Solved

PHP Sessions

Posted on 2011-09-13
7
269 Views
Last Modified: 2012-05-12
The attached code pulls data from a mysql database & then displays it in a browser. This code pulls the data for John Doe who has a username of doej The code works fine but I am having trouble with user sessions. In order for John Doe to view the report he is prompted a username & password page. After he authenticates he sees the page. That also works fine BUT while logged in as  doej I can go to the URL in the browser & change doej.php to janed.php or another username & I can see their information...I don't think my security is set up correct on this page. I have also included the lock.php code so you can view.
<html>  
<body bgcolor="#03EBA6"> 
<head>

<?php
include('lock.php');
?>

<body>
<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<?php

include('config.php');
session_start();
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

0
Comment
Question by:wantabe2
7 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36532172
For starters, "include('lock.php');" must be the first thing in every file that you want to control because that's where you have session_start();.  Where you have it, the session cookie will not be set and the 'header' will not work because there is already HTML output.  Headers can Not be sent after any other output, they Must be sent first.

The second big problem is that your page formatting is very wrong.  You can not put elements just anywhere and expect them to work.  For the HTML part, <html> is the overall container, the <head> section comes next followed by the <body> section.  Attached is a code snippet showing a basic page in the correct order.

I've put the first PHP section where it should be in your code but I'll let you clean up the rest.
<?php
include('lock.php');
?>
<html>  
<head>

</head>
<body bgcolor="#03EBA6"> 

<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>Untitled</title>
</head>
<body>
Content here!
</body>
</html>

Open in new window

0
 
LVL 4

Expert Comment

by:h4hardy
ID: 36534365
you have to start the  session always at the top of the php file

<?php
session_start();
include('config.php');
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

0
 
LVL 15

Author Comment

by:wantabe2
ID: 36535541
I understand that but I don't think you understand my issue...After I log in, as doej I am viewing the information for doej & the URL is

http://myserver/hr2/$12345supervisor54321$/doej.php

If someone wants to view johnsong information all they have to do is change  http://myserver/hr2/$12345supervisor54321$/doej.php    to   http://myserver/hr2/$12345supervisor54321$/johnsong.php   and it will allow them to see anyones info ...all they have to do is change the URL....Is there any way to stop this from happening?
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 15

Author Comment

by:wantabe2
ID: 36536387
Is there anything I can do to the attached code to make the URL display something different? I don't want the doej.php be displayed at the end of the URL...
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 36536920
The general design pattern for client authentication is available here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Note the use of the $uid variable in the part called Tools for Testing.  You can compare the $uid to the salient part of the URL string.
0
 
LVL 15

Author Closing Comment

by:wantabe2
ID: 36537701
This article you wrote helped more than anything. Thanks
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 36537730
Thanks for the points - I'm glad you found the article helpful.  Best of luck with your project, ~Ray
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
Because your company can’t afford for you to make SEO mistakes, you’ll want to ensure you’re taking the right steps each and every time you post a new piece of content. This list of optimization do’s and don’ts can help you become an SEO wizard.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question