PHP - Are Donations To Specific Users Okay?

I just discovered that I have a major security flaw with my website.
Anyone who logs in to the website can easily access other users information as well as delete and edit other users information just by changing the ID variable in the address bar.
I have user ID Session started on these pages but still people can do anything they like with other users information just by editing the address bar.
For example if your logged in in the address bar of www.mywebsite.com/delete_mystuff.php?id=5 and change the "5" say to a "9" then you will have access to user#9 information.

Every important page that I have has this code:
Code: [Select]
 session_start();

if (!isset($_SESSION['user_id'])) {
// Start defining the URL.
         $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
         if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
         $url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.
} else {
                //Else If Logged In Run The Script

if((isset($_GET['id'])) && (is_numeric($_GET['id']))) {
         $id = (int) $_GET['id'];
} elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) {
         $id = (int) $_POST['id'];
} else {
         echo ' No valid ID found, passed in url or form element';
        
         exit();
}



What am I doing wrong?
Please help if you know how to correct this.

Many thanks in advance.

I use the Wholesale Suite Premium Prices plugin with WooCommerce. I have 6 specific wholesale roles out of 15 that I wish to hide two specific shipping methods from being selected for the 6 exceptions. I'm just trying this on my staging server at this time using a code snippet example that I found and modified for my specific conditions. Would the following work for this purpose?

/* Hide specific shipping methods for specific wholesale roles */
add_filter( 'woocommerce_package_rates', function( $shipping_rates ) {
// User role and shipping method ID to hide for the user role
    $role_shipping_method_arr = array(
    'ws_silvia_silver' => array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_silver_pst_exempt' => array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_silver_tax_exempt' => array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_silver' => array( 'Silvia Union Standard Shipping (Tracking Service)'),
    'ws_silvia_silver_pst_exempt' => array( 'Silvia Union Standard Shipping (Tracking Service)'),
    'ws_silvia_silver_tax_exempt' => array( 'Silvia Union Standard Shipping (Tracking Service)'),
    'ws_silvia_gold' =>    array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_gold_pst_exempt' => array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_gold_tax_exempt' => array( 'Silvia Premium Standard Shipping (Tracking Service)'),
    'ws_silvia_gold' =>    array( 'Silvia Union Standard Shipping (Tracking Service)'),
    'ws_silvia_gold_pst_exempt' => array( 'Silvia Union Standard Shipping (Tracking Service)'),
    'ws_silvia_gold_tax_exempt' => array( 'Silvia Union Standard Shipping (Tracking Service)'),
    );

    // Getting the current user role
    $curr_user = wp_get_current_user(); 
    $curr_user_data = get_userdata($current_user->ID); 

    // Wholesale Suite Roles 
    if (isset($current_user) && class_exists('WWP_Wholesale_Roles')) {
        $wwp_wholesale_roles = WWP_Wholesale_Roles::getInstance();
        $wwp_wholesale_role = $wwp_wholesale_roles->getUserWholesaleRole(); 

// Loop through the user role and shipping method pair
    foreach( $role_shipping_method_arr as $role => $shipping_methods_to_hide ) {

// Check if defined role exist in current user role or not
    if( in_array( $role, $current_user->roles) ) {

// Loop through all the shipping rates
    foreach( $shipping_rates as $shipping_method_key => $shipping_method ) {
$shipping_id = $shipping_method->get_id();

// Unset the shipping method if found
    if( in_array( $shipping_id, $shipping_methods_to_hide) ) {
unset($shipping_rates[$shipping_method_key]);
}
}
}
}
}
    return $shipping_rates;
});

Any insights as to how to accomplish this would be greatly appreciated. Lyse

im new , and ... 

i hate tutorials .. books .. anything that does not make u part of the deal -  .. thats why i started by creating something and learning from my mistakes at the same time .. i like this way of learning ..

soo , while im building and trying things out .. i started thinking how the server know the person with this link is really U ? .. when u start just linking pages to each other its just a matter of finding out what is the link to do what ever u want with the users personal pages ! .. i know my questions r stupid but i just hate to go and write lessons without any effort

im confused with the concept of SESSIONS and COOKIES , r they the unswer to this security problem ? how u can work with them .. ?

im not asking for codes .. just general ideas about users and how they control their profiles and stuff with full security ?

ill be very thankful if i get any answer ^^

how can I list a user from a table and show the results in a grid with different color eg frist in blue color second on white , 3rd on blue 4th in with etc I do need to set select command and I have db name and ip on a file called dbconfig.php from wd calendar so I just need to read the info   ps: I cant post links so search for wd calendar and see the dbconfig.php in php folder

Hi. my browser ist telling me there are errors on line 3 and 4 for my code. It says summin like Notice: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are unidentified:

below is the code see if you can spot anything btw i copied down the code from beginner php tutorial 66 if you type that into youtube .
Code: [Select]
<?php

$http_client_ip = $_SERVER['HTTP_CLIENT_IP'];
$http_x_forwarded_for = $_SERVER['HTTP_X_FORWARDED_FOR'];
$remote_addr = $_SERVER['REMOTE_ADDR'];

if (!empty($http_client_ip)){
   $ip_addr = $http_client_ip;
   
}else if(!empty($http_x_forwarded_for)){
   $ip_addr = $http_x_forwarded_for;
}else{
   $ip_addr = $remote_addr;
}

echo $ip_addr;
?>

Thanks

MOD EDIT: code tags added.

