Chrisj Posted July 19, 2019

The PHP web video script that I’m using displays a User’s profile page by simply adding (for example) …/@UserName after the url in a browser. I tried to have a User’s profile page only display to Users who are logged into the site, by adding session code:

    if(!isset($_SESSION['username'])){ header("Location:../login"); exit(); }

like so:

    <?php
    if (!isset($_SESSION['username'])) {
        header("Location:../login");
        exit();
    }
    if (empty($_GET['id'])) {
        header("Location: " . PT_Link(''));
        exit();
    }
    $username = PT_Secure($_GET['id']);
    $user_id = $db->where('username', $username)->getOne(T_USERS);
    $lists = false;
    if (empty($user_id)) {
        header("Location: " . PT_Link(''));
        exit();
    }
    $pt->page_url_ = $pt->config->site_url.'/@'.$username ;
    $pt->second_page = 'videos';
    if (!empty($_GET['page'])) {
        switch ($_GET['page']) {
            case 'liked-videos':
                $pt->second_page = 'liked-videos';
                break;
            case 'about':
                $pt->second_page = 'about';
                break;
            case 'play-lists':
                $pt->second_page = 'play-lists';
                $lists = true;
                break;
        }
        $pt->page_url_ = $pt->config->site_url.'/@'.$username."?page=".$pt->second_page;
    }
    $user_data = PT_UserData($user_id, array( 'data' => true ));

etc...

but was unsuccessful. The problem is that although the …/@UserName no longer displays in the browser field (and redirects to the login page) with that additional code, once logged in, the User can’t see his Profile Page either. I also tried adding this:

    if(!isset($_SESSION['username'])){
        header("Location:../login");
        print_r($_SESSION);
        exit;
    }

but I see no printed results.

I have tried this:

    <?php
    session_start();
    if(!isset($_SESSION['username'])){
        header("Location:../login");
        exit();
    }

but, when I select the drop-down menu > profile, it just seems to refresh the same page (that I'm on), and doesn't take me to the ../@chrisj profile page, as it did before I added this:

    if(!isset($_SESSION['username'])){ header("Location:../login"); exit(); }

Also, the .htaccess file shows this:

    RewriteRule ^@([^\/]+)(\/|)$ index.php?link1=timeline&id=$1 [QSA]

if that is any clue. I went ahead and asked the developer, and he simply said: “Its happening because file is same so no remedy for now”. So, now I’m looking for ideas on what I might try as a work around.

Just FYI: when a user logs in it sets the $_SESSION['username'] variable, id, etc. I’m guessing that maybe the reason the main page that I’m on simply refreshes (rather than redirecting to the ‘Profile’ page) is because I am (already) logged in:

    if(!isset($_SESSION['username'])){ header("Location:../login");

So, is there a solution that might instruct something like 'if already logged in, go to the @username profile page'? Something like:

    if (IS_LOGGED == true) {

Any additional suggestions are welcome.
requinix Posted July 19, 2019

In case it's the answer to this, what's the rewriting rule that handles this whatever page but without the @username bit?
Chrisj (Author) Posted July 19, 2019

Thanks for your reply, but, I'd have to guess. Maybe this:

    RewriteRule ^([^\/]+)(\/|)$ index.php?link1=$1 [QSA]

or this?

    RewriteRule ^v/(.*)$ index.php?v=$1 [NC,QSA]

or this?

    RewriteRule ^$ index.php?link1=home [NC,QSA]

or?

    RewriteRule ^aj/([^/.]+)/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2&second=$3 [L,QSA]

Another bit of information: when I asked the script's developer "I want to keep the User account page from displaying in web searches... with ”noindex”...", he said to use this in the html:

    $pt->second_page == ‘about’

I don't know if that is at all helpful. Any additional suggestions are appreciated.
requinix Posted July 19, 2019

5 minutes ago, Chrisj said:
> Thanks for your reply, but, I'd have to guess.

How about the entire .htaccess then?
Chrisj (Author) Posted July 20, 2019

Thanks again for your reply. Here's the .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^$ index.php?link1=home [NC,QSA]
    RewriteRule ^reset-password/([^\/]+)(\/|)$ index.php?link1=reset-password&code=$1 [NC,QSA]
    RewriteRule ^confirm/(.*)/(.*)$ index.php?link1=confirm&code=$1&email=$2 [NC,QSA]
    RewriteRule ^two_factor_login/$ index.php?link1=two_factor_login [NC,QSA]
    RewriteRule ^two_factor_submit/$ index.php?link1=two_factor_submit [NC,QSA]
    RewriteRule ^v/(.*)$ index.php?v=$1 [NC,QSA]
    RewriteRule ^api/v(([0-9])([.][0-9]+))(\/|)$ api.php?v=$1 [QSA]
    RewriteRule ^admin-cp$ admincp.php [NC,QSA]
    RewriteRule ^admin-cp/(.*)$ admincp.php?page=$1 [NC,QSA]
    RewriteRule ^admin-cdn/(.*)$ admin-panel/$1 [L]
    RewriteRule ^videos/category/(.*)/rss(\/|)$ index.php?link1=videos&page=category&id=$1&feed=rss [NC,QSA]
    RewriteRule ^videos/category/(.*)/(.*)$ index.php?link1=videos&page=category&id=$1&sub_id=$2 [NC,QSA]
    RewriteRule ^videos/category/(.*)$ index.php?link1=videos&page=category&id=$1 [NC,QSA]
    RewriteRule ^videos/(.*)/rss(\/|)$ index.php?link1=videos&page=$1&feed=rss [NC,QSA]
    RewriteRule ^videos/(.*)$ index.php?link1=videos&page=$1 [NC,QSA]
    RewriteRule ^articles(\/|)$ index.php?link1=articles [NC,QSA]
    RewriteRule ^articles/category/(.*)(\/|)$ index.php?link1=articles&category_id=$1 [NC,QSA]
    RewriteRule ^articles/read/(.*)(\/|)$ index.php?link1=read&id=$1 [NC,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^aj/([^/.]+)/?$ ajax.php?type=$1&first=$2 [L,QSA]
    RewriteRule ^aj/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2 [L,QSA]
    RewriteRule ^aj/([^/.]+)/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2&second=$3 [L,QSA]
    RewriteRule ^edit-video/(.*)?$ index.php?link1=edit-video&id=$1 [L,QSA]
    RewriteRule ^watch/([^\/]+)(\/|)?$ index.php?link1=watch&id=$1 [L,QSA]
    RewriteRule ^watch/([^\/]+)/list/([^\/]+)(\/|)?$ index.php?link1=watch&id=$1&list=$2 [L,QSA]
    RewriteRule ^embed/(.*)?$ index.php?link1=embed&id=$1 [L,QSA]
    RewriteRule ^resend/(.*)/(.*)?$ index.php?link1=resend&id=$1&u_id=$2 [L,QSA]
    RewriteRule ^redirect/(.*)?$ index.php?link1=redirect&id=$1 [L,QSA]
    RewriteRule ^settings/(.*)/(.*)$ index.php?link1=settings&page=$1&user=$2 [NC,QSA]
    RewriteRule ^settings/(.*)$ index.php?link1=settings&page=$1 [NC,QSA]
    RewriteRule ^terms/([^\/]+)(\/|)$ index.php?link1=terms&type=$1 [QSA]
    RewriteRule ^go_pro(\/|)$ index.php?link1=go_pro [QSA]
    RewriteRule ^ads(\/|)$ index.php?link1=ads [QSA]
    RewriteRule ^ads/create(\/|)$ index.php?link1=create_ads [QSA]
    RewriteRule ^ads/edit/(\d+)(\/|)$ index.php?link1=edit_ads&id=$1 [QSA]
    RewriteRule ^ads/analytics/(\d+)(\/|)$ index.php?link1=ads_analytics&id=$1 [QSA]
    RewriteRule ^contact-us(\/|)$ index.php?link1=contact [QSA]
    RewriteRule ^@([^\/]+)(\/|)$ index.php?link1=timeline&id=$1 [QSA]
    RewriteRule ^messages/(.*)$ index.php?link1=messages&id=$1 [NC,QSA]
    RewriteRule ^view_analytics/(.*)$ index.php?link1=view_analytics&id=$1 [NC,QSA]
    RewriteRule ^video_studio/(.*)$ index.php?link1=video_studio [NC,QSA]
    RewriteRule ^comments/$ index.php?link1=comments [NC,QSA]
    RewriteRule ^dashboard/$ index.php?link1=dashboard [NC,QSA]
    RewriteRule ^popular_channels/$ index.php?link1=popular_channels [NC,QSA]
    RewriteRule ^create_article/$ index.php?link1=create_article [NC,QSA]
    RewriteRule ^my_articles/$ index.php?link1=my_articles [NC,QSA]
    RewriteRule ^edit_articles/(.*)?$ index.php?link1=edit_articles&id=$1 [NC,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^\/]+)(\/|)$ index.php?link1=$1 [QSA]

    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/opentype
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </IfModule>

    <IfModule mod_security.c>
    SecFilterScanPOST Off
    </IfModule>

    ## EXPIRES CACHING ##
    <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresDefault "access plus 190 days"
    </IfModule>
    ## EXPIRES CACHING ##

    # BEGIN cPanel-generated php ini directives, do not edit
    # Manual editing of this file may result in unexpected behavior.
    # To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
    # For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
    <IfModule php7_module>
    php_value post_max_size 2024M
    php_value upload_max_filesize 2024M
    php_value output_buffering Off
    php_value max_execution_time 4000
    php_value max_input_vars 3000
    php_value max_input_time 5000
    php_flag zlib.output_compression Off
    php_flag log_errors On
    php_value error_reporting 32767
    php_value error_log "/home/.../public_html/error_log"
    </IfModule>
    <IfModule lsapi_module>
    php_value post_max_size 2024M
    php_value upload_max_filesize 2024M
    php_value output_buffering Off
    php_value max_execution_time 4000
    php_value max_input_vars 3000
    php_value max_input_time 5000
    php_flag zlib.output_compression Off
    php_flag log_errors On
    php_value error_reporting 32767
    php_value error_log "/home/.../public_html/error_log"
    </IfModule>
    # END cPanel-generated php ini directives, do not edit

I look forward to any additional assistance.
ginerjm Posted July 20, 2019

I don't understand any of this discussion. But the worst part of that lack is that I don't see any usage of "session_start()" in any of the many code samples. So my question is "What is the real problem?" Perhaps you could just explain what you are trying to accomplish?
Chrisj (Author) Posted July 20, 2019

Thanks for your reply. Sorry for any confusion. "session_start()" appears in my initial posting. I'm trying to "have a User’s profile page only display to Users who are logged into the site", and not have any profile pages display in any web searches (only be available to display to logged in users). Any additional help is appreciated.
ginerjm Posted July 20, 2019 (edited)

So - however you accept a request from any person on your site to "see" a profile page - you need to simply check if they are signed in. If that means they have to have a certain $_SESSION element set, then all you do is call isset() for that item, no? What is the question about session_start all about? Obviously every script you execute should begin like this:

    <?php
    ...
    ...
    session_start();

Edited July 20, 2019 by ginerjm
mac_gyver Posted July 20, 2019 (edited)

20 hours ago, Chrisj said:
> like so:
>
>     <?php
>     if (!isset($_SESSION['username'])) {
>         header("Location:../login");
>         exit();
>     }
>     if (empty($_GET['id'])) {
>         header("Location: " . PT_Link(''));
>         exit();
>     }
>     $username = PT_Secure($_GET['id']);
>     $user_id = $db->where('username', $username)->getOne(T_USERS);
>     $lists = false;
>     if (empty($user_id)) {
>         header("Location: " . PT_Link(''));
>         exit();
>     }
>     $pt->page_url_ = $pt->config->site_url.'/@'.$username ;
>     $pt->second_page = 'videos';
>     if (!empty($_GET['page'])) {
>         switch ($_GET['page']) {
>             case 'liked-videos':
>                 $pt->second_page = 'liked-videos';
>                 break;
>             case 'about':
>                 $pt->second_page = 'about';
>                 break;
>             case 'play-lists':
>                 $pt->second_page = 'play-lists';
>                 $lists = true;
>                 break;
>         }
>         $pt->page_url_ = $pt->config->site_url.'/@'.$username."?page=".$pt->second_page;
>     }
>     $user_data = PT_UserData($user_id, array( 'data' => true ));
>
> etc...

these un-commented, out of context, snippets of code are almost useless to us. we don't know how they fit into the grand scheme of what the application is doing. if the author of the code, who does have knowledge of and access to the whole script, cannot solve this, what makes you think we can based on seeing a small part of the script? is this a free script that is available for download on the web? if someone can download this to examine or test changes on, you will get quicker and more accurate solutions to your threads.

i did get a couple of LOLs out of the above code. it has hard-coded logic testing permitted page values, that would have to be found and edited, probably in several locations, anytime a new choice is added, and even though the application is using pretty urls, it is building one with a ?page=... parameter in it.

the way to build urls is to produce an associative array, usually starting with a copy of the existing $_GET array, adding, removing, or modifying elements in the array, and then call a user-written function that knows the rules on how to produce the actual url from the entries in this array. dynamic values being put into the url must be urlencoded so as to not accidentally break the url.

either on this forum or elsewhere, i helped you a number of times with the previous phpmotion script you were trying to use. it was written and organized very badly, making each change difficult and repetitive. while it looks like this current script is using some better implementation practices, it still appears to be just a brute-force built, hard-coded, un-commented, massive wall of code, that is difficult to make changes to. i hope you didn't spend any money on this.

edit: and here is a problem with storing the username in a session variable to indicate who is logged in. it makes it harder to allow usernames to be edited by the user and impossible if a username needs to be edited by a moderator/administrator. only the user's id (auto-increment integer primary index) should be stored in a session variable to identify who a user is. any other user information should be retrieved on each page request.

Edited July 20, 2019 by mac_gyver
mac_gyver Posted July 21, 2019

19 hours ago, mac_gyver said:
>     $username = PT_Secure($_GET['id']);

here's another problem with the posted code. the $username value is being used in both an sql and a html/url context. the way to provide protection in each of those contexts is different, so the function could just 'look' like it works for expected values, but could be ineffective with the unexpected kind of values hackers would use.
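As an added example (not the script's own code, and not what its PT_Secure() does), the same $_GET['id'] value handled separately in the SQL, URL and HTML contexts described above, together with the array-based URL builder and the page allow-list from the post before it. The users table, the function names and the in-memory SQLite PDO connection are assumptions.

```php
<?php
// Added example, not the script's own code. The same $_GET['id'] value is
// handled separately in each context it reaches; the table/column names,
// function names and the SQLite PDO connection are assumptions.
declare(strict_types=1);

// SQL context: a prepared statement keeps the value out of the query text,
// so the username itself needs no escaping here (escaping it would also
// break legitimate names containing quotes).
function find_user_id(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// URL context: build the pretty /@user URL from an associative array (a copy
// of $_GET, edited) instead of string concatenation. The path segment and each
// query value are encoded separately; page values not on the allow-list are dropped.
function build_profile_url(string $siteUrl, string $username, array $params = []): string
{
    $allowedPages = ['videos', 'liked-videos', 'about', 'play-lists'];
    if (isset($params['page']) && !in_array($params['page'], $allowedPages, true)) {
        unset($params['page']);
    }
    unset($params['link1'], $params['id']);   // routing keys added by the rewrite rule
    $url = rtrim($siteUrl, '/') . '/@' . rawurlencode($username);
    return $params ? $url . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986) : $url;
}

// HTML context: encode at the point of output, never when the value is read.
function profile_link_html(string $url, string $username): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $h($url) . '">@' . $h($username) . '</a>';
}

// Constructed sample: a username that a single generic "clean-up" filter would
// have to mangle to make safe everywhere, yet each context handles it intact.
$username = "o'brien & <co>";
$get = ['link1' => 'timeline', 'id' => $username, 'page' => 'about', 'sort' => 'new'];

$url = build_profile_url('https://example.com/', $username, $get);
echo profile_link_html($url, $username), PHP_EOL;

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute([$username]);
var_dump(find_user_id($db, $username));
```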
requinix Posted July 21, 2019

Rewinding a bit, and without commenting on design or code quality: if adding the check for $_SESSION[username] isn't working then that's not where the username is being stored. If it's stored at all, of course. The session_start() is required to use $_SESSION, and checking for the username (if stored) should be sufficient to know whether the user is logged in. If the page "refreshes" then it likely means you were redirected to the login page because the check failed, but the login page properly detected you were logged in and sent you... wherever.
Chrisj (Author) Posted July 21, 2019

Much thanks for all the replies. Regarding "the author of the code, who does have knowledge of and access to the whole script, cannot solve this", I believe he just didn't want to delve into it currently, based on his 'for now' remark. I understand that most scripts are imperfect, but I'm trying to improve this one as I go, one step at a time, and this particular issue presently. Regarding "if adding the check for $_SESSION[username] isn't working then that's not where the username is being stored", yes, you're right, it is stored in the db > users table > 'username' column. Regarding "the check failed, but the login page properly detected you were logged in", that makes sense, so is there a solution that could instruct: even though the users' profile pages are blocked ( ../@username) from web searches, once a user is logged in and @username is selected, then the ../@username page is available to visit/view? I look forward to any additional guidance.
requinix Posted July 21, 2019

11 minutes ago, Chrisj said:
> Regarding "if adding the check for $_SESSION[username] isn't working then that's not where the username is being stored", yes, you're right, it is stored in the db > users table > 'username' column.

... Stored in the session. That's not where the information is being stored in the session.

11 minutes ago, Chrisj said:
> even though the users' profile pages are blocked ( ../@username) from web searches, once a user is logged in and @username is selected, then ../@username page is available to visit/view?

That's the whole point of what you're trying to do, right?
mac_gyver Posted July 21, 2019

from one of your previous threads on this forum -

    if (IS_LOGGED == false) {
        header("Location: " . PT_Link('login'));
        exit();
    }

or more simply -

    if (!IS_LOGGED) {
        header("Location: " . PT_Link('login'));
        exit();
    }

this of course assumes that the code producing the IS_LOGGED defined constant is consistently being used and exists before the code you have posted. a feature like controlling who can view a certain page, like the profiles, should be part of the user permission system. does this code have a general purpose user permission system in it?
Chrisj (Author) Posted July 21, 2019

Much thanks again for your replies. It appears that when I added your:

    if (!IS_LOGGED) {
        header("Location: " . PT_Link('login'));
        exit();
    }

and added this code back into another file:

    <?php if ($pt->second_page == 'about') echo "<meta name='robots' content='noindex'>"; ?>

that my goal has been reached of blocking web searches of ../@username, but having ../@username available after login. Does that seem correct? I'm surprised. If you suspect I don't have something correct, please let me know, but I cleared the cache and tested in chrome, firefox and bing. I look forward to your comments.
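An added example (not the script's code, and not its IS_LOGGED or PT_Link() implementation) of the gate this thread converges on: session_start() before anything else, only the user's id kept in the session as suggested earlier, redirect-and-exit for guests, and a noindex signal on every profile response rather than only on the 'about' tab. The $_SESSION['user_id'] key and the /login path are assumptions.

```php
<?php
// Added example, not the script's own code. Assumes the login handler stores
// only the user's integer id in $_SESSION['user_id'] and that /login is the
// login page; both are assumptions for this illustration.
declare(strict_types=1);

// session_start() must run before any output, so the guard sits at the very
// top of the page. Guarding on session_status() makes repeated includes safe.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Returns the logged-in user's id, or null for a guest. Only the id lives in
// the session; the username and everything else is re-read from the database
// on each request, so renaming a user never desynchronises the session.
function current_user_id(): ?int
{
    start_session_once();
    $id = $_SESSION['user_id'] ?? null;
    return is_int($id) && $id > 0 ? $id : null;
}

// Sends guests to the login page and stops the script. The exit() matters:
// header() alone does not prevent the rest of the page from being rendered
// and sent along with the redirect.
function require_login(string $loginUrl = '/login'): int
{
    $id = current_user_id();
    if ($id === null) {
        header('Location: ' . $loginUrl, true, 302);
        exit();
    }
    return $id;
}

// Marks the response as not-to-be-indexed both as an HTTP header (seen by
// crawlers even before the HTML is parsed) and as a <meta> fallback. Calling
// it unconditionally covers every second_page, not just 'about'.
function mark_noindex(): string
{
    header('X-Robots-Tag: noindex, nofollow');
    return "<meta name=\"robots\" content=\"noindex, nofollow\">\n";
}

// Usage at the top of the timeline/profile page, before any HTML:
$viewerId = require_login();   // a guest never gets past this line
echo mark_noindex();
// ... then look up $_GET['id'] with a prepared statement and render the profile.
```

Because guests are redirected before any profile HTML is produced, a crawler only ever sees the login page; the noindex header is a second layer for any profile response that does reach a client.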