close ad
WARNING: Do Not Install the DREAMWEAVER CC 2017 or 2018 Update »
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

ID in URL

Thread began 5/18/2010 1:29 pm by mr hankey | Last modified 7/20/2010 11:41 am by Jason Byrnes | 2164 views | 24 replies |

mr hankey

ID in URL

Hi,

I have nearly finished off an application that i have been working on for a client.

Issue i have while i am testing is the clients_Details page is secure for logged in users.

However eash userid has their own set of clients.

If i am logged in as UserID 1 and clientID 1 assigned to UserID 2 all i need to do is in the url type clients_Detail.php?ClientID=1 and i can see this client details.

is there a way i can get around only the users being able to see their own clients details?

many thanks

Sign in to reply to this post

Jason ByrnesWebAssist

Store the client ID in a session variable and filter the record set on the session instead of URL variable.

Sign in to reply to this post

mr hankey

thanks jason, how do i store the client id in a session variable?

i tried doing this but no use can you help?


$ParamClientID_WADAclients = "-1";
if (isset($_GET['ClientID'])) {
$ParamClientID_WADAclients = (get_magic_quotes_gpc()) ? $_GET['ClientID'] : addslashes($_GET['ClientID']);
}
$ParamSessionClientID_WADAclients = "-1";
if (isset($_SESSION['WADA_Insert_clients'])) {
$ParamSessionClientID_WADAclients = (get_magic_quotes_gpc()) ? $_SESSION['WADA_Insert_clients'] : addslashes($_SESSION['WADA_Insert_clients']);
}
$ParamClientID2_WADAclients = "-1";
if (isset($_GET['ClientID'])) {
$ParamClientID2_WADAclients = (get_magic_quotes_gpc()) ? $_GET['ClientID'] : addslashes($_GET['ClientID']);
}
$colname_rsClientsUser = "-1";
if (isset($_SESSION['UserID'])) {
$colname_rsClientsUser = (get_magic_quotes_gpc()) ? $_SESSION['UserID'] : addslashes($_SESSION['UserID']);
}
mysql_select_db($database_cbank, $cbank);
$query_WADAclients = sprintf("SELECT clients.ClientID, clients.ClientUserID, clients.App1Title, clients.App1FirstName, clients.App1LastName, clients.App1DOB, clients.App1House, clients.App1Street, clients.App1City, clients.App1County, clients.App1Zip, clients.App1Country, clients.App1Email, clients.App1Phone, clients.App1Mob, clients.ReferredBy, clients.InitialEnquiry, clients.Status, clients.App2Title, clients.App2FirstName, clients.App2LastName, clients.App2DOB, clients.App2House, clients.App2Street, clients.App2City, clients.App2County, clients.App2Zip, clients.App2Country, clients.App2Email, clients.App2Phone, clients.App2Mob, DATE_FORMAT(NOW(), '%%Y') - DATE_FORMAT(App1DOB, '%%Y') - (DATE_FORMAT(NOW(), '00-%%m-%%d') < DATE_FORMAT(App1DOB, '00-%%m-%%d')) AS App1Age, DATE_FORMAT(NOW(), '%%Y') - DATE_FORMAT(App2DOB, '%%Y') - (DATE_FORMAT(NOW(), '00-%%m-%%d') < DATE_FORMAT(App2DOB, '00-%%m-%%d')) AS App2Age FROM clients WHERE ClientID = %s OR ( -1= %s AND ClientID= %s) ", GetSQLValueString($ParamClientID_WADAclients, "int"),GetSQLValueString($ParamClientID2_WADAclients, "int"),GetSQLValueString($ParamSessionClientID_WADAclients, "int") AND ClientUserID = %s", GetSQLValueString($colname_rsClientsUser, "int"));
$WADAclients = mysql_query($query_WADAclients, $cbank) or die(mysql_error());
$row_WADAclients = mysql_fetch_assoc($WADAclients);
$totalRows_WADAclients = mysql_num_rows($WADAclients);

Sign in to reply to this post

Jason ByrnesWebAssist

I don't know enough about the flow of your application to be able to tell you _how_ to do this. there are a gazillion ways it _can_ be done.


I would suspect that your user logs in, and they see a listing of clients that they can update.

I'm going to assume that this client listing page is named "clients_Results.php"

That listing of clients has links that go to the detail page:
<a href="clients_Detail.php?ClientID=<Id from recordset>"><Client name from recordset></a>

If I am wrong on any point the advice I give will be wrong, but here is one way to do it.

change the links to point to the client results page instead of the detail page:
<a href="clients_Results.php?ClientID=<Id from recordset>"><Client name from recordset></a>


Create a recordset that is filtered on the UserID session variable and the client ID Querystring variable.

this is a lookup recordset that will be used to ensure that the clientID querystring variable is client ID that belongs to the logged in user and does not belong to another user.

