I have two tables (blog_members and blog_posts) which are related 1 to many, 1 member to many posts. Therefore, in order to be able to relate the two I had to make one field in blog_posts named memberID and set up the relation between this field and the one from blog_members.
Now, I'm trying to make a script to add posts into the database. The thing is, now I have the field memberID in blog_posts which needs to be the same with the one from blog_members in order to be related. So, I'm trying to get the current logged in memberID from the blog_members so I can introduce it into the blog_posts.
I know this can be done with an input where you can type your ID but it doesn't feel right, I want this to be in the back, not to be seen.
Short story:
$memberID = get current logged in memberID from blog_members;
//insert into database
$sql="INSERT INTO blog_posts (memberID, postTitle,postDesc,postCont,postDate) VALUES('$memberID',$postTitle','$postDesc','$postCont','$postDate')";
$result=mysqli_query($link,$sql);
if($result){
echo '<p>Added successfully!</p>';
}else {
echo "Error: ".$sql."<br>".mysqli_error($link);
}
Normally you would store the ID of the logged in user in a session:
$_SESSION['login_userid'] = // THE USER ID OBTAINED FROM LOGIN
Now it will be stored in the browser as $_SESSION['login_userid'] and you can just put this to the top of your code:
$memberID = $_SESSION['login_userid'];
On every page where you use sessions you must run session_start() before the first line of HTML code. If you are not sure how to create your own login system, have a look at this tutorial.
Note: memberID is not unique in the blog_posts table, as one user can create many posts. You should probably create a primary key blogpostID as well.
Related
I made a login function with bruteforce protection, different bot protection functions like honeypot.., input filtering, Argon2 encrypted password.
But in the end to identify the user i save the id inside a session after a successful login.
With this id until now i checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How i could improve the security ?
How else i could check if a user is an admin ?
You should do as I will direct you
As long as you have user id in act so it's half of the way
I will assume that you have function.php which have all the functions you use in website
Also you have login function that check user account details and give access
You now need to improve that to restrict user access
First:
Create table in MySQL call it group this table will have two records or as you like so. Admin will have id 1 and members id 2 then you can make much modifications like make another column in that table called upload and set admin to yes while members to no
Second in your login function use the following
$res = mysql_query("SELECT * FROM users INNER JOIN group ON users.class=group.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
Users.class is the group id and users is the table users
Now you can check group credits as example if on upload page you do the following
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on group as you need also you can make much classes like admin , members, uploders, reviewers,authors and give every class special permissions as website content is viewed
On admin.php you can use
if($row["admin"]=="no")
ech("admin only can view this page ");
In both examples above Admin and can_upload is colum in group table and it's changed by user class .
I have written an SQL query and a $_SESSION cookie called "username" basically what I am trying to do is query the database for the "logged in" users rank that is contained in the "rank" column in the "members" table of my database.
Here is my header code to check that they are actually logged in (otherwise it redirects them to the login page)
session_start();
if (!isset($_SESSION['username'])) {
header("location:login/main_login.php");
}
AND Here is what I have so far for my query but I have absolutely no clue how to proceed in only selecting the user that is logged in. Note: I am aware that the query is not completed
$result = $conn->query("SELECT rank FROM members WHERE ");
$userrank = $result->fetchAll(PDO::FETCH_OBJ);
I've also set a variable for MyRank so that I can check the users rank to display specific content. (Not sure if that really matters in terms of my query but hopefully you get the idea.)
$MyRank = $userrank[1]->rank;
EDIT: additional information.
So basically I am trying to display content based on what the users rank is in my database. IE) if they are an administrator I want to show specific html. If they are a user I want to show a different set of html. How I'm doing it currently (that isn't working) is by a php if statement like so:
if ($MyRank == "Administrator"){
echo adminpanel();
}else if ($MyRank == "User") {
echo userpanel();
}
Basically the problem I'm having is that my User or Admin panels wont display unless ALL the users in my database are "Administrator" or "User". If there is an Administrator and a User in that table it will show nothing at all.
Based on guesses:
$authUser = $_SESSION['username']; // get the logged in user from session, guess this is the username
$result = $conn->query("SELECT rank FROM members WHERE username='$authUser';");
// if its userid then userid=$authUser without single quotes
$userrank = $result->fetchAll(PDO::FETCH_OBJ);
So right now, I've got a working PHP script that can delete posts from my network. But right now, everyone is able to delete everyones posts if they are logged in. I want restrict this to the authors of the posts, so they are only able to delete their own posts. How can I do this?
