PNewCode Posted February 24, 2023 (edited)

Hello all you wonderful people. This week I have been working on a way to switch the pages, depending on what is in the database table (see the script below). What I am including is a fully functioning switch. However, what I would like to add is a way to prevent directly going to one of the pages unless it's stated so in the database. So in other words, for this, if the database says "off" then the person can't go to "on.php" and will be forced to go to "off.php".

Currently, when someone goes to this page it will send them to the correct page depending on what I set the database column as (I have a different page that updates it to on or off with a button). But that doesn't prevent someone from typing in "on.php" manually in the browser.

PS... If you're wondering why I did it this way, it's because I'm still learning and what I found online in my adventure is making it work so far. That's why.

EDIT: What I have tried is about 100 or so variations that just made each of them keep refreshing itself and lead to a crash. I didn't post those fails here because, well, they failed haha

Any thoughts?

    <?php
    $servername = "localhost";
    $username = "removed for posting";
    $password = "removed for posting";
    $dbname = "removed for posting";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "SELECT id, switch FROM sale";
    $result = $conn->query($sql);
    $row = $result->fetch_assoc();

    if ($row['switch'] == "off") {
        header("Location: off.php");
    } else {
        header("Location: on.php");
    }

    $conn->close();
    ?>

Edited February 24, 2023 by PNewCode
jodunno Posted February 24, 2023

Hello PNewCode,

Apache (or whatever server you are using) should be the first line of defense, not PHP. A firewall [0] in conjunction with the server [1] is even better. Then use a session variable as a last line of defense.

Apache code to be placed in the www or public directory in the htconfig file (or an .htaccess file):

    <FilesMatch ".php$">
        Order deny,allow
        Deny from all
    </FilesMatch>
    <FilesMatch "^index\.php$">
        Order deny,allow
        Allow from all
    </FilesMatch>

The garbage that is to be found online, such as !d and !f, simply means "if the file or directory doesn't exist". One should not use such code, as PHP files should not be requestable files. Only allow index.php, or whatever you want to name your index files, using the aforementioned FilesMatch rules in Apache.

Once again, to be clear, this is not a true PHP problem. The PHP specialists should not have to reply to such questions. I'm trying to help out by steering you in the right direction.

Best wishes,
John
PNewCode (Author) Posted February 24, 2023

@jodunno Thank you for your reply. I'm on a Linux server. Just to expand on your post, the reason I'm asking for assistance with this in PHP is because that is what I'm learning right now. I will be interested in learning alternative ways when I figure out what I want to know with PHP. So therefore I feel like my question is suitable for such PHP questions. Again, I appreciate your insight.
dodgeitorelse3 Posted February 24, 2023

In order to avoid folks opening a page that shouldn't be opened via URL I use this. I put it in the header on the page that should not be opened via URL.

    <script type="text/javascript">
    if (top.location.href != "http://<?php echo $host_name; ?>/index.php")
        top.location.href = "../index.php";
    </script>

Perhaps you can modify it to work in conjunction with what you have for your switch.
jodunno Posted February 24, 2023

Okay, but Linux is an operating system.

In your code you are using a header for redirection but you have failed to exit the PHP script, thus it continues execution of the script (which ends up at on.php!). However, you shouldn't redirect here because it is not really a legitimate reason to do so. Simply store the db switch in a session variable instead. ALSO use one page and change the view based upon the switch. Like so:

Then in the on_or_off_single_switch_page.php page:

    if (!empty($_SESSION['MyPagePermissionSwitch']) && $_SESSION['MyPagePermissionSwitch'] === 'on') {
        echo 'the page is really turned on, LOL';
        require_once 'on.php';
        /* or: require_once dirname(__FILE__) . '/../outofrootfolder/on.php'; */
    } else {
        echo 'you are not permitted to view this file. The page is a big turn off!';
        require_once 'off.php';
        /* or whatever action/consequence that you desire is to be enacted in this condition block */
        /* we want off to be the default, right? */
    }

The above code is just an example. Handle the condition according to your code. I am not a PHP specialist, so you should wait for the specialists to reply.

Is this helpful to you?

Best wishes,
John
jodunno Posted February 24, 2023 (edited)

> 15 minutes ago, dodgeitorelse3 said:
> In order to avoid folks opening a page that shouldn't be opened via URL I use this. I put it in the header on the page that should not be opened via URL.
>
>     <script type="text/javascript">
>     if (top.location.href != "http://<?php echo $host_name; ?>/index.php")
>         top.location.href = "../index.php";
>     </script>
>
> Perhaps you can modify it to work in conjunction with what you have for your switch.

Please do not implement a script (client-side technology) in place of server-side control. I hope that you are really not using such code on a live website. I hope that you understand why this is a bad suggestion. Thanks for trying to be helpful, but this is really hurtful advice. I hope that you do not think that I am being rude. I'm just shocked that you would make such a suggestion. 🤯

Edited February 24, 2023 by jodunno
dodgeitorelse3 Posted February 24, 2023

> 10 minutes ago, jodunno said:
> Please do not implement a script (client-side technology) in place of server-side control. I hope that you are really not using such code on a live website. I hope that you understand why this is a bad suggestion. Thanks for trying to be helpful, but this is really hurtful advice. I hope that you do not think that I am being rude. I'm just shocked that you would make such a suggestion.

So maybe you can explain why? I am no professional by any means.
PNewCode (Author) Posted February 24, 2023 (edited)

@jodunno So I took that advice to use the PHP scripting to check the status. However, it seems that whether the database value says "yes" or is empty, either way it still allows the whole page to show. Your thoughts?

This now checks if the person is logged into their account for the session. I'm trying to get this to allow access to the page if "yes" is in the database, and if it's blank then it goes to "nosale.php". Also, not everyone will have that status. Since people are purchasing access to the sale page, it is based on their id status whether "salescheck" in the database reads yes or blank.

EDIT: None of this is given to the public yet. It's in a link that nobody knows about till it's right.

    <?php
    session_start();
    include_once "config.php";
    if(!isset($_SESSION['id']) && $_SESSION['salecheck'] == "yes"){
        header("location: nosale.php");
    }
    ?>
    ///// a bunch of html that shows the sales and special prices to members that purchased the sales option

Edited February 24, 2023 by PNewCode
jodunno Posted February 24, 2023

> 28 minutes ago, dodgeitorelse3 said:
> So maybe you can explain why? I am no professional by any means.

Client side versus server side should not be a foreign concept to you. So what do you do when I disable JavaScript in my web browser? Or what do you do if I use Fiddler to fiddle with the request? Imagine if your bank used JavaScript to control access to a page. If I could use a "shaking my head while holding it in my hands in a downward shamed position" emoji, then I would use such an emoji here and now.
jodunno Posted February 24, 2023

> 9 minutes ago, PNewCode said:
> @jodunno So I took that advice to use the PHP scripting to check the status. However, it seems that whether the database value says "yes" or is empty, either way it still allows the whole page to show. Your thoughts?
>
> This now checks if the person is logged into their account for the session. I'm trying to get this to allow access to the page if "yes" is in the database, and if it's blank then it goes to "nosale.php". Also, not everyone will have that status. Since people are purchasing access to the sale page, it is based on their id status whether "salescheck" in the database reads yes or blank.
>
> EDIT: None of this is given to the public yet. It's in a link that nobody knows about till it's right.
>
>     <?php
>     session_start();
>     include_once "config.php";
>     if(!isset($_SESSION['id']) && $_SESSION['salecheck'] == "yes"){
>         header("location: nosale.php");
>     }
>     ?>
>     ///// a bunch of html that shows the sales and special prices to members that purchased the sales option

I see that my advice is a bit much, so let me just work off of your data. Add an exit immediately after the header redirection and try the script again. So:

    <?php
    session_start();
    include_once "config.php";
    if(!isset($_SESSION['id']) && $_SESSION['salecheck'] == "yes"){
        header("location: nosale.php");
        exit;
    }
    ?>
PNewCode (Author) Posted February 24, 2023

@jodunno Unfortunately that didn't work either. Regardless of what is in "salecheck" it still shows the sale page, whether it has a "yes" value or is empty.
jodunno Posted February 24, 2023

    !isset($_SESSION['id'])

"if NOT isset $_SESSION['id'] AND $_SESSION['salecheck'] == 'yes'": session id is not set and session salecheck is yes. If yes means that a user is supposed to view the page and the user should have a session id, then this code is failing because session id is set. You are simply misunderstanding the logic. "if IS set session id AND session salecheck === yes" should allow the logged in user with yes permission to view the page:

    if (isset($_SESSION['id']) && $_SESSION['salecheck'] === 'yes')

You still need to exit after a header.
dodgeitorelse3 Posted February 24, 2023

> 1 hour ago, jodunno said:
> Client side versus server side should not be a foreign concept to you. So what do you do when I disable JavaScript in my web browser? Or what do you do if I use Fiddler to fiddle with the request? Imagine if your bank used JavaScript to control access to a page. If I could use a "shaking my head while holding it in my hands in a downward shamed position" emoji, then I would use such an emoji here and now.

Thank you for your explanation and delicacy. I now have more knowledge. If I could use a "nodding my head, while holding 2 thumbs up in an upward proud position" emoji, then I would use such an emoji here and now.
PNewCode (Author) Posted February 24, 2023 (edited)

@jodunno Thank you again for the reply. I can't seem to grasp what I'm missing here. It could be because I'm becoming ancient and my brain isn't as sharp hahaha. I tried using a NOT statement and that didn't make a difference. So then I put in exactly what you had in the second part of your last post and the page is still showing all of the content, regardless of whether the value is "yes" or empty. And yes, it should be that the visitor is BOTH logged in, and with "yes" as the status in 'salecheck', to be able to see the page.

I fear I may end up completely bald from pulling my hair so much on this one haha

    <?php
    session_start();
    include_once "config.php";
    if (isset($_SESSION['id']) && $_SESSION['salecheck'] === 'yes'){
        header("location: nosale.php");
        exit;
    }
    ?>
    <html>
    <title> Something </title>
    The sales stuff will be seen here for those that are logged in and have yes in the value
    </html>

Edited February 24, 2023 by PNewCode
jodunno Posted February 24, 2023 (edited)

> 31 minutes ago, PNewCode said:
> @jodunno Thank you again for the reply. I can't seem to grasp what I'm missing here. It could be because I'm becoming ancient and my brain isn't as sharp hahaha. I tried using a NOT statement and that didn't make a difference. So then I put in exactly what you had in the second part of your last post and the page is still showing all of the content, regardless of whether the value is "yes" or empty. And yes, it should be that the visitor is BOTH logged in, and with "yes" as the status in 'salecheck', to be able to see the page.
>
> I fear I may end up completely bald from pulling my hair so much on this one haha
>
>     <?php
>     session_start();
>     include_once "config.php";
>     if (isset($_SESSION['id']) && $_SESSION['salecheck'] === 'yes'){
>         header("location: nosale.php");
>         exit;
>     }
>     ?>
>     <html>
>     <title> Something </title>
>     The sales stuff will be seen here for those that are logged in and have yes in the value
>     </html>

Okay, so I was confused about what you are doing (since I cannot see your complete page and I am obviously failing to listen to your problem carefully). I apologize for misunderstanding your goals. Simply check for the lack of a session id and redirect.

    <?php
    session_start();
    include_once "config.php";
    if (!isset($_SESSION['id'])/*.*/){
        header("location: nosale.php");
        exit;
    }
    ?>

Also, I always add a small comment between parentheses because if statements with too many parentheses can be confusing. I often miss one somewhere and it drives me nuts.

Redirecting a user that does not have an id (logged in?). The sales page will be viewable now if the session id is set, otherwise the redirection will take you to nosale.php.

Edit: the salecheck session variable should be an error if the user is not logged in, so the header redirect does not happen. You would have to check if both session variables are set to escape this problem. But then it begs the question "why use a yes switch if it isn't really used?"

Edited February 24, 2023 by jodunno (reason: clarify the cause of the erroneous result)
jodunno Posted February 24, 2023 (edited)

And if you want to check if a logged in user has a "no" too, then use the following code model:

    <?php
    declare(strict_types=1);

    $_FakeSESSION = ['id' => 1, 'salecheck' => 'yes'];

    if (!isset($_FakeSESSION['id']) || (!empty($_FakeSESSION['salecheck']) && $_FakeSESSION['salecheck'] === 'no')) {
        header('Location: nosale.php');
        exit;
    }

    echo 'this is the YES page view.';
    ?>

What we are doing is better if we read it to ourselves: if session id is not set OR a session salecheck is not empty AND its value equates to no, then nosale.php; otherwise, load the sales page data because the user is logged in and the salecheck is yes.

Does this solve your problem?

Edited February 24, 2023 by jodunno (reason: error in my code)
PNewCode (Author) Posted February 24, 2023

@jodunno Yes, that works for checking if they are logged in only. Here's the trouble though. Say the user "bob" wants to go shopping. He has to log in to his account to go through anything on my site at all. So he logs in and starts looking through things to shop for. Then Bob sees the link that says "Exclusive Sales" and he wants to see those sales. But Bob didn't pay for that extra membership, so he does not have "yes" in his SALECHECK column. So when he gets there, he will only see some HTML that will have a form and stuff offering him to get the extra membership.

Now, Bob likes this so he pays for the extra and his column in salecheck now says "yes". Bob is now logged in AND can see the exclusive sales.
gizmola Posted February 24, 2023

> 44 minutes ago, PNewCode said:
>     <?php
>     session_start();
>     include_once "config.php";
>     if (isset($_SESSION['id']) && $_SESSION['salecheck'] === 'yes'){
>         header("location: nosale.php");
>         exit;
>     }
>     ?>
>     <html>
>     <title> Something </title>
>     The sales stuff will be seen here for those that are logged in and have yes in the value
>     </html>

So this code redirects to nosale.php if the person has a session id and $_SESSION['salecheck'] === 'yes'. It seems you want the opposite.

A couple of things: Login is login. You shouldn't have a situation where you check login state AND something else like this for a business rule. You should have generic "always run" code that checks for login state, and redirects them to the login page (for any pages that are meant to be secured). Typically you would put that code into a function or class, and include the function or class. Then you can have at the top of any secured page something like:

    <?php
    require_once('security_functions.php');
    checkLogin();

    // If it gets to here then they were logged in
    // Do page specific things
    if ($_SESSION['salecheck'] !== true) {
        header("location: nosale.php");
        exit;
    }

Use PHP booleans in your session rather than a string. Nobody sees the session variables other than your code.

    // Somewhere in your code
    $_SESSION['salecheck'] = true;
gizmola Posted February 24, 2023

In regards to your membership levels, that is something that also ought to have a function or class. Then for a page you could configure it at the top with something like:

    require_once('security_functions.php');
    checkLogin();
    checkSecurityLevel();

    // If it gets to here then they were logged in
    // And they were of a membership level allowing them to see the page

In short, avoid writing spaghetti by breaking down individual things into functions or class methods. This will be DRY, and easier to understand, debug and maintain.
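To make the two-gate pattern from gizmola's posts concrete, here is a complete security_functions.php together with a page that uses it. This is an added example, not gizmola's or the OP's own code: the names checkLogin() and checkSecurityLevel() come from the post, while the helper names, the login.php and nosale.php targets, and the assumption that the login code stores $_SESSION['id'] and a boolean $_SESSION['salecheck'] are all assumptions made here.

```php
<?php
// ===== file: security_functions.php =====
// Added example, not gizmola's or the OP's code. Assumes the login code sets
// $_SESSION['id'] and stores the membership flag in $_SESSION['salecheck']
// as a PHP boolean (gizmola's advice). Helper names, 'login.php' and
// 'nosale.php' are assumptions for illustration.
declare(strict_types=1);

/** Start the session only if nobody started it yet (avoids a notice). */
function startSessionOnce(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/**
 * Redirect and stop. The exit matters: header() only queues a response
 * header, and without it PHP keeps running the rest of the file, so the
 * "protected" HTML below the check would still be sent to the client.
 */
function redirectAndStop(string $target): void
{
    header('Location: ' . $target);
    exit;
}

/** Generic "always run" login gate for every protected page. */
function checkLogin(): void
{
    startSessionOnce();
    // empty() covers both "not set" and "" / 0 left behind by a broken login.
    if (empty($_SESSION['id'])) {
        redirectAndStop('login.php');
    }
}

/**
 * Page-specific membership gate. The strict comparison means a leftover
 * string such as "yes" or "" never passes: anything but boolean true
 * fails closed and sends the visitor to nosale.php.
 */
function checkSecurityLevel(string $flag = 'salecheck'): void
{
    startSessionOnce();
    if (!isset($_SESSION[$flag]) || $_SESSION[$flag] !== true) {
        redirectAndStop('nosale.php');
    }
}

// ===== file: extrasale.php =====
// The gates run before any output: a Location header cannot be sent once
// HTML has gone out. Requiring by __DIR__ keeps include_path out of it.
require_once __DIR__ . '/security_functions.php';
checkLogin();
checkSecurityLevel();
?>
<html>
<title>Exclusive sales</title>
<p>Only a logged-in member whose salecheck flag is boolean true reaches this line.</p>
</html>
```

Every page that needs protecting starts with the same two calls; the only thing that changes from page to page is which flag checkSecurityLevel() is asked about. Because the page's HTML sits below the PHP block, a visitor who fails either gate never receives it, which is the server-side control the thread contrasts with the client-side redirect.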
jodunno Posted February 24, 2023

> 10 minutes ago, PNewCode said:
> @jodunno Yes, that works for checking if they are logged in only. Here's the trouble though. Say the user "bob" wants to go shopping. He has to log in to his account to go through anything on my site at all. So he logs in and starts looking through things to shop for. Then Bob sees the link that says "Exclusive Sales" and he wants to see those sales. But Bob didn't pay for that extra membership, so he does not have "yes" in his SALECHECK column. So when he gets there, he will only see some HTML that will have a form and stuff offering him to get the extra membership.
>
> Now, Bob likes this so he pays for the extra and his column in salecheck now says "yes". Bob is now logged in AND can see the exclusive sales.

Check my last post for that code: if !isset OR !empty AND no.
PNewCode (Author) Posted February 24, 2023 (edited)

@gizmola and @jodunno thank you both so much for the efforts. I'm getting the same issue with all instances. I'm not too worried about security, to be honest, because I don't actually sell anything on my site. I just list things for other people that have sales. Everything gets routed back to their sites with a referral link from my site. So I don't process any personal information. In fact, when people sign up they only choose a username and password and that's all. When they pay for the "extra sales" (which hasn't started till I get this working) they will send me $5 via PayPal on the side. They won't even pay through the site and I'll be changing their status manually (yeah, I might look into having more automation as I learn more).

So here is my ENTIRE page code. I posted it earlier. I just want to be able to have it get the session from being logged in, and if they have "yes" in that salecheck column, they can see the extra sales page (same page but see the content in HTML). So far, all efforts have made it so regardless of whether they have a yes or if it's blank, they can see the contents.

*** I'm currently hitting my head on the keyboard like the muppet that got mad when he couldn't play a song on the piano right on the muppet show ***

    <?php
    session_start();
    include_once "config.php";
    if (isset($_SESSION['id']) && $_SESSION['salecheck'] === 'yes'){
        header("location: nosale.php");
        exit;
    }
    ?>
    ///////// Below is what they will see if they have "yes" in the 'salecheck' column //////
    <html>
    <title> Something </title>
    The sales stuff will be seen here for those that are logged in and have yes in the value
    </html>

And here is what I just tried based on a mix of the help I got:

    <?php
    session_start();
    include_once "config.php";
    if (!$_SESSION['salecheck'] === true) {
        header("location: nosale.php");
        exit;
    }
    $_SESSION['salecheck'] = true;
    ?>
    ///////// Below is what they will see if they have "yes" in the 'salecheck' column //////
    <html>
    <title> Something </title>
    The sales stuff will be seen here for those that are logged in and have yes in the value
    </html>

Edited February 24, 2023 by PNewCode
PNewCode (Author) Posted February 24, 2023

@jodunno sorry, I forgot to mention. Same thing. Regardless of what is in the column, it shows the content of the page. If it helps at all, the column 'salecheck' is VARCHAR(255) NOT NULL.

> 26 minutes ago, jodunno said:
>     <?php
>     declare(strict_types=1);
>
>     $_FakeSESSION = ['id' => 1, 'salecheck' => 'yes'];
>
>     if (!isset($_FakeSESSION['id']) || (!empty($_FakeSESSION['salecheck']) && $_FakeSESSION['salecheck'] === 'no')) {
>         header('Location: nosale.php');
>         exit;
>     }
>
>     echo 'this is the YES page view.';
>     ?>
gizmola Posted February 24, 2023

Did you look at the code I posted?

You also have a database involved, apparently, and yet there is no code you've shown that does anything with the database. If you're reading data from the database somewhere, we don't know what that code looks like. It won't magically create session variables.

Don't design something like "salecheck" in a database as a varchar(255) if all you want is a true/false yes/no. Assuming this is MySQL, then use a tinyint defaulting to 0. Then when you want that to indicate true, you set it to 1.
jodunno Posted February 24, 2023 (edited)

> 25 minutes ago, PNewCode said:
> @jodunno sorry, I forgot to mention. Same thing. Regardless of what is in the column, it shows the content of the page. If it helps at all, the column 'salecheck' is VARCHAR(255) NOT NULL.

We started with on.php and off.php, then we got to nosale.php. We started with off or on values, switched to yes or no values and now true or false. We need consistency to find the problem. Select a value for the salecheck session variable and maintain it until you resolve the issue.

We should check the value of the session variable to learn more. Perhaps the variable is not being set in your db code. Somewhere you need to set the value in the session from the db. Let's revisit your db code and the row to the session variable:

    <?php
    // the session must be active before $_SESSION is written to
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $servername = "localhost";
    $username = "removed for posting";
    $password = "removed for posting";
    $dbname = "removed for posting";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "SELECT id, switch FROM sale";
    $result = $conn->query($sql);
    $row = $result->fetch_assoc();

    $_SESSION['salecheck'] = $row['switch'];

    $conn->close();
    ?>

Now try the following code to test the session variable:

    <?php
    session_start();
    include_once "config.php";
    if (isset($_SESSION['id'])){
        if (!empty($_SESSION['salecheck'])/*.*/) {
            echo $_SESSION['salecheck'];
        }
        echo '<p>this is the yes page.</p>';
    } else {
        header("location: nosale.php");
        exit;
    }
    ?>

Once you have the session variable working and settle on a value, then my earlier code should work:

    <?php
    session_start();
    if (!isset($_SESSION['id']) || (!empty($_SESSION['salecheck']) && $_SESSION['salecheck'] === 'no')) {
        header('Location: nosale.php');
        exit;
    }
    echo 'this is the YES page view.';
    ?>

Let us know...

Edited February 24, 2023 by jodunno (reason: removed erroneous value check)
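The post above says the flag has to be copied from the database into the session somewhere, and gizmola's earlier post says the column should be a tinyint rather than a VARCHAR(255). The login handler below, an added example rather than any poster's code, does both: it reads the per-user row with a prepared statement once at login, stores the flag as a PHP boolean, and offers a refresh function for the case where the flag is changed by hand in the database after the user has already logged in. The users table, its column names, the password_hash column and the login.php / index.php targets are all assumptions; $conn is the mysqli handle from the OP's config.php, and get_result() relies on the mysqlnd driver that current PHP builds ship with.

```php
<?php
// login.php: added example, not jodunno's, gizmola's or the OP's code.
// Assumed schema (illustrative, not from the thread):
//   users(id INT, username VARCHAR(64), password_hash VARCHAR(255),
//         salecheck TINYINT(1) NOT NULL DEFAULT 0)
// $conn is the mysqli handle created in the OP's config.php.
declare(strict_types=1);
session_start();
include_once 'config.php';

/**
 * Check the credentials and, on success, copy the user's id and the
 * membership flag into the session as typed PHP values.
 * Returns false on any failure; the caller only learns that it failed.
 */
function loginUser(mysqli $conn, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $conn->prepare(
        'SELECT id, password_hash, salecheck FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!is_array($row) || !password_verify($password, (string) $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);                   // fresh session id on login
    $_SESSION['id']        = (int) $row['id'];
    $_SESSION['salecheck'] = ((int) $row['salecheck']) === 1;  // bool, not "yes"/""
    return true;
}

/**
 * Re-read the flag for the logged-in user. The session copy is a snapshot
 * taken at login, so after the column is changed by hand in the database
 * it stays stale until this runs or the user logs in again.
 */
function refreshSaleFlag(mysqli $conn): void
{
    if (empty($_SESSION['id'])) {
        return;
    }
    $stmt = $conn->prepare('SELECT salecheck FROM users WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        return;
    }
    $id = (int) $_SESSION['id'];
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // A missing row fails closed: the flag becomes false, never "unknown".
    $_SESSION['salecheck'] = is_array($row) && ((int) $row['salecheck']) === 1;
}

// Form handler: only a POST attempts a login; a GET just shows the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser(
        $conn,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    header('Location: ' . ($ok ? 'index.php' : 'login.php?failed=1'));
    exit;   // stop here so nothing below is sent after the redirect
}
```

With the flag set this way, every protected page can compare $_SESSION['salecheck'] against boolean true with ===, which is the one consistent value the post above asks for. Calling refreshSaleFlag() on the sales page itself trades one extra query per request for a flag that follows the database immediately; calling it only after a manual update keeps the per-request cost at zero.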
PNewCode (Author) Posted February 24, 2023 (edited)

Yes, it is coming from my database. I'm sorry, I should have gone more in depth. Here is the entire structure that I have now. It seems that all of these attempts are only checking if the user is logged in and not paying attention to whether the column says "yes" or is empty. I didn't choose to add "no" in because the column will either have "yes" in it, or it's empty. If it's yes, then they see the HTML page that I'm making that is under the PHP code.

Here is a code that is on a different page that checks only if they are logged in, and if they are, then they can see the page:

    <?php
    session_start();
    include_once "config.php";
    if(!isset($_SESSION['id'])){
        header("location: login.php");
    }
    ?>

The original switch page I put in my first original post I scrapped completely because after reading the replies, I decided it wasn't the right way to go. Here is the complete everything I have.

Here is my config.php:

    <?php
    $hostname = "localhost";
    $username = "deleted for posting";
    $password = "deleted for posting";
    $dbname = "deleted for posting";

    $conn = mysqli_connect($hostname, $username, $password, $dbname);

    if(!$conn){
        echo "Database connection error".mysqli_connect_error();
    }
    ?>

And then on the extrasale.php page (including the most recent attempt):

    <?php
    session_start();
    include_once "config.php";
    if (!isset($_SESSION['salecheck']) && ($_SESSION['salecheck'] == "yes")) {
        header('Location: nosale.php');
        exit;
    }
    ?>
    ///////// Below is what they will see if they have "yes" in the 'salecheck' column //////
    <html>
    <title> Something </title>
    The sales stuff will be seen here for those that are logged in and have yes in the value
    </html>

And here is the mysql database

And here is the nosale.php:

    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body bgcolor="#FFFFFF">
    //// This will be the page that will be directed to, if "Yes" isn't in the 'salecheck' column ////
    </body>
    </html>

Edited February 24, 2023 by PNewCode