Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

advice on best solution to use

Posted on 2006-11-09
5
248 Views
Last Modified: 2006-11-18
some background information:

i have a PHP page, that when viewed, is customised to the user viewing it.  how i detect which user is viewing the page is by using an Java applet that i built to POST the username that windows stores after you login to our network.  in my PHP page i get that username like: $username = trim($_GET['username']);

the issue im facing and needing advice on is this:

when i get the username, i query MS SQL to get the users details stored in our system and i register a session.  (after i register my session, i can then customise the PHP page for that user)

now if the username is blank - i want to redirect to an error page as either the user has tired to edit the username in URL or the username didnt get posted correctly to the PHP page from the Java Applet (HTML page).

now i also want to check if the session is set or not (empty).  if its already set, skip the process of setting the session the second time around if user refreshes the PHP page.  if the session isnt set, the obviously set the session and show the PHP page customised to that user.  

But regardless of whether the session is set or not, my users are always redirected to error page...

my current code:

<?php
session_start();

$username = trim($_GET['username']);

if(!isset( $_SESSION['user_info']))
{
      $_SESSION['user_info'] = array();

      // DB connection string here
      // DB query string that uses $username and the result string of that query here

      while ($row = mssql_fetch_array($results))
      {
            $_SESSION['user_info']['persid'] = trim($row['PersID']);
            $_SESSION['user_info']['surname'] = trim($row['Surname']);
            $_SESSION['user_info']['firstname'] = trim($row['Firstname']);
      }
            
      // Close DB connection here
}

// Rest of HTML tags here that is used to customise the page for the user
?>
0
Comment
Question by:ellandrd
  • 3
  • 2
5 Comments
 
LVL 14

Accepted Solution

by:
huji earned 500 total points
ID: 17908577
>> now if the username is blank - i want to redirect to an error page as either the user has tired to edit the username in URL or the username didnt get posted correctly to the PHP page from the Java Applet (HTML page). <<
This is not a good practice. A user may change the username to something else (other than blank) and you may get into troubles. The only case that you should handle is not when the username is empty.

And about your code, I didn't see any part of it that should do the redirect (which you say is happening all the time) but eventually it should be changed to something like:

<?php
session_start();

if(isset($_GET['username'])){
    $username = trim($_GET['username']);
} else {
    //redirect to the login page.
    header("Location: login.php");
}

if(!isset( $_SESSION['user_info']))
{
     $_SESSION['user_info'] = array();

     // DB connection string here
     // DB query string that uses $username and the result string of that query here

     while ($row = mssql_fetch_array($results))
     {
          $_SESSION['user_info']['persid'] = trim($row['PersID']);
          $_SESSION['user_info']['surname'] = trim($row['Surname']);
          $_SESSION['user_info']['firstname'] = trim($row['Firstname']);
     }
         
     // Close DB connection here
}

// Rest of HTML tags here that is used to customise the page for the user
?>
0
 
LVL 16

Author Comment

by:ellandrd
ID: 17908656
hi huji

i removed the redirect code.  sorry i should have stated this was the only code i had working to an extent.

since opening the Question and you posted, this is now my latest code:

<?php
session_start();

if(empty($_SESSION['user_info']) && isset($_SESSION['user_info']))
{
        // session has been set already but empty so probably timed out
      header('Location:timeout.html');
      exit;
}
else if(empty($_SESSION['user_info']))
{
        // session not even set yet so set it now
      $_SESSION['user_info'] = array();

      $username = trim($_GET['username']);

      if (strtolower(trim($username)) == 'administrator')
      {
            $_SESSION['user_info']['firstname'] = 'Administrator';
            $_SESSION['user_info']['surname'] = '';
            $_SESSION['user_info']['username'] = 'administrator';
      }
      else
      {
            $Personnel_Connect = @mssql_connect("file04abzpi", "sa", "");
            $db = @mssql_select_db("Personnel",$Personnel_Connect);
            $query = "SELECT tblPersonnel.PersID,tblPersonnel.FirstName,tblPersonnel.Surname,tblPersonnel.NetworkLogin FROM tblPersonnel WHERE tblPersonnel.NetworkLogin = '".$username."'";
            $results = mssql_query($query) or die(mssql_error());

            while ($row = mssql_fetch_array($results))
            {
                  $FirstName = trim($row['FirstName']);
                  $Surname = trim($row['Surname']);

                  if($FirstName == 'William' && $Surname == 'Neilson')
                  {
                        $_SESSION['user_info']['firstname'] = 'Bill';
                  }
                  else
                  {
                        $_SESSION['user_info']['firstname'] = $FirstName;
                  }

                  $_SESSION['user_info']['persid'] = trim($row['PersID']);
                  $_SESSION['user_info']['surname'] = trim($row['Surname']);
                  $_SESSION['user_info']['username'] = trim($row['NetworkLogin']);
            }
            mssql_close($Personnel_Connect);
      }

        // refresh page so username isnt show in URL
      header('Location: index.php');
      exit;
}

// show page here
?>
0
 
LVL 16

Author Comment

by:ellandrd
ID: 17908825
ok, ive managed to it working.

i'll accept your first comment as you've pointed out that if username is blank, problems can occur... so thank you for this.

ellandrd
0
 
LVL 16

Author Comment

by:ellandrd
ID: 17908855
looks like ive just giving you your web development master cert too - well done!

ellandrd
0
 
LVL 14

Expert Comment

by:huji
ID: 17909196
ellandrd,

Thanks for the points! I didn't even notice the new certificate, before you informed me!! Thanks again.

Huji
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Easy responsive table out of existing table 28 60
Fulfillment API php code sample 1 58
CSS: Making responsive table look nicer 7 31
Adding items to a C# list incrementally 5 33
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo‚Ķ
FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question