I have extended the user profile page in the backend so that each user profile has several extra custom fields where data such as favorite movies, birthday and so on can be stored. I am creating a dating website, which is why more fields are needed. People with the proper code can see these profiles in the front end using an entry code, which basically is some random code plus the userID as a number at the end. Using PHP substring, the userID is grabbed and access is granted. See code:
if(empty($_REQUEST['enterCodeId'])){
    echo "<script>
    location.replace('".$_SERVER['HTTP_REFERER']."');
    </script>";
}else{
    $getId=substr($_REQUEST['enterCodeId'], 4, 10);
    $querystr ="SELECT ID FROM wp_prefixcode_users WHERE ID='".$getId."'";
    $querystrChecking = mysql_query($querystr);
    if(mysql_num_rows($querystrChecking)<=0){
        echo "<script>
        location.replace('".$_SERVER['HTTP_REFERER']."');
        </script>";
    }
    $uploads = wp_upload_dir();
    //
}
This setup is not ideal because a: the code cannot be added from the profile page yet, which can be remedied with an extra get_the_author_meta(), but I need a better way to generate a password, but also because b: a password will always end in the same userID number.
How can I give users the option to automatically generate an access password from the Dashboard > Users > User Profile so users can regenerate a new access key? This is needed so access given to another user can be revoked. I need a PHP function to generate a new key and get it stored as an author_meta field in the database.
Solution
Thanks to Toscho and another dev I got this code to load it all.
In functions.php I added:
add_action( 'init', 'accesskeygen_func' );
function accesskeygen_func() {
    $phpfile = explode('/', $_SERVER['PHP_SELF']);
    $phpfile = $phpfile[count($phpfile)-1];
    if (($phpfile=='profile.php') && isset($_GET['accesskeygen'])) {
        echo wp_generate_password();
        exit;
    }
}
and
<!-- begin access key -->
<tr>
<th><label for="myaccesskey"><?php _e("Access Key"); ?></label></th>
<td>
<input type="text" name="myaccesskey" id="myaccesskey" value="<?php echo esc_attr( get_the_author_meta( 'myaccesskey', $user->ID ) ); ?>" class="regular-text" /><br />
<span class="description">
<input type="button" class="button-secondary" id="myaccesskeygen" value="Generate Access Key"/>
<?php _e("Please click the button generate access key."); ?>
</span>
</td>
</tr>
<!-- end access key -->
Use wp_generate_password() to generate passwords. For example, you could add a button to the user profile to get a new password per AJAX.

And you have a security vulnerability in your current code: $getId, the substring from a visitor request, may contain malicious code. Always escape request data. Read Data Validation for more information, especially $wpdb->prepare() should be useful.
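
The two recommendations above combined, as an added example that is not code from the question or the answers: the key is fully random (no user ID embedded), stored in the 'myaccesskey' user meta field, and looked up through $wpdb->prepare(). The myprefix_* function names are hypothetical, and the code assumes it runs inside WordPress (for example from the theme's functions.php).

```php
<?php
// Added example; the myprefix_* names are hypothetical. 'myaccesskey' and
// 'enterCodeId' are the meta key and request parameter used on this page.

// Create (or replace) a user's access key. Replacing it revokes the old one.
function myprefix_regenerate_access_key( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    // 32 characters, letters and digits only; no user ID embedded.
    $key = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'myaccesskey', $key );
    return $key;
}

// Map a visitor-supplied code to the profile owner's ID, or 0 if none.
function myprefix_user_id_for_access_key( $code ) {
    global $wpdb;
    // Validate the shape first: anything else cannot be a generated key.
    if ( ! is_string( $code ) || ! preg_match( '/^[A-Za-z0-9]{32}$/', $code ) ) {
        return 0;
    }
    // prepare() escapes and quotes the value bound to each %s placeholder.
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT user_id, meta_value FROM {$wpdb->usermeta}
         WHERE meta_key = %s AND meta_value = %s LIMIT 1",
        'myaccesskey',
        $code
    ) );
    // The SQL match can be case-insensitive (collation), so confirm exactly.
    if ( ! $row || ! hash_equals( $row->meta_value, $code ) ) {
        return 0;
    }
    return (int) $row->user_id;
}

// Front-end gate; call it before any output is sent.
function myprefix_require_access_key() {
    $code = isset( $_REQUEST['enterCodeId'] ) ? wp_unslash( $_REQUEST['enterCodeId'] ) : '';
    $profile_id = myprefix_user_id_for_access_key( $code );
    if ( ! $profile_id ) {
        // Redirect to a fixed URL rather than echoing a request header.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
    return $profile_id;
}
```

An AJAX handler behind the "Generate Access Key" button can call myprefix_regenerate_access_key() and return the new key to fill the myaccesskey field.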