I'm trying to have a universal "Accounts" page that displays user profiles based on who is viewing it. If as a signed in user, this is my page, content served reflects my ownership. I tried something like
<title>
<?php
if ($_SESSION["first_name"]) { //this $_SESSION["first_name"] = $_COOKIE["first_name"]?
?> My Profile </title>
<?php
}
else
?>
User's Profile </title> <!--This line is wrong-->
But it does not do what I want it to. Also, that last line User Profile, does it mean I have to create a unique index page for each user? I thought PHP can dynamically make it possible to view a user's profile without doing a file write at each sign up?
Actually i cant understand ur question but its my guess that u need this .
$user_id = //user id from db of current viewing user
if($_SESSION['user_id'] == $user_id)
{
echo 'My profile';
}
else
{
echo 'user profile';
}
Related
I have an issue regarding viewing of data. I'm working on some real estate project where there is a Code Page (to enter the code for House Status) and a Status Page (where details of house are displayed). Now, I can block the users from redirecting to Status Page on entering wrong code until they enter the correct one. What if the user tries to enter some random code in the URL of Status Page, then in case of wrong code, the page displays errors. How can I avoid this? And how can I just redirect the user back to Code Page in this case?
Updated:
I have used the condition on my View Page:
<body id="status-page">
<?php
if($listing[0]['code'] != $listing_code){
die();
}else{ ?>
<!-- Content -->
<div class="page-loader-wrapper">
....
</div>
<?php } ?>
Controller:
function index(){
$listing_code = $this->uri->segment(3);
$result = $this->status_model->get_listing($listing_code);
$data['listing'] = $result;
$data['listing_code'] = $listing_code;
}
Model:
function get_listing($listing_code){
$this->db->select('*');
$this->db->from($this->listings_table);
$this->db->where('code',$listing_code);
$query = $this->db->get();
$result = $query->result_array();
return $result;
}
Everything's working fine except that when i change the url code for a wrong one then instead of terminating the Page, it displays errors....
You have different options
1 ) Generate a hard code to guess , you can do that by using something like this
$code = substr(md5(rand(16, time())), 0, 16);
In case the user types in a wrong code and it displace error
use an if command to kill the rest of the pageif(condition to check if code exists ) {die();}
2) Or create a login and create a table listing the people who can use the code
With help from #teresko I've managed to create dynamic pages (& their urls) for my site using the loop below. My problem is how do i get the newly created page at ahref to combine data I have in database with the template (which I already have ready), so that when the user clicks on it, she/he goes to the page populated with the data. Am i supposed to use a javascript click function (would rather not). How would i do it with php and html?
Here is the loop generating the URLs:
<?php foreach ($reciperow as $recipe) { ?>
<h2><?php echo $recipe['rectitle'];?></h2>
<p class="subhead"><?php echo $recipe['recsummary']; ?></p>
<?php } ?>
Would really appreciate a solution that stays clear of routing, since my site's a basic project and I plan to get to MVC and PHP routing in the next projects. Thanks.
If you meant How, when user clicks generated link, show him page with data from database accordingly to "id" he/she selected, then do the following:
<?php
$id = intval($_REQUEST['id']);
if ($id) { // user get here by clicking on link with id
$data = ... // fetch data from database
?>
<sometag>Some data from database:<?php echo $data['somecollumn']; ?></sometag>
...
<?php
} else {
// user just opened first page
// generate links list as usual
...
foreach ($reciperow as $recipe) {
?>
<h2><?php echo $recipe['rectitle'];?></h2>
<p class="subhead"><?php echo $recipe['recsummary']; ?></p>
<?php
}
...
}
?>
Edit:
Is this how it is normally done for simple sites?
Depends.
If you has only one entity in datadabe, then there will be no arguments clash, id is identifier only for recipies, but if you intent to show also details for, f.e. ingredients, furniture and/or more, then you must add specificators.