Hi guys,

I am trying to get a admin panel, which when the user is logged in, it will check if there user access is(say for this post) 9...

If there access is 9 in the database then direct to admin panel if not return them home.

Thanks guys

I would get the ip address of the user that is on the site. I used $ip = $_SERVER['REMOTE_ADDR']; and it doesn't show my actual ip. Is it because im using an apache server on my computer.

 Hi guys,

im just trying to work out an app in my head and on paper. im just wondering..
when a user registers they can choose an Avatar 100px by 100px jpg, when they upload one would i then grab the file and store all Avatars in a avatar image folder and rename it to something like.. avatar[user_id].jpg and keep them all in the same folder.

or

would i crate a folder called users, each user gets their own folder with files like avatar.jpg and it finds the [user_id] folder and pulls the avatar out from that, or is there a more prefered method?

cheers

Hi, I am having serious issues with compatibility with IE7 and below (and even 8 but they should be rectified). There is no way I can have these problems finished before the site is online, so I want to redirect users to a page apologizing and recommending alternative browsers.

Is this possible?


*Please don't reply just to tell me that banning an entire browser is bad, I know it is - I plan to sort it out. But this is an extra curricular project and I'm halfway through my penultimate year of uni, so IE and it's utterly shambolic rendering of CSS is not my priority. Thankyou*

I have used 

$sql = "SELECT id, username FROM $tbl_name ORDER BY username";
$result = $con->query($sql);
while ($row = $result->fetch_assoc())
{
    echo "<a href='editUser.php?id={$row['id']}'>{$row['username']}</a><br><br>\n";
    echo "<style>a {color: blue; text-decoration: none;} a:hover {color: #ff0000} body {background-color: #000;} </style>";
}

in euser.php which echo's out all the users in the database via an anchor tag and includes their id in the url. but when i click on their name i want to have options like: - change password - ban user e.t.c and i have tried 

$sql = "SELECT id FROM $tbl_name";
$result = $con->query($sql);
while ($row = $result->fetch_assoc()) {

echo "<a href='editUser.php?id={$row['id']}'> Change Password  </a>

in my other page editUser.php it posts Change Password Change Password Change Password and each change password has the 3 ids of the users   this is confusing me.

Hello. I have recently been building a user system and trying to code an "Online Users" script for it however it is not working out for me, so I thought I'd come and ask here.

I need a script that adds them to the table 'online' when they login and then remove them when they logout. That part is simple to do however I am using sessions and I am trying to figure out a way to check if they are inactive like every 10 minutes, and if they are delete their row from the db.

It'd be appreciated if someone could set up a code for this.

Hey guys.

So I'm about to start developing a Private Messaging system for a CMS that I already have set up and working fine, and I had a problem I would like to solve before I start. I would like to add a feature that allows users to send the message to one or more users at a time. Whether it be by typing in the different usernames seperated by commas in the input field or another method, I have no idea how I'd handle submitting this into the database.

I don't want it to be like a group conversation though, I want it to submit the message seperately for each user they included in the receptitents field.

Any suggestions on how to go about doing this?
Gathering it'd be like an array of some sort but I have very little experience with arrays from forms and how to seperate them.

Sites such as this one often show the logged on users and guests.     I have no reason to need to do so, but am curious on how this is accomplished.   For users, yes, you've authenticated them and logged them on regardless of IP address, but how do you know they didn't just close their browser?   For guests, are they just using IP address?  And still, how do you know when they leave?   PS.  How should I include an image in a post like I did?  What I did was first attach a file, and then edit the post to include that file as an image.  Couldn't seem to include an image off my local PC.  Not a better way? Attached Files  Capture.PNG   4.13KB   0 downloads

Afternoon All.  I wish to re-direct users to a 404 error page on my site if an article does not exist in my database.  Here's my code:


$SQL = "SELECT  headline FROM news WHERE news_id=".mysql_real_escape_string($_GET['news_id']); 
$result = mysql_query($SQL) OR die(mysql_error()); 
$num = mysql_num_rows($result);

//** Check that the entry exists otherwise send to error page
if ($num > 0) {
  $row = mysql_fetch_array($result);
  $headline = $row['headline'];
} else {
  echo "Why is this printed? - I should be leaving this page?";
  header("Location: error.php");
  exit;
}



Now the wierd thing is that when I enter a news_id  for a value that does not exist it prints the message Why is this printed? - I should be leaving this page? so it's actually going to the ELSE statement which is good, but surely it should not do this as I ask the page to re-direct?

Thank you

I have a mobile app. They visit a web site where they login. The videos live above web root, thus making it impossible for anyone to directly link to the video file. On iOS, I made a PHP script that checks if they are logged in first and if they are I use a range download method that acts like streaming. Works great! On android however, the script isn't working..lame.

So I was trying to think of other methods to deliver the video, but first checking if they are logged in. My idea was to check if they are logged in, if they are, copy the video from above web root to a temp directory in web root and give it a uniqid name and insert it into the DB. That ID will then expire after two hours and I would delete the video.

Ok that sounds like it would work for both phones, except with high traffic, that could be problematic.

My next idea was symlinks, but I don't know much about them other than they are a shortcut. Could I potentially use a symlink to give the logged in user a video file that lives above web root?