| Re: check user log and redirect [message #174510 is a reply to message #174504] |
Wed, 15 June 2011 10:33  |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 6/15/2011 1:05 AM, Co wrote:
> On 15 jun, 01:08, Jerry Stuckle<jstuck...@attglobal.net> wrote:
>> On 6/14/2011 3:51 PM, Co wrote:> Hi All,
>>
>>> I know Jerry will have comments again but I will post my question
>>> anyway.
>>> I have this code that checks if the user is logged in and if not it
>>> should direct him to the login page.
>>> However when I am not logged in I can still go to pages which I am not
>>> supposed to go.
>>> I tried to understand what the code is doing but I don't follow.
>>> Can someone have a look at my code and tell me why I can still go to
>>> restricted pages?
>>
>> <About 150 lines of code snipped>
>>
>> First of all, NEVER depend on cookies for anything important, like
>> whether the user is logged in or not. EVERYTHING from the user should
>> be suspect, as it can very easily be faked.
>>
>> As for the rest - cut it down to the minimum needed to show the problem.
>> I'm not going to spend time going through 150+ lines of cryptic code,
>> trying to figure out what you're doing.
>>
>> Looks like (another) script you just copied from the web without
>> understanding what it does.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> That's right. But still it doesn't seem to do what it was written for.
>
> I added some more code to the pages which are restricted:
> //////////////////////////////////////////////// Member log in
> double check ///////////////////////////////////////////////////
> if (!isset($_SESSION['idx'])) {
> $msgToUser = '<br /><br /><font color="#FF0000">Only site members
> can do that</font><p><a href="register.php">Join Here</a></p>';
> include_once 'msgToUser.php';
> exit();
> } else if ($logOptions_id != $_SESSION['id']) {
> $msgToUser = '<br /><br /><font color="#FF0000">Only site members can
> do that</font><p><a href="register.php">Join Here</a></p>';
> include_once 'msgToUser.php';
> exit();
> }
> //////////////////////////////////////////////// End Member log
> in double check
>
>
> Marco
The first thing you need to do is learn to understand what the code you
copied does. PHP isn't HTML - you can't just download scripts and
expect them to just work. There are differences in PHP versions that
mean many older scripts won't run on more current versions of PHP
without modification. Plus there are all kinds of poorly written
scripts out there I wouldn't put on ANY web site. And generally scripts
from different sites do not run well together.
But again, it's impossible to figure out what you're doing here because
you don't have the minimum code needed to find the problem. For
instance, how does $_SESSION['idx'] get set? What's in it? What's the
difference between that and $_SESSION['id']? How does $logOptions_id
get set? What's in $msgToUser (and how was that set)?
You really need learn to understand the code. Of course, the best way
to do that is to write it yourself, although it takes longer. With
practice, you'll end up with much better code.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]