This is how my delete.php it looks like:
<?php
session_start();
if (empty($_SESSION['user_id'])) {
header('Location: index.php');
exit;
}
$user_id = $_SESSION['user_id'];
include "connect.php";
if(isset($_GET['id'], $user_id))
{
mysqli_query($GLOBALS["___mysqli_ston"], "DELETE FROM posts WHERE id=".$_GET['id']);
mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE users SET posts = posts - 1 WHERE id='$user_id' ");
header("location: index.php");
}
mysqli_connect();
?>
In the main page where the posts are being displayed, the button is displayed like this:
Delete
It finds the postid itself. I have two tables, users and posts. Both has the column user_id, so the post table does get same user_id as in users_id.
First, your code is not safe!
Keep in mind that everyone can mess with your system when not escaping user input! You should read more about here
As you are checking already by the session if the deleting user is logged in, you now have to fetch the data from the deleting post (look for the post with the given post id in $_GET['id'] (ESCAPE IT!!!)) in table "posts". As you said, your table "posts" contains the field "user_id" and if you get this value you can simply compare it by the id given by $_SESSION["user_id"]
I'v got a registeration code which inserts user details into the table that I chose.
The problem is that I added a "confirm code" to the user, so every account is needed to verify his user through his mail. After the confirmation is done, the Column "confirmation" changes to "confirmed". If the user does not verify his account, the confirm code will stay in the "confirmation" Column.
The problem is that I made a table in html, which uses the DB in order to show the active users.
I don't want that the not-confirmed users will appear in the tbale, so I tried to add some conditions:
$cu = mysql_query("SELECT * FROM `users` where uname='$uname' && confirmation='confirmed'");
$cu = mysql_fetch_array($cu);
and another one :
$select2 = mysql_query("SELECT * FROM `users` WHERE uname='$uname' && confirmation='confirmed'");
It's working.. but only half way. I mean, when the not-confirmed user tries to log in, it shows him a blank page. It's ok, cuz I don't want the non-confirmed users will log in.
But... the confirmed users still see the not-cofirmed users in the active users table..
It's like the table doesn't even checks if the user is confirmed or not, it's just shows him either way.
So I thought about a way in which users will move to another table, called "hold", which will consist of all the non-confirmed users. Then, every user who will verify his account, the sql will recognize it and when the confirmation columm is changed to "confirmed", it's going to move the user to the "users" table, so his name will appear in the active user table.
How can I do it? How can I "make" the sql table to auto recongize if the user is confirmed or not, and move him to another table..
or.. if is there any way to "hide" the not-confirmed users from the active users table, it's also fine.
Thanks alot :)
Basically either you need to setup a cron which check if the user is not confirmed then move to hold tabe or write a trigger in mysql whenever any user got confirmed.
You can get the last result and insert after the last result.
See this example:
$sql = mysql_query("
INSERT INTO tabel_name(col1, col2,col3) values('foo','bar','some');
INSERT INTO table_name2(col,col2) SELECT col2,col3 FROM tabel_name
ORDER BY id DESC LIMIT 1;
");
I want to create a user history function that allows shows users what they done.
ex: commented on an ad, posted an ad, voted on an ad, etc.
How exactly do I do this?
I was thinking about...
in my site, when they log in it stores their user_id ($_SESSION['user_id'])
so I guess whenever an user posts an ad(postad.php),
comments(comment.php), I would just
store in a database table
"userhistory" what they did based on
whenever or not their user_id was
activate.
When they comment, I store the user_id in the comment dbc table, so
I'll also store it in the
"userhistory" table.
And then I would just queries all the rows in the dbc for the user to
show it
Any steps/improvements I can make? :)
Look at the statistics and logging section of media wiki schema. You can implement something similar to this.
http://upload.wikimedia.org/wikipedia/commons/4/41/Mediawiki-database-schema.png
Similarly, what you could do is have mySQL based logging, ie every page hit is logged in the mySQL database, which tracks the IP, userid, datetime and page requested.
Then for the page that you view history, you could have a script like this. This is just pseudo code, so take it at face value.
<?php
$actions = array('comment.php' => 'posted a comment', "postedad.php" => "posted an ad");
$query = mysql_query("SELECT * FROM logHits JOIN users ON users.id = logHits.userid WHERE loghits.userid = $userid");
while ($row = mysql_fetch_array($query)) {
echo $row['username']." ".$actions[$row['pagename']."<br />";
}
?>
Again, this is just pseudo code and you can most certainly improve the concept by it. You could possibly use a combination of printf();/sprintf(); and make it so, for example, "a comment" in the action text hyperlinks to the actual comment.
There are quite a few ways to go about this. This probably isn't the best way.
You could also just do an insert query to a table like userHistory whenever the persons does an action like you specified. This is probably the best way to go about it. You could have that able with fields like id, userid, actiontype, actionid
actiontype would be "comment" or so, and actionid would be the id of the posted entry. Then you could easily map actiontypes to the comment page (passing the actionid) to view the actual posted comment.