PHP Login Security


php=freedom
10-26-2005, 03:07 PM
Hi all, I have an SQL database that I use for posting reviews. It has a number of prefixed tables, one per user: user1_reviews, user2_reviews, user3_reviews ....

Each user has their own directory with a login page to ok or delete reviews.

http://www.myweb.com/user1/login.php
http://www.myweb.com/user2/login.php
http://www.myweb.com/user3/login.php

This is where I encounter my problem. When either user logs in they can easily have access to the other user's info simply by changing the directory name in the URL to the other user's directory name. :confused:

Example:
User1 logs in successfully at: http://www.myweb.com/user1/login.php and is
forwarded to: http://www.myweb.com/user1/index.php

If user1 decides to change this in the URL
http://www.myweb.com/user1/index.php
to this
http://www.myweb.com/user2/index.php
and presses enter, he or she has access to user2's info.

What can I do to stop this? :confused:

insane
10-26-2005, 03:14 PM
try encrypting something (names or so) with $name = md5(trim($name));
or a bit more lamely, have the index of everything be a frame so it doesn't show the url.

or use both. encrypt and frames.

-Insane

php=freedom
10-26-2005, 03:26 PM
Ok how would I do this to the directory?

bokeh
10-26-2005, 03:36 PM
try encrypting something (names or so) with $name = md5(trim($name));
or a bit more lamely, have the index of everything be a frame so it doesn't show the url.

or use both. encrypt and frames.

-Insane

I disagree! Security by obscurity is no security at all.

All you need to do is start a session on login. Keep the username in the session. At the top of each page have the username of the allowed person and check against the session. If it is not the right person send a 404.

<?php
session_start();

// Not logged in: redirect and stop. Without exit the rest of the page
// would still be generated after the Location header is sent.
if (!isset($_SESSION['logged_in'])) {
    header('Location: login_page.php');
    exit;
}

// Logged in, but not as the owner of this directory: send a 404.
if ($_SESSION['username'] != 'user1') send_404();

function send_404()
{
    header('HTTP/1.1 404 Not Found');
    // Drop the query string, then escape: REQUEST_URI is user-supplied and
    // must not be echoed into the HTML unescaped.
    $uri = str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']);
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
    '<html><head>'."\n".
    '<title>404 Not Found</title>'."\n".
    '</head><body>'."\n".
    '<h1>Not Found</h1>'."\n".
    '<p>The requested URL '.
    htmlspecialchars($uri).
    ' was not found on this server.</p>'."\n".
    '</body></html>'."\n";
    exit;
}

// continue with your script here
//....................................
?>
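
A fuller version of bokeh's session check, written here as an added example rather than code from the thread: the directory owner is taken from the script's own path instead of being typed into every page, the 404 escapes the reflected URL, and record_login() is the login step that has to put logged_in and username into the session before the guard can ever pass. The file name auth_guard.php and all function names are assumptions.

```php
<?php
// auth_guard.php (added example, not bokeh's code): included as the first
// statement of every page inside a user's directory. Protected pages call
// require_directory_owner(); login.php calls record_login() once the
// password check has succeeded.
session_start();   // must run before any output, or the session cookie is never sent

// The directory a script lives in (user1, user2, ...) names the only user
// allowed to see it, so nothing has to be hard-coded per page.
function directory_owner(): string
{
    return basename(dirname($_SERVER['SCRIPT_FILENAME']));
}

function send_404(): void
{
    header('HTTP/1.1 404 Not Found');
    // REQUEST_URI is attacker-controlled: drop the query string and escape it
    // before echoing, otherwise the 404 page reflects arbitrary HTML.
    $path = (string) strtok($_SERVER['REQUEST_URI'], '?');
    echo '<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>',
         '<h1>Not Found</h1><p>The requested URL ',
         htmlspecialchars($path, ENT_QUOTES, 'UTF-8'),
         ' was not found on this server.</p></body></html>';
    exit;
}

function require_directory_owner(): void
{
    if (empty($_SESSION['logged_in'])) {   // not logged in at all
        header('Location: login.php');
        exit;
    }
    // user1 editing /user1/ into /user2/ in the URL lands here: the session
    // username is compared strictly with the directory owner, and the 404
    // does not reveal whether user2's directory even exists.
    if (!isset($_SESSION['username']) || $_SESSION['username'] !== directory_owner()) {
        send_404();
    }
}

function record_login(string $username): void
{
    session_regenerate_id(true);          // fresh id so a pre-login id cannot be reused
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;   // the value require_directory_owner() checks
}
```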

insane
10-26-2005, 03:38 PM
when creating a new directory, give it the user's name (encrypted)
for instance a user called php=freedom would have a folder called 4d836dc0b2f94ce58db5ce559f66135f and so on. get it?

-Insane

php=freedom
10-26-2005, 03:38 PM
Can the encryption to the url take place after the user clicks submit?

If so, can you help me with the code?

I agree with bokeh.
I'm going to try your code.

bokeh
10-26-2005, 03:42 PM
when creating a new directory, give it the user's name (encrypted)
for instance a user called php=freedom would have a folder called 4d836dc0b2f94ce58db5ce559f66135f and so on. get it?

And then later on, when you realise your URLs look a terrible mess, you can use mod_rewrite to make them look normal again. Joking aside Insane, I think your suggestion is... well... just insane.

php=freedom
10-26-2005, 04:05 PM
Ok, now the page will not load. I'm sure it is something I am doing wrong; please take a look at my code.


<?php
session_start();

// Not logged in: redirect to the login page and stop.
if (!isset($_SESSION['logged_in'])) {
    header('Location: login.php');
    exit;
}

// The owner of this directory, as a literal (bokeh's 'user1'): inside single
// quotes '$username' is just the text $username and never matches anybody.
$allowed_user = 'user1';
if ($_SESSION['username'] != $allowed_user) send_404();

function send_404()
{
    header('HTTP/1.1 404 Not Found');
    // Drop the query string, then escape the user-supplied URI before echoing it.
    $uri = str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']);
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
    '<html><head>'."\n".
    '<title>404 Not Found</title>'."\n".
    '</head><body>'."\n".
    '<h1>Not Found</h1>'."\n".
    '<p>The requested URL '.
    htmlspecialchars($uri).
    ' was not found on this server.</p>'."\n".
    '</body></html>'."\n";
    exit;
}

/////////////////////////////
define('root_path', '../');
include ("../inc/global.php");

///////////////////////////////
if (isset($_POST['submitlogin']))
{
    // Read the form fields explicitly instead of relying on register_globals.
    $username = $_POST['username'];
    $password = $_POST['password'];

    $connection = mysql_connect ($dbhost,$dbuser,$dbpass) or die ("Unable to connect to database");
    mysql_select_db ($dbname) or die ("Unable to select database");
    // Escape the username: unescaped it could change the query (SQL injection).
    $safe_username = mysql_real_escape_string($username, $connection);
    $result = mysql_query ("SELECT * FROM ".$tableprefix."_users WHERE username = '$safe_username'");
    $row = mysql_fetch_array($result);
    $numrows = mysql_num_rows($result);
    mysql_close($connection);
    if ($numrows == 1 && encrypt($password) == $row['password'])
    {
        $valid_user = 1;
        // Record the login in the session: these are the values the checks at
        // the top of each page read. The cookie alone never sets them.
        $_SESSION['logged_in'] = true;
        $_SESSION['username']  = $username;
        setcookie("zztop", "$username", time()+10800, "/");
        header ("Location: index.php");
        exit;
    }
    else
    {
        $valid_user = 0;
        $bad_login = 1;
    }
}
?>

bokeh
10-26-2005, 04:20 PM
I am assuming the user is already logged in. If they are not they should be redirected to the login page so they can log in. If they are the wrong user they will get a 404.

php=freedom
10-26-2005, 04:37 PM
Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp) in /home/myweb/public_html/theuser/login.php on line 2

1 session_start();
2 if(!isset($_SESSION['logged_in'])) header('Location: login.php');
3 if(isset($_SESSION['logged_in']) and $_SESSION['username'] != '$username') send_404();



Any suggestions? What am I missing?

Sheldon
10-26-2005, 07:57 PM
session_start() must be at the top of every page; it must be the first thing, with no spaces before the <?php session_start();