|
PHP - Only Allow Members Who Have Paid W/ Tokens To Download
Im creating a token system where if a user uploads notes they get tokens and can download other peoples notes. My problem is I am not sure where to store the information for who has bought the note for future download. Should I store the information in the database under the table that looks after the notes, in its own table, or in a file that has arrays of the Note names and the users who are allowed to download it.
I figured the best way would to have it in the db table that looks after the users but im not sure how I would get about making it so that every time the user bought another note I didnt have to add a new field. Similar TutorialsI have mysql table titled fee_payment.
details of the table:
fee_payment Table
payment_id student_id name class term year date amount
1 6 john JHS2 2nd_term 2013 23-04-2013 56 67
2 6 john JHS2 2nd_term 2013 23-04-2013 56 34
3 5 peter JHS3 3rd_term 2014 23-04-2014 56 85
4 6 john JHS2 2nd_term 2014 23-04-2014 56 76
5 6 john JHS2 3rd_term 2014 23-04-2014 56 34
6 6 john JHS2 2nd_term 2014 23-04-2014 56 23
7 5 peter JHS2 3rd_term 2014 23-04-2014 56 43
what i need to do now is to sum total amount paid by each student so that i can view payment records based on term and year.
what i have tried:
Controller:
/******MANAGE FEE PAYMENTS / INVOICES WITH STATUS*****/ function payfees($param1 = '', $param2 = '', $param3 = '') { if ($this->session->userdata('admin_login') != 1) redirect(base_url(), 'refresh'); if ($param1 == 'create') { $data['student_id'] = $this->input->post('student_id'); $data['name'] = $this->input->post('name'); $data['class_id'] = $this->input->post('class'); $data['term'] = $this->input->post('term'); $data['year'] = $this->input->post('year'); $data['amount'] = $this->input->post('amount'); $data['creation_timestamp'] = strtotime($this->input->post('date')); $this->db->insert('fee_payment', $data); redirect(base_url() . 'index.php?admin/payfees', 'refresh'); } if ($param1 == 'do_update') { $data['student_id'] = $this->input->post('student_id'); $data['class_id'] = $this->input->post('class'); $data['term'] = $this->input->post('term'); $data['year'] = $this->input->post('year'); $data['amount'] = $this->input->post('amount'); $data['creation_timestamp'] = strtotime($this->input->post('date')); $this->db->where('payment_id', $param2); $this->db->update('fee_payment', $data); redirect(base_url() . 'index.php?admin/payfees', 'refresh'); } else if ($param1 == 'edit') { $page_data['edit_data'] = $this->db->get_where('fee_payment', array( 'payment_id' => $param2 ))->result_array(); } if ($param1 == 'delete') { $this->db->where('payment_id', $param2); $this->db->delete('fee_payment'); redirect(base_url() . 'index.php?admin/payfees', 'refresh'); } $page_data['page_name'] = 'payfees'; $page_data['page_title'] = get_phrase('fee_payment'); $this->db->order_by('creation_timestamp', 'term'); $page_data['payments'] = $this->db->get('fee_payment')->result_array(); $this->load->view('index', $page_data); } The Invoice: <div class="box-content"> <?php foreach($edit_data as $row):?> <div class="pull-left"> <span style="font-size:20px;font-weight:100;"> <?php echo get_phrase('payment_to');?> <img width="50" height="30" src="<?php echo base_url();?>uploads/logo.png" style="max-height:100px;margin:20px 0px;" /> </span> <br /> <?php echo $system_name;?> <br /> <?php echo $this->db->get_where('settings' , array('type'=>'address'))->row()->description;?> </div> <div class="pull-right"> <span style="font-size:20px;font-weight:100;"> <?php echo get_phrase('credited_account:');?> </span> <br /> <?php echo $this->db->get_where('student' , array('student_id'=>$row['student_id']))->row()->name;?> <br /> <?php echo get_phrase('student_id');?> : <?php echo "FAVECSID0000", $this->db->get_where('student' , array('student_id'=>$row['student_id']))->row()->student_id;?> <br /> <?php echo get_phrase('class');?> : <?php $class_id = $this->db->get_where('student' , array('student_id'=>$row['student_id']))->row()->class_id; echo $this->db->get_where('class' , array('class_id'=>$class_id))->row()->name; ?> </div> <div style="clear:both;"></div> <hr /> <table width="100%" background="http://localhost/sch...backlogos.png"> <tr style="background-color:#7087A3; color:#fff; padding:5px;"> <td style="padding:5px;"><?php echo get_phrase('payment_details');?></td> <td width="30%" style="padding:5px;"> <div class="pull-right"> <?php echo get_phrase('amount');?> </div> </td> </tr> <tr> <td> <span style="font-size:20px;font-weight:100;"> <?php echo get_phrase('payment_made');?> </span> <br /> </td> <td width="30%" style="padding:5px;"> <div class="pull-right"> <span style="font-size:20px;font-weight:100;"> <?php echo "Gh", $row['amount'];?> </span> </div> </td> </tr> <tr> <tr> <td> <span style="font-size:20px;font-weight:100;"> <?php echo get_phrase('balance');?