
How do I use PHP sessions and implement basic ACLs?

I have been Googling session variables. As I understand it, I can use them to capture such things as username and other data.

I would like to be able to use the data in order to store the username of the last person to change the record of a particular field. Additionally, I would like to be able to limit what a particular user sees on the site. For instance, if a user generates a work order I would like that user to be limited to seeing only the work orders he/she creates and no one else's.

I'm very new at all of this and I don't have enough understanding to even write some code you might correct for me. How can I send the data stored in the session variable as $_GET or $_POST? If I have it in that format I can use it in the query (I think).

  1. I have a table called "work_orders" with a field called "updated_by". I would like to be able to store the ID of the last person who updated the record.
  2. I would also like to add privileges to the work orders so that users can only view records created by particular users.

This is a project I undertook in my first year web design class. In the class are some students who think it is funny to see how much damage they can do to the work of others. This is the reason I would like to be able to limit them to accessing only the work orders they generate.

You seem to be mixing your questions here.

Firstly, where is your database? If it were - for instance - MySQL, then you need to add an extra column to the work order table (and others. Personally, I like to add a timestamp column too, for auditing porpoises).

I prefer POST over GET because 1) it can hold more data and 2) it's not so easy for the user to tamper with.

So, if you have a form with an input field declared

    <form method="post" action="<your PHP script>">
      Name: <input type="text" name="user_name">
      <input type="submit" value="Save">
    </form>
(see http://www.w3schools.com/html/html_forms.asp )

You can access $_POST['user_name'], e.g.

    $sql = "INSERT INTO work_order_table (user_name, ... <other column names>) VALUES ('" . $_POST['user_name'] . "', ... <other values>)";

I would recommend you to get a good book (cheap enough second hand) or online tutorial and work your way through.

Please let me know if I missed anything or if anything is not clear. Good luck!


Since you are concerned about school kids screwing with your database

1) google for how to make MySQL more secure
2) hint this will involve prepared statements
3) use POST, rather than GET, so that you have urls like http://192.1.68.1.1/application rather than http://192.1.68.1.1/application?user=smith which tempt users to muck around with the URL "just to see what happens" (probably more of a danger than SQL injection at school level, but ... you never know)
4) hit the library for something like O'Reilly's PHP & MySQL for Dummies in 24 hours for complete idiot beginners - or find a good online tutorial
5) "I would like to be able to limit that particular user to viewing only the work orders they generated" READ up on WHERE in SQL SELECT
6) change the MySQL root password - or even add a new user with root-like access then delete root
7) make sure that no student has access to the server, lest they look at the PHP and see your MySQL user & password
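The following is an added example, not code from the answer above, putting points 2) and 5) together: the current user's id is taken from the session rather than from the form, every query is a prepared statement with bound parameters, and the "only your own work orders" rule is just a WHERE clause on created_by. It assumes a work_orders table with the columns id, title, created_by and updated_by (updated_by being the column the question asks about), and it uses an in-memory SQLite database through PDO so it runs stand-alone; for MySQL only the DSN in the PDO constructor changes.

```php
<?php
// Added example (not from the original answers). Assumed schema:
// work_orders(id, title, created_by, updated_by). SQLite in-memory so it
// runs by itself; for MySQL use e.g. new PDO('mysql:host=localhost;dbname=app', $u, $p).
declare(strict_types=1);

session_start();
// Assumption: a login page has already stored the authenticated user's id here.
$_SESSION['user_id'] = $_SESSION['user_id'] ?? 42;   // constructed sample id
$currentUser = (int) $_SESSION['user_id'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE work_orders (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    title TEXT NOT NULL,
    created_by INTEGER NOT NULL,
    updated_by INTEGER NOT NULL)');

// Create a work order. created_by and updated_by come from the session, never
// from the form, so a user cannot claim someone else's identity by editing a POST field.
function createWorkOrder(PDO $db, int $userId, string $title): int
{
    $stmt = $db->prepare(
        'INSERT INTO work_orders (title, created_by, updated_by) VALUES (?, ?, ?)'
    );
    $stmt->execute([$title, $userId, $userId]);
    return (int) $db->lastInsertId();
}

// Update a work order and record who did it. The "AND created_by = ?" is the
// access-control check: rows belonging to other users simply never match.
function updateWorkOrder(PDO $db, int $userId, int $orderId, string $title): bool
{
    $stmt = $db->prepare(
        'UPDATE work_orders SET title = ?, updated_by = ? WHERE id = ? AND created_by = ?'
    );
    $stmt->execute([$title, $userId, $orderId, $userId]);
    return $stmt->rowCount() === 1;
}

// List only the caller's own work orders (the WHERE that point 5 refers to).
function listWorkOrders(PDO $db, int $userId): array
{
    $stmt = $db->prepare(
        'SELECT id, title, updated_by FROM work_orders WHERE created_by = ? ORDER BY id'
    );
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: one order for the current user, one for user 7.
$mine   = createWorkOrder($db, $currentUser, 'Replace projector bulb');
$theirs = createWorkOrder($db, 7, 'Reset lab password');

// Form input is read from $_POST (with a fallback so the script also runs from
// the command line) and only ever passed as a bound parameter, so a title
// containing a quote is stored as plain text instead of changing the SQL.
$title = $_POST['title'] ?? "Fix Mr O'Brien's desk";
var_dump(updateWorkOrder($db, $currentUser, $mine, $title));   // bool(true)
var_dump(updateWorkOrder($db, $currentUser, $theirs, $title)); // bool(false): not my row
print_r(listWorkOrders($db, $currentUser));                    // only my own order
```

Compare this with the string-built INSERT earlier in the answer: with bound parameters the driver sends the SQL and the values separately, so the value of $_POST['title'] can never become part of the statement, and the same WHERE clause that filters the list also stops a user from updating a record that is not theirs even if they guess its id.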

You might want to start by reading or watching a video tutorial that will help you better understand how and when to use session variables. The data that you store in the session won't stick around forever, so you will need to store most information in a database.

Here is what most people do: Once the user signs into the application, you put their user id into the session. This way, you know who they are. The server uses a cookie to make this bit of magic happen and when the user closes their browser, the server will forget who they are and the session data will be lost. So, in this example, the session is just keeping track of who the user is.

To store information about who last edited a field, you will probably want to use a database to store that information. There is no use in storing that information in a session variable.
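As an added example of the sign-in flow this answer describes (not code from the answer itself), here is the whole cycle in one file: the login handler verifies the password and stores nothing but the user id in the session, protected pages ask the session who the user is, and logout clears it. The user store is a constructed in-memory array standing in for the users table a real application would query, and /login.php is an assumed path.

```php
<?php
// Added example (not from the original answer). The user store below is a
// constructed stand-in for a database table; the redirect path is assumed.
declare(strict_types=1);

// Constructed sample user store: id => name and password hash.
$users = [
    42 => ['name' => 'alice', 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
];

function findUserByName(array $users, string $name): ?array
{
    foreach ($users as $id => $u) {
        if ($u['name'] === $name) {
            return ['id' => $id] + $u;
        }
    }
    return null;
}

// Called from the login form handler. On success the only thing kept in the
// session is the user id; everything else is looked up from the database later.
function login(array $users, string $name, string $password): bool
{
    $user = findUserByName($users, $name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id, so a pre-login id is not reused
    $_SESSION['user_id'] = $user['id'];
    return true;
}

// Answers "who is this?" from the session alone.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Put this at the top of every protected page; anonymous requests are sent to the login form.
function requireLogin(): int
{
    $id = currentUserId();
    if ($id === null) {
        header('Location: /login.php');   // assumed location of the login page
        exit;
    }
    return $id;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

session_start();
var_dump(login($users, 'alice', 'wrong password'));         // bool(false)
var_dump(currentUserId());                                   // NULL
var_dump(login($users, 'alice', 'correct horse battery'));   // bool(true)
var_dump(currentUserId());                                   // int(42)
logout();
```

The id returned by requireLogin() is what the other answer's queries should use for created_by and updated_by; because it comes from the server-side session and not from $_GET or $_POST, a user cannot change it by editing a URL or a form field, which is the answer to the question's "how do I send the session data as $_GET or $_POST": you don't, the script reads it from $_SESSION directly.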
