How would I go about this?
I am allowing users to sign in via various social websites. I get their unique identifiers and than redirect them to some other page
$id = ($profile->identifier);
$newURL = "/your-data/$id";
header('Location: '.$newURL);
, where they will be able to store some data about themselves.
I know and I will get here all data neccessary and save it to database.
I would like, on /your-data/98432048320
show them website generated from /template/header,index,footer.php
Here is what I have done so far to get this working:
on your-data/index.php
<?php
include("templates/header.htm");
// Set the default name
$action = 'index';
// Specify some disallowed paths
$disallowed_paths = array('header', 'footer');
if (!empty($_GET['action'])) {
$tmp_action = basename($_GET['action']);
// If it's not a disallowed path, and if the file exists, update $action
if (!in_array($tmp_action, $disallowed_paths) && file_exists("templates/{$tmp_action}.htm"))
$action = $tmp_action;
}
// Include $action
include("templates/$action.htm");
include("templates/footer.htm");
?>
I can not get it to run. It`s just plain PHP, no frameworks...
You should not generate dozens of templates for each unique user. It would be quite redundant.
Instead, make one php file, let's call it content.php (whatever).
Such file can contain dynamically generated data respectively to certain user. Include content.php to your main index.php.
your-data/index.php:
<?php
include("templates/header.htm");
$action = 'index'; // Set the default name
if (!empty($_GET['action'])) {
$tmp_action = basename($_GET['action']);
if (is_numeric($tmp_action)){ // check if user identifier was passed in
include("templates/content.php");
}
}
include("templates/footer.htm");
?>
Now $tmp_action variable is freely accessible within content.php.
content.php:
<?php
$userId = (int) $tmp_action;
// possible case
$query = "SELECT name, age, activity FROM social_users WHERE id = ". $userId;
// here you can get all needed data for certain user
// which can be shown in #mainContainer div
?>
<div id="mainContainer"></div>
Related
I am using PHP to create a social media platform. I have a fully sizeable page for the user you are viewing that is adjusting by who you are trying to view in the URL. If you go to profile.php?user=(USERNAME) it will display the data of that user.
But I want something extra to that. I do not want my users to have to fill in a difficult URL like that. I want them to be able to type profile/(USERNAME) and that it will show the data of the user they are viewing.
So how can I make it possible that the GET from ?user=(USERNAME) is in the /(USERNAME).
I hope my question is clear. Looking forward to questions or answers.
Kind regards,
Serge
The following should work for you.
Set up an input field and set the value to /profile -> <input value="profile/">, (see below HTML code for example), so that auto populates in the field for the users to type into. Then run your post value through php and check if set, sanitize (see https://www.php.net/manual/en/function.urlencode.php for more info), then build your url, lastly run that through a header redirect to redirect to the profile page.
Example below:
HTML:
<form method="post"><!--// No action needed as we will redirect with php `header()` if submit is pushed. //-->
View Users Profile:
<input type="text" value="profile/" name="searchUser" id="searchUser" ><br><br>
<input type="submit" name="submit" value="Submit">
<?=$url?><!--// Used simply to echo out your url string for testing purposes, if you are testing, simply comment out the header line in the php so the code does not redirect you to the url //-->
</form>
PHP:
$url = null; // Declare an empty variable to display URL for testing purposes
// * Not needed if your not displaying this url to test the output of your url string
// Make sure the $_POST globals are set using isset()
if(isset($_POST['submit']) && isset($_POST['searchUser'])){
// Remove the `profile/` string from the input value so we only have the user being searched
$post = str_replace("profile/","",$_POST['searchUser']);
// More sanitation may be needed depending on what you allow your users to use for usernames
$cleanPost = filter_var ( $post, FILTER_SANITIZE_STRING);
// Get the server host
$host = $_SERVER['HTTP_HOST'];
// Get the directory
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
// Get the root
$root = 'myawesomesocialsite.com';
// Set the path to profile and add the field input from user
$profile = "/profile?user=".$cleanPost;
// Construct the URL using the declared variables
$url = "http://$host$uri/$root$profile";
// Redirect user using header()
// Comment the header("Location: $url"); out to test the output of your $url string if you're getting errors with redirect
header("Location: $url");
exit();
}
Using a function:
function constURL($root, $dir){
$post = str_replace("profile/","",$_POST['textInput']);
$cleanPost = filter_var ( $post, FILTER_SANITIZE_STRING);
$host = $_SERVER['HTTP_HOST'];
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$urlPost = "?user=".$cleanPost;
$url = "http://$host$uri/$root$dir$urlPost";
header("Location: $url");
exit();
}
// USE FUNCTION
// Make sure you set the values for root and dir
if(isset($_POST['submit']) && isset($_POST['searchUser'])){
$root = 'myawesomesocialsite.com';
$dir = "/profile";
constURL($root, $dir);
}
i want to display 5 php files content randomly but non repeating when clicked a button [NEXT] using php/javascript (that works in php desktop as well).
