
Hi,

I have a user/password protected page that displays a list of clients.

When clicking on them you're redirected to the client record update page. This is how I am linking to that page now:

<a href="DIST_clientes_update.php?id_cliente=<?php echo $row_clients_RS['id_cliente']; ?>

The problem with this is that the client id is appended to the URL, and so if the user changes it he will be able to access records from a different user... and I don't want that.

So I have created a session:

$_SESSION["idCliente"] = $row_clients_RS['id_cliente'];

but how do I pass it to the update page without showing in the url?

Thanks

 

sorry Pikachu, is this what you mean?

 

<a href="DIST_clientes_update.php<?php echo $_SESSION["idCliente"];?>

 

No. There should be nothing appended to the URL when you're using a $_SESSION variable (unless there is some other parameter that you aren't using a $_SESSION variable for).

OK, I'm a bit confused now... I have created a session after the query in my main page like this:

mysql_select_db($database_MySQLconnect, $MySQLconnect);
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE cliente_isclientOf = %s", GetSQLValueString($colname_clientes_RS, "text"));
$query_limit_clientes_RS = sprintf("%s LIMIT %d, %d", $query_clientes_RS, $startRow_clientes_RS, $maxRows_clientes_RS);
$clientes_RS = mysql_query($query_limit_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);

session_start();
$_SESSION["idCliente"] = $row_clientes_RS['id_cliente']; // create a session id so it does not show in the URL

 

This should get the client id for each client, right?

 

Then I'm linking each client on the list to the update page like this:

 

<a href="DIST_clientes_update.php

 

At the top of the update page I have this:

session_start();
$idCliente=$_SESSION["idCliente"];

 

My update query is like this:

mysql_select_db($database_MySQLconnect, $MySQLconnect);
// the id is passed through the %s placeholder instead of being interpolated into the string
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = %s", GetSQLValueString($idCliente, "int"));
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);
$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

 

..but all I get on the update page is the first client from the list no matter on which client from the list I click....

VERY rough thought process...

 

login00.php

this page displays the form for the user/client to login

 

login01.php

<?PHP

session_start();

process the info from login00.php

if NOT valid user, send back to login00.php

if VALID user, set a session variable; $_SESSION['userid'] = id from user table

send to welcome page

 

welcome.php (AND ALL user only pages)

<?PHP

session_start();

1. check that $_SESSION['userid'] is set AND that it is an integer > 0; if NOT, send to login00.php

2. display page content

 

edit00.php (the page where user can edit his own data)

<?PHP

session_start();

1. check that $_SESSION['userid'] is set AND that it is an integer > 0; if NOT, send to login00.php

2. query db WHERE userid == $_SESSION['userid']

3. display data from db for editing

OK, the login process I have sorted, my problem is that I want each user to be able to:

 

1. see his clients only

2. update these clients

 

Step 1 I have achieved by selecting those clients linked up to the user's login name by using a username session.

 

Now, once I've pulled up the list of clients for a given user, I need to be able to edit them by clicking on them and opening them in the update page.

I want to do this without appending the id_cliente to the url for obvious reasons.

 

So what I need to do is to create a session that gets the id_cliente for each client on the client list and pass it on to the update page.

 

...I'm all confused now

I don't think you're going about it right, now that I see a bigger picture of what you're after. You need to go back to the way you had it, passing the value in the URL with $_GET variables, and then use the id of the logged in user (which hopefully is already in a $_SESSION variable) in the query as well, to make sure the user 'owns' the record that he is attempting to access.

Thanks a lot Pikachu... I have added a new owner_username column to the database that stores the login username.

I have then created a query that pulls a client record from the DB according to the owner_username:

$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = %s AND owner_username= '$ownerusername'", GetSQLValueString($colname_clientes_RS, "int"));
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());

..and it works perfectly. I have tried manually changing the client id passed in the URL to a client id belonging to a different user, and by doing this a blank record is shown... which is perfect to test that the system is working, BUT... now I would like to show a warning message instead of a blank record when this happens. Is this something that can be done easily, or is it something complicated?

 

Thanks again

you could fling a message out on the page by checking the mysql_num_rows() of your query.  obviously there will not be any rows returned if the page has been accessed through error or maliciousness, so if mysql_num_rows($yourQuery) < 1 then show a message.

Thanks Muddy,

where would I put that code in my query?...something like this?

 

mysql_select_db($database_MySQLconnect, $MySQLconnect);
$query_clientes_RS = sprintf("SELECT * FROM t_clientes WHERE id_cliente = %s AND owner_username= '$ownerusername'", GetSQLValueString($colname_clientes_RS, "int"));
$clientes_RS = mysql_query($query_clientes_RS, $MySQLconnect) or die(mysql_error());
$row_clientes_RS = mysql_fetch_assoc($clientes_RS);
$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if mysql_num_rows($clientes_RS) < 1 
{
echo "ooooooops";

}

that should work, you want to get it as close to the top of the page as you can, so less code is parsed before it is checked.  It would be better if changed slightly:

$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if mysql_num_rows($clientes_RS) < 1 
{
echo "ooooooops";

}

would be better as:

$totalRows_clientes_RS = mysql_num_rows($clientes_RS);

if ($totalRows_clientes_RS < 1)
{
    echo "ooooooops";
    exit; // stop the script here; break is only valid inside a loop or switch in PHP, exit ends the request
}

call the break within the if condition to protect the rest of your code (and to keep things light on the server, no need to parse code that's not going to get used).  Also, as you already assign the value of mysql_num_rows() to a variable, it's better to reuse the variable than call the function again.
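The approach the thread settles on (id in the URL, ownership enforced in the WHERE clause, and a row-count check before anything is rendered), written out as an added example that is not any poster's code. It uses PDO prepared statements rather than the mysql_* functions above; the table and column names are the thread's, while the sqlite in-memory rows, the usernames and the function names are constructed here so it runs stand-alone.

```php
<?php
// Added example, not code from the thread: ownership check plus "no row" guard
// using PDO prepared statements. Table/column names come from the thread; the
// sqlite in-memory data, usernames and function names are constructed here.

/** Return the client row only if $owner owns it, otherwise null. */
function fetch_owned_client(PDO $pdo, int $idCliente, string $owner): ?array
{
    // Ownership is part of the WHERE clause, so an id_cliente that belongs to
    // another user produces no row at all rather than that user's record.
    $stmt = $pdo->prepare(
        'SELECT * FROM t_clientes WHERE id_cliente = :id AND owner_username = :owner'
    );
    $stmt->execute([':id' => $idCliente, ':owner' => $owner]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** What the top of the update page should do: validate, check ownership, stop early. */
function load_client_for_update(PDO $pdo, array $get, array $session): array
{
    if (empty($session['username'])) {
        return ['status' => 302, 'location' => 'login00.php']; // not logged in
    }
    // Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var($get['id_cliente'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'message' => 'Invalid client id.'];
    }
    $row = fetch_owned_client($pdo, $id, $session['username']);
    if ($row === null) {
        // Same answer for "does not exist" and "not yours", so a tampered id
        // learns nothing about other users' records.
        return ['status' => 404, 'message' => 'No such client in your list.'];
    }
    return ['status' => 200, 'row' => $row];
}

// Constructed sample data: two users, one client each.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t_clientes (id_cliente INTEGER PRIMARY KEY, nombre TEXT, owner_username TEXT)');
$pdo->exec("INSERT INTO t_clientes VALUES (1, 'Acme', 'alice'), (2, 'Globex', 'bob')");
$alice = ['username' => 'alice'];
assert(load_client_for_update($pdo, ['id_cliente' => '1'], $alice)['status'] === 200); // own client
assert(load_client_for_update($pdo, ['id_cliente' => '2'], $alice)['status'] === 404); // bob's client
assert(load_client_for_update($pdo, ['id_cliente' => 'x'], $alice)['status'] === 400); // bad id
assert(load_client_for_update($pdo, ['id_cliente' => '1'], [])['status'] === 302);     // no login
```

In the real page the 302 and 404 branches would send a header() and exit before any form markup is emitted, which is the "get it as close to the top as you can" point made above.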
