Sessions question
Hi,
How can I use sessions to stop users from reading other members' messages by typing different messageids in the URL?
I already have the following at the top of pages that require the user to be logged in. How can I modify it to stop the logged-in user from reading other users' messages?
<?php
if (!isset($_SESSION['userid'])) {
    echo "<center><font face='Verdana' size='2' color=red>Sorry, Please login and use this page </font></center>";
    exit;
}
?>
teammatt3 posted this at 15:32 — 28th March 2008.
I don't think this really has to do with sessions much. It has to do with how you structure your queries and how your tables are set up.
You need a query that SELECTs the messages based on the user's ID (because they don't have the ability to change that). This might work if a message can only be sent to one person.
"SELECT * FROM Message WHERE To = $userID AND MessageID = $messageID"
So if Hannah Hacker goes into her address bar and changes the MessageID, if that message ID exists *BUT* it wasn't addressed to her (the To field), no rows are returned.
Do you have two tables to handle messages? Something like Message and User2Message? You'd use an INNER JOIN to connect them and do the same type of thing.
drew22299 posted this at 15:43 — 28th March 2008.
Thanks, that was very well explained. I have a user table and a messages table with the following fields:
messageid, userto, userfrom, date, subject, message
I'll try the query you suggested.
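The ownership check teammatt3 describes, written against the fields drew22299 lists, as an added example that is not part of the original thread. The table name `messages`, integer ids, the function name `fetchMessageForUser`, the rule that only the recipient may read a message, and the in-memory SQLite sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Returns the message row only if it is addressed to $userId, otherwise null.
// A missing message and someone else's message look identical to the caller.
function fetchMessageForUser(PDO $db, int $userId, $rawMessageId): ?array
{
    // The id comes from the URL, so accept only a positive integer.
    $messageId = filter_var($rawMessageId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($messageId === false) {
        return null;
    }
    // Ownership is part of the WHERE clause; values are bound, not interpolated.
    $stmt = $db->prepare(
        'SELECT messageid, userfrom, date, subject, message
           FROM messages
          WHERE messageid = :mid AND userto = :uid'
    );
    $stmt->execute([':mid' => $messageId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumption: the
// real site would pass its own PDO connection instead).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (messageid INTEGER PRIMARY KEY, userto INTEGER,
           userfrom INTEGER, date TEXT, subject TEXT, message TEXT)');
$db->exec("INSERT INTO messages VALUES
           (1, 10, 20, '2008-03-28', 'Hi', 'For user 10'),
           (2, 20, 10, '2008-03-28', 'Re: Hi', 'For user 20')");

$sessionUserId = 10; // stands in for (int) $_SESSION['userid'] after login
// Requested ids as they would arrive in $_GET: own, someone else's, missing, malformed.
foreach (['1', '2', '999', 'abc'] as $requested) {
    $msg = fetchMessageForUser($db, $sessionUserId, $requested);
    printf("messageid=%-4s => %s\n", $requested,
        $msg === null ? 'not found' : $msg['subject']);
}
```

The user id always comes from the session and never from the request, which is why changing the messageid in the URL cannot reach another member's row.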