the code i used did displayed random web page on page load but i did came across repeated web page
this is the code i used for index.php file:
<?php
$RandomList = array();
$RandomList[] = "/review/review-a1.php";
$RandomList[] = "/review/review-a2.php";
$RandomList[] = "/review/review-a3.php";
$RandomList[] = "/review/review-a4.php";
readfile($_SERVER['DOCUMENT_ROOT'].$RandomList[rand(0,count($RandomList)-1)]);
?>
please suggest how to get non repeated files .
Just save paths you already used in the session:
//Read visited paths from session or create a new list.
//?? works only in PHP7+. Use isset()?: instead of ?? for previous versions
$visitedPaths = $_SESSION['visitedPaths'] ?? [];
//Your list, just slightly changed syntax. Same thing
$randomList = [
"/review/review-a1.php",
"/review/review-a2.php",
"/review/review-a3.php",
"/review/review-a4.php"
];
//Remove all paths that were already visited from the randomList
$randomList = array_diff($randomList, $visitedPaths);
//You need to check now if there are paths left
if (!empty($randomList)) {
//The user did not load all files, so we can show him the next one
//Use array_rand() rather than $array[rand(0, count($array) -1)]
$randomPath = $randomList[array_rand($randomList)];
readfile($_SERVER['DOCUMENT_ROOT'] . $randomPath);
//Now we need to save, that the user loaded this file
$visitedPaths[] = $randomPath;
//And we need to save the new list in the session
$_SESSION['visitedPaths'] = $visitedPaths;
} else {
//TODO: Add some logic in case all paths have been visited
}
I have two MySQL tables. The first one is for the user's credentials i.e. username, password, business_id (system generated). The second one has the user's profile for multiple entities e.g. business name, location, profile_id and business id (system genrated - the same number for the business_id).
The user can edit the details of their business details i.e. their details in the second table. The business id would be say 'abcdef' and profile id would be say 1234567, if they have a second business profile it would be say 1235879.
In order to edit each profile I would have to have the following URL
Edit Business Profile
For the second one it would be
Edit Business Profile
In turn when the a href is clicked the url in the browser would be edit_profile.php?id=1234567 and for the second one would be edit_profile.php?id=1235879
Would it be possible that instead of having edit_profile.php?id=1234567 and edit_profile.php?id=1235879 in the URL I would have edit_profile.php?id=1234567 and for the second one would be edit_profile.php
I don't want the User to see the id i.e. have only edit_profile.php
Ideally, I would like to use a PHP solution, please.
Yes, it is possible, but not exactly what are you trying to do
Solution #1
Intoduction
First of all, it should work only on users who are currently logged in and are trying to see their profile. The final results to reach is to not display ID in URL if ID is equal to current logged user's ID. It is more common than Solution #2 but if you want to hide all IDs, skip this solution.
Pluses:
There is not too much to change, just add a few more lines for checking current user ID
You can still use <a></a> tags for Edit Business Profile links.
Minuses:
Only current logged user's ID will be hidden in the URL
So what to do...
You probably use sessions to let users remain logged in even if they refreshed the page. You are on the right path, but you should add at least one more element to $_SESSION (Profile identification, so we can call it as profile_id for example).
Assume you are using this login formula:
function check_login($username, $password)
{
// query to find user with these inputs (encrypted password, prepared statements, etc)
if($query->num_rows > 0) // user exists
{
// fetch your query
// ...
session_start();
// set the session probably user is logged
// some return on success (probably redirect)
}
else
{
// some return on false
}
}
Now you should add one more $_SESSION element to save your current profile_id value:
session_start();
// ...
$_SESSION['profile_id'] = $result->profile_id; // <--- THIS IMPLEMENT
// some return on success (probably redirect)
1/2 is done!
Half of the problem is already finished, now all you need to do is compare $_GET input with $_SESSION.
