PHP / MySQL阻止用户访问其他用户上传的文件

Question

Ok, this is 2/5 tables from my my database, (no relationships between them):

USERS             PAPERS

user_id           p_id
username          p_name
e-mail            p_authors
password          p_coauthor
                  p_jname
                  p_date
                  p_url

which is suppose to be populated from a PHP script.

After registration, user folder is created, and then user can upload files to his folder. Users can see, access, and download other users upload, which I am trying to prevent .

Im not sure which scripts are relevant to c/p them here, so ill try to display important parts of code from scripts:

register script: (rest of the script just creates userfolder)

$uname = mysql_real_escape_string($_POST['uname']);
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);

$sql = mysql_query ("SELECT username FROM users WHERE username='".$uname."'");
$num = mysql_num_rows($sql);

if ($num > 0)  { ?>
    <script>alert('Duplicate username');</script>
<?php } else {
    if(mysql_query("INSERT INTO users(username,email,password) VALUES('$uname','$email','$upass')")) { ?>
        <script>alert('Successfully registered');</script>
<?php }

login script:

$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$sql = mysql_query("SELECT * FROM users WHERE email='".$email."'");
$num = mysql_fetch_assoc($sql);

if ($num['password'] == $upass) {
    $_SESSION['user'] = $num['username'];
} else { ?>
    <script>alert('wrong details');</script> 
<?php }

and addfile script where file and data upload occurs:

$sql = mysql_query("INSERT INTO papers (p_name, p_authors, p_cauthor, p_jname, p_date, p_url) VALUES ('$name', '$authors', '$cauthor', '$jname', '$date', '$filename')");

if($sql) { ?>
    <script>alert('Data uploaded to database !'); 
    window.location.href = "home.php";</script>
<?php } else { ?>
    <script>alert('Data NOT uploaded to database !'); 
    window.location.href = "home.php";</script>
<?php } 

Now, when i do this on users homepage:

$result = mysql_query("SELECT username, p_url FROM users, papers WHERE username='".$_SESSION['user']."'");
$output = mysql_fetch_array($result);

foreach ($output as $key => $val) {
    $search = substr($val, 0, strpos($val, '.'));
    $trim = str_replace($val, '', $search);
    echo <<<HERE
    <a href="http://localhost:8080/testfolder/users/{$_SESSION['user']}/{$val}" target="_blank">{$trim}</a><br />
    HERE;
}

I can access and download all data and uploaded files from other user folder. How can i prevent this, and make script to display and download only logged user things from database? Is my users and papers table construction completely wrong, or maybe thing is in aforementioned query ?

Answer 1

To prevent this happening, you have to have a relationship between your tables and link them via this.

Your query is retrieving EVERY record in users mapped across to EVERY record in papers

Your tables must have a common field to prevent this. I would suggest adding user_id from the users table into the papers table and rewriting your query as

SELECT
    u.username,
    p.p_url
FROM
    users as u
INNER JOIN
    papers as p
    ON
        p.user_id=u.user_id
WHERE
    u.username='{$_SESSION['user']}'