Like, links will look like
<a href="?show=recipie&id=<?php echo $recipe['uniqno'];?>">
<a href="?show=ingredient&id=<?php echo $ingredients['id'];?>">
... and then data must be fetched and displayed correspondingly:
$id = ...;
if ($id)
switch ($_REQUEST['show']) {
case 'recipie':
// show recipie data
break;
case 'ingredient':
// show ingredient data
break;
case ...
default:
// show start page
}
But with addition of another entities yours .php file will grow. Another solution will be to add separate scripts for handling each entity:
// generate links list as usual
...
foreach ($reciperow as $recipe) { // look at `recipie.php` portion of link's href
?>
<h2><?php echo $recipe['rectitle'];?></h2>
<p class="subhead"><?php echo $recipe['recsummary']; ?></p>
<?php
}
And add recipie.php file in the same folder as base script with following contents:
<?php
$id = intval($_REQUEST['id']);
if ($id) { // user get here by clicking on link with id
$data = ... // fetch data from database
?>
<sometag>Some data from database:<?php echo $data['somecollumn']; ?></sometag>
...
<?php
} else {
?>
<h1 class="error">No recipie ID specified</h1>
<?php
}
<?
Further exploring will bring you to concepts of MVC and routing via human-friendly-links format, when links looks like /home, /recipie/12 and/or /recipie/?id=12 or even /recipie/12-cream-pie. But that's story for another time...
I want to hide button in search menu to specific page for normal users so they can't access to page witch is for administrators only. i'm new at writing this code so i'm asking you guys who have much more knowledge than me for help.
I want to hide File/page name upload.php for normal users and show for administrators only
Is anyone know how could i do this with php?
i'm really appreciate for every help. Thank you!
You can capture user type of user's in session. And, according to user type show / hide button.
<?
if(S_SESSION['userType'] == 'Admin') {
//Show
}
if(S_SESSION['userType'] == 'User') {
//Hide
}
?>
It's hard to give an advice without your context, but an simple example for your scenario:
// Normal Page
if($_SESSION['user_level'] > x){
//show button
}
// Admin-Only-Page
if($_SESSION['user_level'] < x){
die("Access denied");
}
Depends of how you define the administrator, if he is the user whose the Id is 1 for example, use the following script:
<?php
$current_user_id = // get it from the session if user is logged in
If ($current_user_id == 1):
?>
<input ...>
<?php endif; ?>
For that you need to set one flag in Database as user is admin or normal user.
after that in your code check with condition that logged in user is admin or not;
for example admin role is 1 then:
if($user->role == 1){
// your button code
}
simple, Enjoy :)
for example, you can use following Conditional statement :
if ($user -> role == 1){
// `enter code here`
}
I have two MySQL tables. The first one is for the user's credentials i.e. username, password, business_id (system generated). The second one has the user's profile for multiple entities e.g. business name, location, profile_id and business id (system genrated - the same number for the business_id).
The user can edit the details of their business details i.e. their details in the second table. The business id would be say 'abcdef' and profile id would be say 1234567, if they have a second business profile it would be say 1235879.
In order to edit each profile I would have to have the following URL
Edit Business Profile
For the second one it would be
Edit Business Profile
In turn when the a href is clicked the url in the browser would be edit_profile.php?id=1234567 and for the second one would be edit_profile.php?id=1235879
Would it be possible that instead of having edit_profile.php?id=1234567 and edit_profile.php?id=1235879 in the URL I would have edit_profile.php?id=1234567 and for the second one would be edit_profile.php
I don't want the User to see the id i.e. have only edit_profile.php
Ideally, I would like to use a PHP solution, please.
Yes, it is possible, but not exactly what are you trying to do
Solution #1
Intoduction
First of all, it should work only on users who are currently logged in and are trying to see their profile. The final results to reach is to not display ID in URL if ID is equal to current logged user's ID. It is more common than Solution #2 but if you want to hide all IDs, skip this solution.
Pluses:
There is not too much to change, just add a few more lines for checking current user ID
You can still use <a></a> tags for Edit Business Profile links.
