[RESOLVED] Problem With user restriction for transaction history

XPS710

Hi All
I have this piece of code here, what it does it pulls out all the payment transaction from mysql to the page, I have a membership site setup and everything and every user has its own profile section, but this piece of code shows all the other users payment and records as well,

How Do I restrict each user to view their own payment based on a user? Can I do a quick hardcode?






  define("_VALID_PHP", true);
  require_once("init.php");

  if (!$user->logged_in)
      redirect_to("index.php");
?>


<?php

  $transrow = $member->getPayments($user);

?>

<p class="info">Here you can view all your payment transactions.</p>
<h2><span><a href="controller.php?exportTransactions" title="Export To Excel Format" class="tooltip"><img src="../images/xls.png" alt="" class="img-wrap2"/></a> <a href="index.php?do=transactions&amp;action=salesyear" title="View Sales Report" class="tooltip"><img src="../images/chart.png" alt="" class="img-wrap2"/></a></span>Viewing Transactions</h2>

<table cellpadding="0" cellspacing="0" class="display" border="1">
  <thead>
    <tr>
      <th width="20">#</th>
      <th class="left">Membership Title</th>
      <th class="left">&nbsp;</th>
      <th class="left">Amount</th>
      <th class="left">Payment Date</th>
      <th>Type of OS</th>
      <th>Status</th>

</tr>
  </thead>
  <tbody>
    <?php if($transrow == 0):?>
    <tr>
      <td colspan="8"><?php echo $core->msgAlert('<span>Alert!</span>You don\'t have any transactions yet...',false);?></td>
    </tr>
    <?php else:?>
    <?php foreach ($transrow as $row):?>
    <?php $image = ($row['status'] == 0) ? "pending":"completed";?>
    <?php $status = ($row['status'] == 0) ? 1:0;?>
    <tr>
      <th></th>
      <td><?php echo $row['title'];?> <em>(<?php echo $row['pp'];?>)</em></td>
      <td><?php /*?><a href="index.php?do=users&amp;action=edit&amp;userid=<?php echo $row['user_id'];?>"><?php */?><?php echo $row['username'];?></a></td>
      <td><?php echo $core->formatMoney($row['rate_amount']);?></td>
      <td><?php echo $row['created'];?></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $row['pp'];?>.png"/></td>
      <td align="center"><img src="http://www.hhpc.ca/membership/images/<?php echo $image;?>.png" alt="" class="tooltip img-wrap2" title="Status: <?php echo ucfirst($image);?>"/></td>

</tr>
<?php endforeach;?>
<?php unset($row);?>
<?php if($pager->items_total >= $pager->items_per_page):?>
<tr style="background-color:transparent">
  <td colspan="8"><div class="pagination"><span class="inner"><?php echo $pager->display_pages();?></span></div></td>
</tr>
<?php endif;?>
<?php endif;?>
  </tbody>
</table>

dagon

$transrow = $member->getPayments($user);

i would assume where ever that runs it takes $user to restrict what is shown. So either its not working like that, or perhaps $user is not a valid user id. but there's to much missing code to say any more than that.

XPS710

dagon;10997111 wrote:
$transrow = $member->getPayments($user); 
i would assume where ever that runs it takes $user to restrict what is shown. So either its not working like that, or perhaps $user is not a valid user id. but there's to much missing code to say any more than that.

Thats what i have below


  public function getPayments($where = false, $from = false)
      {
		  global $db, $core, $pager, $row, $user;

	  require_once(BASEPATH . "lib/class_paginate.php");

