From what I see on the surface, I should be able to go into Ralph’s profile and post those wild “party pictures” I took of him when he was drunk last weekend…
Why do all of these people have the smae URL structure, but only “I” can edit my profile and others cannot?
When you log into sitepoint you’ll set a cookie, or a session variable in PHP, that identifies you to the system, most probably with your unique userID in the database (along with other info that may be required).
When you visit your profile the value of the userID your logged in as will be checked to the userid of the profile your viewing, if they match then the script will enable the editing functions for that page and you can change your profile, if they dont match then you can only view the profile.
The URL stays the same regardless, is just a means of viewing a page after all, its the php behind the page that decides if have editing rights or not for that page.
So, just to clarify, everyone gets to Member Profiles the same way, right?
And whether I am viewing my own Profile (i.e. DoubleDee) or someone else’s, doesn’t matter as far as the URL is concerned, right?
But in order to do things to a Profile, I need to be authenticated, and that is done server-side using PHP and making sure that I am “logged in”, right?
Currently, I have just been using something like this to see if someone is logged in…
// **********************
// Check if Logged In. *
// **********************
// User must be logged-in to change email.
if (empty($_SESSION['loggedIn']) || $_SESSION['loggedIn']===FALSE){
// Not Logged In.
$_SESSION['resultsCode'] = 'EMAIL_USER_NOT_LOGGED_IN_2127';
// Set Error Source.
$_SESSION['errorPage'] = $_SERVER['SCRIPT_NAME'];
// Redirect to Outcome Page.
header("Location: " . BASE_URL . "/account/results.php");
// End script.
exit();
}
Is that sufficiently secure for things like we are talking about?
Debbie
P.S. Why does SitePoint use prepend a # in front of my Username in the URL…
As Rudy said, its your membership no, what i refered to in my reply as your UserID.
Your script seems ok on the surface, not sure why you’d want to log details of everyone that wasnt logged in… depends what youre doing with it in results.php . Youre better off just shoving people back to a login page if they aint got the credentials, unless youve a good reason not to, ie like they shouldnt have found this script in the first place and your trying to find and plug a hole in your code.
On my website, “Username” must be unique - even though its not the PK. (I just assumed SitePoint would follow the same logic and thus not need to prepend a number.)
Your script seems ok on the surface, not sure why you’d want to log details of everyone that wasnt logged in… depends what youre doing with it in results.php . Youre better off just shoving people back to a login page if they aint got the credentials, unless youve a good reason not to, ie like they shouldnt have found this script in the first place and your trying to find and plug a hole in your code.
Well, two things…
1.) That is my standard code to handle Errors. I figured logging everything that happens is a good way for me to know where problems are occurring. (I still need to learn how to do this for Fatal Errors, but for Logical Errors I think this will be helpful.)
2.) On most Errors, I route people to “results.php” and have code like this…
// Not Logged In.
case 'EMAIL_USER_NOT_LOGGED_IN_2127':
// Set Redirect Path.
$_SESSION['returnToPage'] = '/account/change_email.php';
echo '<h1>Not Logged In</h1>';
echo '<p>You must be logged in to change your e-mail. (2127)</p>';
echo '<a class="button" href="' . BASE_URL . '/account/log_in.php">Log In</a>';
break;
So I believe that addresses your suggestions above, right?
Wasnt saying that theres anything wrong with that, if thats your normal routine more power to you.
As for unique names instead of numbers … again personal preference, most sites will check if a username is already in use anyway, but still use a userID for the code to identify someone, I guess its just easier to give someone a number.
I tend to keep my userIDs hidden on my site, as you say Sitepoint decided to show theirs not sure what the benefit on that would be.
As for unique names instead of numbers … again personal preference, most sites will check if a username is already in use anyway, but still use a userID for the code to identify someone, I guess its just easier to give someone a number.