Add a set session value server behavior. On the Server Behaviors panel, click the plus button and select eCart -> Genera; -> Set Session Value

Set the name to ClentID

set the trigger to Recordset <Recordset we just created name> Not empty

For the value, click the lightning bolt and select the Client ID from the recordset we just created.


next add a server redirect to the client details page. On the Server Behaviors panel, click the plus button and select WA Utilities - > Server Redirect or webassist -> Utilities -> Server Redirect

Set the trigger to Recordset <Recordset we just created name> Not empty and select the clients_Detail.php page.

Sign in to reply to this post

mr hankey

thanks jason i will give this a go.

you are right how the site will work, there is 2 users groups.

Admin and PowerUsers

Admin can see all the clients and PowerUsers only their own.

Is the above the best way to do it or leave the clients_Results.php as is for Admins and then create a further page called clients_Results_Users.php for PowerUsers and follow your guide lines?

I though i could maybe add in an AND in the Recordset created by Data Assist and set it to ClientUserID = Session(UserID) ??

Would that work?

Many thanks

Sign in to reply to this post

mr hankey

I tried what i suggested with adding in an AND ClientUserID = ParamSessionUserID but this did not work.

Should it have Jason?

Many thanks

Sign in to reply to this post

mr hankey

Originally Said By: Jason Byrnes
  I'm going to assume that this client listing page is named "clients_Results.php"

That listing of clients has links that go to the detail page:
<a href="clients_Detail.php?ClientID=<Id from recordset>"><Client name from recordset></a>

If I am wrong on any point the advice I give will be wrong, but here is one way to do it.

change the links to point to the client results page instead of the detail page:
<a href="clients_Results.php?ClientID=<Id from recordset>"><Client name from recordset></a>


Create a recordset that is filtered on the UserID session variable and the client ID Querystring variable.

this is a lookup recordset that will be used to ensure that the clientID querystring variable is client ID that belongs to the logged in user and does not belong to another user.  



thanks jason, before i start to impliment, when you say create a recordset that is filterent on the UserID session variable and the clientid querystring variable, is this on the clients_Results.php page or the clients_Detail.php page?

Also i know how to create a filtered recordset based on the session variable UserID however i am not sure how to create a querystring variable can you help with this and with regards to what page it goes on so i can try get this completed?

thanks again for your help jason

Sign in to reply to this post

mr hankey

i am just thinking jason, this is going to be the same for the clients_Delete.php page and the product pages where it shows the ProductID in the URL.

can you encrypt the URL so it makes no sense to people or is there a way when going through the wizard not to do it via URL ID's?

As i am worried that this will be the case for most of these pages in this site.

thanks again

Sign in to reply to this post

Jason ByrnesWebAssist

here is another method that may be less complicated to implement.

On each of the pages, create a recordset that queries the client table and filters it on the the client ID passed in the query string and the user ID session variable


you will create this recordset on the detail, update and delete pages.

Then add the server redirect behavior to the page and set the trigger to If Recordset is empty.

This way if they change the url parameter to one that does not belong to the loged in user, they will b redirected.

to filter on a querystring, enter the following for the run time variable:
$_GET['ClientID']

Sign in to reply to this post

mr hankey

Thanks Jason, appreciate your help. That seems easier how i add to the existing WA Data Assist code:

SELECT clients.ClientID, clients.ClientUserID, clients.App1Title, clients.App1FirstName, clients.App1LastName, clients.App1DOB, clients.App1House, clients.App1Street, clients.App1City, clients.App1County, clients.App1Zip, clients.App1Country, clients.App1Email, clients.App1Phone, clients.App1Mob, clients.ReferredBy, clients.InitialEnquiry, clients.Status, clients.App2Title, clients.App2FirstName, clients.App2LastName, clients.App2DOB, clients.App2House, clients.App2Street, clients.App2City, clients.App2County, clients.App2Zip, clients.App2Country, clients.App2Email, clients.App2Phone, clients.App2Mob, DATE_FORMAT(NOW(), '%Y') - DATE_FORMAT(App1DOB, '%Y') - (DATE_FORMAT(NOW(), '00-%m-%d') < DATE_FORMAT(App1DOB, '00-%m-%d')) AS App1Age, DATE_FORMAT(NOW(), '%Y') - DATE_FORMAT(App2DOB, '%Y') - (DATE_FORMAT(NOW(), '00-%m-%d') < DATE_FORMAT(App2DOB, '00-%m-%d')) AS App2Age
FROM clients
WHERE ClientID = ParamClientID OR ( -1= ParamClientID2 AND ClientID= ParamSessionClientID)

that is what the wizard created for my variables i have just added in the age so i can calculate the age from date of birth on my page.

could you tell me would i delete an existing variable or add a new one and how would i add this to my existing WA code?

thank you jason for your help on this one.

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...