      $pager = new Paginator();
      $counter = countEntries($this->pTable);
      $pager->items_total = $counter;
      $pager->default_ipp = $core->perpage;
      $pager->paginate();

      if ($counter == 0) {
          $pager->limit = null;
      }

      $clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";

	  if (isset($_GET['sort'])) {
		  list($sort, $order) = explode("-", $_GET['sort']);
		  $sort = sanitize($sort);
		  $order = sanitize($order);
		  if (in_array($sort, array("user_id", "rate_amount", "pp", "date"))) {
			  $ord = ($order == 'DESC') ? " DESC" : " ASC";
			  $sorting = " p." . $sort . $ord;
		  } else {
			  $sorting = " p.date DESC";
		  }
	  } else {
		  $sorting = " p.date DESC";
	  }

      if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') {
          $enddate = date("Y-m-d");
          $fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
          if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
              $enddate = $_POST['enddate'];
          }
          $clause .= " WHERE p.date BETWEEN '" . trim($fromdate) . "' AND '" . trim($enddate) . " 23:59:59'";
      } 

      $sql = "SELECT p.*, p.id as id, u.username, m.title,"
	  . "\n DATE_FORMAT(p.date, '%d. %b. %Y.') as created"
	  . "\n FROM ".$this->pTable." as p"
	  . "\n LEFT JOIN users as u ON u.id = p.user_id" 
	  . "\n LEFT JOIN ".$this->mTable." as m ON m.id = p.membership_id" 
	  . "\n " . $clause . " ORDER BY " . $sorting . $pager->limit;

      $row = $db->fetch_all($sql);

	  return ($row) ? $row : 0;
  }

dagon

$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : "";

$where is $user, so does that make sense? unless you strangely call your user id "rate_amount"

XPS710

dagon;10997114 wrote:
$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : ""; 
$where is $user, so does that make sense? unless you strangely call your user id "rate_amount"

Hey,

Thanks for your reply, but do you happen to know how to restrict users from seeing others records?

Thanks!

dagon

XPS710;10997118 wrote:
Hey,

Thanks for your reply, but do you happen to know how to restrict users from seeing others records?

Thanks!

well that's the question I have been answering from the beginning!

XPS710

dagon;10997119 wrote:
well that's the question I have been answering from the beginning!

I appreciate that!, here is my user class below:


<?php
  /**
   * User Class
   *
   * @copyright 2010
   * @version $Id: class_user.php, v2.00 2011-07-10 10:12:05 gewa Exp $
   */

  if (!defined("_VALID_PHP"))
      die('Direct access to this location is not allowed.');

  class Users
  {
	  private $uTable = "users";
	  public $logged_in = null;
	  public $uid = 0;
	  public $userid = 0;
      public $username;
	  public $email;
	  public $name;
	  public $membership_id = 0;
      public $userlevel;
	  private $lastlogin = "NOW()";


  /**
   * Users::__construct()
   * 
   * @return
   */
  function __construct()
  {
	  $this->getUserId();
	  $this->startSession();
  }

  /**
   * Users::getUserId()
   * 
   * @return
   */
  private function getUserId()
  {
  	  global $core;
	  if (isset($_GET['userid'])) {
		  $userid = (is_numeric($_GET['userid']) && $_GET['userid'] > -1) ? intval($_GET['userid']) : false;
		  $userid = sanitize($userid);

		  if ($userid == false) {
			  $core->error("You have selected an Invalid Userid","Users::getUserId()");
		  } else
			  return $this->userid = $userid;
	  }
  }  

  /**
   * Users::startSession()
   * 
   * @return
   */
  private function startSession()
  {
	session_start();
	$this->logged_in = $this->loginCheck();

	if (!$this->logged_in) {
		$this->username = $_SESSION['username'] = "Guest";
		$this->userlevel = 0;
	}
  }

  /**
   * Users::loginCheck()
   * 
   * @return
   */
  private function loginCheck()
  {
      if (isset($_SESSION['username']) && $_SESSION['username'] != "Guest") {

          $row = $this->getUserInfo($_SESSION['username']);
		  $this->uid = $row['id'];
          $this->username = $row['username'];
		  $this->email = $row['email'];
		  $this->name = $row['fname'].' '.$row['lname'];
          $this->userlevel = $row['userlevel'];
		  $this->membership_id = $row['membership_id'];
          return true;
      } else {
          return false;
      }  
  }

  /**
   * Users::is_Admin()
   * 
   * @return
   */
  public function is_Admin()
  {
	  return($this->userlevel == 9);