Minuses:
Only current logged user's ID will be hidden in the URL
So what to do...
You probably use sessions to let users remain logged in even if they refreshed the page. You are on the right path, but you should add at least one more element to $_SESSION (Profile identification, so we can call it as profile_id for example).
Assume you are using this login formula:
function check_login($username, $password)
{
// query to find user with these inputs (encrypted password, prepared statements, etc)
if($query->num_rows > 0) // user exists
{
// fetch your query
// ...
session_start();
// set the session probably user is logged
// some return on success (probably redirect)
}
else
{
// some return on false
}
}
Now you should add one more $_SESSION element to save your current profile_id value:
session_start();
// ...
$_SESSION['profile_id'] = $result->profile_id; // <--- THIS IMPLEMENT
// some return on success (probably redirect)
1/2 is done!
Half of the problem is already finished, now all you need to do is compare $_GET input with $_SESSION.
Again, assuming your edit_profile.php file looks like this:
if(isset($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
So now instead of error profile id is not defined we can assign to $profile_id variable index profile_id of superglobal $_SESSION:
else
{
$profile_id = intval($_SESSION['profile_id']);
}
Notice that I am assuming you have condition to reject access to this script, if user is not logged (some condition at the start).
Now your code should work but maybe you are asking the question what if user knows his ID and types it into URL?
So you have two choices:
Let it be as it is
Add condition to check if $_GET['id'] equals to $_SESSION['profile_id'] then redirect to edit_profile.php
Final thoughts...
Maybe if you are generating the list of the users, where the user can edit the others' users profiles including himself's, you want to remove id parameter of the edit_profile.php URL if the user's ID is equal to current ID in fetch loop. You can inspire by this simple function:
function generate_profile_edit_url($id)
{
session_start(); // for the case, you don't have started session yet
return 'Edit Business Profile';
}
Just in every fetch iteration you will use this function, like in the example below:
// ...
echo generate_profile_edit_url($result->profile_id);
// ...
Solution #2
Introduction
This solution will reach to the editing user's profile without any ID parameter in URL. It is designed for situation where user has rights to edit someone else's profile (for example, a moderator or an admin) and you still don't want to have the users' ID in the URL.
Pluses:
No ID parameter in URL needed for all users
Minuses:
you have to change every profile link to little form using POST action without JavaScript knowledge
no more <a></a> links for profile edit, again without JavaScript knowledge
users are still able to get their id if they want to
So what to do...
Firstly, we need to change edit_profile.php file. We have to recieve $_POST data containing target's profile_id.
Like in Solution #1, assume your edit_profile.php looks like:
if(isSet($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
Most of the changes will be just replacing $_GET with $_POST:
if(isSet($_POST['profile_id']) && !empty(trim($_POST['profile_id'])))
{
$profile_id = intval($_POST['profile_id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
For this file, it is enough.
Now there is some more work to do if you have a placed profile links in different files. But we can make it easier using one simple function like this:
function get_profile_edit_button($profile_id)
{
$html = '<form action="edit_profile" method="POST">';
$html .= '<input type="hidden" name="profile_id" value="' . intval($profile_id) . '">';
$html .= '<input type="submit" value="Edit Business profile">';
$html .= '</form>';
return $html;
}
The last thing is replace current edit profile links with this function. For example you have fetch loop of users:
// ...
echo 'Edit Business Profile';
// ...
So you will replace this string with your function get_profile_edit_button():
// ...
echo get_profile_edit_button($result->profile_id);
// ...
Final thoughts...
As I mentioned in minuses, profiles' ids cannot be totally hidden. If someone opened Source code of your page, he can see profile_id in hidden form type:
<input type="hidden" name="profile_id" value="1234567">
It is only on you what solution you prefer, but I can recommend you Solution #1. There is nothing bad about having IDs in URL. Stack Overflow has it too as you can see it on questions, answers, comments and users.
Useful resources:
PHP Session Security
PHP form token usage and handling
When logging in, try saving the user ID and business ID inside session.
As for example..
