
beckerdt

Members
  • Posts

    25
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

beckerdt's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. @teynon ***UPDATE*** Still not done with the create page. I decided to refactor and clean up my code; it was getting messy. In the process I found an issue with TinyMCE that could allow scripts to be executed after data has been loaded into the database, reloaded from the database and then saved to the database again. The issue lies in the fact that TinyMCE is too good at cleaning up code. I would like to do away with the WYSIWYG editor altogether, but my mother-in-law will be using the site so I need to keep it for her and probably the wife.
  2. @teynon I think I have the edit and delete page stuff locked down, FINALLY. Now I just have to lock down the create page. I could not recreate or figure out how you deleted the home page this morning, but I went back over my code and made the validation as specific as I could possibly think to make it, so could you please do whatever you did this morning to delete my home page and see if it blocks you from deleting the page now. Thanks. I'll drop another note here when I get the create page stuff locked down.
  3. But you can edit pages you created under edit_page.php, right? OK, I fixed the problem. It was a stupid mistake. I misspelled one of my variables. You should be able to create, edit and delete your own stuff now.
  4. But you can edit pages you created under edit_page.php, right?
  5. I'm tracking now. I will work on this tomorrow.
  6. @teynon - I bet you can't do it now! Thanks for the help.
  7. One last note to anyone that might want to use this code: put your real domain where it says domain.com. DO NOT remove the leading period, it's important!
  8. I got it to work!!!

     <?php
     // leading dot: the cookie is sent to domain.com and every subdomain, so www. and non-www share it
     $rootDomain = '.domain.com';
     session_set_cookie_params(3600, '/', $rootDomain, false, false);
     session_start();

     if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 2700)) {
         // last request was more than 45 min ago
         if (isset($_SESSION['id'])) {
             // note: the mysql_* extension was removed in PHP 7; mysqli or PDO with a bound
             // parameter for the id is the replacement
             $connection = mysql_connect('localhost', '******', '*******');
             if (!$connection) {
                 die('Database connection failed: ' . mysql_error());
             }
             $db_select = mysql_select_db('******');
             $query = "UPDATE users SET online='no' WHERE id='{$_SESSION['id']}' LIMIT 1";
             mysql_query($query);
         }
         $_SESSION = array();
         if (isset($_COOKIE[session_name()])) {
             // the expiring cookie must carry the same path AND domain as the one that was set,
             // otherwise the browser keeps the original cookie
             setcookie(session_name(), '', time() - 42000, '/', $rootDomain);
         }
         session_destroy(); // destroy session data in storage
         session_unset();   // unset $_SESSION variable for the runtime
         if (isset($connection)) {
             mysql_close($connection);
         }
     }
     $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
     ?>
  9. When a user logs into my site I put all their user info into a session like this:

     session_start();
     $_SESSION["login"]           = 'true';
     $_SESSION["id"]              = $user_info['id'];
     $_SESSION["firstname"]       = $user_info['firstname'];
     $_SESSION["lastname"]        = $user_info['lastname'];
     $_SESSION["screen_name"]     = $user_info['screen_name'];
     $_SESSION["facebook"]        = $user_info['facebook'];
     $_SESSION["email"]           = $user_info['email'];
     $_SESSION["date_joined"]     = $user_info['date_joined'];
     $_SESSION["account_type"]    = $user_info['account_type'];
     $_SESSION["account_active"]  = $user_info['account_active'];
     $_SESSION["hashed_password"] = $user_info['hashed_password']; // the hash is not needed to track login state

     The problem is if they log in from www.domain.com and then end up on a page at domain.com, or the other way around (they log in from domain.com and end up on a page at www.domain.com), the info stored in the session is not available. How can I have the session info available no matter if they logged in with www or not?
  10. OK, I think I have fixed the security flaw teynon pointed out by using strip_tags() on the title, and removed the user_id from the form and placed it into the session for use after form submission.
  11. Thanks for the help. Looks like I'm going to go back to the drawing board with this. Good luck with your ETS.
  12. teynon, thanks for looking at my site. I see the two posts you made. It looks like you entered some JavaScript that executed when the page loaded, causing the site to behave oddly. It also appears that you were able to delete pages from the site without privileges. I'll admit you have me scratching my head. I really have no idea how you did that. The only way I can think of to keep that from happening is to strip out script tags with preg_replace or something like that. Where are you stationed? I'm at Ft. Bliss.
  13. Using var_dump() I tried my code on a clean page with no CSS and so on, and the beginning space is missing, so I am picking up that space from somewhere else. Thanks for the help.
  14. Still working on this same site. Have a quick question. I'm trying to use preg_replace to strip out a section of code but I am having problems getting it to work right.

      Code example:

      $str = '<p class="code">some string here</p>';

      PHP I'm using:

      $pattern = array();
      $pattern[0] = '!<p class="code">!';
      $pattern[1] = '!</p>!';
      // preg_replace returns the new string; it does not change $str in place
      $str = preg_replace($pattern, "", $str);

      This strips out the code just as I want, with the exception of the space between the p and class.
      Returns: " some string here" // notice the single space at the beginning
      I'm trying to get: "some string here" // no space at the beginning
      I have been beating my head against the wall trying to find a solution. The reason I'm trying to strip it out in a chunk instead of breaking the preg_replace into pieces is because I don't want to change anything that may be in the string between the tags. Any ideas?
  15. This is also a huge resource. https://www.owasp.org/index.php/Main_Page
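The session questions in items 8 and 9 above (sharing one session between domain.com and www.domain.com, and logging the user out after 45 minutes of inactivity) come together in the following bootstrap. It is an added example, not beckerdt's code: it keeps the leading-dot cookie domain from the posts but sets the HttpOnly and Secure flags, regenerates the session id at login, stores only what later requests need, and updates the online flag through a PDO prepared statement. The site hostnames, the users table columns and the DB_*_PLACEHOLDER credentials are assumptions.

```php
<?php
// Added example, not beckerdt's code: one session bootstrap included by every page.
// Assumptions: the site answers on domain.com and www.domain.com, the database is reached
// through PDO, and the users table has the id and online columns used in the posts above.
// DB_*_PLACEHOLDER values stand in for real credentials.
declare(strict_types=1);

const ROOT_DOMAIN = '.domain.com'; // leading dot: the cookie is sent to domain.com and www.domain.com
const COOKIE_LIFE = 3600;          // cookie lifetime in seconds
const IDLE_LIMIT  = 2700;          // 45 minutes without a request ends the session

function start_site_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => COOKIE_LIFE,
        'path'     => '/',
        'domain'   => ROOT_DOMAIN,
        'secure'   => $https,  // send the cookie only over HTTPS once the site has it
        'httponly' => true,    // script on the page cannot read the cookie, so an XSS cannot lift it
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(array $user_info): void
{
    session_regenerate_id(true);      // fresh id after login blocks session fixation
    // keep the session small: the id is enough to load the rest per request;
    // the password hash in particular has no business in the session
    $_SESSION['id']            = (int) $user_info['id'];
    $_SESSION['account_type']  = $user_info['account_type'];
    $_SESSION['LAST_ACTIVITY'] = time();
}

function logout_user(?PDO $db): void
{
    if ($db !== null && isset($_SESSION['id'])) {
        $stmt = $db->prepare('UPDATE users SET online = ? WHERE id = ? LIMIT 1');
        $stmt->execute(['no', $_SESSION['id']]);   // bound parameter, no string interpolation
    }
    $_SESSION = [];
    if (isset($_COOKIE[session_name()])) {
        // the expiring cookie must carry the same path and domain as the one that was set,
        // otherwise the browser treats it as a different cookie and keeps the old one
        setcookie(session_name(), '', time() - 42000, '/', ROOT_DOMAIN);
    }
    session_destroy();
}

// Returns false when the visitor was just logged out for inactivity.
function enforce_idle_timeout(?PDO $db): bool
{
    if (isset($_SESSION['LAST_ACTIVITY']) && time() - $_SESSION['LAST_ACTIVITY'] > IDLE_LIMIT) {
        logout_user($db);
        return false;
    }
    $_SESSION['LAST_ACTIVITY'] = time();
    return true;
}

start_site_session();
try {
    $db = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
} catch (PDOException $e) {
    $db = null; // the timeout is still enforced even when the online flag cannot be updated
}
if (!enforce_idle_timeout($db)) {
    header('Location: /login.php');
    exit;
}
```

The array form of session_set_cookie_params() needs PHP 7.3 or later; on older versions the positional form from item 8 takes the same values with `true` as the last argument for HttpOnly. Passing the domain to the expiring setcookie() call is what makes the logout actually remove the shared cookie.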
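Items 1, 10 and 12 above describe two separate problems: script in submitted content running on page load, and pages being deleted by someone without the right to do so. The handler below is an added example, not beckerdt's code, showing the defensive pattern behind item 10: the acting user comes from the session rather than the form, ownership is part of the DELETE statement itself, the form carries a CSRF token, and the page title is escaped on output instead of relying on strip_tags() at input. The pages table layout, the delete_page.php path and the 'admin' account type are assumptions; sanitising the rich-text body TinyMCE produces is a separate job for a real HTML sanitiser and is not attempted here.

```php
<?php
// Added example, not beckerdt's code: a delete_page.php handler that takes the acting user
// from the session, never from the form, and checks ownership inside the DELETE itself.
// Assumed schema: pages(id, user_id, title). The 'admin' account_type value is also assumed.
declare(strict_types=1);
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted); // constant-time comparison
}

// Escape for an HTML text node or attribute value; use this wherever the title is printed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Delete $pageId only if it belongs to $userId (admins may delete any page).
// Returns true when exactly one row was removed.
function delete_page(PDO $db, int $pageId, int $userId, bool $isAdmin): bool
{
    if ($isAdmin) {
        $stmt = $db->prepare('DELETE FROM pages WHERE id = ?');
        $stmt->execute([$pageId]);
    } else {
        // ownership is in the WHERE clause, so there is no gap between "check" and "delete"
        // and a forged page_id for someone else's page simply matches nothing
        $stmt = $db->prepare('DELETE FROM pages WHERE id = ? AND user_id = ?');
        $stmt->execute([$pageId, $userId]);
    }
    return $stmt->rowCount() === 1;
}

// The confirmation form: only the page id and the token travel in the form; no user_id field.
function render_delete_form(int $pageId, string $title): string
{
    return '<form method="post" action="/delete_page.php">'
        . '<p>Delete "' . h($title) . '"?</p>'
        . '<input type="hidden" name="page_id" value="' . $pageId . '">'
        . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
        . '<button type="submit">Delete</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Bad request');
    }
    $pageId = filter_input(INPUT_POST, 'page_id', FILTER_VALIDATE_INT);
    if ($pageId === false || $pageId === null) {
        http_response_code(400);
        exit('Invalid page id');
    }
    $db = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    $isAdmin = ($_SESSION['account_type'] ?? '') === 'admin';
    $ok = delete_page($db, $pageId, (int) $_SESSION['id'], $isAdmin);
    echo $ok ? 'Page deleted' : 'Nothing deleted';
}
```

The same shape applies to edit_page.php from item 3: load the page with `WHERE id = ? AND user_id = ?` and treat zero rows as "not yours" rather than reading an owner id back from a hidden form field.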
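For the preg_replace question in item 14, a single pattern that captures the inner text does what the two-pattern array was meant to do, and tolerates any whitespace inside the opening tag. This is an added example, not beckerdt's code; the sample strings are constructed, and the helper name is an assumption.

```php
<?php
// Added example, not beckerdt's code: unwrap <p class="code">...</p> in one preg_replace call.
declare(strict_types=1);

function unwrap_code_paragraph(string $html): string
{
    // \s+ and \s* tolerate extra whitespace inside the opening tag, the non-greedy (.*?)
    // keeps the inner text exactly as it was, and the s flag lets the content span lines.
    $pattern = '!<p\s+class="code"\s*>(.*?)</p>!s';
    // preg_replace returns the new string (null on a regex error); $html itself is untouched
    return preg_replace($pattern, '$1', $html) ?? $html;
}

// constructed sample inputs covering the plain case, odd spacing, and multi-line content
$samples = [
    '<p class="code">some string here</p>',
    '<p   class="code" >some string here</p>',
    "<p class=\"code\">line one\nline two</p>",
    'untouched text without the wrapper',
];
foreach ($samples as $s) {
    var_dump(unwrap_code_paragraph($s));
}
```

This is a formatting helper, not a sanitiser: it only removes the wrapper that the site itself put around the text, so anything that needs to be displayed to other users still goes through htmlspecialchars() on output.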