PHP Sessions

The attached code pulls data from a mysql database & then displays it in a browser. This code pulls the data for John Doe who has a username of doej The code works fine but I am having trouble with user sessions. In order for John Doe to view the report he is prompted a username & password page. After he authenticates he sees the page. That also works fine BUT while logged in as  doej I can go to the URL in the browser & change doej.php to janed.php or another username & I can see their information...I don't think my security is set up correct on this page. I have also included the lock.php code so you can view.
<html>  
<body bgcolor="#03EBA6"> 
<head>

<?php
include('lock.php');
?>

<body>
<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<?php

include('config.php');
session_start();
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

LVL 15
wantabe2Asked:
Who is Participating?
 
Ray PaseurCommented:
The general design pattern for client authentication is available here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Note the use of the $uid variable in the part called Tools for Testing.  You can compare the $uid to the salient part of the URL string.
0
 
Dave BaldwinFixer of ProblemsCommented:
For starters, "include('lock.php');" must be the first thing in every file that you want to control because that's where you have session_start();.  Where you have it, the session cookie will not be set and the 'header' will not work because there is already HTML output.  Headers can Not be sent after any other output, they Must be sent first.

The second big problem is that your page formatting is very wrong.  You can not put elements just anywhere and expect them to work.  For the HTML part, <html> is the overall container, the <head> section comes next followed by the <body> section.  Attached is a code snippet showing a basic page in the correct order.

I've put the first PHP section where it should be in your code but I'll let you clean up the rest.
<?php
include('lock.php');
?>
<html>  
<head>

</head>
<body bgcolor="#03EBA6"> 

<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS - SUSPO</title>
</head>
</html>

<title> PETS - SUSPO</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
   						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>Untitled</title>
</head>
<body>
Content here!
</body>
</html>

Open in new window

0
 
h4hardySr. Software EnginnerCommented:
you have to start the  session always at the top of the php file

<?php
session_start();
include('config.php');
$user_check=$_SESSION['login_user'];

$ses_sql=mysql_query("select username from admin where username='$user_check' ");

$row=mysql_fetch_array($ses_sql);

$login_session=$row['username'];

if(!isset($login_session))
{
header("Location: login.php");
}

?>

Open in new window

0
Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

 
wantabe2Author Commented:
I understand that but I don't think you understand my issue...After I log in, as doej I am viewing the information for doej & the URL is

http://myserver/hr2/$12345supervisor54321$/doej.php

If someone wants to view johnsong information all they have to do is change  http://myserver/hr2/$12345supervisor54321$/doej.php    to   http://myserver/hr2/$12345supervisor54321$/johnsong.php   and it will allow them to see anyones info ...all they have to do is change the URL....Is there any way to stop this from happening?
0
 
wantabe2Author Commented:
Is there anything I can do to the attached code to make the URL display something different? I don't want the doej.php be displayed at the end of the URL...
0
 
wantabe2Author Commented:
This article you wrote helped more than anything. Thanks
0
 
Ray PaseurCommented:
Thanks for the points - I'm glad you found the article helpful.  Best of luck with your project, ~Ray
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.