
PHP member's page works without users credentials?


crf1121359


I have this PHP member page which will show some very basic information from the MySQL database.

The issue that I noticed is that if you are logged out and visit the members page, i.e. http://www.mywebsite.co.uk/member.php?id=17, and refresh the page from the browser, it will log you into the user's account. And it doesn't really matter where and who it is. It will just log the visitor into the account with id 17 or any other id on PAGE Refresh!!

this is my code for member.php

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

session_start(); // Must start session first thing
// See if they are a logged in member by checking Session data
$toplinks = "";
if (isset($_SESSION['id'])) {
    // Put stored session variables into local php variable
    $userid = $_SESSION['id'];
    $username = $_SESSION['username'];
    $toplinks = '<a href="member.php?id=' . $userid . '">' . $username . '</a> • 
    <a href="member.php">Account</a> • 
    <a href="logout.php">Log Out</a>';
} else {
    $toplinks = '<a href="join_form.php">Register</a> • <a href="login.php">Login</a>';
}

// Use the URL 'id' variable to set who we want to query info about
// (the pattern needs delimiters: the original "[^0-9]" used [ ] as delimiters and stripped nothing)
$id = preg_replace("/[^0-9]/", "", $_GET['id'] ?? ''); // filter everything but numbers for security
if ($id == "") {
    echo "Missing Data to Run";
    exit();
}
// Connect to the database through our include
include_once "config/connect.php";
// Query member data from the database and ready it for display
$sql = "SELECT * FROM members WHERE id='$id' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
$count = mysqli_num_rows($query);
if ($count < 1) { // no such row (the original tested > 1, which a LIMIT 1 query can never hit)
    echo "There is no user with that id here.";
    exit();
}
while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
    $username = $row["username"];
    $_SESSION['username'] = $username; // writes the viewed profile's name into the session
    $userid = $row["id"];
    $_SESSION['id'] = $userid;         // writes the viewed profile's id into the session: this is what logs the visitor in as that user
    // Convert the sign up date to be more readable by humans
    $signupdate = date("M d, Y", strtotime($row['signupdate']));
}
?>
I know the issue is caused by

$userid = $_SESSION['id'];

but I cannot figure out how to solve it for the life of me.

Any help would be appreciated.

Thanks


Instead of getting specific, why don't you just see if a user is logged in with sessions?

For example

    // First we execute our common code to connect to the database and start the session
    require("includes/common.php");

    // At the top of the page we check to see whether the user is logged in or not
    if (empty($_SESSION['user']))
    {
        // If they are not, we redirect them to the login page.
        header("Location: login.php");

        // Remember that this die statement is absolutely critical.  Without it,
        // people can view your members-only content without logging in.
        die("Redirecting to login.php");
    }
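Putting the two posts together: the original member.php logs a visitor in because it copies the queried row into $_SESSION, and the reply's point is that the page should only read the session, never write it. The following is an added example of one way to restructure member.php along those lines; it is not the original poster's code or the replier's. It assumes config/connect.php provides $db_conx (a mysqli connection), as on the page, and that the members table has a password_hash column holding password_hash() output, which the page does not show. The ?id= parameter selects which profile is displayed; who is logged in comes only from the session, which is written in exactly one place, the login handler, after the password check.

```php
<?php
// Added example (not the original poster's code). Separates "which profile is
// being viewed" (the ?id= parameter) from "who is logged in" (the session).
// Assumes config/connect.php defines $db_conx (mysqli), as in the original post.
declare(strict_types=1);

session_start();

// 1. Who is logged in? Read the session only; this file never assigns to $_SESSION.
$viewerId   = isset($_SESSION['id']) ? (int) $_SESSION['id'] : null;
$viewerName = $_SESSION['username'] ?? '';

$toplinks = $viewerId !== null
    ? '<a href="member.php?id=' . $viewerId . '">'
      . htmlspecialchars($viewerName, ENT_QUOTES, 'UTF-8') . '</a> &bull; '
      . '<a href="member.php">Account</a> &bull; <a href="logout.php">Log Out</a>'
    : '<a href="join_form.php">Register</a> &bull; <a href="login.php">Login</a>';

// 2. Which profile is being viewed? Validate id as a positive integer. With no id,
//    show the viewer's own profile (the "Account" link), which requires being logged in.
$profileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($profileId === null || $profileId === false) {
    if ($viewerId === null) {
        header('Location: login.php');
        exit('Redirecting to login.php'); // stop here, as the reply above stresses
    }
    $profileId = $viewerId;
}

// 3. Fetch the profile with a prepared statement: the id is bound, not interpolated.
require_once 'config/connect.php';
$stmt = mysqli_prepare($db_conx, 'SELECT id, username, signupdate FROM members WHERE id = ? LIMIT 1');
mysqli_stmt_bind_param($stmt, 'i', $profileId);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

if ($row === null) {
    http_response_code(404);
    exit('There is no user with that id here.');
}

// Values for the template. Nothing from $row is copied into $_SESSION, so refreshing
// member.php?id=17 while logged out just shows user 17's public profile.
$username     = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
$signupdate   = date('M d, Y', strtotime($row['signupdate']));
$isOwnProfile = ($viewerId === (int) $row['id']); // lets the template show edit controls only to the owner

// --- login.php (assumed, not shown on the page): the ONLY code that writes the session.
// Assumes a password_hash column created with password_hash().
function login_user(mysqli $db_conx, string $username, string $password): bool
{
    $stmt = mysqli_prepare($db_conx, 'SELECT id, username, password_hash FROM members WHERE username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;               // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);    // fresh session id when privilege changes (session fixation defence)
    $_SESSION['id']       = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}
```

The design choice worth keeping in mind: a request parameter such as ?id= is data the visitor controls, so it may pick what to display but must never decide who the visitor is. Keeping all $_SESSION writes inside login_user() (and the logout handler) makes that property easy to check by grepping for `$_SESSION[` assignments, and session_regenerate_id(true) on login stops a session id that an attacker chose or observed before login from remaining valid afterwards.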