  }	

  /**
   * Users::login()
   * 
   * @param mixed $username
   * @param mixed $pass
   * @return
   */
  public function login($username, $pass)
  {
	  global $db, $core;

	  if ($username == "" && $pass == "") {
		  $core->msgs['username'] = 'Please enter valid username and password.';
	  } else {
		  $status = $this->checkStatus($username, $pass);

		  switch ($status) {
			  case 0:
				  $core->msgs['username'] = 'Login and/or password did not match to the database.';
				  break;

			  case 1:
				  $core->msgs['username'] = 'Your account has been banned.';
				  break;

			  case 2:
				  $core->msgs['username'] = 'Your account it\'s not activated.';
				  break;

			  case 3:
				  $core->msgs['username'] = 'You need to verify your email address.';
				  break;
		  }
	  }
	  if (empty($core->msgs) && $status == 5) {
		  $row = $this->getUserInfo($username);
		  $this->uid = $_SESSION['userid'] = $row['id'];
		  $this->username = $_SESSION['username'] = $row['username'];
		  $this->email = $_SESSION['email'] = $row['email'];
		  $this->name = $_SESSION['userlevel'] = $row['userlevel'];
		  $this->userlevel = $_SESSION['userlevel'] = $row['userlevel'];
		  $this->membership_id = $_SESSION['membership_id'] = $row['membership_id'];

		  $data = array(
				'lastlogin' => $this->lastlogin, 
				'lastip' => sanitize($_SERVER['REMOTE_ADDR'])
		  );
		  $db->update($this->uTable, $data, "username='" . $this->username . "'");
		  if(!$this->validateMembership()) {
			$data = array(
				  'membership_id' => 0, 
				  'mem_expire' => "0000-00-00 00:00:00"
			);
			$db->update($this->uTable, $data, "username='" . $this->username . "'");
		  }

		  return true;
	  } else
		  $core->msgStatus();
  }

  /**
   * Users::logout()
   * 
   * @return
   */
  public function logout()
  {
      unset($_SESSION['username']);
	  unset($_SESSION['email']);
	  unset($_SESSION['name']);
	  unset($_SESSION['membership_id']);
      unset($_SESSION['userid']);
      session_destroy();
	  session_regenerate_id();

      $this->logged_in = false;
      $this->username = "Guest";
      $this->userlevel = 0;
  }

  /**
   * Users::getUserInfo()
   * 
   * @param mixed $username
   * @return
   */
  private function getUserInfo($username)
  {
	  global $db;
	  $username = sanitize($username);
	  $username = $db->escape($username);

	  $sql = "SELECT * FROM " . $this->uTable . " WHERE username = '" . $username . "'";
	  $row = $db->first($sql);
	  if (!$username)
		  return false;

	  return ($row) ? $row : 0;
  }

  /**
   * Users::checkStatus()
   * 
   * @param mixed $username
   * @param mixed $pass
   * @return
   */
  public function checkStatus($username, $pass)
  {
	  global $db;

	  $username = sanitize($username);
	  $username = $db->escape($username);
	  $pass = sanitize($pass);

      $sql = "SELECT password, active FROM " . $this->uTable
	  . "\n WHERE username = '".$username."'";
      $result = $db->query($sql);

	  if ($db->numrows($result) == 0)
		  return 0;

	  $row = $db->fetch($result);
	  $entered_pass = sha1($pass);

	  switch ($row['active']) {
		  case "b":
			  return 1;
			  break;

		  case "n":
			  return 2;
			  break;

		  case "t":
			  return 3;
			  break;

		  case "y" && $entered_pass == $row['password']:
			  return 5;
			  break;
	  }
  }

  /**
   * Users::getUsers()
   * 
   * @param bool $from
   * @return
   */
  public function getUsers($from = false)
  {
	  global $db, $pager, $core;

	  require_once(BASEPATH . "lib/class_paginate.php");
      $pager = new Paginator();

