Validating users

**arsenalbates** · 12-28-2010, 02:14 PM

i want to make sure that other users cant access files in directories. to do this im thinking of using some php code to validate if the current user that has logged on has the same name as their directory (named the same as the user name field). i know what i need but i cant code it.

pseudo code

user 1 enters users 2 directory
the default page needs to check if the user is in their right directory.
if the session user name (logon username) is the same as the directory name then allow them to stay
else take them to the correct directory ($filename)

below is what i have created to test and there are some errors as im new to php.

<?php

// Inialize session
session_start();

// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}
$filename = $_SESSION['username'];
if !is_dir($filename) = $filename
echo "ok"
else
echo "not ok"
?>

any help would be appreciated

Many Thanks
Sam

**fastsol1** · 12-28-2010, 02:17 PM

What error are you getting and is it telling you it's "ok" or "not ok"?

**auriaks** · 12-28-2010, 02:37 PM

when it is not OK write:

exit("You are not allowed to see others information<br/><a style='text-decoration: none;' href='javascript:history.go(-1);'>| Back |</a> ");

when it is Ok, do not write anything

**arsenalbates** · 12-28-2010, 03:22 PM

Parse error: syntax error, unexpected '=' in C:\xampp\htdocs\phpmysimplelogin\sam\index.php on line 11

**Schmoopy** · 12-28-2010, 03:37 PM

Error free version of your code:

PHP Code:


<?php

// Inialize session
session_start();

// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
    header('Location: index.php');
}

$filename = $_SESSION['username'];

if(!is_dir($filename)) {
    echo "ok";
}
else {
    echo "not ok";
}
?>

Don't think this does what you want it to though. Let me know if it does, otherwise I can probably post something.

**arsenalbates** · 12-28-2010, 03:55 PM

thanks, this is working for the logged in users own directory although when you access someonelses directory from it still displays ok and it should display not ok.

**fastsol1** · 12-28-2010, 04:14 PM

Are you somehow allowing the user to select the directory? If not you really don't need to verify the directory they are accessing. you can select it for them based on their username and then it will only show the files in their directory by default. I guess we would have to see a working page or full code to understand why you are able to access other users directories.

Also this seems backwards to me -

PHP Code:


if(!is_dir($filename)) {
    echo "ok";
}
else {
    echo "not ok";
}

This seems to me to say that if the directory doesn't exist then you are ok, but I would think it should be the other way. like this by simply removing the ! in the if()

PHP Code:


if(is_dir($filename)) {
    echo "ok";
}
else {
    echo "not ok";
}

**arsenalbates** · 12-28-2010, 04:23 PM

I want to prevent users from typing in another users directory directly into the address bar and gaining access. so if they are in their own directory (folder name matches login name) then they can stay but if they access another directory that dont match their user name then i want it to divert them back to their directory.

atm i havnt got that far as redirecting but im just testing to see if it works by using "ok" and "not ok" .

if when a user goes into another directory other than their own it should be saying not ok at this point but with this code im getting "ok" no matter if the user accesses their own dir or someone else's !

**fastsol1** · 12-28-2010, 04:31 PM

Oh ok, then you need to check if the $filename equals the SESSION username

PHP Code:


if(is_dir($filename) && $filename == SESSSION['username']) {
    echo "ok";
}
else {
    echo "not ok";
}

EDIT
Wait are you trying to limit access to the directory via the URL bar? That should be done through your hosting control panel to not allow direct listing of the directories for people to see. Once you have the host setup right then you will only be able to access the directory through the script, which in turn will work great if you are selecting the directory for them based on their username that is logged in.

**arsenalbates** · 12-28-2010, 04:51 PM

thats exactly what i want although i get

Parse error: syntax error, unexpected '[' in

Thread: Validating users

Thread Tools

Search Thread

Validating users

Bookmarks

Bookmarks

Posting Permissions