> </span> <br /> <?php echo $row['description'];?> <?php $exams = $this->db->get_where('fee_payment', array('student_id'=>$row['student_id']))->result_array(); foreach($exams as $row): ?> <?php $ttpaid = sum($row['amount']); echo $ttpaid;?> <?php endforeach; ?> </td> <td width="30%" style="padding:5px;"> <div class="pull-right"> <span style="font-size:20px;font-weight:100;"> <?php $tuition = $this->db->get_where('student' , array('student_id'=>$row['student_id']))->row()->tuition_fee; $status = $this->db->get_where('student' , array('student_id'=>$row['student_id']))->row()->status_fee; $total_fees = $tuition + $status; $balance_fee = $total_fees - $row['amount']; echo "Gh", $balance_fee; ?> </span> </div> </td> </tr> <tr> <td></td> <td width="30%" style="padding:5px;"> <div class="pull-right"> <hr /> <?php echo get_phrase('status');?> : <?php echo $row['status'];?> <br /> <?php echo get_phrase('receipt_no:');?> : <?php echo "FAVECSFP0000",$row['payment_id'];?> <br /> <?php echo get_phrase('date');?> : <?php echo date('m/d/Y', $row['creation_timestamp']);?> </div> </td> </tr> </table> <br /> <br /> <?php endforeach;?> </div> </div> output: ayment To fffff P O BOX 126 Credited Account: john Student Id : FAVECSID00006 Class : JHS2A I have noticed that many websites and php software generate a random token and put it in a hidden form field to be sent to the php page that gets the form. I was just wondering, if anyone knows how this makes a php script more secure? And is it worth it to put this in my application? I have read up a few tutorials on this, but it doesn't specifically say why this is more secure than not having it. The only reason I could find is that it helps making sure you don't make duplicate form submissions, however, I have always gone around this through by redirecting the user to a page saying the form was submitted successfully. Cheers for your help. I am using JWT for an API authentication and like them. Previously, I would query both some GUID and the user's ID (which wasn't their PK but a unique key per GUID), but now I just include both the account and user's DB PK in the token. Also, including something regarding the user's permissions, however, I still haven't bought into this approach as I don't know how to deal with changing permissions and still having some JWT with different permissions floating around. I suppose I could save the JWT's timestamp in the DB, but that seems to eliminate the benefit of token expirations... Sorry, back to the question at hand. I now have a need to provide emails with a reduced subset of endpoints to either view some resource or update some status. I don't want to make the user first go to some website and then include the JWT in the header, but instead just a single click action. Problem is now I have their JWT which is effectively their password in some email which isn't ideal, and their is no way to ensure that the specific user was the individual that viewed the resource or performed some action. Then I thought maybe I would make some common low access JWT and use the exact same GET routes as I would do so normally and create some new GET routes to emulate main application POST/PUT/PATCH routes. Before going down that path, I would like to investigate other solutions. Often single use tokens are used to reset passwords and other actions which should only performed once and this is not my need but maybe close. I am thinking of creating a token that includes the actual resource path with URL parameters along with the HTTP method. Since everything is in the token, I wouldn't need a typical REST path to identify the resource but would have a single endpoint to retrieve them. I searched for related information and didn't find anything which makes me concerned I am going down a rabbit hole. Any thoughts on how to implement this? Thanks Hi Is it necessary to hash stored access and refresh tokens that are stored in a database. Both these tokens have limited lifespan (access token - 20 minutes but refresh token is 14 days). The reason I ask is I have hashed the tokens using the password_hash function but a user can have multiple active sessions if they want (so there is a sessions table with user id (not username), access token, token expiry date/time, refresh token and refresh token expiry date/time. So in order to refresh the access token I have to do a look up to see which session it relates to, what I have found is that I must retrieve all rows where the refresh token hasn't expired and then run password_verify against the tokens stored with the tokens provided to check each session to see if they match. What I have found is that it takes a while to run the password_verify function (by design I think) for each row (could be many if the users has been silly and logged in lots of time) which would cause an unacceptable delay when calling an API with an access token that needs refreshing (my tests resulted in times upwards of 30 seconds for a user who has around 10 active sessions). If both tokens were not hashed the same action to refresh a token for a user who has 10 active sessions takes less than a second which is much more acceptable. Edited December 15, 2018 by mds1256i want to make virtual money (credits, tokens) whatever you want to call it but make no mistake this is not for profit at this point but i like the concept of visitors having something to do with other members of site for example to kill bordom and create a reason to play games, compete in competetions, it will have to conversion to real money at this point but i wish to do this script using php and mysql and have very basic coding skills in these areas anyone please help me make this script... reply and let me know if you like this idea please help me as this is achievable as fb has it and more sites are moving toward these same ideas, even tho fb is real money it is more to do with fun at this point until we do this stage another stage canot proceed it. I would like to create a script to check wether a user has made a payment to access a members only area of my site, much like a check-login script that checks if the user has logged in, i need it do do a similar check only its not looking to see if the user is logged in but if they have ever paid and if not; send them to the payments page before the access is granted... What section(s) if any, do i need to modify from this check-login script to change it to check for their payments? Code: [Select] <?php ob_start(); // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $myusername and $mypassword $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); header("location:login_success.php"); } else { echo "Wrong Username or Password"; } ob_end_flush(); ?>
Basically I would like to place a link on my website and have the user download a file, but rather than just right clicking and choosing save target as, the link must be clicked, on the next page the file is fetched and then the client can download the file. How would I go about setting this up please? I have a payment button for PayPal which securely stores the amount, but when the payment is made how do i know if it was paid or not so i can get the page to store this in the mysql database? I am developing paid property listing php website, I do not have al lot of scripting/database experience that is why I am farming this part of the work out. This website will provide a listing service which real estate agents can go to the site and look at the properties. They can search by Zip, city, or Sale by Owner. Alternatively, they can look at all the properties or recently posted. They will be able to see one tiny thumbnail with limited info like zip code/city. In order to see more pictures or get address info they will need to sign up and pay for each property to get more pics/info. So I need the script/scripts to do the following: 1. Provide all the search criteria as listed above (search by zip, search by city, Sale by Owner, Page that populates all the properties) 2. Provide a database interface so that I can upload the pics and enter new entries that will dynamically embed into my site. 3. Provide user access (new and existing) 4. Provide a shopping cart and payment gateway (Provide options for both Paypal and traditional Credit Card payment gateways) which will then allow the user access to the full info. 5. Must be able to integrate into my existing website/CSS If you are wondering if this will work, do not worry. My guy is taking the pics and getting the info has been getting business from real estate agents with this by word of mouth, it will work. Let me know ASAP as I am taking bids and looking to implement quickly. I can send a mock up by the man doing the property finding. Let me know what other info you need in order to get an accurate quote. best regards, Jordan McGehee I have a contact form with a file upload button, when you click on “submit” you are redirected on Paypal everything works fine but, I would like to send the contact form only when visitors have paid on Paypal. I’ve searched on google but I have not found a way to do this. Can anyone help? Cheers, Aidan. I created a field in "b_users" table as "banned" with default value="no". i.e, all members by default are set to "banned"="no". I was testing this code in my some pages to ban member and prevent access to my pages: $getid="SELECT * from b_users where id='$user_id'"; if($getid[banned]=="yes") { die("<center>You have been banned from posting</center>"); } else { show page Above code is banning all members. But i want to show ban message to members who's "banned" field value is set to "yes" only. How to do that? i been working on my view Members page for a while now i can't seem to get it to work right this is how i shows up for me and i want it to show up like this i think it has something to do with the loop, but have no idea how to fix this :S <?php require_once('settings.php'); checkLogin('1 2'); $Members = mysql_query("SELECT * FROM users") or die(mysql_error()); $numRowsMembers = mysql_num_rows($Members); ?