How do I prevent a user from using each *.php?cat='

Hi everyone :slight_smile:

I got one form … each category has different ID…
Example:-
http://localhost/control/newdpppage/dpp_add_lorthbank.php?cat=3

http://localhost/control/newdpppage/dpp_add_lorthbank.php?cat=4

After login, each user goes to the page assigned to them …

-The Question…
How do I prevent User1, who can see cat=3, from seeing the data on cat=4 that is assigned to User2?

Thank you :smiley:

I use JavaScript for that


<script type="text/javascript">
// Reload the page with the category chosen in the form's <select name="cat">
function reload(form)
{
    var val = form.cat.options[form.cat.options.selectedIndex].value;
    self.location = 'dpp_add_lorthbank.php?cat=' + val;
}
</script>

Hi,
you can check the database at the top of the dpp_add_lorthbank.php page and redirect to a customized page if the user does not have permission for the category.

suppose a user with uid 5 has permission for the category with catid 2, and your database table structure is like:

uid catid
1 3
1 2
5 2
5 1

now you need to check whether the user requesting the page matches the catid and user id or not.

example (assuming the relationship table is called usercategory and that you have stored the user id in the session):


// cast both values to integers so a crafted cat= value cannot change the query
$uid = (int) $_SESSION['uid'];
$cat = (int) $_GET['cat'];
$sql = mysql_query("SELECT * FROM usercategory WHERE uid=$uid AND catid=$cat");
if($sql && mysql_num_rows($sql)){
  //let the user do stuffs
}else{
 //redirect to error page or die("you dont have permission to this category")
}

Thank you
bishwadeepkc

I tried what you told me; I might have had problems making it the right way…
But I tried, and this was the result … :rolleyes:
Please explain for me more.



<?php
//Connect to mysql server
$link = mysql_connect('localhost', 'root', '');
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}
mysql_select_db("sac", $link);

$sql=mysql_query
("select * from login_type, category where 
uid=".$_SESSION['uid']." AND cat_id=".$_GET['cat_id']."");
if(mysql_num_rows($sql)){
  //let the user do stuffs
echo "<a href='logout.php'>Logout</a>";
}
else
{
 //redirect to error page or die("you dont have permission to this category")
die(mysql_error());
}
?>


First Error:-
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\control\newdpppage\dpp_add_lorthbank.php on line 26

Second Error:-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘[0] AND cat_id=’ at line 2


SELECT *
FROM login_type, category
WHERE uid =2
AND cat_id =2

This SQL statement worked for me … I’ll try to see how it goes with the first error, for which I still can’t find the solution :injured:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\control\newdpppage\dpp_add_lorthbank.php on line 26

You are joining two tables without defining the join criteria, so the result would be a cross join. I’m guessing that cat_id is present in both tables? That would give you a mysql error, and the result would not be a mysql result set (hence the error you’re seeing). Try this:


// cast to int so the values can only ever be numbers inside the SQL
$uid    = (int) $_SESSION['uid'];
$cat_id = (int) $_GET['cat_id'];
$sql = "
  SELECT * 
  FROM login_type
  WHERE uid = $uid 
  AND   cat_id = $cat_id
";
$result = mysql_query($sql) or die('mysql error ' . mysql_error() . ' in query ' . $sql);
if(mysql_num_rows($result) > 0){
  //let the user do stuffs
  echo "<a href='logout.php'>Logout</a>";
}
else
{
  //redirect to error page or die("you dont have permission to this category")
  die("you dont have permission to this category");
}

By the way, don’t use user input ($_GET, $_POST) in your queries without sanitizing the data first (in this case, make sure $_GET['cat_id'] contains a numeric value).
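Putting the two replies together, here is an added example (not code from the thread) of the per-request check done with PDO prepared statements, so that the value of cat= is always bound as data and can never alter the SQL. It assumes the usercategory(uid, catid) mapping table suggested earlier, a login that stores the user's id in $_SESSION['uid'], and placeholder database credentials.

```php
<?php
// Added example, not code from the thread: authorize the requested category
// for the logged-in user before showing anything.
// Assumed: usercategory(uid, catid) mapping table, $_SESSION['uid'] set at
// login, placeholder DSN and credentials.
session_start();

/**
 * True only if a row maps this user to this category.
 * Both arguments are ints, so nothing user-controlled reaches the SQL text.
 */
function userMayViewCategory(PDO $pdo, int $uid, int $cat): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM usercategory WHERE uid = :uid AND catid = :cat LIMIT 1'
    );
    $stmt->execute([':uid' => $uid, ':cat' => $cat]);
    return $stmt->fetchColumn() !== false;
}

// 1. Not logged in at all? There is nothing to check yet.
if (empty($_SESSION['uid'])) {
    header('Location: login.php');
    exit;
}

// 2. Validate cat before it is used anywhere: it must be a positive integer.
//    Values such as "4abc" or an empty string fail here, before the database.
$cat = filter_input(INPUT_GET, 'cat', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($cat === null || $cat === false) {
    http_response_code(400);
    exit('Invalid category');
}

// 3. Ask the database whether THIS user is allowed THIS category.
$pdo = new PDO(
    'mysql:host=localhost;dbname=sac;charset=utf8mb4',   // placeholder DSN
    'db_user', 'db_password',                            // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

if (!userMayViewCategory($pdo, (int) $_SESSION['uid'], $cat)) {
    // Deny with a 403 and a generic message; printing mysql_error() would only
    // leak database details, and after a successful query it is empty anyway.
    http_response_code(403);
    exit('You do not have permission to this category');
}

// 4. Authorized: render the category page for $cat.
echo "<a href='logout.php'>Logout</a>";
?>
```

The check runs on every request to the page, so it does not matter whether the user typed the URL, followed a link, or changed cat= by hand: the only thing that decides is the mapping row in the database.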

You are joining two tables without defining the join criteria, so the result would be a cross join. I’m guessing that cat_id is present in both tables?

I have two tables :slight_smile:
login_type:-
uid| type | username | password
1 | adminbank | admin | 123
2 | userbank | mark | 321

category:-
cat_id | category
1 | EonBank
2 | MayBank

I have one form that shows the categories this way: dpp_add_lorthbank.php?cat=1 for user one,
cat=2 for user two.

What I’m trying to do is make each one see only his own category.

user admin after login goes to the link *.php?cat=1
user mark after login goes to the link *.php?cat=1

Both can’t see the values of the category of the other.

How do you know what category to show to what user? What is the connection between the two tables?

uid catid
1 3
1 2
5 2
5 1

You posted this. Where do you get that info from?

That was a suggestion from bishwadeepkc :slight_smile:
I tried to do what he suggested but couldn’t get it to work …

What I posted above was my original data.

Thank you
Mr.guido2004

I tried to do it like this,
just an idea.
I’m asking whether that would help in my case?

First page


<?php
session_start();
$key = 14;
$_SESSION['cat'] = $key;
echo "<a href=\"second.php?cat=$key\">link</a>";
?>

Second Page


<?php
session_start();
if($_GET['cat'] != $_SESSION['cat'])
{
	echo "You are NOT the Same Person from Login";
	exit;
}
session_destroy();
?>

Yes, you can store the user’s category id in a session. You don’t even have to pass the category id in the query string anymore. Just get it from the session.

On the login page I did this


<?php
//Start session
session_start();
// assign the values directly: inside single quotes '$_POST[username]' is the literal text, not the username
$_SESSION['foo'] = $_POST['username'];
$_SESSION['uid'] = $usercategory;
$key = 14;
$_SESSION['cat'] = $key;
?>


Second page


<?php
session_start();
if ($_GET['cat'] != $_SESSION['cat'])
{
	//echo "You are NOT the Same Person from Login";
	header('Location: error.php');
	exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
else
{
	echo "You are THE Same Person from Login";
}
session_destroy();
?>


And I added the SQL statement…
All working well now …
no mistakes at all… :lol:

Thank you
guido2004 :smiley:
and
bishwadeepkc :smiley:

:argue:

The last code only shows the record of cat=14 because it’s $key = 14;

How can I make it
$key = 14,15,16;

I tried
$key = array (14,15,16);

also
$key14 = 14;
$key15 = 15;
$key16 = 16;

But all wrong :confused:
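For the several-categories case, here is an added example (not code from the thread) that follows the session approach used above: the login page stores the list of category ids the user may see as an array of ints in the session, and the category page tests membership in that list instead of comparing against one $key. It assumes the usercategory(uid, catid) table from earlier in the thread and an already-opened PDO connection in $pdo; the ids 14, 15 and 16 are the ones from the question.

```php
<?php
// Added example, not code from the thread: one user, several allowed categories.
// Assumed: usercategory(uid, catid) table, an open PDO connection in $pdo.

/**
 * Login side: run once, after the username/password check has succeeded.
 * Returns e.g. [14, 15, 16] for a user mapped to those three categories.
 */
function loadAllowedCategories(PDO $pdo, int $uid): array
{
    $stmt = $pdo->prepare('SELECT catid FROM usercategory WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    // FETCH_COLUMN gives a flat list; intval keeps every element an int so the
    // strict comparison below works.
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

/**
 * Page side: is the requested cat one of the user's allowed ids?
 * Only a string of digits is accepted, so "14abc" or "" never match, and the
 * strict in_array compares ints with ints.
 */
function isAllowedCategory(array $allowed, $requested): bool
{
    if (!ctype_digit((string) $requested)) {
        return false;
    }
    return in_array((int) $requested, $allowed, true);
}

// --- on login.php, right after the credentials check succeeds: ---------------
//   session_start();
//   session_regenerate_id(true);                            // new id after login
//   $_SESSION['uid']  = $uid;                               // from the login lookup
//   $_SESSION['cats'] = loadAllowedCategories($pdo, $uid);  // e.g. [14, 15, 16]

// --- on dpp_add_lorthbank.php, at the very top: ------------------------------
session_start();
$allowed = $_SESSION['cats'] ?? [];       // [] when not logged in: nothing allowed
if (!isAllowedCategory($allowed, $_GET['cat'] ?? '')) {
    header('Location: error.php');
    exit;                                 // never let the page body run after a redirect
}
// $_GET['cat'] is one of this user's categories; show it.
echo "Showing category " . (int) $_GET['cat'];
?>
```

Because the allowed list is loaded from the database at login and kept in the session, the page itself never needs to trust cat= from the URL: a user who edits it to an id that is not in his list is sent to error.php, and adding or removing a category for a user is just a row in usercategory.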