chris_rulez001, posted June 17, 2007:

I have a problem (security): when I'm logged in as my test account (non-admin), I can edit anyone's account; it shows the Edit Profile and other links. What should I do? My code:

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<?php
include('includes/mysql_connect_users.php');
// Connect to server and select database.
mysql_connect("$location", "$mysqlusername", "$mysqlpassword") or die("cannot connect");
mysql_select_db("$database") or die("cannot select DB");
// get value of id sent from the address bar
// (cast to int so a crafted value cannot alter the query)
$id = (int) $_GET['id'];
$sql2 = "SELECT * FROM users WHERE `id`='$id'";
$result = mysql_query($sql2);
$rows = mysql_fetch_array($result);
?>
<title>Minispace - Viewing Profile: <?php echo $rows['username']; ?></title>
<link rel="stylesheet" href="css/stylesheet.css" />
<?php include('includes/general.php'); ?>
</head>
<body>
<table width="86%" border="1" align="center">
  <tr>
    <td height="26" class="headerback"><?php echo $site_name; ?></td>
  </tr>
  <tr>
    <td class="topnav" height="5"><a href="index.php" class="style2">Home</a> | <a href="members.php">Members</a> | <a href="forum/index.php">Forum</a> | <a href="faq.php">FAQ</a> | <a href="view_user.php">Profile</a> |
    <?php
    // logged in? (originally written as `!isset(...) == false`, which is the same test)
    if (isset($_SESSION['username']))
        echo "<a href='logout.php'>Logout</a>";
    else {
        echo "<a href='login.php'>Login</a> | <a href='register.php'>Register</a>";
    }
    ?></td>
  </tr>
  <tr>
    <td class="siteback1"><div align="left" class="username">Viewing Profile: <?php echo $rows['username']; ?></div>
      <table width="310" border="0">
        <tr>
          <td width="408"><div id='piclayout2'><img src='images/no_pic.gif' width='106' height='90' /></div>
          <?php
          // Only checks that *some* user is logged in, not that the viewer owns
          // this profile or is an admin, so every member sees the edit links.
          if (isset($_SESSION['username']))
              echo "<div align='right' style='padding-right:20px'>
              <p><a href='profile_edit.php' style='color:#000099'>Edit Profile</a></p>
              <p><a href='account_settings.php' style='color:#000099'>Account Settings</a> </p>
              <p><a href='manage_images.php' style='color:#000099'>Manage Images</a> </p>
              <a href='manage_blog.php' style='color:#000099'>Manage Blog</a><br />
              </div><div align='left' style='padding-left:45px'><strong>View My:</strong><br /></div>
              <div align='left' style='padding-left:35px'>
              <a href='view_user.php?id=".$rows['id']."' style='color:#000099'>Profile</a> |
              <a href='view_pics.php?user=".$rows['username']."' style='color:#000099'>Pics</a> |
              <a href='view_blog.php?user=".$rows['username']."' style='color:#000099'>Blog</a><br />
              <a href='view_friends.php?user=".$rows['username']."' style='color:#000099'>Friends</a> |
              <a href='view_comments.php?user=".$rows['username']."' style='color:#000099'>Profile</a></div><br/><br/>
              <div align='left' style='padding-left:8px'><strong>My Profile Url:</strong> <a href='view_user.php?id=".$rows['id']."' style='color:#000099'>mysite/view_user.php?id=".$rows['id']."</a></div>";
          else {
              echo "<br/><div align='right' style='padding-right:80px'>
              <p>".$rows['age']." Years Old</p>
              <p>".$rows['gender']."</p>
              </div><br/><br/>
              <table width='100' border='1'>
                <tr>
                  <td align='center'> Contacting, ".$rows['username']." </td>
                </tr>
                <tr>
                  <td style='padding-right:15px'>
                  <img src='images/msn-icon.gif'> MSN: ".$rows['msn']."<br/><br/>
                  <img src='images/imaim.png'> AOL IM: ".$rows['aolim']."<br/><br/>
                  <img src='images/icon_yim.gif'> YAHOO IM: ".$rows['yim']."<br/><br/>
                  </td>
                </tr>
              </table>";
          }
          ?>
          </td>
        </tr>
      </table>
      <p> </p></td>
  </tr>
</table><br />
<br /><div align="center"><?php echo $copyright; ?></div>
```

Thread: https://forums.phpfreaks.com/topic/55960-solved-security-problem-need-help-asap/
Lumio, posted June 17, 2007:

Did you set some rights to a user?
chris_rulez001 (author), posted June 17, 2007:

I was going to set some rights but I don't know how to do it. Can you help me?
GingerRobot, posted June 17, 2007:

Unless I'm being blind, you've not yet done anything to only allow these options to certain people. I would suggest the best method is to query the database for the user who is currently logged in (e.g. get their username/id from the session), and then only display these options if they are an admin etc. For example, let's suppose you have a field called user_level in your users table:

```php
<?php
// look up the level of the user who is logged in (from the session), not the profile being viewed
$sql = mysql_query("SELECT `user_level` FROM `users` WHERE `username`='$_SESSION[username]'") or die(mysql_error());
$status_level = mysql_result($sql, 0, "user_level");
if ($status_level >= 3) { // I'm guessing you might have more than one level of staff
    // show various options
}
?>
```

Don't forget, if these options are links to PHP files, you'll want to check that the user accessing those pages has the right user level. Also, you might want to consider putting this into a file that you'll include where necessary, or maybe a function to check for the right level.
pocobueno1388, posted June 17, 2007:

EDIT: While I was typing this I was beat to posting it, but it is pretty much the same method described above.

In the table you use to store your users' information, you need to add a column called "rank". Then you can assign people ranks such as "member", "admin", "mod", or whatever. Then in your code you could do this:

```php
<?php
// fetch the rank of the logged-in user (from the session), not of the profile
// whose id came from the address bar
$query = mysql_query("SELECT rank FROM users WHERE username='$_SESSION[username]'");
$row = mysql_fetch_assoc($query);
if ($row['rank'] == "admin") {
    // Put things here that only admins can see/do
} else if ($row['rank'] == "member") {
    // Put the basic display without any editing tools for what members can see here
}
?>
```
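One way to turn the two replies above into a single include that both shows the links and protects the pages they lead to, as an added example that is not code from the thread: it assumes a `users` table with `id`, `username` and `user_level` columns (user_level >= 3 meaning staff, as GingerRobot supposes), that login stores the username in `$_SESSION['username']`, and it uses mysqli prepared statements instead of the thread's mysql_* functions. It also checks ownership, so an ordinary member can manage only their own profile.

```php
<?php
// includes/auth.php -- added example, not code from the thread.
// Assumes: session_start() has run, login put the username in
// $_SESSION['username'], and `users` has id, username, user_level
// (user_level >= 3 means staff, as in GingerRobot's reply).
define('STAFF_LEVEL', 3);

/** Row (id, username, user_level) of the logged-in user, or null. */
function current_user(mysqli $db) {
    if (empty($_SESSION['username'])) {
        return null;
    }
    // Prepared statement: the value is bound, never pasted into the SQL text.
    $stmt = $db->prepare('SELECT id, username, user_level FROM users WHERE username = ?');
    $stmt->bind_param('s', $_SESSION['username']);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $user ?: null;
}

/** May $viewer manage profile $profile_id? Only its owner or staff. */
function can_manage_profile($viewer, $profile_id) {
    if ($viewer === null) {
        return false;                                   // not logged in
    }
    return (int) $viewer['id'] === (int) $profile_id    // their own profile
        || (int) $viewer['user_level'] >= STAFF_LEVEL;  // or they are staff
}

/** Call at the top of profile_edit.php etc.: hiding the links does not protect the pages. */
function require_can_manage_profile(mysqli $db, $profile_id) {
    if (!can_manage_profile(current_user($db), $profile_id)) {
        header('HTTP/1.1 403 Forbidden');
        exit('You are not allowed to manage this profile.');
    }
}

// Usage in view_user.php (after $id = (int) $_GET['id']; $db is a mysqli connection):
//   if (can_manage_profile(current_user($db), $id)) { /* echo the Edit Profile links */ }
// Usage at the top of profile_edit.php, before any form handling:
//   require_can_manage_profile($db, (int) $_GET['id']);
```

The same check runs in both places on purpose: the page that displays the links decides what to show, and the page that does the editing refuses a request that arrives without the links.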
chris_rulez001 (author), posted June 17, 2007:

Thanks for your help, I'm going to add the permissions now.