Again, assuming your edit_profile.php file looks like this:
if(isset($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
So now instead of error profile id is not defined we can assign to $profile_id variable index profile_id of superglobal $_SESSION:
else
{
$profile_id = intval($_SESSION['profile_id']);
}
Notice that I am assuming you have condition to reject access to this script, if user is not logged (some condition at the start).
Now your code should work but maybe you are asking the question what if user knows his ID and types it into URL?
So you have two choices:
Let it be as it is
Add condition to check if $_GET['id'] equals to $_SESSION['profile_id'] then redirect to edit_profile.php
Final thoughts...
Maybe if you are generating the list of the users, where the user can edit the others' users profiles including himself's, you want to remove id parameter of the edit_profile.php URL if the user's ID is equal to current ID in fetch loop. You can inspire by this simple function:
function generate_profile_edit_url($id)
{
session_start(); // for the case, you don't have started session yet
return 'Edit Business Profile';
}
Just in every fetch iteration you will use this function, like in the example below:
// ...
echo generate_profile_edit_url($result->profile_id);
// ...
Solution #2
Introduction
This solution will reach to the editing user's profile without any ID parameter in URL. It is designed for situation where user has rights to edit someone else's profile (for example, a moderator or an admin) and you still don't want to have the users' ID in the URL.
Pluses:
No ID parameter in URL needed for all users
Minuses:
you have to change every profile link to little form using POST action without JavaScript knowledge
no more <a></a> links for profile edit, again without JavaScript knowledge
users are still able to get their id if they want to
So what to do...
Firstly, we need to change edit_profile.php file. We have to recieve $_POST data containing target's profile_id.
Like in Solution #1, assume your edit_profile.php looks like:
if(isSet($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
Most of the changes will be just replacing $_GET with $_POST:
if(isSet($_POST['profile_id']) && !empty(trim($_POST['profile_id'])))
{
$profile_id = intval($_POST['profile_id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
For this file, it is enough.
Now there is some more work to do if you have a placed profile links in different files. But we can make it easier using one simple function like this:
function get_profile_edit_button($profile_id)
{
$html = '<form action="edit_profile" method="POST">';
$html .= '<input type="hidden" name="profile_id" value="' . intval($profile_id) . '">';
$html .= '<input type="submit" value="Edit Business profile">';
$html .= '</form>';
return $html;
}
The last thing is replace current edit profile links with this function. For example you have fetch loop of users:
// ...
echo 'Edit Business Profile';
// ...
So you will replace this string with your function get_profile_edit_button():
// ...
echo get_profile_edit_button($result->profile_id);
// ...
Final thoughts...
As I mentioned in minuses, profiles' ids cannot be totally hidden. If someone opened Source code of your page, he can see profile_id in hidden form type:
<input type="hidden" name="profile_id" value="1234567">
It is only on you what solution you prefer, but I can recommend you Solution #1. There is nothing bad about having IDs in URL. Stack Overflow has it too as you can see it on questions, answers, comments and users.
Useful resources:
PHP Session Security
PHP form token usage and handling
When logging in, try saving the user ID and business ID inside session.
As for example..
$logged_in = some_logic_stuffs();
if($logged_in){
session_start();
$_SESSION['user_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
$_SESSION['business_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
}
Now, when user goes to edit_profile.php, do
session_start();
$business_id = $_SESSION['business_id'];
$user_id = $_SESSION['business_id'];
For the login logic, try reading this tutorial:
http://www.formget.com/login-form-in-php/
If the user can edit multiple business profiles, the $_SESSION solutions would not work. You would need to disguise what gets sent to the address bar:
You would need to change your code to POST the data rather than sending it as a GET request.
To do this you could either use JavaScript to fake a form post on the link click, or wrap your link in a form tag and set method="POST".
POST sends the data "behind the scenes" rather than exposing it in the browser. I should add that this would still be visible to anyone wanting to discover your IDs, but it would hide it from the casual user at least.
If you really wanted security, #BobBrown's suggestion to tokenise would be a great way forward. You may find, however, that just hiding the ID from display on-screen is enough. Just make sure your user management system will restrict who can edit a particular business.
