I have two tables Account and User.
Account table contains account_id, username, password
while User table contains user_id, account_id, first_name, last_name.
What I want is for Yii to display the contents of the user table of the one logged in, so I used this code:
$user= Yii::app()->user->id; //to get the account_id of user logged in
$userModel = User::model()->find(array('condition'=>'account_id' == $user));
//to find data in the user table with the account_id similar to the
//account_id of the one logged in
print_r($userModel); //to check if I got the correct data
But for some reason, no matter who logs in, the print_r($userModel) is returning data with the account_id == 1.
Please help :/
If you are using Yii 1 you can try with findByAttributes:
$userModel = User::model()->findByAttributes(array('account_id'=>$user));
I made a login function with brute-force protection, different bot protection functions like a honeypot, input filtering, and an Argon2 encrypted password.
But in the end, to identify the user I save the id inside a session after a successful login.
With this id, until now I checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How could I improve the security?
How else could I check if a user is an admin?
You should do as I will direct you.
As long as you have the user id in act, it's half of the way.
I will assume that you have function.php, which has all the functions you use in the website.
Also you have a login function that checks the user account details and gives access.
You now need to improve that to restrict user access.
First:
Create a table in MySQL and call it group. This table will have two records, or as you like. Admin will have id 1 and members id 2. Then you can make many modifications, like making another column in that table called upload and setting admin to yes and members to no.
Second, in your login function use the following:
// group is a reserved word in MySQL, so the table name is quoted with backticks
$res = mysql_query("SELECT * FROM users INNER JOIN `group` ON users.class=`group`.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
users.class is the group id and users is the users table.
Now you can check group credits. As an example, on the upload page you do the following:
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on the group as you need. You can also make many classes like admin, members, uploaders, reviewers, authors and give every class special permissions as website content is viewed.
On admin.php you can use:
if($row["admin"]=="no")
echo("admin only can view this page ");
In both examples above, admin and can_upload are columns in the group table, and the value changes with the user's class.
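A per-request version of the group check described in this answer, as an added example that is not part of the original answer. It keeps the answer's table and column names; the `users.id` column, the helper name `can()`, the sample rows and the in-memory SQLite database (used so the script runs offline) are assumptions.

```php
<?php
// Added example: users.id, can() and the demo rows are assumptions;
// table and column names otherwise follow the answer above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: group 1 = admin, group 2 = members.
$pdo->exec("CREATE TABLE `group` (group_id INTEGER PRIMARY KEY, admin TEXT, can_upload TEXT)");
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, class INTEGER, enabled TEXT, status TEXT)");
$pdo->exec("INSERT INTO `group` VALUES (1, 'yes', 'yes'), (2, 'no', 'no')");
$pdo->exec("INSERT INTO users VALUES (10, 1, 'yes', 'confirmed'),
                                     (11, 2, 'yes', 'confirmed'),
                                     (12, 1, 'no',  'confirmed')");

/**
 * Look up one permission column for the given user id.
 * Returns false for unknown users, disabled or unconfirmed accounts,
 * unknown permission names, and any stored value other than 'yes'.
 */
function can(PDO $pdo, int $userId, string $permission): bool
{
    // Column names cannot be bound as parameters, so allow-list them.
    if (!in_array($permission, ['admin', 'can_upload'], true)) {
        return false;
    }
    $stmt = $pdo->prepare(
        "SELECT g.$permission FROM users u
         INNER JOIN `group` g ON u.class = g.group_id
         WHERE u.id = ? AND u.enabled = 'yes' AND u.status = 'confirmed'"
    );
    $stmt->execute([$userId]);
    return $stmt->fetchColumn() === 'yes';
}

// On a real page the id comes from $_SESSION after login, never from the request.
// Users 10 and 11 are active, 12 is a disabled admin, 99 does not exist.
foreach ([10, 11, 12, 99] as $id) {
    printf("user %d: admin=%s upload=%s\n", $id,
        can($pdo, $id, 'admin') ? 'yes' : 'no',
        can($pdo, $id, 'can_upload') ? 'yes' : 'no');
}
```

Because the row is re-read on every request, disabling an account or changing its class takes effect without waiting for the session to expire.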
I am fairly new to PHP and am not sure how to do this.
I have two tables:
owner (ownerid(PK), username, password)
venue (venueid(PK), ownerid(FK), venuename, location, number)
owner stores the details of the current logged in user. Once the user is logged in they enter details into a form that gets inserted into the venue table.
How do I take the ownerid of the current logged in user and insert it into ownerid (in the venue table) so that at a later stage I can select all venues that a particular user has added, and only that logged in user can view them?
I am pretty new to PHP so would appreciate as much explanation / code as possible :)
Thanks!
If you have a logged in user you will be able to identify them either through a cookie or a session. If you store their ownerid in the session variable, then you will be able to access it whenever you require:
$ownerid = $_SESSION['user'];
You can then use that variable in association with the selected venues, and relate them together so only this user can view them when logged in, matching their ownerid.
I have two tables (blog_members and blog_posts) which are related 1 to many, 1 member to many posts. Therefore, in order to be able to relate the two I had to make one field in blog_posts named memberID and set up the relation between this field and the one from blog_members.
Now, I'm trying to make a script to add posts into the database. The thing is, now I have the field memberID in blog_posts which needs to be the same with the one from blog_members in order to be related. So, I'm trying to get the current logged in memberID from the blog_members so I can introduce it into the blog_posts.
I know this can be done with an input where you can type your ID but it doesn't feel right, I want this to be in the back, not to be seen.
Short story:
$memberID = get current logged in memberID from blog_members;
//insert into database
$sql="INSERT INTO blog_posts (memberID, postTitle,postDesc,postCont,postDate) VALUES('$memberID','$postTitle','$postDesc','$postCont','$postDate')";
$result=mysqli_query($link,$sql);
if($result){
echo '<p>Added successfully!</p>';
}else {
echo "Error: ".$sql."<br>".mysqli_error($link);
}
Normally you would store the ID of the logged in user in a session:
$_SESSION['login_userid'] = $userId; // $userId (placeholder name): the user ID obtained from login
Now it will be stored in the browser as $_SESSION['login_userid'] and you can just put this to the top of your code:
$memberID = $_SESSION['login_userid'];
On every page where you use sessions you must run session_start() before the first line of HTML code. If you are not sure how to create your own login system, have a look at this tutorial.
Note: memberID is not unique in the blog_posts table, as one user can create many posts. You should probably create a primary key blogpostID as well.
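The session-to-foreign-key pattern from this answer, written with bound parameters, as an added example that is not part of the original posts; the same shape applies to the venue.ownerid question earlier on the page. The helper names `addPost()` and `postsOf()`, the sample values and the in-memory SQLite database are assumptions.

```php
<?php
// Added example: blog_posts columns follow the question above; addPost(),
// postsOf() and the sample rows are assumptions for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE blog_posts (
    blogpostID INTEGER PRIMARY KEY AUTOINCREMENT,
    memberID INTEGER NOT NULL, postTitle TEXT, postDesc TEXT,
    postCont TEXT, postDate TEXT)");

// The owner id is a separate argument that the caller fills from the session;
// $form holds only the fields the user is allowed to choose.
function addPost(PDO $pdo, int $memberID, array $form): int
{
    $stmt = $pdo->prepare(
        "INSERT INTO blog_posts (memberID, postTitle, postDesc, postCont, postDate)
         VALUES (?, ?, ?, ?, ?)"
    );
    $stmt->execute([$memberID, $form['postTitle'], $form['postDesc'],
                    $form['postCont'], date('Y-m-d H:i:s')]);
    return (int) $pdo->lastInsertId();
}

// Reads are scoped to the same id, so the listing depends on who is logged
// in and not on any parameter sent with the request.
function postsOf(PDO $pdo, int $memberID): array
{
    $stmt = $pdo->prepare(
        "SELECT blogpostID, postTitle FROM blog_posts WHERE memberID = ?"
    );
    $stmt->execute([$memberID]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_SESSION and $_POST.
$session = ['login_userid' => 7];
$post = ['memberID' => 1, 'postTitle' => "It's a title",
         'postDesc' => 'desc', 'postCont' => 'body'];

// $post['memberID'] is never read: the owner comes from the session only.
addPost($pdo, $session['login_userid'], $post);
addPost($pdo, 3, ['postTitle' => 'other member', 'postDesc' => '', 'postCont' => '']);

// List the posts that belong to the session user.
print_r(postsOf($pdo, $session['login_userid']));
```

The apostrophe in the sample title is stored as data because the values are bound rather than pasted into the SQL string.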
When a user hits the log in button on a page, in order to verify, here's what I need to do:
1st check if they exist and their login info is valid in the members table.
2nd using the entered username now check if they have access to this specific page by checking the access table with their username.
I have two tables, members and access.
Members has the following: id, username, password
Access has the following: userid, companyid
So say my username= ASH and password= 14ash
I'm trying to login to view a specific restricted page for the company called TARGET.
I first login with my account info with username ASH & password 14ash
In PHP I check the database table called members with MySQL to see if I exist
and at the same time I check the ACCESS table using
access.userid = ASH & access.companyid= TARGET
Once all is checked, if I exist in both tables then I let the user login.
I tried this but it doesn't work.
$sql="SELECT * FROM access,members
WHERE members.username='$myusername'
AND members.password='".md5($mypassword)."')
OR (access.userid=members.username
AND access.companyid='$username')";
It should be:
$sql="SELECT * FROM access,members WHERE members.username='$myusername' AND members.password='".md5($mypassword)."' AND access.userid=members.id";
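The two checks from the question (valid login, then access to one company's page) as separate steps, as an added example that is not part of the original posts. It joins access.userid to members.id as the answer does, uses `password_hash()`/`password_verify()` in place of `md5()`, and the helper name `canEnter()`, the sample rows and the in-memory SQLite database are assumptions.

```php
<?php
// Added example: members/access columns follow the question; canEnter() and
// the sample rows are assumptions. password_hash() replaces md5() here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)");
$pdo->exec("CREATE TABLE access (userid INTEGER, companyid TEXT)");

// Constructed sample data: ASH may view TARGET, BOB has no access rows.
$ins = $pdo->prepare("INSERT INTO members (id, username, password) VALUES (?, ?, ?)");
$ins->execute([1, 'ASH', password_hash('14ash', PASSWORD_DEFAULT)]);
$ins->execute([2, 'BOB', password_hash('bobpw', PASSWORD_DEFAULT)]);
$pdo->exec("INSERT INTO access (userid, companyid) VALUES (1, 'TARGET')");

function canEnter(PDO $pdo, string $username, string $password, string $company): bool
{
    // Step 1, authentication: fetch the stored hash and verify it in PHP.
    $stmt = $pdo->prepare("SELECT id, password FROM members WHERE username = ?");
    $stmt->execute([$username]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$member || !password_verify($password, $member['password'])) {
        return false;
    }
    // Step 2, authorization: the member needs a row for this company.
    $stmt = $pdo->prepare("SELECT 1 FROM access WHERE userid = ? AND companyid = ?");
    $stmt->execute([$member['id'], $company]);
    return $stmt->fetchColumn() !== false;
}

// Valid login with an access row, wrong password, valid login without
// an access row, and a company the member has no row for.
var_dump(canEnter($pdo, 'ASH', '14ash', 'TARGET'));
var_dump(canEnter($pdo, 'ASH', 'wrong', 'TARGET'));
var_dump(canEnter($pdo, 'BOB', 'bobpw', 'TARGET'));
var_dump(canEnter($pdo, 'ASH', '14ash', 'OTHER'));
```

Keeping the company check in its own query means it can be repeated on every restricted page, not only at login.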
I've got a registration code which inserts user details into the table that I chose.
The problem is that I added a "confirm code" to the user, so every account is needed to verify his user through his mail. After the confirmation is done, the column "confirmation" changes to "confirmed". If the user does not verify his account, the confirm code will stay in the "confirmation" column.
The problem is that I made a table in HTML, which uses the DB in order to show the active users.
I don't want the not-confirmed users to appear in the table, so I tried to add some conditions:
$cu = mysql_query("SELECT * FROM `users` where uname='$uname' && confirmation='confirmed'");
$cu = mysql_fetch_array($cu);
and another one :
$select2 = mysql_query("SELECT * FROM `users` WHERE uname='$uname' && confirmation='confirmed'");
It's working.. but only half way. I mean, when the not-confirmed user tries to log in, it shows him a blank page. It's ok, cuz I don't want the non-confirmed users to log in.
But... the confirmed users still see the not-confirmed users in the active users table..
It's like the table doesn't even check if the user is confirmed or not, it just shows him either way.
So I thought about a way in which users will move to another table, called "hold", which will consist of all the non-confirmed users. Then, for every user who verifies his account, the SQL will recognize it and when the confirmation column is changed to "confirmed", it's going to move the user to the "users" table, so his name will appear in the active user table.
How can I do it? How can I "make" the SQL table auto recognize if the user is confirmed or not, and move him to another table..
or.. if there is any way to "hide" the not-confirmed users from the active users table, it's also fine.
Thanks a lot :)
Basically, either you need to set up a cron which checks if the user is not confirmed and then moves him to the hold table, or write a trigger in MySQL for whenever any user gets confirmed.
You can get the last result and insert after the last result.
See this example:
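// mysql_query() sends one statement per call, so the two inserts are issued separately
mysql_query("INSERT INTO tabel_name(col1, col2, col3) VALUES('foo','bar','some')");
$sql = mysql_query("
INSERT INTO table_name2(col, col2) SELECT col2, col3 FROM tabel_name
ORDER BY id DESC LIMIT 1
");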