I'm having a probelm with my profile code

Brand_Hill

My friends and I recently created a directory for clubs. Recently we found that after logging in, a user can jump onto another club's profile by changing the id number in the address box. While we did develop code designed to block a member from doing that, the code does not seem to work. I've also noticed that when I log in to Yahoo! or any one of the forums I've registered to, my user id does not appear. I know that this is the answer I'm looking for, but I don't know the code to do it.

Does anyone know the code to hide the users id from the address box?

HalfaBee

Try using sessions or cookies.

HalfaBee

helz

my old login script was using cookies, but it only worked for one user and not the rest... wierd i know, didnt manage to fix it, so someone said to me to try sessions, still not got it up and running yet, but here is my profile.php file that gets the username from the cookie that is set

heres the code:

<?php
require ("".$DOCUMENT_ROOT."/cgi-bin/connect.php");
$username = $_COOKIE['membername'];
global $username;

if (isSet($_POST['id'])) { 
  # setup SQL statement 
  $SQL = " UPDATE ".$membertable." SET";  

  $SQL = $SQL . " email = '".$_POST['email']."', ";
  $SQL = $SQL . " hg = '".$_POST['hg']."', ";
  $SQL = $SQL . " hs = '".$_POST['hs']."', ";
  $SQL = $SQL . " yob = '".$_POST['yob']."', "; 
  $SQL = $SQL . " www = '".$_POST['www']."' ";
  $SQL = $SQL . " WHERE id = '".$_POST['id']."' ";  

  # execute SQL statement 
  $result = mysql_db_query($db,$SQL,$cid);  

  # check for errors 
  if (mysql_error()) {  

   echo("ERROR: " . mysql_error() . "\n$SQL\n");  

  }else{ 
      echo ("<B>Profile Updated</B><br><br><a href='javascript:window.close();'>Close This Window</a>\n");  

  }  

} else {
		$sql = "SELECT * FROM ".$membertable." WHERE username = '".$username."' ";
        $result = mysql_query($sql);

if(mysql_num_rows($result)) {
   while ($row = mysql_fetch_array($result)) {
	  $yob = $row["yob"];
      $id = $row["id"];
	  $email = $row["email"];
      $hg = $row["hg"];
	  $hs = $row["hs"];
	  $www = $row["www"];

   } // while
} // if
echo "<form name='profile' method='post' action='profile.php'>
<table border=1 bordercolor='#CCCCCC'>
	<tr><td colspan=2><input name='id' type='hidden' value='".$id."'>Your Member ID is ".$id."</td></tr>
	<tr><td>Username</td><td><input name='username' type='hidden' value=".$username.">".$username."</td></tr>
    <tr><td>Email Address</td><td><input name='email' type='text' value=".$email."></td></tr>
    <tr><td>Website URL</td><td><input name='www' type='text' value=".$[url]www.[/url]"></td></tr>
    <tr><td>Highest Game</td><td><input name='hg' type='text' maxlength=3 value=".$hg."></td></tr>
    <tr><td>Highest Series</td><td><input name='hs' type='text' maxlength=3 value=".$hs."></td></tr>
	<tr><td>Year of Birth: yyyy</td><td><input name='yob' type='text' maxlength=4 value=".$yob."></td></tr>
	<tr><td colspan=2><input type='submit' name='submit' value='Edit Info'></td></tr>
</table>
</form>";
}
}
mysql_close($cid);
?>