How to stop a logged in user from editing another user's details?


Rbo99


Hi there,

 

I've been bashing my brains out to try and get this happening, but seem to be striking a brick wall on this one and I am up against a deadline (having limped past the slightly injured ones a week ago *smile*)

 

I can get my users registered, logged in and editing their information in the MySQL table; however, they are also able to edit other users' data too.

 

Could you please give me a simple method for restricting users to only changing their own data? (Preferably in simple terms; my brain's gone to mush after a week of obsessing.) Sincere apologies for the appalling mess I've made trying to get it happening with trial and error, over hours with only Google searches to assist.

 

Here's a sample of the relevant code:

 

view_users.php

<?php # view_users.php
#This script retrieves all the records from the users table.
//Set the page title and include the HTML header
//This allows the results to be sorted in different ways.
$page_title = 'View the Current Members';
include ('./includes/member_header.html');
//Page header
echo'<h1 id="mainhead">View the Current Members</h1>';
require_once('../mysql_connect.php');//Connect to the db.
//Number of records to show per page
$display = 10;
//Determine how many pages there are
if (isset($_GET['np'])){//Already determined
$num_pages = (int) $_GET['np'];//Cast to int: never trust GET input
}else{//Need to determine
//Count the number of records
$query = "SELECT COUNT(*) FROM users";//No space before the parenthesis, and no ORDER BY needed for a count
$result = @mysql_query($query);
$row = @mysql_fetch_array($result, MYSQL_NUM);
$num_records = $row[0];
//Calculate the number of pages
if($num_records > $display){//More than 1 page
	$num_pages = ceil($num_records/$display);
}else{
	$num_pages = 1;
}
}//End of np IF
//Determine where in the database to start returning results
if (isset($_GET['s'])){
$start=(int) $_GET['s'];//Cast to int before it is used in the LIMIT clause
}else{
$start=0;
}
//Default column links
$link1 = "{$_SERVER['PHP_SELF']}?sort=lna";
$link2 = "{$_SERVER['PHP_SELF']}?sort=fna";
$link3 = "{$_SERVER['PHP_SELF']}?sort=dra";
//Determine the sorting order
if(isset($_GET['sort'])){
//Use existing order
switch ($_GET['sort']){
	case 'lna':
		$order_by = 'last_name ASC';
		$link1 = "{$_SERVER['PHP_SELF']}?sort=lnd";
		break;
	case 'lnd':
		$order_by = 'last_name DESC';
		$link1 = "{$_SERVER['PHP_SELF']}?sort=lna";
		break;
	case 'fna':
		$order_by = 'first_name ASC';
		$link2 = "{$_SERVER['PHP_SELF']}?sort=fnd";
		break;
	case 'fnd':
		$order_by = 'first_name DESC';
		$link2 = "{$_SERVER['PHP_SELF']}?sort=fna";
		break;
	case 'dra':
		$order_by = 'registration_date ASC';
		$link3 = "{$_SERVER['PHP_SELF']}?sort=drd";
		break;
	case 'drd':
		$order_by = 'registration_date DESC';
		$link3 = "{$_SERVER['PHP_SELF']}?sort=dra";
		break;
	default:
		$order_by = 'registration_date DESC';
		break;
}
//$sort will be appended to the pagination links
$sort = $_GET['sort'];
}else{//Use default sorting order
$order_by = 'registration_date ASC';
$sort = 'dra';//Matches the default order above
}
//Make the query
$query = "SELECT last_name, first_name, DATE_FORMAT(registration_date, '%d %M %Y') AS dr, user_id FROM users ORDER BY $order_by LIMIT $start, $display";
$result = @mysql_query($query); //Run the query
//Table header
echo '<table align="center" cellspacing="0" cellpadding="5">
<tr>
<td align="left"><b>Edit</b></td>
<td align="left"><b>Delete</b></td>
<td align="left"><b><a href="'.$link1.'">Last Name</a></b></td>
<td align="left"><b><a href="'.$link2.'">First Name</a></b></td>
<td align="left"><b><a href="'.$link3.'">Date Registered</a></b></td>
</tr>
';
//Fetch and print all the records
$bg='#eeeeee';//Set the background colour
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)){
$bg=($bg=='#eeeeee' ? '#ffffff' : '#eeeeee'); //Switch the background colour
echo '<tr bgcolor="'.$bg.'">

	<td align="left"><a href="edit_user.php?id='.$row['user_id'].'">Edit</a></td>
	<td align="left"><a href="delete_user.php?id='.$row['user_id'].'">Delete</a></td>

	<td align="left">'.$row['last_name'].'</td>
	<td align="left">'.$row['first_name'].'</td>
	<td align="left">'.$row['dr'].'</td>
</tr>
';
}
echo '</table>';//Close the table

edit_user.php
<link href="css/layout.css" rel="stylesheet" type="text/css" />
<?php # edit_user.php
//This page edits a user
//This page is accessed through view_users.php
$page_title = 'Edit a User';
include ('includes/member_header.html');
echo'<h1 id="mainhead">Edit your details</h1>';
//Check for a valid user ID, through GET or POST
if ((isset($_GET['id']))&&(is_numeric($_GET['id']))){//Accessed through view_users.php
$id = (int) $_GET['id'];
}elseif((isset($_POST['id']))&&(is_numeric($_POST['id']))){//Form has been submitted
$id = (int) $_POST['id'];
}else{//No valid ID, kill the script
echo'<h1 id="mainhead">PAGE ERROR</h1>
<p class="error">You are not logged in, Please try again.</p><p><br/><br/></p>';
include('includes/member_footer.html');
exit();
}
/*require_once ('../mysql_connect.php');//Connect to database
$query="SELECT user_id FROM users WHERE user_id =$id";
$result=mysql_query($query);
if(mysql_num_rows($result)==0){
	echo'<h1 id="mainhead">PAGE ERROR</h1>
<p class="error">You have attempted to access another user's details, please try again!</p><p><br/><br/></p>';
include('includes/member_footer.html');
exit();
}*/
/*if ((isset($_COOKIE['user_id']))) != ((isset($_GET['id'])))
echo'<h1 id="mainhead">PAGE ERROR</h1>
<p class="error">You have attempted to access another user's details, please try again!</p><p><br/><br/></p>';
include('includes/member_footer.html');
exit();
}*/
//Check if the form has been submitted
if(isset($_POST['submitted'])){
$errors=array();//Initialise error array
//Check for a first name
if (empty($_POST['first_name'])){
	$errors[]='You forgot to enter your first name.';
}else{
	$fn=escape_data($_POST['first_name']);
}
//Check for last name
	if (empty($_POST['last_name'])){
	$errors[]='You forgot to enter your last name.';
}else{
	$ln=escape_data($_POST['last_name']);
}
//Check for postcode
	if (empty($_POST['postcode'])){
	$errors[]='You forgot to enter a valid postcode.';
}else{
	$pc=escape_data($_POST['postcode']);
}	
//Check for an email address
	if (empty($_POST['email'])){
	$errors[]='You forgot to enter your email address.';
}else{
	$e=escape_data($_POST['email']);
}
if(empty($errors)){//If everything is ok
//Test for a unique email address
$query="SELECT user_id FROM users WHERE email='$e' AND user_id !=$id";
$result=mysql_query($query);
if(mysql_num_rows($result)==0){

Many thanks,

Bill


You're passing the user's id through $_GET, which is why it is easy for anyone to edit any other user's profile.

When the user logs in, you should set some session variables; userID would be one.

Then, when the user goes to the edit page, it will update the database WHERE userID = {$_SESSION['userID']}.

 

Have a look here for a quick sessions tutorial: http://www.tizag.com/phpT/phpsessions.php
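An added example (not code from either post in this thread) that applies the reply's advice to the asker's edit_user.php: the user's identity is taken from $_SESSION, set once at login, and the id the browser sends is only compared against it, never trusted. It also replaces the mysql_* string-built queries with bound parameters. Assumed and not from the thread: a mysqli connection in $dbc, and a password_hash column on the users table alongside the columns the asker's code already uses (user_id, first_name, last_name, postcode, email).

```php
<?php
// Added example, not the original poster's or the reply's code.
// Assumed (not in the thread): $dbc is a mysqli connection, and `users` has
// a password_hash column (output of password_hash()) in addition to user_id,
// first_name, last_name, postcode and email.
session_start();

// 1. On successful login, record server-side who this session belongs to.
function login(mysqli $dbc, string $email, string $password): bool
{
    $stmt = $dbc->prepare('SELECT user_id, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                   // fresh session id once authenticated
    $_SESSION['user_id'] = (int) $row['user_id'];  // the only trusted source of identity
    return true;
}

// 2. The id the browser asked for must equal the session's own id. This keeps
//    the existing edit_user.php?id=N links working while refusing other ids.
function authorise_edit(?string $requested_id): int
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('You are not logged in.');
    }
    $own = (int) $_SESSION['user_id'];
    if ($requested_id !== null && (int) $requested_id !== $own) {
        http_response_code(403);                   // the case the asker ran into
        exit('You may only edit your own details.');
    }
    return $own;
}

// 3. Every query is keyed on the session's id and uses bound parameters.
function update_own_details(mysqli $dbc, int $uid, array $post): array
{
    $errors = [];
    foreach (['first_name', 'last_name', 'postcode', 'email'] as $field) {
        if (empty($post[$field])) {
            $errors[] = "You forgot to enter your $field.";
        }
    }
    if ($errors) {
        return $errors;
    }
    // Unique-email check, excluding our own row
    $stmt = $dbc->prepare('SELECT user_id FROM users WHERE email = ? AND user_id != ?');
    $stmt->bind_param('si', $post['email'], $uid);
    $stmt->execute();
    if ($stmt->get_result()->num_rows > 0) {
        return ['That email address is already registered.'];
    }
    // WHERE is bound to the session's user_id, so only our own row can change
    $stmt = $dbc->prepare(
        'UPDATE users SET first_name = ?, last_name = ?, postcode = ?, email = ? WHERE user_id = ?'
    );
    $stmt->bind_param('ssssi', $post['first_name'], $post['last_name'],
                      $post['postcode'], $post['email'], $uid);
    $stmt->execute();
    return [];
}

// edit_user.php glue: whatever id the browser sent is checked, not trusted.
$uid = authorise_edit($_GET['id'] ?? $_POST['id'] ?? null);
if (isset($_POST['submitted'])) {
    $errors = update_own_details($dbc, $uid, $_POST);
    echo $errors
        ? '<p class="error">' . htmlspecialchars(implode(' ', $errors)) . '</p>'
        : '<p>Your details have been updated.</p>';
}
```

The same comparison belongs in delete_user.php, since view_users.php links to it with the same id parameter. If an administrator is later meant to edit other members, give that role its own session flag checked in authorise_edit rather than reopening the id parameter to everyone.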
