Solved

How do I restrict a user's access to content?

Posted on 2009-04-26
Last Modified: 2013-12-12
Hi,

I'm building a small PHP/MySQL application that simply allows our staff to upload PDF documents for our customers. Our customers (schools in the UK) then log in and download their own PDF.  I have completed the following tasks:
1) Application for our staff to login and upload the PDFs
2) Application for customers to login and download the documents they have ordered

BUT:

I am struggling to get the list of documents to be restricted to the relevant customer. Basically, as it is at the minute, each customer will be able to download other customers' documents!

In the MySQL database I have two tables: 'members' and 'uploads'.  In the 'uploads' table I have the field 'uploads.member_link' that holds the member's user name (unique school number) and links the record in the table to the correct user in the members table using the field 'members.login'.

The PHP script (view_files.php) lists the documents to download; I have pasted the code below.
I think this is the code where I need to make the changes but I may be wrong. I have tried a few things in the '$query' to limit the content to the user but am not getting it right. Any help on fixing this would be much appreciated.

Cheers,

Tom
<?php 
// This page displays the files uploaded to the server.
 
// Set the page title and include the HTML header.
$page_title = 'View Files';
 
require_once ('../mysql_connect.php'); // Connect to the database.
 
$first = TRUE; // Initialize the variable.

// Query the database.
$query = "SELECT upload_id, file_name, ROUND( file_size /1024 ) AS fs, description, DATE_FORMAT( date_entered, '%M %e, %Y' ) AS d
FROM uploads";
$result = mysql_query ($query);
 
// Display all the URLs.
while ($row = mysql_fetch_array ($result, MYSQL_ASSOC)) {
 
	// If this is the first record, create the table header.
	if ($first) {
		echo '<table border="0" width="100%" cellspacing="3" cellpadding="3" align="center">
	<tr>
		<td align="left" width="20%"><font size="+1">File Name</font></td>
		<td align="center" width="20%"><font size="+1">File Size</font></td>
	</tr>';
 
		$first = FALSE; // One record has been returned.
 
	} // End of $first IF.
	
	// Display each record.
	echo "	<tr>
		<td align=\"left\"><a href=\"download_file.php?uid={$row['upload_id']}\">{$row['file_name']}</a></td>
		<td align=\"center\">{$row['fs']}kb</td>
	</tr>\n";
} // End of while loop.
 
// If no records were displayed...
if ($first) {
	echo '<div align="center">There are currently no files to be viewed.</div>';
} else {
	echo '</table>'; // Close the table.
}
 
mysql_close(); // Close the database connection.
?>

Question by:optimumreports

Accepted Solution

by:
NerdsOfTech earned 2000 total points
ID: 24235311
Use the member id to filter out 'their' downloads ONLY.

replace $memberid with the variable you use to reference the user's 'memberid'

=NerdsOfTech
// Escape the value before it is spliced into the SQL text, so that a crafted
// member id cannot alter the query; quoting the value also works for a
// login/member id that is stored as a string.
$memberid = mysql_real_escape_string($memberid);
$query = "SELECT upload_id, file_name, ROUND( file_size /1024 ) AS fs, description, DATE_FORMAT( date_entered, '%M %e, %Y' ) AS d FROM uploads WHERE member_link = '" . $memberid . "'";
Author Comment

by:optimumreports
ID: 24236141
Hi,

Thanks for the reply. I've tried this and got a little closer. However, when I printed the result of the $memberid it returns all of the IDs for all members in one long word. So the update you suggested will work, but the $memberid is now causing an issue.

How do I get this to be one based on the user who is logged in? Do I need to use something within the session? I am new to this and just started looking at sessions yesterday for the first time, so I may need my hand holding with this! The code I have used to print member IDs is:

$memberid = mysql_query ("SELECT member_link FROM uploads");
while ($memberid_result = mysql_fetch_array ($memberid)) {
	echo $memberid_result[0];
}

Any ideas?

Thanks,

Tom

Expert Comment

by:Ray Paseur
ID: 24236487
I think you want to use member_link or member_id in your WHERE clause to cause the DB to only return information for one particular member.

Does that make sense? ~Ray

Author Comment

by:optimumreports
ID: 24237097
Hi Ray,

Thanks for your post. I don't need it to return information for one particular member; I need to return different information for different members.

So the WHERE clause that NerdsOfTech suggested above will work, I think, but I now have the problem that my $memberid variable is returning the IDs of all members and not just the one logged in.

Does that help?

Thanks,

Tom

Expert Comment

by:NerdsOfTech
ID: 24237438
optimum, thanks for the response. As I suggested, I would like you to REPLACE $memberid FOR THE ACTUAL VARIABLE that YOU USE for the identification of the CURRENT MEMBER LOGGED IN.

Once you do that you should get a correct output. Thanks.

Expert Comment

by:NerdsOfTech
ID: 24237443
identification OF THE CURRENT MEMBER LOGGED IN, I mean :)

Author Comment

by:optimumreports
ID: 24237726
Hi NerdsOfTech,

I don't have an actual variable that gives me the member id that I need, so I created one using the code I pasted above. I named it $memberid as it seemed to make sense, as that is what you suggested.

Once I created the $memberid I brought in the code you suggested, and the result was that none of the document links were showing for any member. So to check the output of $memberid I simply echoed it and noticed that it was printing everyone's member id. Therefore the WHERE clause in your code is working, but the member_link doesn't match the $memberid output and therefore no document links are listed...

Does that make sense?

Thanks,

Tom

Expert Comment

by:NerdsOfTech
ID: 24237866
Sure does.

I am not sure why memberid should have more than one value.
When someone logs on are they logging on as one user or a group of users?

I presume you have them log in individually;
if this is the case, how are you setting the memberid variable? Using session? cookie?

Thanks


Expert Comment

by:mccs-webmaster
ID: 24237960
"I am not sure why memberid should have more than one value.
When someone logs on are they logging on as one user or a group of users?"
I am confused by this as well. When a user logs in to your application, you should create a session with either the logged in user's UserID or UserName. With one, you will be able to query for the other, so I usually just throw both into the session. Once you have that user's information inside the session, you will be able to query whether they should have access for any given page on your entire site by simply doing:
'select * from whatever where userID = ' . $userID;
This is the answer. If you want to know if they should have access to specific PDF files, then your PDF authentication query should be something like:
'select * from PDFDocumentArchive where userID = ' . $userID;
However, the limitation to the above is that this will only work if it is based on a user having access to a PDF file that they upload. For instance, in simplified form, if the database table looks like this:
    ID
    PDFDocument
    UserID
However, in most cases, things are not this simple. You will likely want to give multiple users access to the same files on occasion. In that case, you will have tables more like this:
PDF Table:
    PDFID
    PDFDocument
PDFUserAccess Table:
    UserID
    PDFID
User Table:
    UserID
    Username
    etc
In that case, you would want to query the PDFUserAccess table based on the session like so:
'select * from PDFUserAccess where UserID = ' . $userID;
or if you want to check specifically for access to a single PDF, you could do:
'select * from PDFUserAccess where PDFID = ' . $pdfID . ' and UserID = ' . $userID;
There are a ton of ways you could do this, but they all require that your session store exactly one userID for any logged in user.

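Added example, not code from the question or from either answer: it puts together the session-scoped listing behind NerdsOfTech's accepted WHERE clause and the single-PDF access check mccs-webmaster describes, using PDO prepared statements in place of the page's mysql_* string concatenation. Table and column names follow the question; the session key 'login', the DSN, the credentials and the download_file.php layout are assumptions.

```php
<?php
// Added example (not the poster's code). Table/column names follow the
// question: uploads.member_link holds the value of members.login. The
// session key 'login', the DSN and the credentials are assumptions.
session_start();
if (empty($_SESSION['login'])) {
    header('Location: login.php'); // no logged-in member, so nothing to show
    exit;
}
$login = (string) $_SESSION['login']; // exactly one identity per session

$pdo = new PDO('mysql:host=localhost;dbname=uploads_db;charset=utf8mb4',
    'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// view_files.php: the placeholder keeps other members' rows out of the
// result and keeps the login value from ever being spliced into the SQL.
function list_member_uploads(PDO $pdo, string $login): array
{
    $sql = 'SELECT upload_id, file_name, ROUND(file_size / 1024) AS fs, '
         . "description, DATE_FORMAT(date_entered, '%M %e, %Y') AS d "
         . 'FROM uploads WHERE member_link = ? ORDER BY date_entered DESC';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// download_file.php?uid=N: the listing filter only hides links, so the
// download endpoint must apply the same ownership rule to the requested id.
function member_owned_file(PDO $pdo, string $login, int $uploadId): ?string
{
    $stmt = $pdo->prepare(
        'SELECT file_name FROM uploads WHERE upload_id = ? AND member_link = ?');
    $stmt->execute([$uploadId, $login]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name; // null: not this member's
}

// In download_file.php: reject a missing, non-numeric or foreign id alike.
$uid  = filter_input(INPUT_GET, 'uid', FILTER_VALIDATE_INT);
$file = is_int($uid) ? member_owned_file($pdo, $login, $uid) : null;
if ($file === null) {
    http_response_code(404); // same answer whether the id is unknown or not theirs
    exit;
}
// ...serve $file from the upload directory here...
```

Returning the same 404 for an unknown id and for another member's id keeps the response from revealing which upload ids exist.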

Expert Comment

by:NerdsOfTech
ID: 24238090
I concur, once you find the individual member id the SQL statement I suggested previously should work as planned.

Author Comment

by:optimumreports
ID: 24239617
Hi NerdsOfTech and mccs-webmaster...

You were both right! My $memberid was wrong and it was bringing in my username (which is also a number) and not the actual member ID.

My database table links were also wrong therefore the WHERE clause was never going to work because I was trying to match two different sets of data! Anyway, once I sorted the database issue the WHERE clause that NerdsOfTech suggested works perfectly. Sorry for the confusion. Your help is much appreciated.

Thanks again,

Tom

Author Closing Comment

by:optimumreports
ID: 31574620
This worked perfectly once I had sorted out my database link issue which was my fault.