Hi there guys, not sure if anyone can help me here. I am creating a basic members site with a small gallery and I wish to lock down the URL somehow.

e.g.

http://domainname.com/memberFiles/8/gallery/gallery_config.php

At the moment all of the other pages are locked down via a session id variable, but I need to be able to only show this page if the session ID matches the number 8 on this occasion; if it doesn't, I want it to destroy the session.

At the moment, while I'm logged in viewing my gallery, I can just change the member number in the browser to, say, nine and see someone else's gallery, not cool.

Hope that makes some sense. Thanks in advance

Rich

If this is a fixed url, you can use a regular expression to get the 8 out of it. Something like this pattern:

~^http://domainname\.com/memberFiles/(\d+)/gallery/gallery_config\.php$~

See preg_match on how to use it.

Thanks for your reply, it's a little different. When a new user is created they get a new storage location, e.g. a numbered directory as seen above. So this changes with every user; I just don't want another user to view this page by changing the URL manually. Does that make sense?

Everything else stays the same, except the number right? That is where that regex comes in, it can extract that number from the url, so you can match it against your session.

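// Start the session if an earlier include has not already done so
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
// The member number is the second folder in the path: /memberFiles/8/gallery/...
$url = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$path = parse_url($url);
$folders = explode("/", isset($path['path']) ? $path['path'] : '');
$galleryuser = isset($folders[2]) ? $folders[2] : '';
// Not logged in, or logged in as a different member: send to login and end the session
if (!isset($_SESSION['id']) || (string) $_SESSION['id'] !== $galleryuser) {
    header('Location: ../../../login.php');
    echo 'Please <a href="login.php">log in</a> to access your account';
    session_destroy();
    exit();
}
// Put stored session variables into local php variable
$userid = $_SESSION['id'];
$username = $_SESSION['username'];
// Escape the values before putting them into the HTML
$toplinks = '<a href="../../../member_profile.php?id=' . urlencode($userid) . '">' . htmlspecialchars($username) . '</a> &bull; 
<a href="../../../member_account.php">Account</a> &bull; 
<a href="../../../logout.php">Log Out</a>';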

Thanks for your help guys, but I managed to get it working with the above code.

Cheers Rich
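
The ownership check discussed in this thread, written as a reusable guard. This is an added example, not code from any poster: the function names are hypothetical, the requests are constructed, and the `/memberFiles/<id>/gallery/` layout is the one from the question. It goes a little further than the thread by rejecting non-canonical numbers such as `08` or `8.0`, which a loose `==` comparison against a session id of 8 would accept.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/** Return the member number from the request path, or null if it is not canonical. */
function memberIdFromPath(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Anchored pattern: plain decimal digits only, no leading zero.
    if (preg_match('~^/memberFiles/([1-9][0-9]*)/gallery/[^/]+\.php$~D', $path, $m) !== 1) {
        return null;
    }
    return $m[1];
}

/** True only when the logged-in member owns the directory named in the URL. */
function mayViewGallery(array $session, string $requestUri): bool
{
    $owner = memberIdFromPath($requestUri);
    if ($owner === null || !isset($session['id'])) {
        return false;
    }
    // Strict string comparison: "8" == "08" and "8" == "8.0" are both true in PHP.
    return (string) $session['id'] === $owner;
}

// Constructed requests, checked for a session that belongs to member 8.
$session = ['id' => 8];
$requests = [
    '/memberFiles/8/gallery/gallery_config.php',
    '/memberFiles/9/gallery/gallery_config.php',
    '/memberFiles/08/gallery/gallery_config.php',
    '/memberFiles/8.0/gallery/gallery_config.php',
    '/memberFiles/8/gallery/gallery_config.php?id=9',
    '/memberFiles//gallery/gallery_config.php',
];
foreach ($requests as $uri) {
    printf("%-50s %s\n", $uri, mayViewGallery($session, $uri) ? 'allow' : 'deny');
}
// With no session at all, every request is denied.
var_dump(mayViewGallery([], '/memberFiles/8/gallery/gallery_config.php'));
```

In a real page the guard would be called with `$_SESSION` and `$_SERVER['REQUEST_URI']` before any output, and the same check has to run in every script under the member directory, not only `gallery_config.php`.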