
Hello there,
I have a big, big problem in my project. I have a login page, so when anyone logs in, the session will be his id:

 $_SESSION['userid'] = $id; 

Till now there are no problems. I put in a header file to check whether the user is logged in or not:

<?php
    if (isset($_SESSION['loggedin']) && isset($_SESSION['userid']) && $_SESSION['loggedin'] == true && !empty($_SESSION['userid'])) {
        $SID = $_SESSION['userid'];
        $userpro = getusername($SID); // this is just to get the username of the user
?>

I've also created a **profile.php** to see other users' profiles and see their files, pictures and other things.
Here is my problem: when a user, let's say "A", enters user profile "B" by the URL profile.php?user=B, it's OK,
BUT when he goes to the main page or any other page, user "A" becomes user "B" and has all the privileges of user "B", including commenting, favoriting, and deleting files for user "B". Then imagine what happens if user "A" gets the privileges of "ADMIN"? Anything you want, I am here; just tell me what to do.


You sure you're not setting the SESSION['user_id'] from a $_GET['id']?

e.g.

<?php

   $id = $_GET['id'];

   $_SESSION['user_id'] = $id;


Before I posted this I checked my profile file, and saw there is an <iframe> that takes data from another file, and that file has a variable with the same name as $SID userpro, meaning every time I visit a user's profile I get his id and put it inside $_SESSION['user_id']. How stupid of me. Now it's all done; thanks, phorce, for this advice.
I must always use echo to see what the output of variables is.
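
The bug found in this thread next to a corrected layout, as an added example that is not part of the original posts: the id of the profile being viewed stays in a local variable, and permission checks read only the logged-in id from the session. The function names are hypothetical, and `$session` / `$get` are plain arrays standing in for `$_SESSION` / `$_GET` so the script runs from the command line.

```php
<?php
// Added example. $session and $get stand in for $_SESSION and $_GET;
// all function names below are hypothetical.

// Buggy pattern from the thread: the page that displays another user's
// profile writes the requested id into the slot that identifies the viewer.
function view_profile_buggy(array &$session, array $get): string
{
    $session['userid'] = $get['user'];   // identity now comes from the URL
    return $session['userid'];           // id of the profile being rendered
}

// Corrected pattern: the requested id lives in a local variable only.
// $session['userid'] is written in one place, the login handler.
function view_profile_fixed(array $session, array $get): ?string
{
    $viewedId = $get['user'] ?? '';
    if (!is_string($viewedId) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $viewedId)) {
        return null;                     // reject missing or malformed ids
    }
    return $viewedId;
}

// Delete/comment/favorite checks compare the owner of the object with the
// logged-in id from the session, never with request data.
function can_delete_file(array $session, string $fileOwnerId): bool
{
    return ($session['loggedin'] ?? false) === true
        && isset($session['userid'])
        && hash_equals((string) $session['userid'], $fileOwnerId);
}

// Constructed scenario: user A is logged in and opens profile.php?user=B.
$get = ['user' => 'B'];

$buggy = ['loggedin' => true, 'userid' => 'A'];
view_profile_buggy($buggy, $get);
var_dump($buggy['userid']);                   // session identity after the view
var_dump(can_delete_file($buggy, 'B'));       // may A delete B's files?

$fixed = ['loggedin' => true, 'userid' => 'A'];
var_dump(view_profile_fixed($fixed, $get));   // id of the profile shown
var_dump($fixed['userid']);                   // session identity after the view
var_dump(can_delete_file($fixed, 'B'));       // may A delete B's files?
```

The same separation applies to included files and iframe targets: a file that handles the viewed profile should use its own variable names and never assign to the session keys set at login.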