Try this
<?php
session_start();
include('dbconnect.php');
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
$userid = $_SESSION['id'];
}
else
{
$_SESSION['id'] = "";
$_SESSION['username'] = "";
}
if($username <> "")
{
$username = 'username';
$userid = 'id';
}
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900))
{
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
then
<?php
#if the form is set (meaning that the information was submitted then define what the parameters are for each
if(isset($_REQUEST['username']) == TRUE)
{
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
#make sure there are no blank fields
if($username == "" OR $password == "")
{
echo '<p class="text-danger">Please enter a Username and Password</p>';
}
else
{
$userid = finduser($username, $password);
if($userid > 0)
{
loginuser($userid);
}
else
{
echo '<p class="lead text-danger">The Username and/or Password enter is incorrect</p><br />';
}
}
}
?>
after that then this
<?php
if(isset($_SESSION['username']))
{
if($_SESSION['username'] <> "")
{
//do something
}
else{
//form or something else
?>
<form>form goes here</form>
<p> or something else you want</p>
<?php
}
}
?>
Start your PHP with session_start(); then when the user logs in make a session value for the ID:
$_SESSION['profile-id'] = 1235879; //Select it from database
after in your edit_profile.php do that:
if (!isset($id)) {
$id = $_SESSION['profile-id'];
}
And then edit the $id.
Store the id in session on the first page:
$_SESSION['id'] = 12345;
And on edit_profile.php you can get the value by:
$id = $_SESSION['id'];
And start the session on every page by session_start();
Easiest and simplest way to handle your situation if you want to use Id or any information in URL and pass it through URL
then you can have a scret combination with your values like below
Firt you have to encode the value with your secret stuff for example
$sshhh="ITSMY_SECRET_VALUECODE";
$encrypted_id = base64_encode($your_value . $sshhh);
Then pass it (encrpyted_id) in URL
for example href="all-jvouchers.php?id=<?= $encrypted_id; ?>
and while getting value use below code to get back your value
$sshhh="ITSMY_SECRET_VALUECODE";
$decrypted_id_raw = base64_decode($_GET['id']);
$decrypted_id = preg_replace(sprintf('/%s/', $sshhh), '', $decrypted_id_raw);
Use $decrypted_id wherever and however you want to securely
I have a php file where I am using it to setup dynamically generated pages based on the input variables. It starts on and index.html page where the variables are gathered some of which are not simple strings but complex Google Earth objects. On the submit of that page it is posted to another page and you are redirected to the created file. The trouble is coming when I try to use that variable within the php include file that is used to generate the pages.How do i properly get a variable from this form and then pass it through to be able to use it on the new generated page. Here is what I am trying currently.
On the click of this button the variable flyto1view is set.
$("#flyto1").click(function(){
if (!flyto1view){
flyto1view = ge.getView().copyAsLookAt(ge.ALTITUDE_RELATIVE_TO_GROUND);
$("#flyto1view1").val(flyto1view)
}
else {
ge.getView().setAbstractView(flyto1view);
}
});
Then from here I have tried setting the value to an hidden field but Im not sure if that kinda of variable has a value that can be set like that. Whats the best way to get this variable to here after post
<?
if (isset($_POST['submit']) && $_POST['submit']=="Submit" && !empty($_POST['address'])) {//if submit button clicked and name field is not empty
$flyto1view1 = $_POST['flyto1'];
$address = $_POST['address']; //the entered name
$l = $address{0}; // the first letter of the name
// Create the subdirectory:
// this creates the subdirectory, $l, if it does not already exists
// Note: this subdirectory is created in current directory that this php file is in.
if(!file_exists($l))
{
mkdir($l);
}
// End create directory
// Create the file:
$fileName = dirname(__FILE__)."/$address.html"; // names the file $name
$fh = fopen($fileName, 'w') or die("can't open file");
// The html code:
// this will outpout: My name is (address) !
$str = "
<? php include ('template.php') ?>
";
fwrite($fh, $str);
fclose($fh);
// End create file
echo "Congradualations!<br />
The file has been created.
Go to it by clicking here.";
die();
}
// The form:
?>
Firstly. creating files from user input is pretty risky. Maybe this is only an abstract of your code but doing a mkdir from the first letter of the input without checking that the first letter is actually a letter and not a dot, slash, or other character isn't good practice.
Anyway, on to your question. I would probably use $_GET variables to pass to the second file. So in the second file you use <?php $_GET['foo'] ?> and on the first file you do:
echo "Congradualations!<br />
The file has been created.