> <?php for($count = 1; $count <= $numRowsMembers; $count++) { $name = mysql_fetch_array($Members); ?> <table border=2> <tr><td><img src="<? echo $name['main_P']?>" width="50" height="50"/> <a href="view_profile.php?username=<? echo $name['Username']?>"><? echo $name['Username']?></a> <? $onlinestatus = $name['ON_OFF']; if ( $onlinestatus == OFFLINE ) { echo ""; } else { echo "<font color=green>Online Now!</font>"; } ?> </td></tr></table> <? } ?> Hi Guys, I was wondering how I could wrap my members page so that only 5 members appear at a time and you have to click the next button to go onto the next page. Here is the current code. Code: [Select] $userid = $_SESSION['userid']; $query = "SELECT username, first_name, last_name, password, email, dob, mob, yob, year, gender FROM spotty WHERE user_id = '" . $userid . "'"; $query2 = "SELECT user_id FROM spotty WHERE user_id = '" . $userid . "'"; $result = mysql_query($query) or die('Error Getting Information Requested'); $result2 = mysql_query($query2) or die('Error Getting user_id'); $row = mysql_fetch_array($result); $row2 = mysql_fetch_array($result2); //$result = mysql_query($query); $num = mysql_num_rows($result2); $username = $row['username'] ; if($_SESSION['userid'] == NULL) { echo "Sorry, wrong username or password. You will be redirected in 5 seconds."; echo "<meta http-equiv='refresh' content='7;url=http://www.klueless.net/daisysite'>"; } else { echo "Members."; echo "<br />"; $membsquery="SELECT * FROM spotty WHERE showmem = '0'"; $membs=mysql_query($membsquery); $num=mysql_numrows($membs); $membresult = mysql_result($membs,$i,"user_id"); $useridname = $membresult['username']; echo "<br /> <br />" ; echo "<table border='0' cellspacing='2' cellpadding='2'> <tr> <font face='Comic Sans MS, cursive'>Click on a username to see their profile.</font> <br /> <br /> </tr>"; $i = 0; while ($i < $num) { $f1 = "<font face='Verdana, Geneva, sans-serif'><a href='profile.php?id=" . mysql_result($membs,$i,"user_id") . "'>" . mysql_result($membs,$i,"username") . "</a><br /><br />"; echo "<tr> <td>" . $f1 ."</font></td> </tr> </table>" ; $i++; } } mysql_close() ?> Thanks in advance! Hi guys, Im trying to get my members_profile.php to display the users profile.... I.e members_profile.php?boxerman will display my information. I've been at it for hours but no luck... This is what im trying to code: <?php include ("connect.php") $username = $_GET['username']; $user = mysql_query("SELECT * FROM user WHERE username = '$username'"); $user=mysql_fetch_assoc($user); echo "<h1>User Info</h1>"; echo "<b>Username:".$user['username']."<br>"; echo "<br>"; echo '<form name="backlistfrm" method="post" action="members.php">'; echo '<input type="submit" value="Back to The List">'; echo '</form>'; echo "<br>"; ?> It displays nothing when going to members_profile.php?boxerman Any advice as to why? Regards, B-Man $_GET["find"] displays all users including the current user. The current user should not be displayed. I would like to display members that are NOT friends with the current user. Do I need to join the tables to make this work? $_GET["add"] inserts "screen_name" into "member and friendwith" Code: [Select] <?php if(isset($_GET["find"])) { $username = $_POST["screen_name"]; $query = "SELECT * FROM users WHERE screen_name LIKE '%$username%'"; $result = mysql_query($query); $exist = mysql_num_rows($result); if($exist=='0') { echo "No match found"; } else { echo "Matches for search: $username<br>"; while($currow = mysql_fetch_array($result)) { ?> <a href="users/member?addfriend=<?php echo $currow['screen_name']; ?>"><img src="avatars/<?php echo $currow["image"]; ?>" ></a> <?php } } } if(isset($_GET["add"])) { $username = $_SESSION["screen_name"]; $friend = $_GET["add"]; $query = "SELECT * FROM friends WHERE member='$username' AND friendwith='$friend'"; $result = mysql_query($query); $exist = mysql_num_rows($result); if($exist=='0') { $query = "INSERT INTO friends(member,friendwith) VALUES('$username','$friend')"; mysql_query($query); echo "$friend is now your friend!"; } else { echo "$friend is already your friend!"; } } ?> I'm getting the dreaded " Invalid parameter number: number of bound variables does not match number of tokens" error and I've looked at this for days. Here is what my table looks like:
| id | int(4) | NO | PRI | NULL | auto_increment | | user_id | int(4) | NO | | NULL | | | recipient | varchar(30) | NO | | NULL | | | subject | varchar(25) | YES | | NULL | | | cc_email | varchar(30) | YES | | NULL | | | reply | varchar(20) | YES | | NULL | | | location | varchar(50) | YES | | NULL | | | stationery | varchar(40) | YES | | NULL | | | ink_color | varchar(12) | YES | | NULL | | | fontchosen | varchar(30) | YES | | NULL | | | message | varchar(500) | NO | | NULL | | | attachment | varchar(40) | YES | | NULL | | | messageDate | datetime | YES | | NULL |Here are my params:
