check user log and redirect [message #174485]
Tue, 14 June 2011 19:51
Co
Hi All,
I know Jerry will have comments again, but I will post my question anyway.
I have this code that checks if the user is logged in and, if not, should redirect him to the login page.
However, when I am not logged in I can still go to pages which I am not supposed to go to.
I tried to understand what the code is doing, but I don't follow.
Can someone have a look at my code and tell me why I can still go to restricted pages?
```php
<?php
session_start(); // Start Session First Thing
// Force script errors and warnings to show on page in case php.ini file is set to not display them
error_reporting(E_ALL);
ini_set('display_errors', '1');
//-----------------------------------------------------------------------------------------------
include_once "connect_to_mysql.php"; // Connect to the database
$dyn_www = $_SERVER['HTTP_HOST']; // Dynamic www.domainName available now to you in all of your scripts that include this file
//------ CHECK IF THE USER IS LOGGED IN OR NOT AND GIVE APPROPRIATE OUTPUT -------
$logOptions = ''; // Initialize the logOptions variable that gets printed to the page
// If the session variable and cookie variable are not set this code runs
if (!isset($_SESSION['idx'])) {
    if (!isset($_COOKIE['idCookie'])) {
        $logOptions = '<a href="http://' . $dyn_www . '/Web_Intersect/register.php">Register Account</a>
        |
        <a href="http://' . $dyn_www . '/Web_Intersect/login.php">Log In</a>';
    }
}
// If session ID is set for logged in user without cookies remember me feature set
if (isset($_SESSION['idx'])) {
    $decryptedID = base64_decode($_SESSION['idx']);
    $id_array = explode("p3h9xfn8sq03hs2234", $decryptedID);
    $logOptions_id = $id_array[1];
    $logOptions_username = $_SESSION['username'];
    $logOptions_username = substr('' . $logOptions_username . '', 0, 15); // cut user name down in length if too long
    // Check if this user has any new PMs and construct which envelope to show
    $sql_pm_check = mysql_query("SELECT id FROM private_messages WHERE to_id='$logOptions_id' AND opened='0' LIMIT 1");
    $num_new_pm = mysql_num_rows($sql_pm_check);
    if ($num_new_pm > 0) {
        $PM_envelope = '<a href="/Web_Intersect/pm_inbox.php"><img src="/Web_Intersect/images/pm2.gif" width="18" height="11" alt="PM" border="0"/></a>';
    } else {
        $PM_envelope = '<a href="/Web_Intersect/pm_inbox.php"><img src="/Web_Intersect/images/pm1.gif" width="18" height="11" alt="PM" border="0"/></a>';
    }
    // Ready the output for this logged in user
    $logOptions = $PM_envelope . ' |
    <a href="http://' . $dyn_www . '/Web_Intersect/">Home</a>
    |
    <a href="http://' . $dyn_www . '/Web_Intersect/profile.php?id=' . $logOptions_id . '">Profile</a>
    |
    <div class="dc"><a href="#" onclick="return false"><img src="/Web_Intersect/images/darr.gif" width="10" height="5" alt="Account Options" border="0"/></a>
    <ul>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/edit_profile.php">Account Options</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/pm_inbox.php">Inbox Messages</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/pm_sentbox.php">Sent Messages</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/logout.php">Log Out</a></li>
    </ul>
    </div>
    ';
} else if (isset($_COOKIE['idCookie'])) { // If id cookie is set, but no session ID is set yet, we set it below and update stuff
    $decryptedID = base64_decode($_COOKIE['idCookie']);
    $id_array = explode("nm2c0c4y3dn3727553", $decryptedID);
    $userID = $id_array[1];
    $userPass = $_COOKIE['passCookie'];
    // Get their user first name to set into session var
    $sql_uname = mysql_query("SELECT username, email FROM myMembers WHERE id='$userID' AND password='$userPass' LIMIT 1");
    $numRows = mysql_num_rows($sql_uname);
    if ($numRows == 0) {
        // Kill their cookies and send them back to homepage if they have cookie set but are not a member any longer
        setcookie("idCookie", '', time()-42000, '/');
        setcookie("passCookie", '', time()-42000, '/');
        header("location: index.php"); // << makes the script send them to any page we set
        exit();
    }
    while ($row = mysql_fetch_array($sql_uname)) {
        $username = $row["username"];
        $useremail = $row["email"];
    }
    $_SESSION['id'] = $userID; // now add the value we need to the session variable
    $_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$userID");
    $_SESSION['username'] = $username;
    $_SESSION['useremail'] = $useremail;
    $_SESSION['userpass'] = $userPass;
    $logOptions_id = $userID;
    $logOptions_uname = $username;
    $logOptions_uname = substr('' . $logOptions_uname . '', 0, 15);
    /////////// Update Last Login Date Field ///////////
    mysql_query("UPDATE myMembers SET last_log_date=now(), logged='1' WHERE id='$logOptions_id'");
    // Check if this user has any new PMs and construct which envelope to show
    $sql_pm_check = mysql_query("SELECT id FROM private_messages WHERE to_id='$logOptions_id' AND opened='0' LIMIT 1");
    $num_new_pm = mysql_num_rows($sql_pm_check);
    if ($num_new_pm > 0) {
        $PM_envelope = '<a href="pm_inbox.php"><img src="images/pm2.gif" width="18" height="11" alt="PM" border="0"/></a>';
    } else {
        $PM_envelope = '<a href="pm_inbox.php"><img src="images/pm1.gif" width="18" height="11" alt="PM" border="0"/></a>';
    }
    // Ready the output for this logged in user
    $logOptions = $PM_envelope . '
    <!--<a href="http://' . $dyn_www . '/Web_Intersect">Home</a>
    | -->
    <a href="http://' . $dyn_www . '/Web_Intersect/profile.php?id=' . $logOptions_id . '">Profile</a>
    |
    <div class="dc">
    <a href="#" onclick="return false">Account <img src="http://' . $dyn_www . '/Web_Intersect/images/darr.gif" width="10" height="5" alt="Account Options" border="0"/></a>
    <ul>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/edit_profile.php">Account Options</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/pm_inbox.php">Inbox Messages</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/pm_sentbox.php">Sent Messages</a></li>
    <li><a href="http://' . $dyn_www . '/Web_Intersect/logout.php">Log Out</a></li>
    </ul>
    </div>';
}
?>
```
Regards
Marco
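An added example, mine rather than Marco's code or the Web Intersect script, of a login gate that actually redirects. Reading the include above, the only `header("location: ...")` in it sits in the branch that rejects a cookie with no matching row; the session-only branch and the no-session branch just build the `$logOptions` HTML, so including the file on a restricted page never sends a logged-out visitor anywhere. The gate below assumes the `$_SESSION['id']` key the include sets and a login page at `/Web_Intersect/login.php`; the helper names (`require_login` and friends) and the `next` parameter are my assumptions, and the self-check at the bottom runs on constructed session arrays when invoked from the command line.

```php
<?php
// Added example, not part of the original post. Assumptions: the session key
// 'id' (the posted include sets $_SESSION['id']), a login page at
// /Web_Intersect/login.php, and the helper names used here. Needs PHP 7.0+.
declare(strict_types=1);

/**
 * Authenticated only if the server-side session carries a positive numeric
 * member id. $_SESSION is filled from the server's session store; the client
 * only ever holds the opaque session cookie, never the id itself.
 */
function is_logged_in(array $session): bool
{
    return isset($session['id'])
        && ctype_digit((string) $session['id'])
        && (int) $session['id'] > 0;
}

/**
 * Login URL with a "next" parameter. Only a same-site absolute path is kept,
 * so the parameter cannot be turned into an open redirect to another host
 * (a "//evil.example/" value is protocol-relative and is dropped).
 */
function login_redirect_target(string $requested_path): string
{
    $next = '/Web_Intersect/';
    if ($requested_path !== '' && $requested_path[0] === '/' && substr($requested_path, 0, 2) !== '//') {
        $next = $requested_path;
    }
    return '/Web_Intersect/login.php?next=' . rawurlencode($next);
}

/**
 * Put this at the top of every restricted page, before any output. The exit
 * matters: header() alone does not stop the script, and the protected HTML
 * would otherwise still be sent to the browser along with the redirect.
 */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (is_logged_in($_SESSION)) {
        return;
    }
    header('Location: ' . login_redirect_target($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
    exit;
}

// Self-check from the command line (php gate.php): there is no HTTP request
// here, so the pure functions are exercised with constructed session arrays.
if (PHP_SAPI === 'cli') {
    $cases = [
        [is_logged_in(['id' => '42']),        true,  'numeric id is logged in'],
        [is_logged_in([]),                     false, 'empty session is not'],
        [is_logged_in(['id' => '42 OR 1=1']), false, 'non-numeric id is not'],
        [login_redirect_target('//evil.example/'),
            '/Web_Intersect/login.php?next=%2FWeb_Intersect%2F', 'protocol-relative next dropped'],
        [login_redirect_target('/Web_Intersect/pm_inbox.php'),
            '/Web_Intersect/login.php?next=%2FWeb_Intersect%2Fpm_inbox.php', 'same-site next kept'],
    ];
    foreach ($cases as list($got, $want, $what)) {
        if ($got !== $want) {
            fwrite(STDERR, "FAILED: $what\n");
            exit(1);
        }
    }
    echo "gate checks passed\n";
}
```

Usage: `require_once 'gate.php'; require_login();` as the first two statements of each restricted page, ahead of the include that builds `$logOptions`, which can stay as pure display code. The login page that sets `$_SESSION['id']` should also call `session_regenerate_id(true)` at that moment, so a session id fixed before authentication is not promoted to a logged-in one.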
Re: check user log and redirect [message #174494 is a reply to message #174485]
Tue, 14 June 2011 23:08
Jerry Stuckle
On 6/14/2011 3:51 PM, Co wrote:
> Hi All,
>
> I know Jerry will have comments again but I will post my question
> anyway.
> I have this code that checks if the user is logged in and if not it
> should direct him to the login page.
> However when I am not logged in I can still go to pages which I am not
> supposed to go.
> I tried to understand what the code is doing but I don't follow.
> Can someone have a look at my code and tell me why I can still go to
> restricted pages?
>
<About 150 lines of code snipped>
First of all, NEVER depend on cookies for anything important, like
whether the user is logged in or not. EVERYTHING from the user should
be suspect, as it can very easily be faked.
As for the rest - cut it down to the minimum needed to show the problem.
I'm not going to spend time going through 150+ lines of cryptic code,
trying to figure out what you're doing.
Looks like (another) script you just copied from the web without
understanding what it does.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
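To put the point about faked cookies in concrete terms, an added example of mine, not code from either poster. The first half reproduces, on constructed data, the two things the posted include takes on trust from the browser: `idCookie` is just `base64("nm2c0c4y3dn3727553" . id)`, which anyone can produce for any id, and `passCookie` is interpolated into the SQL string unescaped, so the cookie can rewrite the query text itself. The second half is the remember-me shape I would use instead: a random token the server hands out, stored only as a hash and compared in constant time, so the client cannot manufacture one. The PHP array stands in for a `remember_tokens` table; the function and column names are my assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the original thread. All data below is constructed.
declare(strict_types=1);

// ---- Part 1: what the posted include trusts ---------------------------------

const ID_SEP = 'nm2c0c4y3dn3727553'; // separator used by the posted code

/** Exactly how the include recovers the user id from idCookie. */
function user_id_from_cookie(string $idCookie): string
{
    $parts = explode(ID_SEP, base64_decode($idCookie));
    return $parts[1] ?? '';
}

/** No secret is involved, so anyone can build a cookie that decodes to any id. */
function forge_id_cookie(string $userID): string
{
    return base64_encode(ID_SEP . $userID);
}

/** The query text the include builds, by the same string interpolation. */
function member_lookup_sql(string $userID, string $userPass): string
{
    return "SELECT username, email FROM myMembers WHERE id='$userID' AND password='$userPass' LIMIT 1";
}

// ---- Part 2: a remember-me token the client cannot fabricate -----------------

/**
 * Issue a token: random bytes go to the client, only a hash to the server store.
 * $store is an in-memory stand-in (assumed) for a table keyed by selector:
 *   selector => ['hash' => sha256(validator), 'user_id' => int, 'expires' => unix time]
 */
function issue_remember_token(array &$store, int $userID, int $now, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(8));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, never stored in clear
    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userID,
        'expires' => $now + $ttl,
    ];
    return $selector . ':' . $validator;     // the cookie value
}

/** Validate a presented cookie; returns the user id, or null for anything else. */
function user_from_remember_token(array $store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                          // shape check before any lookup
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector]) || $store[$selector]['expires'] < $now) {
        return null;
    }
    // hash_equals is constant-time, so response timing does not leak the stored hash
    if (!hash_equals($store[$selector]['hash'], hash('sha256', $validator))) {
        return null;
    }
    return $store[$selector]['user_id'];
}

// ---- Self-check (php remember.php) -------------------------------------------
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Part 1: the posted scheme accepts a home-made cookie as member 1 ...
check(user_id_from_cookie(forge_id_cookie('1')) === '1', 'forged idCookie decodes to user 1');
// ... and a passCookie value can rewrite the WHERE clause so no password is needed
$sql = member_lookup_sql('1', "' OR id='1");
check($sql === "SELECT username, email FROM myMembers WHERE id='1' AND password='' OR id='1' LIMIT 1",
    'passCookie rewrote the query');

// Part 2: the hardened scheme
$store  = [];
$now    = 1700000000;
$cookie = issue_remember_token($store, 7, $now);
check(user_from_remember_token($store, $cookie, $now) === 7, 'genuine token maps to user 7');
check(user_from_remember_token($store, $cookie, $now + 31 * 86400) === null, 'expired token rejected');
[$sel] = explode(':', $cookie);
check(user_from_remember_token($store, $sel . ':' . str_repeat('0', 64), $now) === null, 'guessed validator rejected');
check(user_from_remember_token($store, "x' OR '1'='1", $now) === null, 'malformed token rejected before lookup');
echo "all checks passed\n";
```

The selector/validator split is deliberate: the selector is looked up by equality (index-friendly, and a leaked database column gives nothing usable), while the validator is only ever compared against its hash. On a successful match the server should still start a fresh session and, ideally, rotate the token, so a stolen cookie has a bounded useful life.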
Re: check user log and redirect [message #174504 is a reply to message #174494]
Wed, 15 June 2011 05:05
Co
On 15 jun, 01:08, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 6/14/2011 3:51 PM, Co wrote:
> <About 150 lines of code snipped>
>
> First of all, NEVER depend on cookies for anything important, like
> whether the user is logged in or not. EVERYTHING from the user should
> be suspect, as it can very easily be faked.
>
> As for the rest - cut it down to the minimum needed to show the problem.
> I'm not going to spend time going through 150+ lines of cryptic code,
> trying to figure out what you're doing.
>
> Looks like (another) script you just copied from the web without
> understanding what it does.
That's right. But still it doesn't seem to do what it was written for.
I added some more code to the pages which are restricted:
```php
//////////////////////////////////////////////// Member log in double check ///////////////////////////////////////////////////
if (!isset($_SESSION['idx'])) {
    $msgToUser = '<br /><br /><font color="#FF0000">Only site members can do that</font><p><a href="register.php">Join Here</a></p>';
    include_once 'msgToUser.php';
    exit();
} else if ($logOptions_id != $_SESSION['id']) {
    $msgToUser = '<br /><br /><font color="#FF0000">Only site members can do that</font><p><a href="register.php">Join Here</a></p>';
    include_once 'msgToUser.php';
    exit();
}
//////////////////////////////////////////////// End Member log in double check
```
Marco
Re: check user log and redirect [message #174510 is a reply to message #174504]
Wed, 15 June 2011 10:33
Jerry Stuckle
On 6/15/2011 1:05 AM, Co wrote:
> That's right. But still it doesn't seem to do what it was written for.
>
> I added some more code to the pages which are restricted:
> //////////////////////////////////////////////// Member log in double check ///////////////////////////////////////////////////
> if (!isset($_SESSION['idx'])) {
>     $msgToUser = '<br /><br /><font color="#FF0000">Only site members can do that</font><p><a href="register.php">Join Here</a></p>';
>     include_once 'msgToUser.php';
>     exit();
> } else if ($logOptions_id != $_SESSION['id']) {
>     $msgToUser = '<br /><br /><font color="#FF0000">Only site members can do that</font><p><a href="register.php">Join Here</a></p>';
>     include_once 'msgToUser.php';
>     exit();
> }
> //////////////////////////////////////////////// End Member log in double check
>
> Marco
The first thing you need to do is learn to understand what the code you
copied does. PHP isn't HTML - you can't just download scripts and
expect them to just work. There are differences in PHP versions that
mean many older scripts won't run on more current versions of PHP
without modification. Plus there are all kinds of poorly written
scripts out there I wouldn't put on ANY web site. And generally scripts
from different sites do not run well together.
But again, it's impossible to figure out what you're doing here because
you don't have the minimum code needed to find the problem. For
instance, how does $_SESSION['idx'] get set? What's in it? What's the
difference between that and $_SESSION['id']? How does $logOptions_id
get set? What's in $msgToUser (and how was that set)?
You really need to learn to understand the code. Of course, the best way
to do that is to write it yourself, although it takes longer. With
practice, you'll end up with much better code.