going back to mysa-events.php nearly 50 times I've only seen those two events alternate; don't know if this is a coincidence or if the other event, "Public Event", is not showing for a reason.
simshaun Posted July 19, 2010

After calling session_start(), put

    echo '<pre>'; print_r($_SESSION); echo '</pre>';

and verify $_SESSION['user'] is staying the same.
dpedroia Posted July 19, 2010

Quote (simshaun): After calling session_start(), put echo '<pre>'; print_r($_SESSION); echo '</pre>'; and verify $_SESSION['user'] is staying the same.

Hmm, did that and it seems to be randomly alternating between 6 and 7 still. It doesn't seem to be happening after any certain number of page clicks, refreshes, etc., and happens on more than the mysa-events.php page (I've noticed the ID changing on all of the Standings pages as well using that line of code).
PFMaBiSmAd Posted July 19, 2010

The problem is because you are getting two different sessions because you are changing the URL between one that has a www. on it and one that doesn't. If you log in at www.yourdomain.com and log in at just yourdomain.com you will get a different event to show for that test account.

You need to either cause your site to redirect non-www addresses to the www. version and/or set the session.cookie_domain so that it matches all variations of your domain.
dpedroia Posted July 19, 2010

Quote (PFMaBiSmAd): The problem is because you are getting two different sessions because you are changing the URL between one that has a www. on it and one that doesn't. If you log in at www.yourdomain.com and log in at just yourdomain.com you will get a different event to show for that test account. You need to either cause your site to redirect non-www addresses to the www. version and/or set the session.cookie_domain so that it matches all variations of your domain.

Very interesting, I would've never considered that as a possible reason. I tried 'mydomain.com/...' and 'www.mydomain.com/...' and did notice a difference. Definitely will give this a shot and I'll report back with the results.
dpedroia Posted July 19, 2010

(Unintentional bump; could not modify my previous reply)

So I added the following to my .htaccess:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
    RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

and now all non-WWW visits are being forced to WWW. I had some issues with the same events being displayed but cleared my cookies and tried again; all seems to be well. I'll wait 24 hours to see if everything remains the same. Thanks to all who assisted thus far. Hoping the issue is now resolved for good!
dpedroia Posted July 21, 2010

Well, although it looked like the problem was resolved by forcing all users/visitors to 'www', it apparently wasn't. I was just clicking around on the site and noticed the problem still exists with being able to view other users' events. Does anyone have any further opinions as to why this could be happening? I modified my .htaccess file as stated before to force all visitors to 'www'.

My login.php file is:

    <?php
    require_once('config.php');

    if ( isset($_POST['Login']) ) {
        $sql = 'SELECT * FROM `users` where `email` = \'' . mysql_real_escape_string($_POST['Username'])
             . '\' and `password` = \'' . mysql_real_escape_string($_POST['Password']) . '\'';
        $res = mysql_query($sql);

        if ( mysql_num_rows($res) != 0 ) {
            $row = mysql_fetch_array($res);
            $_SESSION['user'] = $row['id'];
            header('Location:index.php');
            exit;
        } else {
            echo "<center><br><p class=loginfailure>Invalid login. Please check your credentials and try again.</p><br> </center>";
        }
    }
    ?>
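An added example, not code from the thread or from the original poster: a replacement for the posted config.php/login.php pair that addresses two things visible above. First, the www/non-www session split PFMaBiSmAd diagnosed, handled in PHP by giving the session cookie one Domain that covers both hosts (the .htaccess redirect posted earlier is the other option). Second, the login itself: the posted query concatenates user input into SQL and compares the password column directly, which only works if passwords are stored in plaintext. The version below uses a bound parameter, password_verify(), and a fresh session ID on login. Everything not in the thread is an assumption: PHP 7.3 or later (array form of session_set_cookie_params), the placeholder host example.com, the PDO DSN and credentials, a `users`.`password` column holding password_hash() output, and the function names.

```php
<?php
// auth.php: added example, not the thread's code. Assumptions: PHP >= 7.3,
// the site is served as both example.com and www.example.com (placeholders),
// the DSN/credentials are placeholders, and users.password holds
// password_hash() output rather than the plaintext the posted query compares.
declare(strict_types=1);

function start_secure_session(string $cookieDomain): void
{
    // One cookie Domain that covers the bare and the www host, so the browser
    // presents the same PHPSESSID on either and a user does not end up with
    // two different sessions depending on which hostname they typed.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => (($_SERVER['HTTPS'] ?? 'off') !== 'off'),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse session IDs the server never issued (closes session fixation
    // through a caller-supplied PHPSESSID).
    ini_set('session.use_strict_mode', '1');
    // register_globals was removed in PHP 5.4; ini_get() returns false there.
    // On an older host it must be off, otherwise $user and $_SESSION['user']
    // are the same variable and any code that assigns $user rewrites the session.
    if (ini_get('register_globals')) {
        http_response_code(500);
        exit('register_globals must be disabled');
    }
    session_start();
}

function connect_db(): PDO
{
    return new PDO(
        'mysql:host=ADDRESS;dbname=sportaccess;charset=utf8mb4', // placeholders
        'USERNAME',
        'PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Returns the user id on success, null on failure. Echoes nothing, so the
// caller decides how to render the outcome.
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the account does not exist, so an
    // unknown e-mail and a wrong password take about the same time.
    $hash = $row ? $row['password'] : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if (!$row || !$ok) {
        return null;
    }
    // Fresh session ID at the moment privilege changes: an ID planted before
    // login never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user'] = (int) $row['id'];
    return (int) $row['id'];
}

// Request handling, i.e. what the posted login.php did around its query.
start_secure_session('example.com');
if (isset($_POST['Login'])) {
    $pdo = connect_db();
    $id  = login($pdo, (string) ($_POST['Username'] ?? ''), (string) ($_POST['Password'] ?? ''));
    if ($id !== null) {
        header('Location: index.php');
        exit;
    }
    echo "<center><br><p class=loginfailure>Invalid login. Please check your credentials and try again.</p><br> </center>";
}
```

The cookie Domain only fixes the split if every page starts the session through this one function; a page that calls a bare session_start() before the cookie parameters are set will issue a host-only cookie again. Existing plaintext passwords have to be re-hashed with password_hash() (for example on each user's next successful login) before password_verify() will accept them.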
PFMaBiSmAd Posted July 21, 2010

You need to investigate if, where, and how $_SESSION['user'] is getting set to a different value.
dpedroia Posted July 21, 2010

Quote (PFMaBiSmAd): You need to investigate if, where, and how $_SESSION['user'] is getting set to a different value.

Thanks, just checked and searched the entire root folder containing all website files for instances of "$_SESSION" and the only two places where $_SESSION['user'] could even remotely potentially be taking on another value are in mysa-events.php and login.php, as seen below:

mysa-events.php

    <?php
    $user = $_SESSION['user'];
    $max_col = 100;
    $query = "SELECT * FROM events WHERE user = $user";
    $result = mysql_query($query) or die(mysql_error());

    echo "<table class='sortable tableFormat' cellspacing=5>
          <tr>
            <th>Event ID </th>
            <th>Event Name </th>
            <th>Sport </th>
            <th>State </th>
            <th>Venue </th>
            <th>Date </th>
            <th>Manage </th>
          </tr>";

    $col = 0;
    while ($row = mysql_fetch_array($result)) {
        extract($row);
        $col++;
        echo "<tr>
                <td><a href=events.php?event=$id>$id</a> </td>
                <td>$eventname </td>
                <td>$sport </td>
                <td>$state </td>
                <td>$venue </td>
                <td>$month/$day/$year </td>
                <td><a href=manageevent.php?event=$id>Manage</a> </td>
              </tr>";
    }
    echo "</table>";
    ?>

login.php

    <?php
    require_once('config.php');

    if ( isset($_POST['Login']) ) {
        $sql = 'SELECT * FROM `users` where `email` = \'' . mysql_real_escape_string($_POST['Username'])
             . '\' and `password` = \'' . mysql_real_escape_string($_POST['Password']) . '\'';
        $res = mysql_query($sql);

        if ( mysql_num_rows($res) != 0 ) {
            $row = mysql_fetch_array($res);
            $_SESSION['user'] = $row['id'];
            header('Location:index.php');
            exit;
        } else {
            echo "<center><br><p class=loginfailure>Invalid login. Please check your credentials and try again.</p><br> </center>";
        }
    }
    ?>

These instances are `$user = $_SESSION['user'];` in mysa-events.php and `$_SESSION['user'] = $row['id'];` in login.php, and are the only calculations involving $_SESSION['user']. All other instances are in if-statements checking if the user is logged in and wouldn't in any way alter the value of $_SESSION['user'].
PFMaBiSmAd Posted July 21, 2010

    extract($row);

If register_globals are on (what does a phpinfo() statement show for register_globals?), when you use extract on each row from your query, it is setting $user and that would be setting $_SESSION['user'] with the last value retrieved from the database.

If you are going to use extract(), you should use it with a prefix (see the EXTR_PREFIX_ALL setting) so that there is no chance that it will overwrite any of your existing variables.
dpedroia Posted July 21, 2010

Quote (PFMaBiSmAd): extract($row); If register_globals are on (what does a phpinfo() statement show for register_globals?), when you use extract on each row from your query, it is setting $user and that would be setting $_SESSION['user'] with the last value retrieved from the database. If you are going to use extract(), you should use it with a prefix (see the EXTR_PREFIX_ALL setting) so that there is no chance that it will overwrite any of your existing variables.

phpinfo() is showing:

    register_globals    On    On

('Local Value | Master Value' for On and On, respectively), so apparently register_globals is on.

I'm relatively new to PHP and don't really understand the prefix part. I've read a bit on EXTR_PREFIX_ALL and understand I should modify extract to something like the following:

    extract($row, EXTR_PREFIX_ALL, 'row')

Does this look right? Ah, I am referencing the instructions found on w3schools.com but do not understand Example 2 and how, why or where 'dup' comes into play for that particular example.
Pikachu2000 Posted July 21, 2010

You need to kill register_globals. Your hosting company should have instructions on how to use a local php.ini file to override the global ini settings. They really shouldn't even have it on by default at all.
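An added example, not code from the thread, showing the fix for the two defects the last few posts identify: extract($row) overwriting $user (and, with register_globals on, $_SESSION['user']) on every loop iteration, and the missing ownership check on manageevent.php that simshaun asked about. With EXTR_PREFIX_ALL and the prefix 'row', extract() would create $row_id, $row_user, $row_eventname and so on and leave $user alone, which answers the question above; the example avoids extract() altogether and reads the columns explicitly, which is the more common idiom. Assumptions not taken from the thread: config.php has already started the session and provides a PDO handle in $pdo, login.php stores the integer user id in $_SESSION['user'] (as the posted login.php does), and the function names are mine.

```php
<?php
// events_auth.php: added example, not the thread's code. Assumes config.php
// has called session_start() and exposes a PDO handle in $pdo, and that
// $_SESSION['user'] holds the integer id written by login.php.
declare(strict_types=1);

// The only source of identity is the session, read explicitly. The posted
// code read a bare $user, which register_globals had aliased to
// $_SESSION['user'] and which extract($row) then reassigned on every row.
function current_user_id(): int
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user'];
}

// One user's events, with the id bound as a parameter instead of interpolated.
function list_owned_events(PDO $pdo, int $userId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, eventname, sport, state, venue, month, day, year
           FROM events WHERE user = ? ORDER BY year, month, day'
    );
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Per-object authorization for manageevent.php: the event id from the URL is
// accepted only if that row belongs to the logged-in user. Returns null
// otherwise, so the page never operates on another user's row.
function load_owned_event(PDO $pdo, int $eventId, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM events WHERE id = ? AND user = ?');
    $stmt->execute([$eventId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape before echoing: event names and venues are user-supplied.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// What mysa-events.php renders.
function page_my_events(PDO $pdo): void
{
    $userId = current_user_id();
    echo "<table class='sortable tableFormat' cellspacing=5><tr><th>Event ID</th>"
       . '<th>Event Name</th><th>Sport</th><th>State</th><th>Venue</th><th>Date</th><th>Manage</th></tr>';
    foreach (list_owned_events($pdo, $userId) as $row) {
        // Explicit $row[...] access: no column name can shadow $userId.
        $id = (int) $row['id'];
        echo "<tr><td><a href=\"events.php?event=$id\">$id</a></td>"
           . '<td>' . h($row['eventname']) . '</td><td>' . h($row['sport']) . '</td>'
           . '<td>' . h($row['state']) . '</td><td>' . h($row['venue']) . '</td>'
           . '<td>' . h($row['month'] . '/' . $row['day'] . '/' . $row['year']) . '</td>'
           . "<td><a href=\"manageevent.php?event=$id\">Manage</a></td></tr>";
    }
    echo '</table>';
}

// What manageevent.php does before it shows or changes anything.
function page_manage_event(PDO $pdo): array
{
    $eventId = filter_input(INPUT_GET, 'event', FILTER_VALIDATE_INT);
    $event   = ($eventId === null || $eventId === false)
        ? null
        : load_owned_event($pdo, $eventId, current_user_id());
    if ($event === null) {
        http_response_code(404); // not 403: do not confirm that the id exists
        exit('No such event.');
    }
    return $event; // safe to render an edit form for, or to UPDATE/DELETE by id
}
```

mysa-events.php becomes `require 'config.php'; require 'events_auth.php'; page_my_events($pdo);` and manageevent.php starts with `$event = page_manage_event($pdo);`. Any UPDATE or DELETE in manageevent.php should keep the same `WHERE id = ? AND user = ?` shape rather than trusting that the earlier SELECT already checked ownership.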
fantomel Posted July 21, 2010

Well, I'm quite tired, it's almost morning, but if the $user var doesn't come from $_SESSION['user'] (or however it is there) then the user can simply modify his username there and the SQL will retrieve that one (if it isn't provided by the session). I think you should solve the problem by first checking if $user == $_SESSION['user'] and only then perform the query (that's the method I'm using). If anyone has a better idea / method please post it (someone with more experience). Cheers.

Later edit: if I made a mistake I apologize, but I'm sleepy, very sleepy, can't fix very well.
dpedroia Posted July 23, 2010

Sorry for the late reply. Since I'm on a shared hosting account the company could not universally kill register_globals, so I turned them off manually using a php.ini file and setting:

    register_globals = false

No problems yet. Hopefully this was the fix needed; will report back if further issues arise. Thanks again for the help thus far.