Go to it by clicking here.";
You could also echo the variable into your template like so:
$str = '
<?php
$var = \'' . $flyto1view1 . '\';
include (\'template.php\')
?>';
I'm aware that this topic has been covered before here on Stack, and I have looked at some answers, but I'm still a bit stuck, being fairly new to PHP. Every page on my website requires a login, and so users are redirected to a login page on page load. At the top of each page then I have:
<?
require("log.php");
include_once("config.php");
include_once("functions.php");
?>
This redirects the user to log.php (with new code added):
<?
session_name("MyLogin");
session_start();
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
if($_GET['action'] == "login") {
$conn = mysql_connect("localhost","",""); // your MySQL connection data
$db = mysql_select_db(""); //put your database name in here
$name = $_POST['user'];
$q_user = mysql_query("SELECT * FROM users WHERE login='$name'");
if (!$q_user) {
die(mysql_error());
}
if(mysql_num_rows($q_user) == 1) {
$query = mysql_query("SELECT * FROM users WHERE login='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password']) {
$_SESSION["name"] = $name;
header("Location: http://monthlymixup.com/$url"); // success page. put the URL you want
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}
// if the session is not registered
if(session_is_registered("name") == false) {
header("Location: login.php");
}
?>
The login form is contained in login.php. The code for login.pho relevant to the PHP/log.php is:
<?
session_start();
if($_GET['login'] == "failed") {
print $_GET['cause'];
}
?>
and
<form name="login_form" id="form" method="post" action="log.php?action=login">
The answer that I came across stated that I should add:
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
to the top of each page, which I did, at the top of the page (above "require("log.php");"), and then add:
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
to my login page, and use the following URL for redirect on successful login:
header("Location: http://example.com/$url"); // perform correct redirect.
I am not 100% where the code which stores the referring URL should go, at the top of log.php or login.php.
I have tried adding it to both, but the login page is just looping once I have entered the username and password.
I wonder if someone could help me get this working?
Thanks,
Nick
It appears that I don't have the privilege to comment on your post, so I'll do the best that I can to answer. I apologize for all of the scenarios, I'm just doing the best I can to answer on a whim.
SCENARIO 1:
If you've truly not selected a database in your code, as demonstrated here, could that potentially be your issue? Please do note, that the code below, is the code you've posted.
$db = mysql_select_db(""); //put your database name in here
SCENARIO 2:
The code below is not something I've ever used in anything I've built, might I suggest that you try replacing that line of code with the line below it?
if(session_is_registered("name") == false) { // Current
if(isset($_SESSION['name']) == false) { // Potential Replacement
SCENARIO 3:
If you're logic for the following, exists on the login.php file as well... That could potentially be your problem. Upon visiting your site, I noticed your form appears on login.php, yet your logic is posting to log.php. I'm hoping this bit of code can help rule out that "jump", as login.php might be saving itself and overwriting the $_SESSION variable you've established
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
If it's too complex to take it out of the login.php file, if you even have it there, I've put together some code that you can use to create "internal" breadcrumbs, so you can go 2 pages back in your history.
if(!isset($_SESSION['internal_breadcrumbs']))
$_SESSION['internal_breadcrumbs'] = array();
$_SESSION['internal_breadcrumbs'][] = $_SERVER['REQUEST_URI'];
$max_breadcrumbs = 5;
while(count($_SESSION['internal_breadcrumbs']) > $max_breadcrumbs)
array_shift($_SESSION['internal_breadcrumbs']);
That will create an array with a max of $max_breadcrumbs elements, with your most recent page at the end, like the following
Array
(
[internal_breadcrumbs] => Array
(
[0] => /other_page.php
[1] => /other_page.php
[2] => /other_page.php
[3] => /user_page.php <-- desired page
[4] => /login.php <-- most recent page
)
)
So now... you can setup your url to be something more like the following...
// I'm doing - 2 to accommodate for zero indexing, to get 1 from the current page
if(isset($_SESSION['internal_breadcrumbs']))
$url = $_SESSION['internal_breadcrumbs'][count($_SESSION['internal_breadcrumbs']) - 2];
else
$url = "index.php"; // default page for
All the best, and I certainly hope this has helped in some way.
IN SCENARIO 4
From the client test the login/password which ajax XMLHttpRequest with javascript code to a dedicated script for validation (do it on mode https for secure)
If response is right send the login password to your script server.
Stips : Encoding password is better secure !
Using header() function it's a bad idea.
Manual specification say ;
Remember that header() must be called before any actual output is
sent, either by normal HTML tags, blank lines in a file, or from PHP.
It is a very common error to read code with include, or require,
functions, or another file access function, and have spaces or empty
lines that are output before header() is called. The same problem
exists when using a single PHP/HTML file.
So in your case, i suggest that to use cookies with an ID generate only for the session, at the first connection its generate, and the duration of the cookie maybe for only from 2 to 10 minutes.
Regenerate cookie each time the loging.PHP is called !
Have a nice day