#1 SitePoint Zealot (Join Date Sep 2005, Posts 126)

Session coding... Did I do something wrong?

Hello
My customer has many clients of his own and has to send them their daily reports.
I have three pages: a reports page, a monthly report page and a daily report page.
The reports page shows all clients' call numbers for all months, and if I click a number it takes me to the specific monthly report page.
The monthly report page shows each client's monthly call total, and if I click the number it takes me to the daily report of that specific client. And in the daily report page,
there is a hyperlink saying "Back to Monthly report" which takes you back to the monthly report.

Previously (without using sessions), I passed all the arguments through the link, from the reports page to the monthly report page and from the monthly report page to the daily report page,
something like this:

<reports.php>
// every parameter the next page needs travels in the query string
echo "<tr><td>$date&nbsp;&nbsp;</td><td><a href=\"monthlyReport.php?date=$date&fromTime=$fromTime&toTime=$toTime\">$numOfCalls</a></td></tr>";

<monthlyReport.php>
// the client id and name are added to the link as well
printf("<tr><td>total calls&nbsp;&nbsp;</td><td align=\"center\"><a href=\"dailyReport.php?date=$date&fromTime=$fromTime&toTime=$toTime&clientId=$clientId&name=$name\">%s</a></td></tr>", $totalCallsForClient['totalCallsForClient']);

and from the daily report page back to the monthly report page:

<dailyReport.php>
// the "back" link rebuilds the monthly page URL from the same parameters
echo "<p><a href=\"monthlyReport.php?date=$date&fromTime=$fromTime&toTime=$toTime\">Back to Monthly Reports Page</a></p>";

My customer complained that if he sends a daily report to a client just by capturing the HTML page, this client can easily get into this daily report page by typing the same URL, and from this daily report page he can easily go back to the monthly report (via the hyperlink) and see all the other competitors' call records, which shouldn't be allowed.

I thought maybe it was because I passed the parameters directly, so I decided to use sessions.
So I changed my code like this:

<reports.php>
<?php
session_start();
header("Cache-control: private");

for ($i = 0; $i <= $numOfMonths; $i++) {

    $date = ...
    $fromTime = ...
    $toTime = ...

    $date = date("F Y", $fromTime);
    // one set of session keys per month index; the link now carries only the index
    $_SESSION['month'] = $i;
    $_SESSION['date'.$i] = $date;
    $_SESSION['fromTime'.$i] = $fromTime;
    $_SESSION['toTime'.$i] = $toTime;
    echo "<tr><td>$date&nbsp;&nbsp;</td><td><a href=\"monthlyReport.php?numMonth=$i\">$numOfCalls</a></td></tr>";
}
?>

<monthlyReport.php>
<?php
session_start();
header("Cache-control: private");

// the month index comes from the URL; the dates are looked up in the session
$numMonth = $_GET['numMonth'];
$date = $_SESSION['date'.$numMonth];
$fromTime = $_SESSION['fromTime'.$numMonth];
$toTime = $_SESSION['toTime'.$numMonth];

$client = 0;
do {

    $clientId = ...
    $name = ...
    // note: the keys are plain concatenations, so month 1 / client 11 and
    // month 11 / client 1 both map to 'clientId111'
    $_SESSION['clientId'.$numMonth .$client] = $clientId;
    $_SESSION['name'.$numMonth .$client] = $name;

    printf("<tr><td>total calls&nbsp;&nbsp;</td><td align=\"center\"><a href=\"dailyReport.php?numMonth=$numMonth&client=$client\">%s</a></td></tr>", $totalCallsForClient['totalCallsForClient']);
    $client++;
} while (...);
?>


<dailyReport.php>
<?php
session_start();
header("Cache-control: private");

// both indices come from the URL, so any visitor can pick them; nothing on this
// page checks who the visitor is, only which session entries the indices select
$numMonth = $_GET['numMonth'];
$client = $_GET['client'];
$date = $_SESSION['date'.$numMonth];
$fromTime = $_SESSION['fromTime'.$numMonth];
$toTime = $_SESSION['toTime'.$numMonth];
$clientId = $_SESSION['clientId'.$numMonth.$client];
$name = $_SESSION['name'.$numMonth.$client];

echo "<p><a href=\"monthlyReport.php?numMonth=$numMonth\">Back to Monthly Reports Page</a></p>";
?>

O.K. it still works (showing the correct call number), which is good.
BUT it still has the same problem.
If I open a new browser window and type the daily report URL, it takes me to the daily report page, and it still takes me back to the monthly report when I click the "Back to Monthly Report" hyperlink.
Maybe I am misunderstanding the whole session concept?
(I thought a session could prevent this kind of security hole.)
Or is there something wrong with my revised code?

    Thanks,
    Last edited by lmsook; Oct 20, 2005 at 15:32.
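An added example, not the original poster's code, of the two pieces that neither version of the pages above has: a login gate that every staff page includes (the session only carries a "logged in" flag after login.php has verified a password; it does not by itself prove anything about who typed a URL), and a per-client capability link for the mailed daily report, so the client receives a token bound to one client id and one month rather than a capture of dailyReport.php with a "back" link on it. The names auth_require_staff(), auth_login(), report_tokens, clientReport.php and the $staffUsers array are hypothetical, and an in-memory SQLite database stands in for the real one so the script runs on its own.

```php
<?php
// Added example (not the original poster's code). Hypothetical names throughout:
// auth_require_staff(), auth_login(), the report_tokens table, clientReport.php.
declare(strict_types=1);

// (a) Include at the top of reports.php, monthlyReport.php and dailyReport.php.
//     Unless login.php put staff_user_id into the session, a stranger who types
//     dailyReport.php?numMonth=1&client=3 is sent to the login page instead.
function auth_require_staff(): void
{
    session_start();
    header('Cache-Control: private, no-store');
    if (empty($_SESSION['staff_user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// login.php is the only place that sets the flag, and only after password_verify().
// $staffUsers is a constructed stand-in for a users table: name => [id, bcrypt hash].
// Call after session_start().
function auth_login(array $staffUsers, string $user, string $password): bool
{
    if (!isset($staffUsers[$user]) || !password_verify($password, $staffUsers[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login (session fixation defence)
    $_SESSION['staff_user_id'] = $staffUsers[$user]['id'];
    return true;
}

// (b) Instead of mailing a captured copy of dailyReport.php, mail a link whose token
//     is bound to one client and one month. clientReport.php renders only that scope
//     and has no "Back to Monthly Reports" link, so there is nothing to climb up to.
function report_tokens_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS report_tokens (
        token_hash TEXT PRIMARY KEY, client_id INTEGER NOT NULL,
        from_time INTEGER NOT NULL, to_time INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
}

function issue_client_report_token(PDO $db, int $clientId, int $fromTime, int $toTime,
                                   int $ttlSeconds = 7 * 86400): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits: not guessable
    $stmt = $db->prepare('INSERT INTO report_tokens VALUES (?, ?, ?, ?, ?)');
    // only the hash is stored, so a leaked table row does not grant access
    $stmt->execute([hash('sha256', $token), $clientId, $fromTime, $toTime, time() + $ttlSeconds]);
    return $token;   // goes into the mailed link: clientReport.php?t=<token>
}

// Called by clientReport.php with $_GET['t']. Returns the scope the page may render,
// or null when the token is unknown or expired. The client id is NOT taken from the URL.
function resolve_client_report_token(PDO $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT client_id, from_time, to_time FROM report_tokens
                          WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo on an in-memory SQLite database (needs the pdo_sqlite extension).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    report_tokens_schema($db);

    // constructed sample: client 42, October 2005
    $from = mktime(0, 0, 0, 10, 1, 2005);
    $to   = mktime(0, 0, 0, 11, 1, 2005) - 1;
    $token = issue_client_report_token($db, 42, $from, $to);

    $scope = resolve_client_report_token($db, $token);
    printf("valid token -> client %d, %s to %s\n", (int) $scope['client_id'],
        date('Y-m-d', (int) $scope['from_time']), date('Y-m-d', (int) $scope['to_time']));

    // a client editing the link gets nothing, not another client's report
    var_dump(resolve_client_report_token($db, 'not-a-real-token'));          // NULL
    var_dump(resolve_client_report_token($db, substr($token, 0, -1) . '0')); // NULL

    // constructed staff account; password_verify() is what decides, not a URL parameter
    $staffUsers = ['owner' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]];
    var_dump(password_verify('wrong', $staffUsers['owner']['hash']));        // false
}
```

With this split, the three staff pages keep working exactly as posted but become unreachable without a login, and the thing that leaves the building is a link that can only ever resolve to the one client's own report.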