08-31-2008, 05:59 PM
#1
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
Help with delivering custom page to logged in user
Hello everyone,
I am currently stuck with my website.. I have done everything i know to try and get my website the way i want it, but it still is lacking what i really want.
I created a login section for users, but i do not know how to modify it so that when users log in they go to a specific page within my website that only they can go to.
my website is http://www.mytodostuff.com
is there someone out there or someone you know of out there that i can contact that can help me complete my website.
if at all possible, i want to be able to modify what they have done if necessary..
if you know of anyone who can help, please let me know.
Thank you so much.
Jason.

08-31-2008, 08:09 PM
#2
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 17,230
Hiya Jgray,
The community would be happy to help you with creating customised content for user accounts.
Are you creating SESSION identification variables for the user after they log in, because then it is pretty simple to use that to create a user specific page.
What kind of information do you want on the page, and what kind of information do you have about the user in your database?
__________________
Personal Blog (and photos): HorusKol
Articles on Programming and Development (PHP/HTML/CSS, C/C++, more): RandomTweak
The great secret that no SEO agent wants you to hear: if you build your website using w3c accessibility guidelines and your content is written for people, you will do better for longer in search engines than any other method...

08-31-2008, 09:11 PM
#3
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
Thank you. I'd really appreciate that, Horus_Kol + community.
OK, here is the information that i have about the user in my database:
- user id
- first name
- last name
- email, password
- user_level
- active
- registration date
Here is the information that i want to be on the page:
- customizable links (i want the user to be able to customize the links he/she wants on their page)
- able to create a background image
- a notepad to write notes or reminders
- for now that is all i need, i will be adding more things later
as far as what you asked about...
Quote:
Are you creating SESSION identification variables for the user after they log in, because then it is pretty simple to use that to create a user specific page.

i am not too sure if i am or not.
how do i tell if i am creating SESSION identification variables for the user after they are logged in or not?
Last edited by jgray805 : 08-31-2008 at 10:38 PM.

09-01-2008, 12:04 AM
#4
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 17,230
well, post up the code of the script that logs the users in, and we can help you out...
doing customisable links, etc, this is going to get a bit more complicated, but we can still help out...
is the content on these user pages login going to be publicly visible - but only editable by the user themself?
this will also need to be considered so that we help you get what you want.

09-01-2008, 01:49 AM
#5
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
sure thing... here is the script that logs in users...
if u need the other files, such as login.php and mysqli_connect.php or the other ones, let me know..
Quote:
register.php
<?php
# Script 16.6 - register.php
// This is the registration page for the site.
require_once ('includes/config.inc.php');
$page_title = 'Register';
include ('includes/header.html');
if (isset($_POST['submitted'])) { // Handle the form.
    require_once (MYSQL);
    // Trim all the incoming data:
    $trimmed = array_map('trim', $_POST);
    // Assume invalid values:
    $fn = $ln = $e = $p = FALSE;
    // Check for a first name:
    if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $trimmed['first_name'])) {
        $fn = mysqli_real_escape_string ($dbc, $trimmed['first_name']);
    } else {
        echo '<p class="error">Please enter your first name!</p>';
    }
    // Check for a last name:
    if (preg_match ('/^[A-Z \'.-]{2,40}$/i', $trimmed['last_name'])) {
        $ln = mysqli_real_escape_string ($dbc, $trimmed['last_name']);
    } else {
        echo '<p class="error">Please enter your last name!</p>';
    }
    // Check for an email address:
    if (preg_match ('/^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}$/', $trimmed['email'])) {
        $e = mysqli_real_escape_string ($dbc, $trimmed['email']);
    } else {
        echo '<p class="error">Please enter a valid email address!</p>';
    }
    // Check for a password and match against the confirmed password:
    if (preg_match ('/^\w{4,20}$/', $trimmed['password1']) ) {
        if ($trimmed['password1'] == $trimmed['password2']) {
            $p = mysqli_real_escape_string ($dbc, $trimmed['password1']);
        } else {
            echo '<p class="error">Your password did not match the confirmed password!</p>';
        }
    } else {
        echo '<p class="error">Please enter a valid password!</p>';
    }
    if ($fn && $ln && $e && $p) { // If everything's OK...
        // Make sure the email address is available:
        $q = "SELECT user_id FROM users WHERE email='$e'";
        $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
        if (mysqli_num_rows($r) == 0) { // Available.
            // Create the activation code:
            $a = md5(uniqid(rand(), true));
            // Add the user to the database:
            $q = "INSERT INTO users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', SHA1('$p'), '$fn', '$ln', '$a', NOW() )";
            $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
            if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.
                // Send the email:
                $body = "Thank you for registering at <MyToDoStuff>. To activate your account, please click on this link:\n\n";
                $body .= BASE_URL . 'activate.php?x=' . urlencode($e) . "&y=$a";
                mail($trimmed['email'], 'Registration Confirmation', $body, 'From: contactus@mytodostuff.com');
                // Finish the page:
                echo '<h3>Thank you for registering! A confirmation email has been sent to your address. Please click on the link in that email in order to activate your account.</h3>';
                include ('includes/footer.html'); // Include the HTML footer.
                exit(); // Stop the page.
            } else { // If it did not run OK.
                echo '<p class="error">You could not be registered due to a system error. We apologize for any inconvenience.</p>';
            }
        } else { // The email address is not available.
            echo '<p class="error">That email address has already been registered. If you have forgotten your password, use the link at right to have your password sent to you.</p>';
        }
    } else { // If one of the data tests failed.
        echo '<p class="error">Please re-enter your passwords and try again.</p>';
    }
    mysqli_close($dbc);
} // End of the main Submit conditional.
// Values echoed back into the form below are HTML-escaped so they cannot break out of the value attribute.
?>
<h1>Register</h1>
<form action="register.php" method="post">
<fieldset>
<p><b>First Name:</b> <input type="text" name="first_name" size="20" maxlength="20" value="<?php if (isset($trimmed['first_name'])) echo htmlspecialchars($trimmed['first_name'], ENT_QUOTES); ?>" /></p>
<p><b>Last Name:</b> <input type="text" name="last_name" size="20" maxlength="40" value="<?php if (isset($trimmed['last_name'])) echo htmlspecialchars($trimmed['last_name'], ENT_QUOTES); ?>" /></p>
<p><b>Email Address:</b>
<input type="text" name="email" size="30" maxlength="80" value="<?php if (isset($trimmed['email'])) echo htmlspecialchars($trimmed['email'], ENT_QUOTES); ?>" /></p>
<p><b>Password:</b>
<input type="password" name="password1" size="20" maxlength="20" />
<small>Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</small></p>
<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>
<div align="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
<?php // Include the HTML footer.
include ('includes/footer.html'); ?>

as far as the content on these pages...
- yes, i want it to only be editable by the one user whose page it is
- yes and no, for the page being publicly visible or private... if possible, i want there to be a button that the user can make it visible to the public, or private so only he or she can view it and nobody else.

09-01-2008, 02:43 AM
#6
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
here are all the files for logging a user into my website..
i attached the files to this post.

09-01-2008, 07:54 AM
#7
Guru (Moderator)
Join Date: Nov 2005
Location: Preston, England, UK
Posts: 1,044
Sorry, I posted this to an old thread - sorry, not used to fora of this size! So I will post it again here (if this is bad, please delete one!).
I could be wrong, but it sounds like all you want to do is re-direct people to different pages when they log in... This isn't really necessary. Presumably you check your database and set a session variable when they log in anyway, so you might have something like this:
PHP Code:
<?php
# Login script here....
# Set your session (whatever you set)
$_SESSION['id'] = 42;
# Redirect the user
header('Location: http://www.mytodostuff.com/profile.php');
exit;

You then use the session id variable in the profile.php page to query the database and load the user's profile (i.e. their own profile).
When a user views someone else's profile have them pass in a $_GET variable (profile.php?user=42) to override the session id (if one exists). You can neaten this up however you like (read up on Apache rewrite rules for ideas).
If someone loads profile.php without being logged in, and without passing a user variable you could then redirect them to the registration page (or wherever you like). The same is true for non-registered users trying to view someone.
Hope this puts you on the right track.
Cheers,
Paul

09-01-2008, 08:08 AM
#8
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 17,230
I'd be very wary of just dumping the database record into a SESSION variable like your script does on successful login:
PHP Code:
$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
You'd be better off with a unique identifier that is randomly generated on each page load and stored in the database and session and checked against - this makes for a more secure application.
anyway, just for simple sakes at the moment...
you're going to need to setup another database table for the user generated content - something on the order of:
Code:
CREATE TABLE userpages (
    user_id INT PRIMARY KEY,
    quicklinks TEXT,
    backgroundimage VARCHAR(255),
    notepad TEXT,
    isPrivate TINYINT(1)
);
so, if they open a particular user page, say http://www.example.com/user.php?uid=1138 then you do the following:
PHP Code:
<?php
require_once ('includes/config.inc.php');
include ('includes/header.html');
// 1. load the content
if (isset($_GET['uid'])) {
    $user_id = (int) $_GET['uid']; // expecting an integer
    // the viewer's id, or null when nobody is logged in
    $viewer_id = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    require_once (MYSQL);
    $sql['user_id'] = mysqli_real_escape_string($dbc, $user_id); // make doubly sure that the user_id is safe
    // the users table and its first_name column are the ones register.php writes to
    $query = "SELECT userpages.*, users.first_name FROM userpages INNER JOIN users ON users.user_id = userpages.user_id WHERE userpages.user_id = '" . $sql['user_id'] . "'";
    $query_result = mysqli_query($dbc, $query);
    if ($query_result && $query_result->num_rows == 1) {
        $page_content = mysqli_fetch_assoc($query_result);
        $page_title = "User - " . $page_content['first_name'];
        if ($page_content['isPrivate'] == 1 && $viewer_id !== $user_id) {
            // the page is private and NOT being viewed by the page owner
            // do not display the page content
        } else {
            if ($viewer_id === $user_id && isset($_GET['edit'])) {
                // show the form inputs
            } else {
                // just show the page content now
                // at some point, you're gonna want to have an edit link - use this code:
                if ($viewer_id === $user_id && !isset($_GET['edit'])) {
                    echo '<a href="/user.php?uid=' . $user_id . '&edit=edit">Edit</a>';
                }
            }
        }
    } else {
        // user id not found - ERROR
    }
} else {
    // no user name specified - ERROR
}
?>
I leave most of the details as an exercise for the original poster
I will explain the query:
Code:
$query = "SELECT userpages.*, users.first_name FROM userpages INNER JOIN users ON users.user_id = userpages.user_id WHERE userpages.user_id = '" . $sql['user_id'] . "'";
This is a JOIN - and one of the methods of getting data which is related but in different tables out of the database in one query.
This is a simple example - since there are only two tables, and there should be a 1-to-1 relationship between users and userpages - some get quite complex (I've had to join 6 tables, with some of the joins having many-to-many relationships, in one query once to get a useful output in one query).
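
An added example (not HorusKol's code or the site's): the view/edit decision for user.php pulled into one function that fails closed, with a bound-parameter lookup against the userpages table sketched above. parse_uid(), load_userpage() and access_for() are hypothetical names, and the rows at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example. parse_uid(), load_userpage() and access_for() are hypothetical names.

/** Accept only a plain positive decimal id; (int) would turn "42abc" into 42. */
function parse_uid($raw): ?int
{
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,8}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Fetch one userpages row using a bound parameter instead of string concatenation. */
function load_userpage(mysqli $dbc, int $uid): ?array
{
    $stmt = mysqli_prepare(
        $dbc,
        'SELECT user_id, quicklinks, backgroundimage, notepad, isPrivate
           FROM userpages WHERE user_id = ?'
    );
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 'i', $uid);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $links, $image, $notes, $private);
    $row = mysqli_stmt_fetch($stmt) === true
        ? ['user_id' => $id, 'quicklinks' => $links, 'backgroundimage' => $image,
           'notepad' => $notes, 'isPrivate' => $private]
        : null;
    mysqli_stmt_close($stmt);
    return $row;
}

/**
 * 'edit' for the owner, 'view' for an explicitly public page, 'deny' otherwise.
 * A missing page, a missing flag and an anonymous viewer of a private page all deny.
 */
function access_for(?int $viewerId, ?array $page): string
{
    if ($page === null) {
        return 'deny';
    }
    if ($viewerId !== null && $viewerId === (int) $page['user_id']) {
        return 'edit';
    }
    $isPublic = isset($page['isPrivate']) && (int) $page['isPrivate'] === 0;
    return $isPublic ? 'view' : 'deny';
}

if (PHP_SAPI === 'cli') {
    // Constructed rows standing in for load_userpage() results.
    $public  = ['user_id' => 1138, 'isPrivate' => 0, 'notepad' => '<b>buy milk</b>'];
    $private = ['user_id' => 42, 'isPrivate' => 1, 'notepad' => 'dentist at 3'];
    $cases = [[null, $public], [42, $public], [null, $private],
              [1138, $private], [42, $private], [42, null]];
    foreach ($cases as [$viewer, $page]) {
        printf("viewer=%s page=%s => %s\n", var_export($viewer, true),
            $page === null ? 'none' : (string) $page['user_id'], access_for($viewer, $page));
    }
    // Escape stored user content on output so a note cannot inject markup.
    echo htmlspecialchars($public['notepad'], ENT_QUOTES, 'UTF-8'), "\n";
    var_dump(parse_uid('1138'), parse_uid('42abc'), parse_uid(['1']));
}
```

Run the same access_for() check in the script that saves an edit, not only where the edit form is displayed.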

09-01-2008, 08:09 AM
#9
Mod of the Underlay
Join Date: Jun 2002
Location: At a desk, hooked up and ready to rock
Posts: 17,230
Quote:
Originally Posted by paul_norman_81
Sorry, I posted this to an old thread - sorry, not used to fora of this size! So I will post it again here (if this is bad, please delete one!)
not a problem, Paul - thanks for reposting, in the new thread

09-01-2008, 06:07 PM
#10
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
in regards to pauls reply about :
Quote:
I could be wrong, but it sounds like all you want to do is re-direct people to different pages when they log in... This isn't really necessary. Presumably you check your database and set a session variable when they log in anyway, so you might have something like this:

yes paul that is pretty much exactly what i want to do... your theory makes sense to me but actually implementing the code and creating the correct files so everything links together correctly and i do not get any errors is what i am having problems with.
... my php skills arent very good, but i am trying to learn...
i am understanding where i need to put the code that u wrote. i dont think that code goes in the new file that i create called profile.php... does it?
then when i create my file profile.php i need to somehow check what user is trying to login, and redirect the person to his or her own page...
for example... if its user id 42, then he will be redirected to page 42 and if its user id 1 he would be redirected to page 1.... is that right?
if thats right, now how do i actually type in all the code and stuff to make it work?

09-01-2008, 06:40 PM
#11
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
Horus_Kol, in regards to ur reply about :
Quote:
You'd be better off with a unique identifier that is randomly generated on each page load and stored in the database and session and checked against - this makes for a more secure application.

Can we talk about this first....i want my website to be as secure as possible. i don't want hackers getting into, or at least not very easily.
Where in my code am i just dumping the database record into a SESSION variable like my script does on successful login?
is it this code in my register.php file?:
Quote:
// Create the activation code:
$a = md5(uniqid(rand(), true));

and then the code u wrote for that:
Quote:
$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);

is that the way i should be doing it to make it more secure?
and then for the other part of your reply:
Quote:
you're going to need to setup another database table for the user generated content - something on the order of:

in my phpMyAdmin of my website, i will need to create a new database called userpages
what do i put for the new table on database mytodost_userpages when it asks me for the Name: and the Number of fields: ??
and then for the big chunk of code you provided, where does that go?
I am so sorry that i do not know more to be able to do more on my own.
I am trying to learn though.
thanks for the explanation on the query.

09-01-2008, 07:20 PM
#12
Guru (Moderator)
Join Date: Nov 2005
Location: Preston, England, UK
Posts: 1,044
Quote:
Originally Posted by jgray805
then when i create my file profile.php i need to somehow check what user is trying to login, and redirect the person to his or her own page...
for example... if its user id 42, then he will be redirected to page 42 and if its user id 1 he would be redirected to page 1.... is that right?
work?

It's late in the UK so I'll be brief I'm afraid. You redirect everyone to profile.php after logging them in. On this page you then dynamically create the content from their session. So conceptually:
PHP Code:
<?php
# Load the information you need for this page from the database using the session id
# Display the data
?>
This can then be extended for the scenario of viewing a different user, i.e. profile.php?id=42
PHP Code:
<?php
# Set a local $id variable to be the user's session id
# Check if we are viewing someone else (i.e. we have a numerical ID passed via a $_GET variable). If so override the existing local $id variable with this one
# Load the information you need for this page from the database using the local $id var
# Display the data
?>
and you can add more logic for non-registered users, or private accounts etc, but I'll leave that to you to work on.
Once you have got the concept you can then concentrate on making the path neater using rewrite rules.
Hope this helps,
Paul

09-01-2008, 10:15 PM
#13
Veteran (Level 7)
Join Date: Jul 2008
Posts: 61
i guess im confused because i dont even understand what u mean when u say:
Quote:
You redirect everyone to profile.php after logging them in. On this page you then dynamically create the content from their session. So conceptually:

what do u mean dynamically create the content from their session..
wuts the session?

09-02-2008, 03:29 AM
#14
Novice (Level 1)
Join Date: Apr 2004
Location: Derby, UK
Posts: 8
The session is effectively an array variable that is stored on the server and associated with a specific user using (generally) a cookie. The reason this exists and that we use it is to do with the fundamental statelessness of the web:
User makes request 1
Server replies to request 1
User makes request 2
Server replies to request 2
User makes request 3
Server replies to request 3
etc.
Because the server responds to each request separately with a separate program execution (simplifying), by default nothing is "remembered" between the three requests, unlike a Windows application for example where often everything that the user has done in step one is still true for step two.
For example if on request 1 you set a variable $user = 'jonny' then when the user clicks a link and makes request 2 the server has "forgotten" the value of $user (it was only set for as long as the server was responding to request 1).
This statelessness is fine for the original intent of the web but is very impractical for application building so the concept of cookies was introduced (by Netscape originally IIRC). A cookie is just a piece of information that can be passed back by the server, is then stored on the client machine and passed back with each subsequent request. This gives a limited form of "state" (i.e. memory if you like) as you can set a cookie called user with value jonny on request 1 and then this will continue to exist during request 2, 3 etc.
Don't want to go into too much detail but cookies can either have fixed duration (1 hour, 1 day, 1 year) or be "session" cookies which mean they last until browser is closed.
Building on this, most server side languages have the concept of "session", where a cookie is placed by e.g. PHP itself which uniquely identifies the user as long as they remain connected (strictly there is a timeout, but again simplifying). PHP then uses that unique ID to save an array variable called the session which is automagically reloaded every time the user makes a request and made available to your script. Because it is an array variable you can create as many keys in it as you like and hence it is effectively a whole namespace that you can use to store persistent data relating to the current user.
So if I log in and you give me $_SESSION['user'] = 'dai' on my first request then on every subsequent request you can check $_SESSION['user'] to see who I am and for example output a message saying "hello dai". If you logged in you would get $_SESSION['user'] = 'jgray' and hence a different message displayed.
While the mechanism varies between platforms this concept of session is pretty much universal and whenever you perform a login and then get treated as an individual on a site you can pretty much guarantee it is using sessions (or a cookie based equivalent).
Hopefully all that waffle makes things a bit clearer in previous posts. The basic idea is to store a unique identifier in session when the user logs in, then when they go to the profile page use that unique identifier to load the data you need about them from the database. A slight variation would be to save everything you need into the session when they first log in but this is not as flexible.
HTH,
Dai
Last edited by DaiWelsh : 09-02-2008 at 03:32 AM.

09-02-2008, 05:21 AM
#15
Guru (Moderator)
Join Date: Nov 2005
Location: Preston, England, UK
Posts: 1,044
Okay, I've read a little bit of your code - I assume that this is a 3rd party system that you are using? My initial comments are to move the session_start(); function out of the includes/header.html file and into the includes/config.inc.php - basically to allow you to work with the session variable before the header file is included - this will enable you to include that file later on in other files and stop you having to use output buffering all the time (I will leave this for the login.php page though as it works).
First up a disclaimer: I've not tested this, I've just written it quickly - there may well be mistakes! Right, I'm going to change as little else as necessary to illustrate the point. In your login.php page change the lines:
PHP Code:
<?php
if (@mysqli_num_rows($r) == 1) { // A match was made.
    // Register the values & redirect:
    $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
    mysqli_free_result($r);
    mysqli_close($dbc);
    $url = BASE_URL . 'index.php'; // Define the URL:
    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.
}
?>
To be:
PHP Code:
<?php
if(@mysqli_num_rows($r) == 1)
{
    # Do not store a MySQL resource as the whole $_SESSION variable
    while($row = mysqli_fetch_assoc($r))
    {
        # Just store what you need (you may want more than this!)
        $_SESSION['user_id'] = $row['user_id'];
    }
    mysqli_free_result($r);
    mysqli_close($dbc);
    ob_end_clean(); // Fix for output already being sent...
    header('Location: '.BASE_URL.'profile.php');
    exit;
}
?>
This sets a session variable $_SESSION['user_id'] for later use on any page (persistent) and redirects users to the profile.php page. Then create a new page called profile.php in your root folder (where login.php is found). Put the code below into that file to get you started:
PHP Code:
<?php
# The session must now start in here as the header has been moved down!
require_once('includes/config.inc.php');
# Initialise the local $user_id variable as null
$user_id = null;
# If we have a session use that as our $user_id
if(isset($_SESSION['user_id']))
{
    $user_id = (int)$_SESSION['user_id'];
}
# If we are viewing someone else use that as our $user_id
if(isset($_GET['user_id']))
{
    $user_id = (int)$_GET['user_id'];
}
# We potentially have a user and need to check the database
if(!is_null($user_id))
{
    require_once(MYSQL);
    # register.php writes to the users table, so read from the same one
    $sql = "SELECT first_name,
                   last_name
            FROM users
            WHERE user_id = ".$user_id;
    $result = mysqli_query($dbc, $sql);
    # A query that matches no rows still returns a result, so check the row count too
    if($result && mysqli_num_rows($result) == 1)
    {
        while($row = mysqli_fetch_assoc($result))
        {
            $page_title = $row['first_name'].' '.$row['last_name'].'\'s Profile';
            # Escape database values before putting them into the page body
            $page_content = '<pre>'.htmlspecialchars(print_r($row, true), ENT_QUOTES).'</pre>';
        }
    }
    else
    {
        # User id not found - ERROR
        $page_title = 'User Not Found';
        $page_content = '<p>Sorry, that user could not be found!</p>';
    }
    # Only free the result if the query actually produced one
    if($result)
    {
        mysqli_free_result($result);
    }
    mysqli_close($dbc);
}
else
{
    # No user id specified - ERROR
    $page_title = 'User ID Required';
    $page_content = '<p>Sorry, you must pass a user id to this script!</p>';
}
include('includes/header.html');
echo $page_content;
include('includes/footer.html');
?>
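
An added example, not code from the thread or the site: one way to handle the login step above so that the session holds only the user id and gets a fresh identifier at login, which stops a session id planted before login from being reused afterwards. The helper names (start_session, log_in, current_user_id, log_out), the 30-minute idle limit and HTTPS are assumptions; session_set_cookie_params() with an array needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example. All four helper names are hypothetical; include this from config.inc.php.

/** Start the session with a cookie that page scripts cannot read and that only travels over HTTPS. */
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call once, right after login.php has matched exactly one users row. */
function log_in(array $row): void
{
    start_session();
    session_regenerate_id(true);    // new random id; the pre-login id stops working
    $_SESSION = [                   // keep the id only, never the whole database record
        'user_id'   => (int) $row['user_id'],
        'last_seen' => time(),
    ];
}

/** Clear the session data and remove the server-side session. */
function log_out(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

/** The logged-in user's id, or null when nobody is logged in or the session sat idle too long. */
function current_user_id(int $idleLimit = 1800): ?int
{
    start_session();
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > $idleLimit) {
        log_out();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```

In login.php, log_in($row) would take the place of the $_SESSION['user_id'] assignment, and profile.php would read the viewer's id from current_user_id().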