ID in URL

Thread began 5/18/2010 10:29 am by mr hankey | Last modified 7/20/2010 8:41 am by Jason Byrnes | 4035 views | 24 replies |

mr hankey

ID in URL

Hi,

I have nearly finished off an application that I have been working on for a client.

The issue I have while I am testing is that the clients_Details page is secure for logged-in users.

However, each UserID has their own set of clients.

If I am logged in as UserID 1 and ClientID 1 is assigned to UserID 2, all I need to do is type clients_Detail.php?ClientID=1 in the URL and I can see this client's details.

Is there a way I can get around this so that only the users are able to see their own clients' details?

Many thanks


Jason Byrnes (WebAssist)

Store the client ID in a session variable and filter the recordset on the session instead of the URL variable.


mr hankey

Thanks Jason, how do I store the client ID in a session variable?

I tried doing this but it was no use. Can you help?


// ClientID from the query string (Data Assist generated parameter).
$ParamClientID_WADAclients = "-1";
if (isset($_GET['ClientID'])) {
  $ParamClientID_WADAclients = (get_magic_quotes_gpc()) ? $_GET['ClientID'] : addslashes($_GET['ClientID']);
}
// ClientID of the record just inserted, kept in the session by the Data Assist insert page.
$ParamSessionClientID_WADAclients = "-1";
if (isset($_SESSION['WADA_Insert_clients'])) {
  $ParamSessionClientID_WADAclients = (get_magic_quotes_gpc()) ? $_SESSION['WADA_Insert_clients'] : addslashes($_SESSION['WADA_Insert_clients']);
}
$ParamClientID2_WADAclients = "-1";
if (isset($_GET['ClientID'])) {
  $ParamClientID2_WADAclients = (get_magic_quotes_gpc()) ? $_GET['ClientID'] : addslashes($_GET['ClientID']);
}
// UserID of the logged-in user, taken from the session; this is the value the recordset is restricted to.
$colname_rsClientsUser = "-1";
if (isset($_SESSION['UserID'])) {
  $colname_rsClientsUser = (get_magic_quotes_gpc()) ? $_SESSION['UserID'] : addslashes($_SESSION['UserID']);
}
mysql_select_db($database_cbank, $cbank);
// The added "AND ClientUserID = %s" has to be inside the format string, and its argument inside the
// sprintf() argument list; as first posted it sat after the closing quote, which is a PHP parse error.
// The original WHERE clause is also wrapped in parentheses so the owner check applies to both sides of
// the OR, otherwise "ClientID = %s" alone would still match another user's client.
// GetSQLValueString() is the helper from the Dreamweaver-generated connection code.
$query_WADAclients = sprintf("SELECT clients.ClientID, clients.ClientUserID, clients.App1Title, clients.App1FirstName, clients.App1LastName, clients.App1DOB, clients.App1House, clients.App1Street, clients.App1City, clients.App1County, clients.App1Zip, clients.App1Country, clients.App1Email, clients.App1Phone, clients.App1Mob, clients.ReferredBy, clients.InitialEnquiry, clients.Status, clients.App2Title, clients.App2FirstName, clients.App2LastName, clients.App2DOB, clients.App2House, clients.App2Street, clients.App2City, clients.App2County, clients.App2Zip, clients.App2Country, clients.App2Email, clients.App2Phone, clients.App2Mob, DATE_FORMAT(NOW(), '%%Y') - DATE_FORMAT(App1DOB, '%%Y') - (DATE_FORMAT(NOW(), '00-%%m-%%d') < DATE_FORMAT(App1DOB, '00-%%m-%%d')) AS App1Age, DATE_FORMAT(NOW(), '%%Y') - DATE_FORMAT(App2DOB, '%%Y') - (DATE_FORMAT(NOW(), '00-%%m-%%d') < DATE_FORMAT(App2DOB, '00-%%m-%%d')) AS App2Age FROM clients WHERE (ClientID = %s OR ( -1= %s AND ClientID= %s)) AND ClientUserID = %s",
  GetSQLValueString($ParamClientID_WADAclients, "int"),
  GetSQLValueString($ParamClientID2_WADAclients, "int"),
  GetSQLValueString($ParamSessionClientID_WADAclients, "int"),
  GetSQLValueString($colname_rsClientsUser, "int"));
$WADAclients = mysql_query($query_WADAclients, $cbank) or die(mysql_error());
$row_WADAclients = mysql_fetch_assoc($WADAclients);
$totalRows_WADAclients = mysql_num_rows($WADAclients);


Jason Byrnes (WebAssist)

I don't know enough about the flow of your application to be able to tell you _how_ to do this. There are a gazillion ways it _can_ be done.


I would suspect that your user logs in, and they see a listing of clients that they can update.

I'm going to assume that this client listing page is named "clients_Results.php"

That listing of clients has links that go to the detail page:
<a href="clients_Detail.php?ClientID=<Id from recordset>"><Client name from recordset></a>

If I am wrong on any point the advice I give will be wrong, but here is one way to do it.

Change the links to point to the client results page instead of the detail page:
<a href="clients_Results.php?ClientID=<Id from recordset>"><Client name from recordset></a>


Create a recordset that is filtered on the UserID session variable and the ClientID querystring variable.

This is a lookup recordset that will be used to ensure that the ClientID querystring variable is a client ID that belongs to the logged-in user and does not belong to another user.

Add a Set Session Value server behavior. On the Server Behaviors panel, click the plus button and select eCart -> General -> Set Session Value

Set the name to ClientID

Set the trigger to Recordset <Recordset we just created name> Not Empty

For the value, click the lightning bolt and select the Client ID from the recordset we just created.


Next add a server redirect to the client details page. On the Server Behaviors panel, click the plus button and select WA Utilities -> Server Redirect or WebAssist -> Utilities -> Server Redirect

Set the trigger to Recordset <Recordset we just created name> Not Empty and select the clients_Detail.php page.


mr hankey

Thanks Jason, I will give this a go.

You are right about how the site will work; there are 2 user groups.

Admin and PowerUsers

Admin can see all the clients and PowerUsers only their own.

Is the above the best way to do it, or leave the clients_Results.php as is for Admins and then create a further page called clients_Results_Users.php for PowerUsers and follow your guidelines?

I thought I could maybe add an AND in the Recordset created by Data Assist and set it to ClientUserID = Session(UserID)??

Would that work?

Many thanks


mr hankey

I tried what I suggested, adding in an AND ClientUserID = ParamSessionUserID, but this did not work.

Should it have, Jason?

Many thanks


mr hankey

Originally Said By: Jason Byrnes
  I'm going to assume that this client listing page is named "clients_Results.php"

That listing of clients has links that go to the detail page:
<a href="clients_Detail.php?ClientID=<Id from recordset>"><Client name from recordset></a>

If I am wrong on any point the advice I give will be wrong, but here is one way to do it.

change the links to point to the client results page instead of the detail page:
<a href="clients_Results.php?ClientID=<Id from recordset>"><Client name from recordset></a>


Create a recordset that is filtered on the UserID session variable and the client ID Querystring variable.

This is a lookup recordset that will be used to ensure that the ClientID querystring variable is a client ID that belongs to the logged-in user and does not belong to another user.



Thanks Jason, before I start to implement, when you say create a recordset that is filtered on the UserID session variable and the ClientID querystring variable, is this on the clients_Results.php page or the clients_Detail.php page?

Also, I know how to create a filtered recordset based on the session variable UserID, however I am not sure how to create a querystring variable. Can you help with this, and with regards to what page it goes on, so I can try to get this completed?

Thanks again for your help Jason


mr hankey

I am just thinking Jason, this is going to be the same for the clients_Delete.php page and the product pages where it shows the ProductID in the URL.

Can you encrypt the URL so it makes no sense to people, or is there a way when going through the wizard not to do it via URL IDs?

As I am worried that this will be the case for most of these pages in this site.

Thanks again


Jason Byrnes (WebAssist)

Here is another method that may be less complicated to implement.

On each of the pages, create a recordset that queries the client table and filters it on the client ID passed in the query string and the user ID session variable.


You will create this recordset on the detail, update and delete pages.

Then add the Server Redirect behavior to the page and set the trigger to If Recordset is Empty.

This way, if they change the URL parameter to one that does not belong to the logged-in user, they will be redirected.

To filter on a querystring, enter the following for the run time variable:
$_GET['ClientID']


mr hankey

Thanks Jason, appreciate your help. That seems easier. How do I add it to the existing WA Data Assist code:

SELECT clients.ClientID, clients.ClientUserID, clients.App1Title, clients.App1FirstName, clients.App1LastName, clients.App1DOB, clients.App1House, clients.App1Street, clients.App1City, clients.App1County, clients.App1Zip, clients.App1Country, clients.App1Email, clients.App1Phone, clients.App1Mob, clients.ReferredBy, clients.InitialEnquiry, clients.Status, clients.App2Title, clients.App2FirstName, clients.App2LastName, clients.App2DOB, clients.App2House, clients.App2Street, clients.App2City, clients.App2County, clients.App2Zip, clients.App2Country, clients.App2Email, clients.App2Phone, clients.App2Mob, DATE_FORMAT(NOW(), '%Y') - DATE_FORMAT(App1DOB, '%Y') - (DATE_FORMAT(NOW(), '00-%m-%d') < DATE_FORMAT(App1DOB, '00-%m-%d')) AS App1Age, DATE_FORMAT(NOW(), '%Y') - DATE_FORMAT(App2DOB, '%Y') - (DATE_FORMAT(NOW(), '00-%m-%d') < DATE_FORMAT(App2DOB, '00-%m-%d')) AS App2Age
FROM clients
WHERE ClientID = ParamClientID OR ( -1= ParamClientID2 AND ClientID= ParamSessionClientID)

That is what the wizard created for my variables; I have just added in the age so I can calculate the age from date of birth on my page.

Could you tell me, would I delete an existing variable or add a new one, and how would I add this to my existing WA code?

Thank you Jason for your help on this one.

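The approach Jason describes in his last two replies (a lookup recordset filtered on both the ClientID query-string value and the UserID session value, with a Server Redirect when that recordset is empty) written out as plain PHP. This is an added example, not code from the thread or from WebAssist's Data Assist wizard. It also answers the final question above about the extra filter: it goes in the WHERE clause alongside the ClientID parameter, not in place of it. Assumptions that are not on the page: PDO prepared statements instead of the mysql_* calls and addslashes()/magic-quotes handling shown earlier, a $cbank variable holding a PDO connection, a $_SESSION['UserGroup'] value of 'Admin' for the Admin group, and login.php as the login page.

```php
<?php
// Added example (not from the thread or WebAssist). Ownership-checking loader
// shared by clients_Detail.php, clients_Update.php and clients_Delete.php.
// Assumed, not on the page: $cbank is a PDO connection; the Admin group is
// marked by $_SESSION['UserGroup'] === 'Admin'; login.php is the login page.
session_start();

/**
 * Return the client row if $clientId belongs to $userId (or the caller is an
 * admin), otherwise null. The ownership test lives inside the SQL, so a row
 * for another user's client never reaches the page, whatever is typed into
 * the URL. This is the "recordset filtered on the query string AND the
 * session" from the thread, as a prepared statement.
 */
function loadOwnedClient(PDO $db, int $clientId, int $userId, bool $isAdmin): ?array
{
    // Admins see every client; everyone else is limited to ClientUserID = their own UserID.
    $sql = 'SELECT ClientID, ClientUserID, App1FirstName, App1LastName'
         . ' FROM clients'
         . ' WHERE ClientID = :client_id'
         . ($isAdmin ? '' : ' AND ClientUserID = :user_id');

    $stmt = $db->prepare($sql);   // bound parameters: no addslashes(), no magic quotes
    $stmt->bindValue(':client_id', $clientId, PDO::PARAM_INT);
    if (!$isAdmin) {
        $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    }
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- page glue: identical on the detail, update and delete pages ----

// The existing "page is secure for logged-in users" check.
if (!isset($_SESSION['UserID'])) {
    header('Location: login.php');
    exit;
}

// Accept only a positive integer ClientID; anything else goes back to the list.
$clientId = filter_input(INPUT_GET, 'ClientID', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
if ($clientId === false || $clientId === null) {
    header('Location: clients_Results.php');
    exit;
}

$isAdmin = (($_SESSION['UserGroup'] ?? '') === 'Admin');   // assumed session key
$row_WADAclients = loadOwnedClient($cbank, $clientId, (int) $_SESSION['UserID'], $isAdmin);

// "Server Redirect, trigger: Recordset is Empty" from the thread, by hand:
// a ClientID that exists but belongs to someone else lands here too.
if ($row_WADAclients === null) {
    header('Location: clients_Results.php');
    exit;
}

// From here on $row_WADAclients is a client the logged-in user is allowed to see.
// On clients_Delete.php, the DELETE must carry the same two-column condition:
//   DELETE FROM clients WHERE ClientID = :client_id AND ClientUserID = :user_id
```

Because the ownership test is part of the WHERE clause, the same function serves the detail, update and delete pages, and the product pages get the same treatment with ProductID and whatever column ties a product to its owner. Encrypting or obscuring the ID in the URL, as asked about above, is not a substitute: the server still has to refuse a well-formed ID that belongs to another user, and this check does that no matter what the ID looks like.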