Hello,
I realise you can retrieve data from the $_GET function, so that user A can view user B's personalised page by going on page.php?a=userb and all of user B's stored data can be retrieved. But is there an alternative method to this, so that user A has to click on a link for user B's page and not just through URL, as this page may or may not be restricted to him? Can you set a link to send something across, such as a username or a MySQL query? Would $_POST work for this situation?
Sending user data across links
#2
Re: Sending user data across links
Posted 14 May 2011 - 04:46 PM
Well, if you were wanting to protect it to certain users, it might be better to check session variables to get the page viewer's username. Afterwards, redirect them if they aren't an allowed user?
#3
Re: Sending user data across links
Posted 14 May 2011 - 06:53 PM
While Session variables are good for storing user-specific data that shouldn't be public, you can use the urlencode function to pass parameters to the URL that you can view with the $_GET variable. This will allow you to use single PHP pages to parse the variables. For example, you can have a profiles.php page parse the URL with the $_GET superglobal to display the specified profile in the URL. Of course, always sanitize and validate the values in the URL, as the user has access to them.
#4
Re: Sending user data across links
Posted 15 May 2011 - 04:44 AM
maniacalsounds, on 15 May 2011 - 12:46 AM, said:
Well, if you were wanting to protect it to certain users, it might be better to check session variables to get the page viewer's username. Afterwards, redirect them if they aren't an allowed user?
I've already set that to my restricted to pages. If a user is not logged in, they get redirected away. With the problem I'm referring to, if a link to user B's page is available to user A, then they can visit that page, otherwise they're not allowed to visit. This way, user A has to open up a list/table of users, and find user B's page through there (why I need this is too long to explain). User A might cheat and simply type in his browser URL with userpage.php?a=userb to jump straight there without bringing up the list of users I've provided.
macosxnerd101, on 15 May 2011 - 02:53 AM, said:
For example, you can have a profiles.php page parse the URL with the $_GET superglobal to display the specified profile in the URL. Of course, always sanitize and validate the values in the URL, as the user has access to them.
The user will still be able to see the URL and then use it again, wouldn't they?
#5
Re: Sending user data across links
Posted 15 May 2011 - 10:47 AM
A dirty solution is you set a SESSION and cookie variable on one page like a random key or something which is needed on the 2nd page. That way you'll need the credentials from one page to visit the other.
Example
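<?php
// page1
session_start();

// Generates an unpredictable key (random_bytes needs PHP 7+)
function createRandomKey() {
    return bin2hex(random_bytes(16));
}

$key = createRandomKey();
setcookie('pagecred', $key);
$_SESSION['key'] = $key;
?>
<?php
// page2
session_start();
// Redirect unless both values are present and identical
if (!isset($_SESSION['key'], $_COOKIE['pagecred']) || $_SESSION['key'] !== $_COOKIE['pagecred']) {
    header("Location: otherpage.php");
    exit; // stop here, otherwise the rest of the page is still sent
}
// rest of page
?>
<?php
// all other pages should have this
session_start();
// if the user goes to any other page then they can't access page2 without going back to page1
if (isset($_SESSION['key'])) {
    unset($_SESSION['key']);
}
?>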
It's a small solution I just thought up which will need some tuning up but it's something to build on.
#6
Re: Sending user data across links
Posted 15 May 2011 - 11:29 AM
Quote
I've already set that to my restricted to pages. If a user is not logged in, they get redirected away. With the problem I'm referring to, if a link to user B's page is available to user A, then they can visit that page, otherwise they're not allowed to visit. This way, user A has to open up a list/table of users, and find user B's page through there (why I need this is too long to explain). User A might cheat and simply type in his browser URL with userpage.php?a=userb to jump straight there without bringing up the list of users I've provided.
Clicking a link vs. typing the data into the URL doesn't really make a difference if you validate that the user has permission. So the PHP page should do validation first. If the user has permission, display the page. Otherwise, don't.
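Added example, not part of any post in this thread: one way to do the permission check described above, so that the rule that decides which links user A sees is the same rule userpage.php enforces when ?a=userb is typed directly. The page_access table, its columns, the function names and the sample rows are assumptions made for illustration; it runs from the PHP CLI against an in-memory SQLite database.

```php
<?php
// Added example. Table page_access(viewer, owner) is hypothetical: one row per
// "viewer may open owner's page". Sample rows below are constructed.

// Owners whose pages $viewer may open; use this to build the list of links.
function visibleProfiles(PDO $db, string $viewer): array {
    $st = $db->prepare('SELECT owner FROM page_access WHERE viewer = ? ORDER BY owner');
    $st->execute([$viewer]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// The same rule, asked about one page; userpage.php calls this on every request.
function canView(PDO $db, string $viewer, string $owner): bool {
    $st = $db->prepare('SELECT 1 FROM page_access WHERE viewer = ? AND owner = ?');
    $st->execute([$viewer, $owner]);
    return $st->fetchColumn() !== false;
}

// userpage.php logic. In the real page: $viewer = $_SESSION['username'] ?? null
// and $requested = $_GET['a'] ?? null. Returns [HTTP status, body or header].
function renderUserPage(PDO $db, ?string $viewer, $requested): array {
    if ($viewer === null) {
        return [302, 'Location: login.php'];           // not logged in
    }
    if (!is_string($requested) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $requested)) {
        return [400, 'Bad request'];                   // malformed ?a= value
    }
    if (!canView($db, $viewer, $requested)) {
        return [403, 'Forbidden'];                     // typed URL, no permission
    }
    return [200, 'Profile of ' . htmlspecialchars($requested, ENT_QUOTES, 'UTF-8')];
}

// Constructed demo data: usera may open userc's page, but not userb's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_access (viewer TEXT, owner TEXT, PRIMARY KEY (viewer, owner))');
$db->exec("INSERT INTO page_access VALUES ('usera', 'userc'), ('userc', 'userb')");

echo "Links shown to usera:\n";
foreach (visibleProfiles($db, 'usera') as $owner) {
    echo '  userpage.php?a=' . urlencode($owner) . "\n";
}
foreach (['userc', 'userb', "x' OR '1'='1"] as $a) {
    [$status, $body] = renderUserPage($db, 'usera', $a);
    echo "usera requests ?a=$a -> $status $body\n";
}
```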
#7
Re: Sending user data across links
Posted 15 May 2011 - 03:02 PM