I've got a user login system where the user page has its own id in the URL, e.g. xxx/profile.php?id=1. My question is: how do I prevent a logged-in user from putting another user's id in the URL and entering his page?

Here is the code of profile.php:

    <?php
    session_start();
    require 'config2.php';
    require_once 'user.class.php';

    if (!user::isLogged()) {
        echo '<p class="error">Przykro nam, ale ta strona jest dostepna tylko dla zalogowanych użytkowników.</p>';
    } else {
        $id = $_GET['id'];

        $userExist = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM users WHERE id = '$id'"));

        if ($userExist[0] == 0) {
            die('<p>Przykro nam, ale użytkownik o podanym identyfikatorze nie istnieje.</p>');
        }

        $profile = user::getDataById($id);

        echo '<h1>Profil użytkownika '.$profile['login'].'</h1>';
        echo '<b>ID:</b> '.$profile['id'].'<br />';
        echo '<b>Nick:</b> '.$profile['login'].'<br />';
        echo '<b>Email:</b> '.$profile['email'].'<br />';
        echo '<b>Obiekt:</b> '.$profile['obiekt'].'<br />';
        echo '<b>Typ obiektu:</b> '.$profile['typ'].'<br />';
        echo '<b>Kod pocztowy:</b> '.$profile['kod'].'<br />';
        echo '<b>Adres:</b> '.$profile['adres'].'<br />';
        echo '<b>Poczta:</b> '.$profile['poczta'].'<br />';
        echo '<b>Tel. stacjonarny:</b> '.$profile['tels'].'<br />';
        echo '<b>Tel. komórkowy:</b> '.$profile['telk'].'<br />';
        echo '<b>Adres strony internetowej:</b> '.$profile['www'].'<br />';

        // the original tag was never closed
        echo "<img src='wyslane/$profile[photo]' />";
    }

And here's user_class.php:

    <?php

    class user {

        public static $user = array();

        // all methods are called statically (user::...), so they are declared static
        public static function getData($login, $pass) {
            if ($login == '') $login = $_SESSION['login'];
            if ($pass == '') $pass = $_SESSION['pass'];

            self::$user = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE login='$login' AND pass='$pass' LIMIT 1;"));
            return self::$user;
        }

        public static function getDataById($id) {
            $user = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE id='$id' LIMIT 1;"));
            return $user;
        }

        public static function isLogged() {
            if (empty($_SESSION['login']) || empty($_SESSION['pass'])) {
                return false;
            } else {
                return true;
            }
        }

        public static function passSalter($pass) {
            $pass = '$@@#$#@$'.$pass.'q2#$3$%##@';
            return md5($pass);
        }

    }
    ?>

I've also got my main page code here:

    if (user::isLogged() == $_GET['id']) {
        $user = user::getData('', '');

        echo '<p>You are logged '.$user['login'].'!</p>';
        echo '<p>You may see your <a href="profile.php?id='.$user['id'].'">profil</a> or <a href="logout.php">wylogować</a></p>';
    } else {
        echo '<p>You are not logged.<br /><a href="login.php">Zaloguj</a> się lub <a href="register.php">zarejestruj</a> jeśli jeszcze nie masz konta.</p>';
    }

I tried what Ryan advised, but it (the page) worked only when I double-clicked the profile link; otherwise the link sent me back to the login page.

mac

  • Your code is vulnerable to SQL injection; check this: http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189 – NullPoiиteя Jan 30 '14 at 09:50

3 Answers

2

Instead of passing the ID of the user through the URL ($_GET) try and set a $_SESSION variable with the ID of the user when he logs in.

Then you can just go to xxx/profile.php and read the $_SESSION var to find out the id of the user whose profile you want to display.

Ruben Serrate
0

Now I don't know how you retrieve the current logged-in user's id, but say for example you can get it from user::loggedInID() - you would just match this against the id of the profile being accessed.

For example:

    if (user::loggedInID() == $_GET['id']) {
        /* Allow profile to be edited */
    } else {
        /* Unable to edit profile */
    }

As a side note, your database is extremely vulnerable with queries like so:

    mysql_query("SELECT COUNT(*) FROM users WHERE id = '$id'")

Seeing as $id is retrieved from the query string, without being sanitized, the query is open to injection.

I advise not only sanitizing your query input to begin with, but also using mysqli_* functions instead of mysql_* functions (due to deprecation). Even better, use prepared statements.

Ryan
0

While logging in, just store the logged-in user ID in a session variable like $_SESSION['Loggedusr'], and at the start of each page check this:

    session_start();
    if ($_SESSION['Loggedusr'] != $_GET['id']) {
        header("Location: loginpage.php");
        exit; // header() does not stop the script; without exit the rest of the page still runs
    }

krishna
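The three answers above describe one design: keep the logged-in user's id in the session (Ruben, krishna), only honour an id in the URL when it equals the session id (Ryan), and replace the interpolated mysql_* queries with prepared statements (Ryan, NullPoiиteя's comment). The following is an added example putting those pieces together in one profile.php; it is not code from the question or from any of the answers. It assumes a `users` table with the columns used in the question, a PDO connection (the DSN and credentials are placeholders), and a login.php that calls the hypothetical onLoginSuccess() once the password has been verified.

```php
<?php
// Added example, not code from the question or any of the answers. It combines
// the advice above: the logged-in user's id lives in the session (Ruben, krishna),
// a ?id= in the URL is only honoured when it equals the session id (Ryan), and
// every query uses a PDO prepared statement instead of mysql_*.
// Assumed: a `users` table with the columns used in the question, a PDO
// connection $pdo (DSN and credentials below are placeholders), and a login.php
// that calls onLoginSuccess() after it has verified the password.
session_start();

// login.php calls this once, after the credentials have checked out.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);          // fresh session id, so a pre-login id is not kept
    $_SESSION['user_id'] = $userId;
}

// Id of the logged-in user, or null when nobody is logged in.
function loggedInId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Decides which profile may be shown. Without ?id= the session decides; with ?id=
// the value must be a valid integer equal to the session id. Anything else is refused,
// so rewriting the URL cannot open another user's page.
function resolveProfileId(?int $sessionId, array $query): ?int
{
    if ($sessionId === null) {
        return null;
    }
    if (!array_key_exists('id', $query)) {
        return $sessionId;
    }
    $requested = filter_var($query['id'], FILTER_VALIDATE_INT);
    return $requested === $sessionId ? $sessionId : null;
}

// One user row, fetched with a bound parameter; $id is never spliced into the SQL text.
function getUserById(PDO $pdo, int $id): ?array
{
    $sql = 'SELECT id, login, email, obiekt, typ, kod, adres, poczta, tels, telk, www, photo
              FROM users WHERE id = :id LIMIT 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape before placing database values into HTML.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Placeholder connection details; replace with the application's own.
$pdo = new PDO('mysql:host=localhost;dbname=APP_DB;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$profileId = resolveProfileId(loggedInId(), $_GET);
if ($profileId === null) {
    header('Location: login.php');
    exit;                                  // header() alone does not stop the script
}

$profile = getUserById($pdo, $profileId);
if ($profile === null) {
    http_response_code(404);
    exit('<p>Przykro nam, ale użytkownik o podanym identyfikatorze nie istnieje.</p>');
}

$labels = [
    'id' => 'ID', 'login' => 'Nick', 'email' => 'Email', 'obiekt' => 'Obiekt',
    'typ' => 'Typ obiektu', 'kod' => 'Kod pocztowy', 'adres' => 'Adres',
    'poczta' => 'Poczta', 'tels' => 'Tel. stacjonarny', 'telk' => 'Tel. komórkowy',
    'www' => 'Adres strony internetowej',
];
echo '<h1>Profil użytkownika ' . h($profile['login']) . '</h1>';
foreach ($labels as $column => $label) {
    echo '<b>' . $label . ':</b> ' . h($profile[$column]) . '<br />';
}
// basename() keeps the image path inside wyslane/ even if the stored name contains slashes.
echo '<img src="wyslane/' . h(rawurlencode(basename((string) $profile['photo']))) . '" alt="" />';
```

With this layout the profile link on the main page can simply point at profile.php; if it keeps the ?id= parameter, resolveProfileId() refuses any value other than the session's own id, which is the check Ryan's answer describes. The strict `===` after FILTER_VALIDATE_INT avoids the loose-comparison surprises that a bare `==` against `$_GET['id']` would allow.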