$params = array(
':user_id' => $userid,
':recipient' => $this->message_vars['recipient'],
':subject' => $this->message_vars['subject'],
':cc_email' => $this->message_vars['cc_email'],
':reply' => $this->message_vars['reply'],
':location' => $this->message_vars['location'],
':stationery' => $this->message_vars['stationery'],
':ink_color' => $this->message_vars['ink_color'],
':fontchosen' => $this->message_vars['fontchosen'],
':message' => $messageInput,
':attachment' => $this->message_vars['attachment'],
':messageDate' => $date );
Here is my sql:
$sql = "INSERT INTO messages (user_id,recipient, subject, cc_email, reply, location,stationery, ink_color, fontchosen, message,attachment) VALUES( $userid, :recipient, :subject, :cc_email, :reply, :location, :stationery, :ink_color, :fontchosen, $messageInput, :attachment, $date);";
And lastly, here is how I am calling it:
$dbh = parent::$dbh;
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
if (empty($dbh)) return false;
$stmt = $dbh->prepare($sql);
$stmt->execute($params) or die(print_r($stmt->errorInfo(), true));
if (!$stmt) { print_r($dbh->errorInfo()); }
I know my userid is valid and and the date is set above (I've echo'd these out to make sure). Since the id is auto_increment, I do not put that in my sql (though I've tried that too), nor in my params (tried that too). What am I missing? I feel certain it is something small, but I have spent days checking commas, semi-colons and spelling. Can anyone see what I'm doing wrong?
hey guys, im new to PHP and im trying to use a login script that allows users to register and login to my site from my database. on my login/register pages i get this error Warning: mysql_pconnect() [function.mysql-pconnect]: Unknown MySQL server host 'host' (1) in /home/hullcale/public_html/dbConfig.php on line 12 Error connecting to database. Warning: mysql_select_db() [function.mysql-select-db]: Access denied for user 'hullcale'@'localhost' (using password: NO) in /home/hullcale/public_html/dbConfig.php on line 20 Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /home/hullcale/public_html/dbConfig.php on line 20 it seems like al my problems are from my page dbConfig.php on line 12 and 20, problem is i dont know how to edit them, here is the code from that page... things you may need to know is my databse is called hullcale_database, user is Admin, password is password, as for host im not actually sure where i get this from? any tips?! <? // Replace the variable values below // with your specific database information. $host = "localhost"; $user = "UserName"; $pass = "Password"; $db = "dbName"; // This part sets up the connection to the // database (so you don't need to reopen the connection // again on the same page). $ms = mysql_pconnect(host, $user, $pass); if ( !$ms ) { echo "Error connecting to database.\n"; } // Then you need to make sure the database you want // is selected. mysql_select_db($db); ?> This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=317715.0 I'm using 3 files to try and mass mail my members, massmail.php massmail-exe.php and elist.php massmail.php <form name="massmail" method="post" action="./massmail-exe.php"> <table width="450px"> <tr> <td valign="top"> <label for="subject">Subject</label> </td> <td valign="top"> <input type="text" name="subject" maxlength="50" size="30" id="subject"> </td> </tr> <tr> <td valign="top"> <label for="message">Email Content</label> </td> <td valign="top"> <textarea name="message" maxlength="9001" cols="100" rows="18" id="message"></textarea> </td> </tr> <tr> <td colspan="2" style="text-align:center"> <input type="submit" value="Submit"> </td> </tr> </table> </form> massmail-exe.php <?php // read the list of emails from the file. $email_list = file("./elist.php"); // count how many emails there are. $total_emails = count($email_list); // go through the list and trim off the newline character. for ($counter=0; $counter<$total_emails; $counter++) { $email_list[$counter] = trim($email_list[$counter]); } // implode the list into a single variable, put commas in, apply as $to value. $to = implode(",",$email_list); if ( mail($to,$_POST["subject"],$_POST["message"]) ) { echo "The email has been sent!"; } else { echo "The email has failed!"; } ?> and elist.php which has the email addresses. What is wrong because every time i try and send it it say query failed. Thanks so much. Hi i followed a tutorial to create a register, login, members list and member profile pages but when i register, login and go to members list, the page its blank, i viewed the source code for the members page and its clearly trying to show something but i dont know what to do? Can any body help me please. |
|||||||