      $counter = countEntries($this->uTable);
      $pager->items_total = $counter;
      $pager->default_ipp = $core->perpage;
      $pager->paginate();

      if ($counter == 0) {
          $pager->limit = null;
      }

	  if (isset($_GET['sort'])) {
		  list($sort, $order) = explode("-", $_GET['sort']);
		  $sort = sanitize($sort);
		  $order = sanitize($order);
		  if (in_array($sort, array("username", "fname", "lname", "email", "created"))) {
			  $ord = ($order == 'DESC') ? " DESC" : " ASC";
			  $sorting = " u." . $sort . $ord;
		  } else {
			  $sorting = " u.created DESC";
		  }
	  } else {
		  $sorting = " u.created DESC";
	  }

	  $clause = (isset($clause)) ? $clause : null;

      if (isset($_POST['fromdate']) && $_POST['fromdate'] <> "" || isset($from) && $from != '') {
          $enddate = date("Y-m-d");
          $fromdate = (empty($from)) ? $_POST['fromdate'] : $from;
          if (isset($_POST['enddate']) && $_POST['enddate'] <> "") {
              $enddate = $_POST['enddate'];
          }
          $clause .= " WHERE u.created BETWEEN '" . trim($fromdate) . "' AND '" . trim($enddate) . " 23:59:59'";
      } 

      $sql = "SELECT u.*, CONCAT(u.fname,' ',u.lname) as name, m.title, m.id as mid,"
	  . "\n DATE_FORMAT(u.created, '%d. %b. %Y.') as cdate,"
	  . "\n DATE_FORMAT(u.lastlogin, '%d. %b. %Y.') as adate"
	  . "\n FROM " . $this->uTable . " as u"
	  . "\n LEFT JOIN memberships as m ON m.id = u.membership_id" 
	  . "\n " . $clause
	  . "\n ORDER BY " . $sorting . $pager->limit;
      $row = $db->fetch_all($sql);

	  return ($row) ? $row : 0;
  }

XPS710

and Sorry I ran out of ideas

dagon

You're clearly not bothering to even read my replies, so I'll go back to my job now, good luck.

XPS710

dagon;10997122 wrote:
You're clearly not bothering to even read my replies, so I'll go back to my job now, good luck.

Hey I did read your replies, I know you mentioned $where is $user but, I dont know how to restrict that

bradgrafelman

The problem as I see it is that the getPayments() method wasn't designed to get payments for a single user, thus it doesn't expect to receive any parameters relating to a specific user ID. That's why this:

$member->getPayments($user);

makes no sense at all, since it's being used here:

$clause = ($where) ? " WHERE p.rate_amount LIKE '&#37;" . intval($where) . "%'" : "";

as dagon pointed out above.

Instead, you'd probably want to add a new parameter that was designed for the purpose of accepting a user ID to modify the behavior of the method. Inside the method, you would then check to see if this parameter was specified and, if so, add a condition to your WHERE clause such that only records matching that user ID are SELECT'ed.

XPS710

bradgrafelman;10997124 wrote:
The problem as I see it is that the getPayments() method wasn't designed to get payments for a single user, thus it doesn't expect to receive any parameters relating to a specific user ID. That's why this:
$member->getPayments($user); 
makes no sense at all, since it's being used here:
$clause = ($where) ? " WHERE p.rate_amount LIKE '%" . intval($where) . "%'" : ""; 
as dagon pointed out above.

Instead, you'd probably want to add a new parameter that was designed for the purpose of accepting a user ID to modify the behavior of the method. Inside the method, you would then check to see if this parameter was specified and, if so, add a condition to your WHERE clause such that only records matching that user ID are SELECT'ed.

Thanks for explaining it, do you know any example i can find to implement this parameter?

bradgrafelman

Well the function itself already accepts two parameters, so I'd say two examples of function parameters can be found by simply looking at the code you've already got. There's also the PHP manual: [man]functions.arguments[/man].

XPS710

bradgrafelman;10997127 wrote:
Well the function itself already accepts two parameters, so I'd say two examples of function parameters can be found by simply looking at the code you've already got. There's also the PHP manual: [man]functions.arguments[/man].

Thanks I probably wont be able to do it myself, my php skill is not as good.