Need help with Member Profiles

**DoubleDee** · May 2, 2012 15:35

I could use some help understanding how websites like SitePoint work with Member Profiles.

When I look at people's Profiles on here I get URL's like...

Code:

http://www.sitepoint.com/forums/member.php?25195-Paul-O-B

http://www.sitepoint.com/forums/member.php?323222-ralph-m

http://www.sitepoint.com/forums/member.php?130187-oddz

Since everyone's Profiles are "public", I guess all you need to do is pass a Username in the Query String and you are good to go, right?

But how/why is it that if I am logged in as "me" (DoubleDee), that when I go into my profile all I see is the same URL...

Code:

http://www.sitepoint.com/forums/member.php?399760-DoubleDee

From what I see on the surface, I should be able to go into Ralph's profile and post those wild "party pictures" I took of him when he was drunk last weekend...

Why do all of these people have the smae URL structure, but only "I" can edit my profile and others cannot?

Thanks,

Debbie

**spufi** · May 2, 2012 16:21

You can't because you aren't logged in as them. Profiles are public to view, private to edit.

**Mandes** · May 3, 2012 01:04

Hi DD

When you log into sitepoint you'll set a cookie, or a session variable in PHP, that identifies you to the system, most probably with your unique userID in the database (along with other info that may be required).

When you visit your profile the value of the userID your logged in as will be checked to the userid of the profile your viewing, if they match then the script will enable the editing functions for that page and you can change your profile, if they dont match then you can only view the profile.

The URL stays the same regardless, is just a means of viewing a page after all, its the php behind the page that decides if have editing rights or not for that page.

Hope that makes it clear for you !!

**DoubleDee** · May 3, 2012 09:12

Originally Posted by Mandes

Hi DD

When you log into sitepoint you'll set a cookie, or a session variable in PHP, that identifies you to the system, most probably with your unique userID in the database (along with other info that may be required).

When you visit your profile the value of the userID your logged in as will be checked to the userid of the profile your viewing, if they match then the script will enable the editing functions for that page and you can change your profile, if they dont match then you can only view the profile.

The URL stays the same regardless, is just a means of viewing a page after all, its the php behind the page that decides if have editing rights or not for that page.

Hope that makes it clear for you !!

Bingo! That is what I was trying to figure out.

So, just to clarify, everyone gets to Member Profiles the same way, right?

And whether I am viewing my own Profile (i.e. DoubleDee) or someone else's, doesn't matter as far as the URL is concerned, right?

But in order to do things to a Profile, I need to be authenticated, and that is done server-side using PHP and making sure that I am "logged in", right?

Currently, I have just been using something like this to see if someone is logged in...

PHP Code:


    // **********************

    // Check if Logged In.    *

    // **********************



    // User must be logged-in to change email.

    if (empty($_SESSION['loggedIn']) || $_SESSION['loggedIn']===FALSE){

        // Not Logged In.

        $_SESSION['resultsCode'] = 'EMAIL_USER_NOT_LOGGED_IN_2127';



        // Set Error Source.

        $_SESSION['errorPage'] = $_SERVER['SCRIPT_NAME'];



        // Redirect to Outcome Page.

        header("Location: " . BASE_URL . "/account/results.php");



        // End script.

        exit();

    }

Is that sufficiently secure for things like we are talking about?

Debbie

P.S. Why does SitePoint use prepend a # in front of my Username in the URL...

http://www.sitepoint.com/forums/member.php?399760-DoubleDee

**r937** · May 3, 2012 10:23

Originally Posted by DoubleDee

P.S. Why does SitePoint use prepend a # in front of my Username in the URL...

that's your member number, used for the database lookup

the name appended to it is just for seo purposes

check this out -- http://www.sitepoint.com/forums/memb...0-JeromeHoward

**Mandes** · May 3, 2012 11:02

As Rudy said, its your membership no, what i refered to in my reply as your UserID.

Your script seems ok on the surface, not sure why you'd want to log details of everyone that wasnt logged in.... depends what youre doing with it in results.php . Youre better off just shoving people back to a login page if they aint got the credentials, unless youve a good reason not to, ie like they shouldnt have found this script in the first place and your trying to find and plug a hole in your code.

**DoubleDee** · May 3, 2012 13:02

Originally Posted by Mandes

As Rudy said, its your membership no, what i refered to in my reply as your UserID.

On my website, "Username" must be unique - even though its not the PK. (I just assumed SitePoint would follow the same logic and thus not need to prepend a number.)

Your script seems ok on the surface, not sure why you'd want to log details of everyone that wasnt logged in.... depends what youre doing with it in results.php . Youre better off just shoving people back to a login page if they aint got the credentials, unless youve a good reason not to, ie like they shouldnt have found this script in the first place and your trying to find and plug a hole in your code.

Well, two things...

1.) That is my standard code to handle Errors. I figured logging everything that happens is a good way for me to know where problems are occurring. (I still need to learn how to do this for Fatal Errors, but for Logical Errors I think this will be helpful.)

2.) On most Errors, I route people to "results.php" and have code like this...

PHP Code:


    // Not Logged In.

    case 'EMAIL_USER_NOT_LOGGED_IN_2127':

        // Set Redirect Path.

        $_SESSION['returnToPage'] = '/account/change_email.php';



        echo '<h1>Not Logged In</h1>';

        echo '<p>You must be logged in to change your e-mail. (2127)</p>';

        echo '<a class="button" href="' . BASE_URL . '/account/log_in.php">Log In</a>';

        break;

So I believe that addresses your suggestions above, right?

Debbie

**Mandes** · May 3, 2012 13:29

Debbie

Wasnt saying that theres anything wrong with that, if thats your normal routine more power to you.

As for unique names instead of numbers .. again personal preference, most sites will check if a username is already in use anyway, but still use a userID for the code to identify someone, I guess its just easier to give someone a number.

I tend to keep my userIDs hidden on my site, as you say Sitepoint decided to show theirs not sure what the benefit on that would be.

Yes Maam, suggestions addressed ;-)

**DoubleDee** · May 3, 2012 13:39

Originally Posted by Mandes

Debbie

Wasnt saying that theres anything wrong with that, if thats your normal routine more power to you.

Okay, good.

As for unique names instead of numbers .. again personal preference, most sites will check if a username is already in use anyway, but still use a userID for the code to identify someone, I guess its just easier to give someone a number.

In my Member table I have...

Code:

- id (pk)(cannot change)
- email (uk)
- username (uk)(cannot change)

I tend to keep my userIDs hidden on my site, as you say Sitepoint decided to show theirs not sure what the benefit on that would be.

I agree with you...

Yes Maam, suggestions addressed ;-)

Cool!

Thanks for the help!!

Debbie

User Tag List

Thread: Need help with Member Profiles

Thread Tools

Display

Need help with Member Profiles

Bookmarks

Bookmarks

Posting Permissions