Rbo99 Posted November 14, 2010

Hi there, I've been bashing my brains out to try and get this happening, but seem to be striking a brick wall on this one and I am up against a deadline (having limped past the slightly injured ones a week ago *smile*).

I can get my users registered, logged in and editing their information in the MySQL table, however they are also able to edit other users' data too. Could you please give me a simple method for restricting users to only changing their own data? (Preferably in simple terms, my brain's gone to mush after a week of obsessing.)

Sincere apologies for the appalling mess I've made trying to get it happening with trial and error, over hours with only Google searches to assist.

Here's a sample of the relevant code:

view_users.php

```php
<?php
# view_users.php
# This script retrieves all the records from the users table.
# This allows the results to be sorted in different ways.

// Set the page title and include the HTML header
$page_title = 'View the Current Members';
include ('./includes/member_header.html'); // Page header
echo '<h1 id="mainhead">View the Current Members</h1>';
require_once('../mysql_connect.php'); // Connect to the db.

// Number of records to show per page
$display = 10;

// Determine how many pages there are
if (isset($_GET['np'])) { // Already determined
    $num_pages = (int) $_GET['np']; // cast: this value ends up in the SQL
} else { // Need to determine
    // Count the number of records
    $query = "SELECT COUNT(*) FROM users";
    $result = @mysql_query($query);
    $row = @mysql_fetch_array($result, MYSQL_NUM);
    $num_records = $row[0];
    // Calculate the number of pages
    if ($num_records > $display) { // More than 1 page
        $num_pages = ceil($num_records / $display);
    } else {
        $num_pages = 1;
    }
} // End of np IF

// Determine where in the database to start returning results
if (isset($_GET['s'])) {
    $start = (int) $_GET['s']; // cast: used unquoted in LIMIT below
} else {
    $start = 0;
}

// Default column links
$link1 = "{$_SERVER['PHP_SELF']}?sort=lna";
$link2 = "{$_SERVER['PHP_SELF']}?sort=fna";
$link3 = "{$_SERVER['PHP_SELF']}?sort=dra";

// Determine the sorting order
if (isset($_GET['sort'])) { // Use existing order
    switch ($_GET['sort']) {
        case 'lna':
            $order_by = 'last_name ASC';
            $link1 = "{$_SERVER['PHP_SELF']}?sort=lnd";
            break;
        case 'lnd':
            $order_by = 'last_name DESC';
            $link1 = "{$_SERVER['PHP_SELF']}?sort=lna";
            break;
        case 'fna':
            $order_by = 'first_name ASC';
            $link2 = "{$_SERVER['PHP_SELF']}?sort=fnd";
            break;
        case 'fnd':
            $order_by = 'first_name DESC';
            $link2 = "{$_SERVER['PHP_SELF']}?sort=fna";
            break;
        case 'dra':
            $order_by = 'registration_date ASC';
            $link3 = "{$_SERVER['PHP_SELF']}?sort=drd";
            break;
        case 'drd':
            $order_by = 'registration_date DESC'; // was last_name DESC, which sorted the wrong column
            $link3 = "{$_SERVER['PHP_SELF']}?sort=dra";
            break;
        default:
            $order_by = 'registration_date DESC';
            break;
    }
    // $sort will be appended to the pagination links
    $sort = $_GET['sort'];
} else { // Use default sorting order
    $order_by = 'registration_date ASC';
    $sort = 'drd';
}

// Make the query
$query = "SELECT last_name, first_name, DATE_FORMAT(registration_date, '%d %M %Y') AS dr, user_id
          FROM users ORDER BY $order_by LIMIT $start, $display";
$result = @mysql_query($query); // Run the query

// Table header
echo '<table align="center" cellspacing="0" cellpadding="5">
<tr>
    <td align="left"><b>Edit</b></td>
    <td align="left"><b>Delete</b></td>
    <td align="left"><b><a href="' . $link1 . '">Last Name</a></b></td>
    <td align="left"><b><a href="' . $link2 . '">First Name</a></b></td>
    <td align="left"><b><a href="' . $link3 . '">Date Registered</a></b></td>
</tr>
';

// Fetch and print all the records
$bg = '#eeeeee'; // Set the background colour
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $bg = ($bg == '#eeeeee' ? '#ffffff' : '#eeeeee'); // Switch the background colour
    echo '<tr bgcolor="' . $bg . '">
    <td align="left"><a href="edit_user.php?id=' . $row['user_id'] . '">Edit</a></td>
    <td align="left"><a href="delete_user.php?id=' . $row['user_id'] . '">Delete</a></td>
    <td align="left">' . $row['last_name'] . '</td>
    <td align="left">' . $row['first_name'] . '</td>
    <td align="left">' . $row['dr'] . '</td>
</tr>
';
}
```

edit_user.php

```php
<link href="css/layout.css" rel="stylesheet" type="text/css" />
<?php
# edit_user.php
// This page edits a user
// This page is accessed through view_users.php
$page_title = 'Edit a User';
include ('includes/member_header.html');
echo '<h1 id="mainhead">Edit your details</h1>';

// Check for a valid user ID, through GET or POST
if ((isset($_GET['id'])) && (is_numeric($_GET['id']))) { // Accessed through view_users.php
    $id = (int) $_GET['id'];
} elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) { // Form has been submitted
    $id = (int) $_POST['id'];
} else { // No valid ID, kill the script
    echo '<h1 id="mainhead">PAGE ERROR</h1>
    <p class="error">You are not logged in, Please try again.</p><p><br/><br/></p>';
    include('includes/member_footer.html');
    exit();
}

/*require_once ('../mysql_connect.php'); // Connect to database
$query = "SELECT user_id FROM users WHERE user_id = $id";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0) {
    echo '<h1 id="mainhead">PAGE ERROR</h1>
    <p class="error">You have attempted to access another user\'s details, please try again!</p><p><br/><br/></p>';
    include('includes/member_footer.html');
    exit();
}*/

/*if ((isset($_COOKIE['user_id']))) != ((isset($_GET['id'])))
    echo '<h1 id="mainhead">PAGE ERROR</h1>
    <p class="error">You have attempted to access another user\'s details, please try again!</p><p><br/><br/></p>';
    include('includes/member_footer.html');
    exit();
}*/

// Check if the form has been submitted
if (isset($_POST['submitted'])) {
    $errors = array(); // Initialise error array

    // Check for a first name
    if (empty($_POST['first_name'])) {
        $errors[] = 'You forgot to enter your first name.';
    } else {
        $fn = escape_data($_POST['first_name']);
    }

    // Check for last name
    if (empty($_POST['last_name'])) {
        $errors[] = 'You forgot to enter your last name.';
    } else {
        $ln = escape_data($_POST['last_name']);
    }

    // Check for postcode
    if (empty($_POST['postcode'])) {
        $errors[] = 'You forgot to enter a valid postcode.';
    } else {
        $pc = escape_data($_POST['postcode']);
    }

    // Check for an email address
    if (empty($_POST['email'])) {
        $errors[] = 'You forgot to enter your email address.';
    } else {
        $e = escape_data($_POST['email']);
    }

    if (empty($errors)) { // If everything is ok
        // Test for a unique email address
        $query = "SELECT user_id FROM users WHERE email='$e' AND user_id != $id";
        $result = mysql_query($query);
        if (mysql_num_rows($result) == 0) {
```

Many thanks,
Bill

https://forums.phpfreaks.com/topic/218614-how-to-stop-a-logged-in-user-from-editing-another-users-details/
joel24 Posted November 14, 2010

You're passing the user's id through $_GET, hence why it is easy for anyone to edit any other user's profile. When the user logs in, you should set some session variables; userID would be one. Then when the user goes to the edit page, it will update the database where userID={$_SESSION['userID']}. Have a look here for a quick sessions tutorial: http://www.tizag.com/phpT/phpsessions.php
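The pattern joel24 describes, written out as an added example (this is not the original poster's code, not joel24's, and not from any book the thread's code came from). The vulnerability in the posted edit_user.php is that the row to update is chosen by a client-supplied id, so the only authorization is "is it numeric"; the fix is to take the identity from the server-side session, set at login, and never from the URL or the form. The example assumes a users table with user_id, first_name, last_name, postcode, email and a password column holding a password_hash() value, a mysqli connection, and the file names login.php and edit_user.php; all of those names and the connection credentials are assumptions. It uses mysqli prepared statements rather than the thread's mysql_* calls, which also closes the injection in the unquoted $id.

```php
<?php
// Added example: authorize profile edits by the session's user id, not a request parameter.
// Assumed schema: users(user_id, first_name, last_name, postcode, email, password).
session_start();                                   // must precede any output and any $_SESSION use
$dbc = new mysqli('localhost', 'dbuser', 'dbpass', 'sitename'); // credentials are placeholders

// --- login.php: after the password checks out, record who this session belongs to.
function login_user(mysqli $dbc, string $email, string $password): bool
{
    $stmt = $dbc->prepare('SELECT user_id, password FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Assumes the stored value came from password_hash() (PHP >= 5.5).
    if (!$row || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);                   // fresh id on login blocks session fixation
    $_SESSION['user_id'] = (int) $row['user_id'];  // the only place user_id is ever set
    return true;
}

// --- edit_user.php: the id in the URL or hidden form field is not consulted at all.
function current_user_id(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Returns a list of error strings; an empty list means the row was updated.
function update_own_profile(mysqli $dbc, int $user_id, array $post): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'postcode', 'email'] as $field) {
        if (empty($post[$field])) {
            $errors[] = "You forgot to enter your $field.";
        }
    }
    if ($errors) {
        return $errors;
    }

    // Uniqueness check for the email, excluding the caller's own row.
    $stmt = $dbc->prepare('SELECT user_id FROM users WHERE email = ? AND user_id <> ?');
    $stmt->bind_param('si', $post['email'], $user_id);
    $stmt->execute();
    if ($stmt->get_result()->num_rows > 0) {
        return ['That email address is already registered.'];
    }

    // The WHERE clause is the authorization: only the session owner's row can change.
    $stmt = $dbc->prepare(
        'UPDATE users SET first_name = ?, last_name = ?, postcode = ?, email = ?
         WHERE user_id = ? LIMIT 1'
    );
    $stmt->bind_param('ssssi',
        $post['first_name'], $post['last_name'], $post['postcode'], $post['email'], $user_id);
    $stmt->execute();
    return [];
}

// Page flow for edit_user.php:
$uid = current_user_id();                          // redirects to login.php if not logged in
if (isset($_POST['submitted'])) {
    $errors = update_own_profile($dbc, $uid, $_POST);
    foreach ($errors as $msg) {
        echo '<p class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    if (!$errors) {
        echo '<p>Your details have been updated.</p>';
    }
}
```

Two consequences for the rest of the thread's code: the "Edit" link in view_users.php should point at edit_user.php with no id at all, since the page no longer needs one, and delete_user.php needs the same treatment (delete WHERE user_id = the session's id, or a separate admin role check stored in the session, never the id from the link). If administrators legitimately edit other members, that is a second code path gated on an admin flag set at login, not a relaxation of this one.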