Please help passing session to next page

[lingo5]

Hi,

I have a user/password protected page that displays a list of clients.

When clicking on them you're redirected to the client record update page. This is how I am linking to taht page now:

<a href="DIST_clientes_update.php?id_cliente=<?php echo $row_clients_RS['id_cliente']; ?>

The problem with this is that the client id is appended to the url and so if the user chnges it will be able to access records from a different user...and I dont want that.

So I have created a session:

$_SESSION["idCliente"] = $row_clients_RS['id_cliente'];

but how do I pass it to the update page without showing in the url?

Thanks

 

[Pikachu2000]

Remove the ? and everything after it from the URL string, then use the $_SESSION variable instead of the $_GET variable for the subsequent query.

[lingo5]

sorry Pikachu, is this what you mean?

 

<a href="DIST_clientes_update.php<?php echo $_SESSION["idCliente"];?>

[Drummin]

At the top of your new page add...

<?PHP
session_start();
$idCliente=$_SESSION["idCliente"];
//Then user variable for queries etc.

[Pikachu2000]

sorry Pikachu, is this what you mean?

 

<a href="DIST_clientes_update.php<?php echo $_SESSION["idCliente"];?>

 

No. There should be nothing appended to the URL when you're using a $_SESSION variable (unless there is some other parameter that you aren't using a $_SESSION variable for).

[lingo5]

OK, I'm a bit confused now... I have created a session after the query in my main page like this:

mysql_select_db($database_MySQLconnect, $MySQLconnect);
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE cliente_isclientOf = %s", GetSQLValueString($colname_clientes_RS, "text"));
$query_limit_clientes_RS = sprintf("%s LIMIT %d, %d", $query_clientes_RS, $startRow_clientes_RS, $maxRows_clientes_RS);
$clientes_RS = mysql_query($query_limit_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);

session_start();
$_SESSION["idCliente"] = $row_clientes_RS['id_cliente'];//creamos sesion id para que no se vea en la url

 

this should get the client id for each client right

 

Then I'm linking each client on the list to the update page like this:

 

<a href="DIST_clientes_update.php

 

At the top of the update page I have this:

session_start();
$idCliente=$_SESSION["idCliente"];

 

My update query is like this:

ysql_select_db($database_MySQLconnect, $MySQLconnect);
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = $idCliente", GetSQLValueString($colname_clientes_RS, "int"));
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);
$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

 

..but all I get on the update page is the first client from the list no matter on which client from the list I click....

[Pikachu2000]

How about providing an overall description of what it is you're trying to accomplish?

[litebearer]

VERY rough thought process...

 

login00.php

this page displays the form for the user/client to login

 

login01.php

<?PHP

session_start();

process the info from login00.php

if NOT valid user, send back to login00.php

if VALID user, set a session variable; $_SESSION['userid'] = id from user table

send to welcome page

 

welcome.php (AND ALL user only pages)

<?PHP

session_start();

1. check that $_SESSION['userid'] is set AND that it an integer >0; if NOT send to login00.php

2. display page content

 

edit00.php (the page where user can edit his own data)

<?PHP

session_start();

1. check that $_SESSION['userid'] is set AND that it an integer >0; if NOT send to login00.php

2. query db WHERE userid == $_SESSION['userid']

3. display data from db for editing

[lingo5]

OK, the login process I have sorted, my problem is that I want each user to be able to:

 

1. see his clients only

2. update these clients

 

Step 1 I have achieved by selecting those clients linked up to the user's login name by using a username session.

 

Now, once I've pulled up the list of clients for a given user, I need to be able to edit them by clicking on them and opening them in the update page.

I want to do this without appending the id_cliente to the url for obvious reasons.

 

So what I need to do is to create a session that gets the id_cliente for each client on the client list and pass it on to the update page.

 

...I'm all confused now

[lingo5]

Is this possible at all?. Why is the session $_session['id_cliente'] not passing the values of each client and just the value of the first client of the list instead?

Please, I need to see the light. Thanks

[Pikachu2000]

I don't think you're going about it right, now that I see a bigger picture of what you're after. You need to go back to the way you had it, passing the value in the URL with $_GET variables, and then use the id of the logged in user (which hopefully is already in a $_SESSION variable) in the query as well, to make sure the user 'owns'  the record that he is attempting to access.

[lingo5]

Thanks Pikachu. How would I include the user session variable in the query?...would it be something like this?

SELECT FROM mytable 
WHERE id_cliente=passed-url-value 
AND user_session = $_SESSSION['my_user_session']

[lingo5]

Thanks a lot Pikachu...i have added a new owner_username column to the database that stores the login username.

I have then created a query that pulls a client record from the dB acording to the owner_username:

$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = %s AND owner_username= '$ownerusername'", 
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());

..and it works perfect. I have tried changing manually the client id passed in the URL to a client id belonging to a different user and by doing this a blank record is shown..which is perfect to test that the system is working BUT....now I would like to show a warning message instead of a blank record when this happens...is this something thatcan be done easily or is it something complicated?

 

Thanks again

[Muddy_Funster]

you could fling a message out on the page by checking the mysql_num_rows() of your query.  obviously there will not be any rows returned if the page has been accessed through error or maliciousness, so if mysql_num_rows($yourQuery) < 1 then show a message.

[lingo5]

Thanks Muddy,

where would I put that code in my query?...something like this?

 

mysql_select_db($database_MySQLconnect, $MySQLconnect);
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = %s AND owner_username= '$ownerusername'", GetSQLValueString($colname_clientes_RS, "int"));
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);
$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if mysql_num_rows($clientes_RS) < 1 
{
echo "ooooooops";

}

[Muddy_Funster]

that should work, you want to get it as close to the top of the page as you can, so less code is parsed before it is checked.  It would be better if changed slightly:

$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if mysql_num_rows($clientes_RS) < 1 
{
echo "ooooooops";

}

would be better as:

$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if ($totalRows_clientes_RS < 1 )
{
echo "ooooooops";
        break;
}

call the break within the if condition to protect the rest of your code (and to keep things light on the server, no need to parse code that's not going to get used).  Also, as you already assign the value of mysql_num_rows() to a variable, it's better to reuse the variable than call the function again.

[lingo5]

Thanks Muddy...I will try this after lunch!!!...

[lingo5]

Works great!!!!!...Thanks a lot Muddy.

Thanks everybody.