How to enable 2 logged in users to my app? - php

I'm developing a basic ERP in PHP for a small firm, they need to maintain accounts of 2 separate companies within it. Working in Code Igniter as I am most familiar with that framework.
I need to allow the user to be logged in on both companies at the same time accross tabs, how can I ensure that while saving data from one form it only posts to that company's records? I'm using only one db, with 2 users - hence user_id will be the foreign key in all tables.
I need to ensure that when saving an invoice of one company it doesnt take the other company's user_id, which may happen if i use sessions.
Would the best approach be to use hidden user_id fields on all forms? Or is there any other method I can use for this?
Thanks :)

You can store the company id in the url, so in the one tab you have
/edit/company/1
and in the ohter
/edit/company/2
Then you can let them choose either one of the companies, and make sure that id is at every url. Make sure that the correct permissions are set though, if you maintain a lot of users/companies.

i think that you can use a global variable, bool i guess and always check after session_start() whether is company 1 or 2

Related

How to confing a database for multiple users with different data

I'm developing a web page where students, after registering, can introduce their school schedule, mark test and calculate averages. My problem is:
how do I do for each user to have their own schedule, calendar etc. I could be simple for you but I'm having difficulties solving this.
This is how I want schedules menu to look
all the data introduced for the schedule will show up on the table
You have to look at how a relational database works.
Everything you're trying to do is use a foreign key.
IMHO best way to achieve this is to register user ID+name in $_SESSION then, when he reaches the page, retrieve schedule from where it's stored. Depends also on the schedule/calendar format

Can i use username instead of user id in wordpress, ignoring wp_users table?

I am aware that wordpress maps the data of posts and comments in the database, with the user id.
For example, in wp_posts table, the column post_author corresponds to the user id who has written the post, and in wp_comments table, the column user_id corresponds to the user id who has commented on a post.
But what i am trying to achieve is to have a username value, instead of user id, to identify a user. Because i am developing a functionality such that the users will be authenticated outside of wordpress, so their details are not inserted in the wordpress database (wp_users table). I am using custom sessions to store the user's session inside wordpress, storing the user's username that i receive from a third party site, after successful authentication.
Having said the above, i am considering few options like:
Using hooks to alter the functionality of mapping/identifying a user by username, instead of user id.
Creating a new plugin that achieves this functionality
Create new tables inside wordpress and use them to store usernames along with the posts/comments.
Can anyone guide me in the right path?
Note that:
I just want to forget wp_users table. I don't want to touch it. I will neither fetch anything from it, nor insert anything into it. So i just want to insert user login name into other related tables like wp_posts, and wp_comments, may be by adding new columns to them.
I also don't want to change the core files of wordpress, as i am worried that i cannot update the wordpress later. But i believe that the database can be altered though.
You don't want to. Usernames are modifiable, they are not perfectly unique and come with a host of other related issues.
Split up your application. If you want to have another authentication method then make it authenticate to a user using whatever method you like. Once you know which user it is you can get the user ID from the database and properly generate a Wordpress login.
Your modifications should avoid massive sweeping changes to the internals of a system that you aren't very familiar with. That way lies madness. Instead, focus on building an add-on that does what you need and then hands control back to the primary system as quickly as possible. You avoid duplicating a lot of effort by doing it this way.
I guess you are referring the user login name by saying username, right??
If so then Yes you can achieve that because userlogin is unique like the userid and you can simply query your wp_users table to get the userid .
If not then there's no way to guarantee that you get the correct user's info by username as mentioned by #mrdoombringer in previous answer

Should I delete MySQL entries using a PHP script which users can run?

