YesSoftware Forums -> CodeCharge Studio -> PHP

viktor
Posted: 02/26/2004, 7:40 AM

Situation:
I am trying to build a web-based application in PHP using CCS.
There is a need for a user to log in and see ONLY those property or employee records which belong to the same company as (s)he does.

I've added companyID to the property and employees tables so that when (s)he logs in I could filter the data source using that field.

Now the question
==============
How do I use the sessions bit properly?
I've seen some tips regarding CCGetUserID or something like that...

So far I've wasted a week trying to implement that.

Is there any SIMPLE tutorial with sample code and maybe a screenshot (?) showing where and what to put?

Also, the user is to be able to ADD users to the system, and the newly added user would by default "belong" to the same company... meaning that I need to use hidden (?) fields and transfer them throughout sessions.

This task looks to me quite difficult but I know people do it every day :-)

Please advise

Thank you in advance
Michael Mikkelsen
Posted: 02/26/2004, 8:32 AM

I am sure there is more than one way to do what you want to do but my suggestion would be not to pass hidden fields for security reasons.

I would get the company ID first and then incorporate it into your SQL statement when you pull data from the database as well as add data to the database.

This is how you would get that variable using custom code.

global $DBConnection1;
// CCGetUserID() reads the logged-in user's id from the session; the lookup returns that user's companyID
$CompanyID = CCDLookUp("companyID","users","user_id=".CCGetUserID(), $DBConnection1);

You can actually do this without writing custom code as well. What you would want to do is add a new Grid to the top of your page.

You can delete all the components in the new Grid and just add one visible label and one not visible label. So it looks something like this:
[]> Welcome <name> <companyID> <[]

In the properties for the Grid, under data source, add a WHERE using the "+" button. userID (type: integer) = UserID (type: session)

Set the properties for your labels so that they pull the person's name and companyID. Set the CompanyID label to visible=false.

Then when you need to use the company id in your SQL statements you can access that object Grid1->companyID->GetValue()

I hope that helps. It should at least give you some ideas. Feel free to ask clarifying questions if you don't understand my explanation.

Michael Mikkelsen
mike@kccoupon.com
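Michael's approach, written out as an added example in plain PHP with PDO rather than in CodeCharge's generated code (this is not code from the thread or from CodeCharge Studio). The table and column names users/user_id/user_login/company_id and property/property_id/name, and the session key UserID, are assumptions:

```php
<?php
// Added example, not from the thread or from CodeCharge Studio. Assumes a
// `users` table (user_id, user_login, user_password, company_id), a
// `property` table (property_id, name, company_id), and that login stored
// the user's id in $_SESSION['UserID'] (what CCGetUserID() reads).

// Resolve the company from the server-side session, never from a hidden
// field: the browser can change anything it posts, but not the session.
function currentCompanyId(PDO $pdo): int
{
    if (empty($_SESSION['UserID'])) {
        throw new RuntimeException('not logged in');
    }
    $stmt = $pdo->prepare('SELECT company_id FROM users WHERE user_id = ?');
    $stmt->execute([(int) $_SESSION['UserID']]);
    $companyId = $stmt->fetchColumn();
    if ($companyId === false) {
        throw new RuntimeException('unknown user');
    }
    return (int) $companyId;
}

// Listing: the company filter is part of the WHERE, so rows belonging to
// other companies are never selected. A user-supplied filter (here a search
// term) is added as a bound parameter on top of it, not concatenated.
function listProperties(PDO $pdo, int $companyId, string $search = ''): array
{
    $stmt = $pdo->prepare(
        'SELECT property_id, name FROM property
          WHERE company_id = :cid AND name LIKE :q
          ORDER BY name'
    );
    $stmt->execute([':cid' => $companyId, ':q' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Adding a user: the new account inherits the creator's company on the
// server. The form supplies only login and password; company_id is not a
// form field at all, hidden or otherwise.
function addUserToOwnCompany(PDO $pdo, int $companyId, string $login, string $password): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_login, user_password, company_id) VALUES (?, ?, ?)'
    );
    $stmt->execute([$login, password_hash($password, PASSWORD_DEFAULT), $companyId]);
    return (int) $pdo->lastInsertId();
}

// Usage on a page (connection details are placeholders)
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$companyId = currentCompanyId($pdo);
foreach (listProperties($pdo, $companyId, $_GET['q'] ?? '') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The point is where the company id comes from: it is derived from the session on every request and bound into the query, so neither the list nor the insert ever takes it from the browser.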
viktor
Posted: 02/27/2004, 5:11 AM

Quote Michael Mikkelsen:
I am sure there is more than one way to do what you want to do but my suggestion would be not to pass hidden fields for security reasons.
Fine. But what is the difference? There is a mention in the documentation about using hidden fields - is it not that secure?

Quote Michael Mikkelsen:
I would get the company ID first and then incorporate it into your SQL statement when you pull data from the database as well as add data to the database.

This is how you would get that variable using custom code.

global $DBConnection1;
$CompanyID = CCDLookUp("companyID","users","user_id=".CCGetUserID(), $DBConnection1);


I've one similar thing:
//Custom Code @13-BC68F432
// -------------------------
global $test;
global $DBConnection1;
// CCGetUserID() reads the logged-in user's id from the session; look up that user's login name
$userLogin = CCDLookUp("user_login","user","user_id=".CCGetUserID(), $DBConnection1);
echo $userLogin;
// -------------------------
//End Custom Code

and indeed I get what I need, but what do I do next?
This code is in test.php, in which I - let's say - need a list filtered to that userLogin / userID....
I have implemented the grid with the data source query userID = userID via sessions, tried userLogin = userLogin via session AND IT DOES NOT WORK :-/


Quote Michael Mikkelsen:
You can actually do this with out writing custom code as well. What you would want to do is add a new Grid to the top of your page.

You can delete all the components in the new Grid and just add one visable label and one not visable label. So it looks something like this
[]> Welcome <name> <companyID> <[]
........
tried ... after deleting the grid, or rather its table, I get a couple of errors linked to /Template.php or something...


=======================

Please, advise

I've done the first step :-)

I can now "print" the current logged-in user id and / or login etc.

How can I filter the data source based on that user ID?

Thank you in advance!

:-)
DonB
Posted: 02/27/2004, 6:34 AM

Hidden fields are only hidden from users that don't know there is a "view
source" function in their browser.

If you use a hidden field to "secure" some data you don't want the user to
see, then be aware they have ways to see it anyhow. This can be even more
insidious if they are a malicious user and use software that lets them
modify the hidden value before it gets sent back - imagine this was your
social security number and they changed it to theirs.

Or suppose they ordered something that cost $500 and they were clever enough
to change the hidden value to $1 and ordered 500 of them. Your application
might accept the order at the wrong price because you assumed the hidden
value could not be changed.

--
DonB

http://www.gotodon.com/ccbth


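DonB's $500 order scenario, as an added example not taken from the thread: the first handler trusts a hidden price field, the second treats every posted value as untrusted and re-reads the price from the catalogue. The `products` table (product_id, price) and the field names are assumptions.

```php
<?php
// Added example, not from the thread. Table `products` (product_id, price)
// and the form field names are assumptions.

// VULNERABLE: the total is computed from the form, so a client that edits
// <input type="hidden" name="price" value="500"> sets its own price.
function orderTotalVulnerable(array $post): float
{
    return (float) $post['price'] * (int) $post['qty'];
}

// HARDENED: only product id and quantity are taken from the form, both are
// validated, and the price is looked up server-side. The form needs no
// price field at all.
function orderTotalHardened(PDO $pdo, array $post): float
{
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($productId === false || $qty === false) {
        throw new InvalidArgumentException('bad product id or quantity');
    }

    $stmt = $pdo->prepare('SELECT price FROM products WHERE product_id = ?');
    $stmt->execute([$productId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        throw new InvalidArgumentException('unknown product');
    }

    // If an old form still posts a price, it is ignored for the calculation;
    // a value that differs from the catalogue is worth logging, because it
    // is exactly the edit DonB describes.
    if (isset($post['price']) && (float) $post['price'] != (float) $price) {
        error_log(sprintf('price mismatch for product %d: posted %s, catalogue %s',
            $productId, $post['price'], $price));
    }
    return (float) $price * $qty;
}
```

Any value that drives a security or money decision (price, company id, user id) should be recomputed or re-read on the server in the same way; a hidden field is acceptable only for data the server would be happy to let the user edit.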

filter using sessions
Posted: 02/27/2004, 6:55 AM

Quote DonB:
Hidden fields are only hidden from users that don't know there is a "view
source" function in their browser.

If you use a hidden field to "secure" some data you don't want the user to
see, then be aware they have ways to see it anyhow. This can be even more
insidious if they are a malicious user and use software that let's them
modify the hdden value before it gets sent back - imagine this was your
social security number and they changed it to theirs.

Or suppose they ordered something that cost $500 and they were clever enough
to change the hidden value to $1 and ordered 500 of them. Your application
might accept the order at the wrong price because you assumed the hidden
value could not be changed.

--
DonB

http://www.gotodon.com/ccbth




That's clear with the hidden fields, and what about getting sessions working by using data source > filter using user_id etc...?
It does not work :-/ :-/
DonB
Posted: 02/27/2004, 9:43 AM

If by user you mean the logged-in user, then your Data Source should include
a "where" definition for userLogin = CCGetUserLogin() (note the function
being used). The right hand side of the dialog where you define this must
be set to a "type" of "Expression" instead of the default which is "URL"

You use either CCGetUserID() for the code value (primary key) of the
logged-in user or CCGetUserLogin() for the name they entered in the Username
field when they log in. Whatever works best for your situation.
--
DonB

http://www.gotodon.com/ccbth



peterr
Posted: 02/27/2004, 8:53 PM

viktor,

From my point of view the question is if you need help with creating the CompanyID session, or using it in your grids after it was created?

As for using the User ID, you can easily filter grids by specifying that your user id field in the database must be equal the "UserID" session variable. Make sure that you do not use "user_id" or "user ID" as I see in the above messages. The parameter type must be set to "Session".
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com
svorlow
Posted: 06/20/2005, 11:07 AM

Hi Peter,

there is a corresponding problem. Remember one situation. You get a grid with - let's say 10 - organisations. The user clicks on one org and finds out more about the organisation data in a dataset form.

fine

But now he finds out that he can easily manipulate the URL. He manipulates it and writes org=15 in the URL string and bang - he gets an organisation that he is not allowed to see (just a constructed example).

It would be nice if it were possible to write the data into a session instead of putting it into the URL (org=15). Any idea? We have a serious security problem.

My idea is to put verifying code on the next page to check if the user is allowed to see the data - but that makes a lot of work in a huge project.

Any idea is appreciated.

Thanks in advance

Stephan
peterr
Posted: 06/20/2005, 11:28 AM

If you want to display a link on a Web page then the link must point to some specific record. Sessions won't help here unless you simply want to use an existing session in a grid or record - you can do so.

Implementing record security is described in our main tutorial in the Help file. It's also online at http://docs.codecharge.com/studio/html/QuickStart/Creat...rInitEvent.html
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com
wkempees
Posted: 06/20/2005, 11:33 AM

Svorlow

Assuming a table for users and a table for companies.
Also assuming that each Property in the table Property has a field like originating_company_id.

Let the user log in; after successful login "set" a session variable SelectedCompanyId.
In the grids displaying the properties for update by 'a' user, include in your where clause something like:
AND Originated_Company_id = SelectedCompanyId (type Session)

Greets
Walter
_________________
Origin: NL, T:GMT+1 (Forumtime +9)
CCS3/4.01.006 PhP, MySQL .Net/InMotion(Vista/XP, XAMPP)

if you liked this info PAYPAL me: http://donate.consultair.eu
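Svorlow's org=15 case and Walter's login/session step, put together as an added example in plain PHP with PDO (not code from the thread or from CodeCharge Studio). The tables users (user_id, user_login, user_password, company_id) and organisation (org_id, name, company_id), the session keys UserID and SelectedCompanyId, and the page name org.php are assumptions:

```php
<?php
// Added example, not from the thread or from CodeCharge Studio. Tables
// `users` (user_id, user_login, user_password, company_id) and
// `organisation` (org_id, name, company_id) are assumptions.

// At login, store the user's company in the session once. Nothing the
// browser sends on later requests can change it.
function loginAndSetSession(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT user_id, user_password, company_id FROM users WHERE user_login = ?'
    );
    $stmt->execute([$login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['user_password'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id after authentication
    $_SESSION['UserID'] = (int) $user['user_id'];
    $_SESSION['SelectedCompanyId'] = (int) $user['company_id'];
    return true;
}

// Record page: the id comes from the URL, so it is untrusted. The query
// binds BOTH the requested id and the session's company, so a record of
// another company is simply not found, whatever number was typed into the
// URL. This is the "verifying code on the next page", done once in the
// query instead of as a separate check on every page.
function loadOrganisation(PDO $pdo, $requestedId): ?array
{
    $orgId = filter_var($requestedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($orgId === false || empty($_SESSION['SelectedCompanyId'])) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT org_id, name FROM organisation WHERE org_id = ? AND company_id = ?'
    );
    $stmt->execute([$orgId, (int) $_SESSION['SelectedCompanyId']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // A valid session asking for a record outside its own company is the
        // signal of the URL edit described in the thread; log it.
        error_log(sprintf('user %d requested org %d outside company %d',
            $_SESSION['UserID'] ?? 0, $orgId, $_SESSION['SelectedCompanyId']));
        return null;
    }
    return $row;
}

// Usage: org.php?org=15 (connection details are placeholders)
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$org = loadOrganisation($pdo, $_GET['org'] ?? null);
if ($org === null) {
    http_response_code(404);                   // same answer for "missing" and "not yours"
    exit('Not found');
}
echo htmlspecialchars($org['name'], ENT_QUOTES, 'UTF-8');
```

In CodeCharge terms this is the same as Walter's WHERE clause: the record's data source gets both the URL parameter (type URL) and SelectedCompanyId (type Session) in its filter, so the link can still carry org=15 but only records of the session's company come back.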