crf1121359 Posted March 12, 2013

I have this PHP member page which shows some very basic information from the MySQL database. The issue that I noticed is that if you are logged out and visit the members page, i.e. http://www.mywebsite.co.uk/member.php?id=17, and refresh the page from the browser, it will log you into the user's account. And it doesn't really matter where and who it is. It will just log the visitor into that account with id 17 or any other id on PAGE Refresh!!

This is my code for member.php:

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
?>
<?php
session_start(); // Must start session first thing

// See if they are a logged in member by checking Session data
$toplinks = "";
if (isset($_SESSION['id'])) {
    // Put stored session variables into local php variable
    $userid = $_SESSION['id'];
    $username = $_SESSION['username'];
    $toplinks = '<a href="member.php?id=' . $userid . '">' . $username . '</a> • <a href="member.php">Account</a> • <a href="logout.php">Log Out</a>';
} else {
    $toplinks = '<a href="join_form.php">Register</a> • <a href="login.php">Login</a>';
}
?>
<?php
// Use the URL 'id' variable to set who we want to query info about
// filter everything but numbers for security (the pattern needs / delimiters,
// otherwise the brackets are taken as the delimiters and nothing is filtered)
$id = preg_replace("/[^0-9]/", "", $_GET['id']);
if ($id == "") {
    echo "Missing Data to Run";
    exit();
}

// Connect to the database through our include
include_once "config/connect.php";

// Query member data from the database and ready it for display
$sql = "SELECT * FROM members WHERE id='$id' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
$count = mysqli_num_rows($query);
if ($count < 1) { // no row came back for this id
    echo "There is no user with that id here.";
    exit();
}
while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
    // The queried member's username and id are stored in the session here
    $username = $row["username"];
    $_SESSION['username'] = $username;
    $userid = $row["id"];
    $_SESSION['id'] = $userid;
    // Convert the sign up date to be more readable by humans
    $signupdate = strftime("%b %d, %Y", strtotime($row['signupdate']));
}
?>
```

I know the issue is caused by `$userid = $_SESSION['id'];` but I cannot figure out how to solve it for the life of me. Any help would be appreciated.

Thanks
Strider64 Posted March 12, 2013

Instead of getting specific, why don't you just see if a user is logged in with sessions? For example:

```php
// First we execute our common code to connect to the database and start the session
require("includes/common.php");

// At the top of the page we check to see whether the user is logged in or not
if (empty($_SESSION['user'])) {
    // If they are not, we redirect them to the login page.
    header("Location: login.php");

    // Remember that this die statement is absolutely critical. Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}
```
crf1121359 (Author) Posted March 12, 2013 (edited)

Thanks. That worked like a charm.

Edited March 12, 2013 by crf1121359
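
An added example, not part of any post in this thread: the login check from the reply combined with a profile lookup that keeps the row selected by the URL `id` in local data and never writes it to `$_SESSION`, so viewing a profile cannot change who is logged in. It assumes PDO with an in-memory SQLite database and two constructed rows in place of the thread's mysqli `config/connect.php`, returns the redirect target instead of calling `header()`, and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for config/connect.php: in-memory SQLite via PDO
// (assumption; the thread uses mysqli) with two made-up member rows.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, signupdate TEXT)");
    $db->exec("INSERT INTO members VALUES (17, 'alice', '2013-01-05'), (18, 'bob', '2013-02-11')");
    return $db;
}

// Who is logged in is decided only by what the login page stored in the session.
function current_user_id(array $session): ?int {
    return isset($session['id']) ? (int) $session['id'] : null;
}

// Whose profile to show is decided by the URL. The row is returned to the
// caller and never copied into $_SESSION.
function load_profile(PDO $db, $rawId): ?array {
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return null; // reject anything that is not a plain run of digits
    }
    // Prepared statement: the id is bound as data, not spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, username, signupdate FROM members WHERE id = ? LIMIT 1');
    $stmt->execute([(int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Page logic: anonymous visitors are sent to login, members get the profile.
function member_page(PDO $db, array $session, array $get): array {
    $viewer = current_user_id($session);
    if ($viewer === null) {
        return ['redirect' => 'login.php'];
    }
    $profile = load_profile($db, $get['id'] ?? '');
    return $profile === null
        ? ['error' => 'There is no user with that id here.']
        : ['viewer' => $viewer, 'profile' => $profile];
}

$db = demo_db();
var_dump(member_page($db, [], ['id' => '17']));                 // logged-out visitor requesting id 17
var_dump(member_page($db, ['id' => 18], ['id' => '17']));       // member 18 viewing member 17's profile
var_dump(member_page($db, ['id' => 18], ['id' => "17' OR 1"])); // non-numeric id
```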