$logged_in = some_logic_stuffs();
if($logged_in){
session_start();
$_SESSION['user_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
$_SESSION['business_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
}
Now, when user goes to edit_profile.php, do
session_start();
$business_id = $_SESSION['business_id'];
$user_id = $_SESSION['business_id'];
For the login logic, try reading this tutorial:
http://www.formget.com/login-form-in-php/
If the user can edit multiple business profiles, the $_SESSION solutions would not work. You would need to disguise what gets sent to the address bar:
You would need to change your code to POST the data rather than sending it as a GET request.
To do this you could either use JavaScript to fake a form post on the link click, or wrap your link in a form tag and set method="POST".
POST sends the data "behind the scenes" rather than exposing it in the browser. I should add that this would still be visible to anyone wanting to discover your IDs, but it would hide it from the casual user at least.
If you really wanted security, #BobBrown's suggestion to tokenise would be a great way forward. You may find, however, that just hiding the ID from display on-screen is enough. Just make sure your user management system will restrict who can edit a particular business.
Try this
<?php
session_start();
include('dbconnect.php');
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
$userid = $_SESSION['id'];
}
else
{
$_SESSION['id'] = "";
$_SESSION['username'] = "";
}
if($username <> "")
{
$username = 'username';
$userid = 'id';
}
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900))
{
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
then
<?php
#if the form is set (meaning that the information was submitted then define what the parameters are for each
if(isset($_REQUEST['username']) == TRUE)
{
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
#make sure there are no blank fields
if($username == "" OR $password == "")
{
echo '<p class="text-danger">Please enter a Username and Password</p>';
}
else
{
$userid = finduser($username, $password);
if($userid > 0)
{
loginuser($userid);
}
else
{
echo '<p class="lead text-danger">The Username and/or Password enter is incorrect</p><br />';
}
}
}
?>
after that then this
<?php
if(isset($_SESSION['username']))
{
if($_SESSION['username'] <> "")
{
//do something
}
else{
//form or something else
?>
<form>form goes here</form>
<p> or something else you want</p>
<?php
}
}
?>
Start your PHP with session_start(); then when the user logs in make a session value for the ID:
$_SESSION['profile-id'] = 1235879; //Select it from database
after in your edit_profile.php do that:
if (!isset($id)) {
$id = $_SESSION['profile-id'];
}
And then edit the $id.
Store the id in session on the first page:
$_SESSION['id'] = 12345;
And on edit_profile.php you can get the value by:
$id = $_SESSION['id'];
And start the session on every page by session_start();
Easiest and simplest way to handle your situation if you want to use Id or any information in URL and pass it through URL
then you can have a scret combination with your values like below
Firt you have to encode the value with your secret stuff for example
$sshhh="ITSMY_SECRET_VALUECODE";
$encrypted_id = base64_encode($your_value . $sshhh);
Then pass it (encrpyted_id) in URL
for example href="all-jvouchers.php?id=<?= $encrypted_id; ?>
and while getting value use below code to get back your value
$sshhh="ITSMY_SECRET_VALUECODE";
$decrypted_id_raw = base64_decode($_GET['id']);
$decrypted_id = preg_replace(sprintf('/%s/', $sshhh), '', $decrypted_id_raw);
Use $decrypted_id wherever and however you want to securely
Please tell me a way on how to make that if the user has not logged-in the site, he cannot see specific text, instead he will see something like "This content is only for registered users. To register click here." Or something around that way...
Thanks!
set SESSION['user_id'] value for the logged user
and u apply the logic on that specific div
if(!isset(SESSION['user_id']) || empty(SESSION['user_id']))
{
echo "Please <a href='register.php'>login/register</a> to view this content";
}
else
{
<div>
// your content and whatever
</div>
}
Pass your text from some conditions and check before echoing it. For an example
Check if the user is logged in though session variable directly or you can create method/function for this
if (is_user_logged_in() === TRUE)
{
echo $content;
}
else
{
echo "This content is only for registered users. To register click here."
}
This is just a simple example.