Ok, this is 2/5 tables from my database (no relationships between them):
USERS       PAPERS
user_id     p_id
username    p_name
e-mail      p_authors
password    p_coauthor
            p_jname
            p_date
            p_url
which is supposed to be populated from a PHP script.
After registration, a user folder is created, and then the user can upload files to his folder. Users can see, access, and download other users' uploads, which I am trying to prevent.
I'm not sure which scripts are relevant to copy/paste here, so I'll try to display the important parts of the code from the scripts:
Register script (the rest of the script just creates the user folder):
$uname = mysql_real_escape_string($_POST['uname']);
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$sql = mysql_query ("SELECT username FROM users WHERE username='".$uname."'");
$num = mysql_num_rows($sql);
if ($num > 0) { ?>
    <script>alert('Duplicate username');</script>
<?php } else {
    if (mysql_query("INSERT INTO users(username,email,password) VALUES('$uname','$email','$upass')")) { ?>
        <script>alert('Successfully registered');</script>
    <?php }
}
Login script:
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$sql = mysql_query("SELECT * FROM users WHERE email='".$email."'");
$num = mysql_fetch_assoc($sql);
if ($num['password'] == $upass) {
    $_SESSION['user'] = $num['username'];
} else { ?>
    <script>alert('wrong details');</script>
<?php }
And the addfile script, where the file and data upload occurs:
$sql = mysql_query("INSERT INTO papers (p_name, p_authors, p_cauthor, p_jname, p_date, p_url) VALUES ('$name', '$authors', '$cauthor', '$jname', '$date', '$filename')");
if ($sql) { ?>
    <script>alert('Data uploaded to database !');
    window.location.href = "home.php";</script>
<?php } else { ?>
    <script>alert('Data NOT uploaded to database !');
    window.location.href = "home.php";</script>
<?php }
Now, when I do this on the user's homepage:
$result = mysql_query("SELECT username, p_url FROM users, papers WHERE username='".$_SESSION['user']."'");
$output = mysql_fetch_array($result);
foreach ($output as $key => $val) {
    $search = substr($val, 0, strpos($val, '.'));
    $trim = str_replace($val, '', $search);
    echo <<<HERE
<a href="http://localhost:8080/testfolder/users/{$_SESSION['user']}/{$val}" target="_blank">{$trim}</a><br />
HERE;
}
I can access and download all data and uploaded files from other users' folders. How can I prevent this, and make the script display and download only the logged-in user's things from the database? Is my users and papers table construction completely wrong, or is the problem maybe in the aforementioned query?
To prevent this happening, you have to have a relationship between your tables and link them via this.
Your query is retrieving EVERY record in users mapped across to EVERY record in papers.
Your tables must have a common field to prevent this. I would suggest adding user_id from the users table into the papers table and rewriting your query as
SELECT
u.username,
p.p_url
FROM
users as u
INNER JOIN
papers as p
ON
p.user_id=u.user_id
WHERE
u.username='{$_SESSION['user']}'
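
The difference between the question's query and the answer's join, as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite database standing in for MySQL (needs the pdo_sqlite extension), constructed sample rows, and the hypothetical helper names papersCrossJoin and papersForUser.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Columns from the question, plus the user_id column the answer adds to papers.
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec('CREATE TABLE papers (
    p_id    INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    p_url   TEXT NOT NULL)');

// Constructed sample rows: one paper owned by alice, two owned by bob.
$db->exec("INSERT INTO users (user_id, username) VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO papers (user_id, p_url) VALUES
    (1, 'alice-thesis.pdf'), (2, 'bob-draft.pdf'), (2, 'bob-notes.pdf')");

// The question's query shape (hypothetical helper): no join condition, so the
// matching user row is paired with every row in papers, whoever owns it.
function papersCrossJoin(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT p_url FROM users, papers WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The answer's query shape (hypothetical helper): papers are tied to their
// owner through user_id, and the username is bound as a parameter.
function papersForUser(PDO $db, string $username): array
{
    $stmt = $db->prepare(
        'SELECT p.p_url
           FROM users AS u
          INNER JOIN papers AS p ON p.user_id = u.user_id
          WHERE u.username = ?
          ORDER BY p.p_id'
    );
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "cross join for alice: ", implode(', ', papersCrossJoin($db, 'alice')), "\n";
echo "inner join for alice: ", implode(', ', papersForUser($db, 'alice')), "\n";
echo "inner join for bob:   ", implode(', ', papersForUser($db, 'bob')), "\n";
```

The join only scopes what the page lists; anything that serves the files themselves needs the same ownership check against the session user.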