Resolved Validating users
arsenalbates
12-28-2010, 02:14 PM
I want to make sure that other users can't access files in directories. To do this I'm thinking of using some PHP code to validate if the current user that has logged on has the same name as their directory (named the same as the user name field). I know what I need but I can't code it.
Pseudo code:
user 1 enters user 2's directory
the default page needs to check if the user is in their right directory.
if the session user name (logon username) is the same as the directory name then allow them to stay
else take them to the correct directory ($filename)
Below is what I have created to test, and there are some errors as I'm new to PHP.
<?php
// Inialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}
$filename = $_SESSION['username'];
if !is_dir($filename) = $filename
echo "ok"
else
echo "not ok"
?>
any help would be appreciated
Many Thanks
Sam
fastsol1
12-28-2010, 02:17 PM
What error are you getting and is it telling you it's "ok" or "not ok"?
auriaks
12-28-2010, 02:37 PM
When it is not OK, write:
exit("You are not allowed to see others information<br/><a style='text-decoration: none;' href='javascript:history.go(-1);'>| Back |</a> ");
When it is OK, do not write anything.
arsenalbates
12-28-2010, 03:22 PM
Parse error: syntax error, unexpected '=' in C:\xampp\htdocs\phpmysimplelogin\sam\index.php on line 11
Schmoopy
12-28-2010, 03:37 PM
Error free version of your code:
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
// Stop here so the rest of the page is not sent along with the redirect
exit;
}
$filename = $_SESSION['username'];
if(!is_dir($filename)) {
echo "ok";
}
else {
echo "not ok";
}
?>
Don't think this does what you want it to though. Let me know if it does, otherwise I can probably post something.
arsenalbates
12-28-2010, 03:55 PM
Thanks, this is working for the logged-in user's own directory, although when you access someone else's directory from it, it still displays ok and it should display not ok.
:)
fastsol1
12-28-2010, 04:14 PM
Are you somehow allowing the user to select the directory? If not, you really don't need to verify the directory they are accessing. You can select it for them based on their username and then it will only show the files in their directory by default. I guess we would have to see a working page or full code to understand why you are able to access other users' directories.
Also this seems backwards to me -
if(!is_dir($filename)) {
echo "ok";
}
else {
echo "not ok";
}
This seems to me to say that if the directory doesn't exist then you are ok, but I would think it should be the other way. Like this, by simply removing the ! in the if()
if(is_dir($filename)) {
echo "ok";
}
else {
echo "not ok";
}
arsenalbates
12-28-2010, 04:23 PM
I want to prevent users from typing another user's directory directly into the address bar and gaining access. So if they are in their own directory (folder name matches login name) then they can stay, but if they access another directory that doesn't match their user name then I want it to divert them back to their directory.
At the moment I haven't got as far as redirecting, but I'm just testing to see if it works by using "ok" and "not ok".
When a user goes into a directory other than their own it should be saying not ok at this point, but with this code I'm getting "ok" no matter if the user accesses their own dir or someone else's!
fastsol1
12-28-2010, 04:31 PM
Oh ok, then you need to check if the $filename equals the SESSION username
if(is_dir($filename) && $filename == SESSSION['username']) {
echo "ok";
}
else {
echo "not ok";
}
EDIT
Wait, are you trying to limit access to the directory via the URL bar? That should be done through your hosting control panel to not allow direct listing of the directories for people to see. Once you have the host set up right then you will only be able to access the directory through the script, which in turn will work great if you are selecting the directory for them based on their username that is logged in.
arsenalbates
12-28-2010, 04:51 PM
That's exactly what I want, although I get
Parse error: syntax error, unexpected '[' in
fastsol1
12-28-2010, 04:59 PM
Yeah, I usually assign variables to everything so I don't have to concatenate. Try this or some variation of, or assign another variable to the username too like $u_name = SESSION['username'], then use $u_name to compare against the $filename in the if()
if(is_dir($filename) && $filename == . SESSSION['username'] . ) {
fastsol1
12-28-2010, 05:23 PM
Honestly I think you are still going about this the wrong way, but without knowing the full purpose and exactly how you are allowing users to get access to the files I can't say for sure. The code I gave you will always work for the logged in user, but from what I know of your purpose it won't stop the issue you are asking about, simply because the $filename will always equal the username because you are setting that in the script.
If you need to limit access to the directory directly then you need to use your hosting panel to disallow that. Basically you would then get a 403 Forbidden error when you tried to go directly to a directory that does not contain an index page.
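An added example, not code from the thread, of the approach fastsol1 describes: the script picks the directory from the logged-in username and only ever serves files from inside it. The `download.php?file=` entry point, the `resolve_user_file` helper, the `USER_ROOT` location outside the web root and the login page sitting next to the script are assumptions.

```php
<?php
// Added example, not code from the thread.
// Assumptions: files live in USER_ROOT/<username>/ outside the web root,
// and the script is called as download.php?file=<name> (both hypothetical).

const USER_ROOT = 'C:/xampp/userfiles';   // hypothetical; not under htdocs

/** Resolve a requested name inside the user's own directory, or null. */
function resolve_user_file(string $root, string $user, string $requested): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $user)) {
        return null;                      // user name must be one safe path segment
    }
    $base = realpath($root . DIRECTORY_SEPARATOR . $user);
    if ($base === false) {
        return null;                      // user has no directory
    }
    // basename() drops any directory part of the requested name.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() resolves links; the result must still sit inside $base.
    if ($path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (!isset($_SESSION['username'])) {
    header('Location: index.php');        // login page, as in the thread
    exit;
}
$file = $_GET['file'] ?? '';              // may be an array if sent as file[]=
$path = is_string($file) ? resolve_user_file(USER_ROOT, $_SESSION['username'], $file) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the directory comes from the session and never from the URL, changing the address bar cannot select another user's files.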
Schmoopy
12-28-2010, 05:24 PM
<?php
if(is_dir($filename) && $filename == $_SESSION['username']) {
echo "ok";
}
else {
echo "not ok";
}
?>
arsenalbates
12-28-2010, 06:03 PM
Thanks for the replies. The website I'm creating is just for testing and learning purposes. It's nothing major. I'm using Apache, so by changing the permissions in Windows to ??? will stop it being accessed by others unless it's requested by the code.
As I say, it's nothing big, I'm just messing around with the code to try and learn PHP and create users and logins.
I will try the code above in a sec and let you know how I get on.
arsenalbates
12-28-2010, 06:23 PM
The code runs but doesn't change to not ok when accessing another user's area.
Schmoopy
12-28-2010, 06:44 PM
It's not working because at the moment, you're assigning $filename to whatever the $_SESSION['username'] value is - so they're always going to be the same.
The $filename should be set by the actual directory, and not the session.
So you need to use:
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
// Stop here so the rest of the page is not sent along with the redirect
exit;
}
// Get the directory we're currently in
$fulldir = dirname(__FILE__);
// Get the deepest directory
$dir = substr(strrchr($fulldir, '\\'), 1);
if(is_dir($dir) && $dir == $_SESSION['username']) {
echo "ok";
}
else {
echo "not ok";
}
?>
Depending on whether you're using Windows or not, you may need to change this line:
$dir = substr(strrchr($fulldir, '\\'), 1);
to
$dir = substr(strrchr($fulldir, '/'), 1);
I'm using WAMP, so paths come out like: C:\wamp\www\DIR\DIR\file.php
arsenalbates
12-28-2010, 07:03 PM
Still no change in the text :confused:
Is there an alternate way altogether to stop the typed-in URL from being shown unless requested by the PHP code?
Or other code I could use?
It seems simple, "if the session name is the same as the dir then do nothing else redirect to the correct dir"
Schmoopy
12-28-2010, 07:10 PM
This code will work, you've just got to figure out where it's going wrong.
Try outputting the $_SESSION['username'] variable and the $dir variable on screen.
See what it outputs and post it on here.
fastsol1
12-28-2010, 07:10 PM
if(is_dir($filename) && $filename == $_SESSION['username']) {
echo "ok";
}
else {
echo "not ok";
}
Oh duh, my bad
arsenalbates
12-28-2010, 07:27 PM
Right,
$_SESSION['username']) comes out as the username :)
$dir displays nothing :confused:
Schmoopy
12-28-2010, 08:37 PM
Ok, the next test to do then is to echo $fulldir. Then we can see what the path looks like:
<?php
$fulldir = dirname(__FILE__);
echo $fulldir;
?>
arsenalbates
12-28-2010, 08:52 PM
C:\xampp\htdocs\phpmysimplelogin\sam
Schmoopy
12-28-2010, 09:01 PM
<?php
$fulldir = 'C:\xampp\htdocs\phpmysimplelogin\sam';
// Get the deepest directory
$dir = substr(strrchr($fulldir, '\\'), 1);
echo $dir;
?>
That should output 'sam', are you sure it's not working?
arsenalbates
12-28-2010, 09:07 PM
Yes, that works now, although when I put the two together it seems to now work and only displays one "sam"
arsenalbates
12-28-2010, 09:11 PM
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}
// Get the directory we're currently in
$fulldir = dirname(__FILE__);
// Get the deepest directory
$dir = substr(strrchr($fulldir, '\\'), 1);
echo $_SESSION['username'];
echo $dir;
?>
This works! It shows sam sam. But when I put this code into it
if(is_dir($dir) && $dir == $_SESSION['username']) {
echo "ok";
}
else {
echo "not ok";
}
it only displays not ok, whether looking at the same dir or not?
Schmoopy
12-28-2010, 09:19 PM
Ok, looks like there may be a space in one of the variables, try trimming the variables:
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
// Stop here so the rest of the page is not sent along with the redirect
exit;
}
// Get the directory we're currently in
$fulldir = dirname(__FILE__);
// Get the deepest directory
$dir = substr(strrchr($fulldir, '\\'), 1);
// Trim off any excess whitespace
$username = trim($_SESSION['username']);
$dir = trim($dir);
if(is_dir($dir) && $dir == $username) {
echo "ok";
}
else {
echo "not ok";
}
?>
That should work. Let me know how it goes.
arsenalbates
12-28-2010, 09:28 PM
Nope, I'm still getting "not ok".
This is what I'm doing:
updating code
saving it and copying it to the two different directories
logging on using one username and being diverted to the first index.php file in their own directory
then I'm going to the address bar and changing the name of the current dir to another user's, in my case tom
http://localhost:8000/phpmysimplelogin/sam/ the sam changes to tom
The pages load but both still have "not ok" displayed?
Schmoopy
12-28-2010, 09:31 PM
Ahh just realised the mistake, it's looking at the wrong thing, try:
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
// Stop here so the rest of the page is not sent along with the redirect
exit;
}
// Get the directory we're currently in
$fulldir = dirname(__FILE__);
// Get the deepest directory
$dir = substr(strrchr($fulldir, '\\'), 1);
// Trim off any excess whitespace
$username = trim($_SESSION['username']);
$dir = trim($dir);
// Strict comparison, so numeric-looking names are compared as text
if(is_dir($fulldir) && $dir === $username) {
echo "ok";
}
else {
echo "not ok";
}
?>
It's checking for "sam" relative to the current directory, instead of the full directory. Try the above and see what happens.
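An added example (not code from the thread) of the guard worked out above, written so it does not depend on the path separator: `basename(__DIR__)` replaces the `strrchr()` call, the comparison is strict, and the script exits after redirecting. The `redirect_target_for` helper and the `../index.php` login location are assumptions.

```php
<?php
// Added example, not code from the thread.
// Assumption: each user directory sits directly under the application root
// and is named exactly like the login name stored in $_SESSION['username'].

/**
 * Decide where the request must go.
 * Returns null when the user may stay, otherwise a relative redirect target.
 */
function redirect_target_for(?string $sessionUser, string $scriptDir): ?string
{
    if ($sessionUser === null || $sessionUser === '') {
        return '../index.php';            // not logged in: login page (assumed location)
    }
    // Only accept names that are safe as a single path segment.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $sessionUser)) {
        return '../index.php';
    }
    // Last path segment of the directory this script lives in.
    // On Windows basename() accepts both "\" and "/" as separators.
    $dir = basename($scriptDir);
    // === compares as text; with == PHP treats "0123" and "123" as equal.
    if ($dir === $sessionUser) {
        return null;                      // own directory: stay
    }
    return '../' . rawurlencode($sessionUser) . '/';
}

session_start();
$target = redirect_target_for($_SESSION['username'] ?? null, __DIR__);
if ($target !== null) {
    header('Location: ' . $target);
    exit;   // nothing below the guard is sent to a user in the wrong directory
}
echo "ok";
```

The guard only covers PHP pages that start with it; other files in the directory are still served directly by the web server unless direct access is blocked there.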
arsenalbates
12-28-2010, 09:37 PM
WOOOOO, finally lol.
That seems to have done the trick, although it's saying that it's ok to be in the wrong directory and not ok to be in the right one.
Thanks for your time and effort
:):):)
Schmoopy
12-28-2010, 09:40 PM
Hmm, strange, that should do the trick, double check the variables / path is all I can suggest.
arsenalbates
12-28-2010, 09:46 PM
Yes it has. It's working fine now. Thanks for your help
Schmoopy
12-28-2010, 10:52 PM
Glad it's working for you. Good luck with your project!