Solved

PHP Sessions

Posted on 2011-09-13
7
270 Views
Last Modified: 2012-05-12
The attached code pulls data from a mysql database & then displays it in a browser. This code pulls the data for John Doe who has a username of doej The code works fine but I am having trouble with user sessions. In order for John Doe to view the report he is prompted a username & password page. After he authenticates he sees the page. That also works fine BUT while logged in as  doej I can go to the URL in the browser & change doej.php to janed.php or another username & I can see their information...I don't think my security is set up correct on this page. I have also included the lock.php code so you can view.
<html>  
<body bgcolor="#03EBA6"> 
<head>

<?php
include('lock.php');
?>

<body>
<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<?php

include('config.php');
session_start();
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

0
Comment
Question by:wantabe2
7 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36532172
For starters, "include('lock.php');" must be the first thing in every file that you want to control because that's where you have session_start();.  Where you have it, the session cookie will not be set and the 'header' will not work because there is already HTML output.  Headers can Not be sent after any other output, they Must be sent first.

The second big problem is that your page formatting is very wrong.  You can not put elements just anywhere and expect them to work.  For the HTML part, <html> is the overall container, the <head> section comes next followed by the <body> section.  Attached is a code snippet showing a basic page in the correct order.

I've put the first PHP section where it should be in your code but I'll let you clean up the rest.
<?php
include('lock.php');
?>
<html>  
<head>

</head>
<body bgcolor="#03EBA6"> 

<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>Untitled</title>
</head>
<body>
Content here!
</body>
</html>

Open in new window

0
 
LVL 4

Expert Comment

by:h4hardy
ID: 36534365
you have to start the  session always at the top of the php file

<?php
session_start();
include('config.php');
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

0
 
LVL 15

Author Comment

by:wantabe2
ID: 36535541
I understand that but I don't think you understand my issue...After I log in, as doej I am viewing the information for doej & the URL is

http://myserver/hr2/$12345supervisor54321$/doej.php

If someone wants to view johnsong information all they have to do is change  http://myserver/hr2/$12345supervisor54321$/doej.php    to   http://myserver/hr2/$12345supervisor54321$/johnsong.php   and it will allow them to see anyones info ...all they have to do is change the URL....Is there any way to stop this from happening?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 15

Author Comment

by:wantabe2
ID: 36536387
Is there anything I can do to the attached code to make the URL display something different? I don't want the doej.php be displayed at the end of the URL...
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 36536920
The general design pattern for client authentication is available here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Note the use of the $uid variable in the part called Tools for Testing.  You can compare the $uid to the salient part of the URL string.
0
 
LVL 15

Author Closing Comment

by:wantabe2
ID: 36537701
This article you wrote helped more than anything. Thanks
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 36537730
Thanks for the points - I'm glad you found the article helpful.  Best of luck with your project, ~Ray
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Because your company can’t afford for you to make SEO mistakes, you’ll want to ensure you’re taking the right steps each and every time you post a new piece of content. This list of optimization do’s and don’ts can help you become an SEO wizard.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question