I'm currently working on a website which will have many users on it. These users are stored in a table with each having a unique id. The website will contain projects that the users can complete and these projects are stored in a separate table with unique id's as well.
I need to make the users have a page they can view which will display a list of all the projects they are currently working on.
To do this, I am going to set up another table in which each row will have the user's id as well as the project's id that they are working on. All of that will work alright but I would like to allow users to cancel their projects if they please. I am aware of how to do this, but I have read that deleting rows directly from a php script is insecure so the user used to access the database from PHP does not have 'DELETE' permissions. I am wondering if I should just delete rows at will when a user specifies which project to delete or if I should just have another field and simply mark each user-project row as being 'cancelled' in another field so I can work with them myself.
What you should do is, for maximum security is, have a parameter in the database table called "isActive", or something of that nature, that is a BIT data type to represent a boolean. If that boolean is false, then do not delete the project from the database, simply hide that tables data (do not display it on the site, but keep the data stored in the databse). That way, not only is your database secure from malicious users who would like to destroy data, but projects can also be "re-instated" if they wish to re-instate it. If the project sits around for a certain period of time, say, 14 days, just have the server delete it, not the user, if you wish. This worked for me in the past.
Hope This Helps!
The most common approach to this problem is to have a field in the table that can be used to mark a record as deleted. This would be the only access the general user would have to the table as far as deletion goes. Some people also have a full delete, which states clearly that it will never be accessible again after the operation is completed.
Personally, I prefer to retain full delete permission to administrators allow the user to only mark records as deleted. If you're concerned about space, add a last accessed field as well, and schedule at set intervals a call to perform a full delete on any records that are marked as deleted and have not been active for a certain amount of time.

select users who currently view same page

I find several partial solutions in answers on this question, but common answer seems to be absent.
So, I have a table users with columns user_id, user_name. On each static page of website I want to display all user names of users who currently view this page.
Should I have a table views with columns user_id, webpage_link?
If yes, when I shall update data in column webpage_link? How to connect code from following answer with mysql database Is there a way to detect if a browser window is not currently active? ? (If it is ok for this purpose.)
To make updates very often is not very good. So, the user can view several pages (for example, in 2 or more tabs). What type of webpage_link column shall be in this case?
With every http request, you get a $path variable. if you also have a logged in user, you can store which page this user requested last (e.g. in a table like you described, but only storing the relative path).
You update this information on a per-request-basis in some sort of front-controller. (just make sure you put it where it is called for every authenticated page). When the users session times out, you remove the row of that user from the table.
this case is a little more difficult. you could store the last n pages/paths the user has requested and leave the rest as above. You don't have to change the table structure for that, just allow for multiple rows per user. (the combination user_id+path should be unique, though)
Hope that helps to get you started

Block User From Profile

I am wanting to create a user block I have the button
<a type="button" value="1" name="block" Cursor="pointer" href="blockuser.php?uid='. $data['id'].'">Block</a>
But I'm wanting to know how best to do this with PHP, Ajax and either the users table or a separate blockuser table. So when I click on block I cansend the value 1 to the database with the users id and stop them from veiwing my whole profile with a switch and visa versa.
I will then go on to creating a block list with the ability to unblock this user at any given point, if users so wish.
Privacy is a must! Thanks for any help given.
The only real question in your question is whether to create a new table for this or not, as the rest is a group of very straight-forward tasks for the technologies you mentioned.
Personally, I would opt for simply adding a column to the current users table and filling it with a comma delimited list of User IDs which you could simply search for a user ID within. This has the advantage that you'll only need to run one query vs. the two which would be required to check the block list and then get the viewed user's info in the two-table scheme.
Adding users to the blocklist is trivial (append a user id and perhaps a comma), and dropping the user from the blocklist would simply require splitting the blocklist, removing the proper user ID, then rebuilding the list by joining with a comma.
Also, this is only useful to implement if you require authentication to view a profile, and even then one could circumvent such a system by simply creating a new account.
On each row in the database where you store the profile information (perhaps the members table?) you can add a row called "blocked" which stores the ID numbers of the members that are blocked. I would separate these numbers using semi-colons personally and $blocked_ids = explode(";",$blocked) to get each blocked ID. From there you can check if the person is to be blocked from the profile by using: if(in_array($user_id,$blocked_ids)), if that value is in the array, prevent the profile view.
Hope this helps you, any questions just comment below
As far as the database goes, I would probably do it like this - create a table specific for blocks. Two essential fields would be the id of the blocker and the id of the person being blocked. This means that if one person blocks two users, he'll have two entries in the table - don't try creating one SQL field to act like an array.
Currently, you're setting up to use a standard request to a PHP stage with a $_GET parameter. There's nothing majorly wrong with that, but if you want the whole operation to happen without your page refreshing, you can use Ajax. With jQuery:
$.get("remove.php", { uid: "someID" } );

Categories