mooseychops

  1. Hi Guys, Having a bit of a security problem with my login page which is driving me nuts. It looks like users can bypass my login page and access other pages by simply navigating to them or keeping the url in their favourites..!! What is the best way to tackle this problem? I have had a quick look and saw that there might be a way to do something with cookies to assign a cookie ID to each user who logs in to the system.. any ideas or hints towards putting me on the right track would be very much appreciated. thanks!
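The mechanism the poster is looking for is a server-side session check at the top of every protected page, not a cookie that the client can edit. This is an added example written for this thread (not code from the poster or from any reply); it assumes login.php stores the verified user's id in $_SESSION['user_id'], that the protected pages are view.php / new.php and so on, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// auth_check.php (assumed file name): include this from every page that
// must not be reachable by typing or bookmarking its URL.
function require_login(string $login_url = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // The session id is the only secret here, so keep the cookie out of
        // reach of script (httponly) and off cross-site requests (samesite).
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }

    // No user id in the session: this request never went through login.php.
    // exit is essential; header() alone does not stop PHP from rendering
    // the rest of the protected page into the response body.
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }

    // Idle timeout: 30 minutes since the last request on this session.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 1800) {
        end_session();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// login.php: call this only after the password check has succeeded, with
// session_start() already done. The id is regenerated so a session id that
// existed before login (possibly planted by someone else) is never promoted.
function start_authenticated_session(int $user_id): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
}

// logout.php: clear the data, drop the cookie, destroy the server-side record.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 3600, '/');
    }
    session_destroy();
}

// Top of every protected page (view.php, new.php, ...):
//   require_once 'auth_check.php';
//   require_login();
```

A user-supplied cookie value such as a username or "logged_in=1" must never be trusted on its own; the browser can set it to anything, whereas the session id only maps to data the server wrote.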
  2. Thanks for your help chaps - much appreciated. I have been wrestling with this piece of code all day, and am having trouble implementing onlyican's code..

     <?php
     // connect to the database
     include('config.php');
     $result = mysql_query("select username from test");
     $options = "";
     while ($row = mysql_fetch_array($result)) {
         $categoryname = $row["username"];
         $options .= "<OPTION VALUE=\"$categoryname\">" . $categoryname . '</option>';
     }
     ?>
     <select name="username_1">
     <option>SELECT</option>
     <?php echo $options ?>
     </select>

     <?php
     // onlyican's loop, as I have tried to add it
     foreach ($results as $categoryname) {
         echo '<option value="' . $categoryname['username'] . '"';
         if ($_POST['username_1'] === $categoryname['username']) {
             echo ' selected="selected"';
         }
         echo '>' . $categoryname['text_field'] . '</option>';
     }
     ?>

     Any hints? or am I going completely off track with this one! Please excuse me if I have made a glaring mistake, as I am still a novice at php! Cheers
  3. Thanks for your reply Shadowing. Will I be able to implement your last suggestion:

     <select name="username_1"><option value="John" <?php echo $_SESSION['username'] == 'John' ? 'selected="selected"' : ''; ?> >John</option></select>

     The reason being that the options that I am deriving come from the database and are not listed in the code.

     <?php
     // connect to the database
     include('config.php');
     $result = mysql_query("select username from test");
     $options = "";
     while ($row = mysql_fetch_array($result)) {
         $categoryname = $row["username"];
         $options .= "<OPTION VALUE=\"$categoryname\">" . $categoryname . '</option>';
     }
     ?>
     <select name="username_1">
     <option>SELECT</option>
     <?php echo $options ?>
     </select>

     Any more ideas? Many thanks MC
  4. Hi All, I am having some trouble with my drop down menus. I would like it so when the user submits the form and the errors pop up after the form refreshes, the drop down options that the user entered stay selected, rather than revert to default.

     <?php include('menu.php'); ?>
     <?php require_once('calendar/calendar/classes/tc_calendar.php'); ?>
     <?php
     /*
     NEW.PHP
     Allows user to create a new entry in the database
     */

     // creates the new record form
     // since this form is used multiple times in this file, I have made it a function that is easily reusable
     function renderForm($asset_tag, $asset_type, $model, $sku, $warrenty_expiry_date, $purchase_date, $serial_number, $location, $practice, $user_name, $mobile_number, $network, $po_number, $cost, $username, $input_date, $ram, $make, $processor, $operating_system, $hd_gb, $screen_size, $error, $error_2, $error_3, $error_4, $error_5, $error_6, $error_7)
     {
     ?>
     <html>
     <head>
     <link href="calendar/calendar/calendar.css" rel="stylesheet" type="text/css" />
     <script language="javascript" src="calendar/calendar/calendar.js"></script>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <link rel="stylesheet" type="text/css" href="style2.css" />
     <title>New Blackberry</title>
     </head>
     <body>
     <form action="" method="post">
     <input type="hidden" name="asset_tag" value="<?php echo $asset_tag; ?>"/>
     <table border='1' id='asset_register'>
     <tr>
     <td><strong><span title="Enter 5 Numbers only"><b>ASSET TAG</b></span></strong>
     <input type="text" name="asset_tag" maxlength="5" value="<?php echo $asset_tag; ?>" /><br/></td>
     <td><strong><span title="Blackberry"><b>ASSET TYPE</b></span></strong>
     <input type="hidden" class="input" name="asset_type" value="Blackberry" /><br/>
     Blackberry</td>
     <td><strong><span title="Select one option from the dropdown list"><b>MODEL</b></span></strong><br/>
     <?php
     // connect to the database
     include('connect-db.php');
     $result = mysql_query("select model from b_model");
     $options = "";
     while ($row = mysql_fetch_array($result)) {
         $categoryname = $row["model"];
         $options .= "<OPTION VALUE=\"$categoryname\">" . $categoryname . '</option>';
     }
     ?>
     <select name="model_1">
     <option>SELECT</option>
     <?php echo $options ?>
     </select></td>
     <td><strong><span title="Enter a 15 digit IMEI Number"><b>IMEI</b></span></strong>
     <input type="text" class="input" name="sku" maxlength="15" value="<?php echo $sku; ?>" /><br/></td>
     <td><strong><span title="Enter an 8 digit pin number"><b>PIN NUMBER</b></span></strong>
     <input type="text" name="serial_number" maxlength="8" value="<?php echo $serial_number; ?>" /><br/></td>
     <td><strong><span title="London"><b>LOCATION</b></span></strong>
     <input type="hidden" class="input" name="location" value="London" /><br/>
     London</td>
     <td><strong><span title="Select a date"><b>WARRANTY</b></span></strong><br/>
     <?php
     $myCalendar = new tc_calendar("date5", true, false);
     //$myCalendar->setIcon("calendar/calendar/images/iconCalendar.gif");
     //$myCalendar->setDate(date('d'), date('m'), date('Y'));
     $myCalendar->setPath("calendar/calendar/");
     $myCalendar->setYearInterval(2012, 2040);
     $myCalendar->dateAllow('2008-05-13', '2040-03-01');
     $myCalendar->setDateFormat('j F Y');
     //$myCalendar->setHeight(350);
     //$myCalendar->autoSubmit(true, "form1");
     $myCalendar->setAlignment('left', 'bottom');
     $myCalendar->setSpecificDate(array("2011-04-01", "2011-04-04", "2011-12-25"), 0, 'year');
     //$myCalendar->setSpecificDate(array("2011-04-10", "2011-04-14"), 0, 'month');
     $myCalendar->setSpecificDate(array("2011-06-01"), 0, '');
     $myCalendar->writeScript();
     ?></td>
     <td><strong><span title="Select a date"><b>PURCHASE</b></span></strong><br/>
     <?php
     $myCalendar = new tc_calendar("date6", true, false);
     //$myCalendar->setIcon("calendar/calendar/images/iconCalendar.gif");
     //$myCalendar->setDate(date('d'), date('m'), date('Y'));
     $myCalendar->setPath("calendar/calendar/");
     $myCalendar->setYearInterval(2012, 2020);
     $myCalendar->dateAllow('2008-05-13', '2020-03-01');
     $myCalendar->setDateFormat('j F Y');
     //$myCalendar->setHeight(350);
     //$myCalendar->autoSubmit(true, "form1");
     $myCalendar->setAlignment('left', 'bottom');
     $myCalendar->setSpecificDate(array("2011-04-01", "2011-04-04", "2011-12-25"), 0, 'year');
     //$myCalendar->setSpecificDate(array("2011-04-10", "2011-04-14"), 0, 'month');
     $myCalendar->setSpecificDate(array("2011-06-01"), 0, '');
     $myCalendar->writeScript();
     ?></td>
     <td><strong><span title="Select one option from the dropdown list"><b>PRACTICE</b></span></strong><br/>
     <?php
     // connect to the database
     include('connect-db.php');
     $result = mysql_query("select practice from practices");
     $options = "";
     while ($row = mysql_fetch_array($result)) {
         $categoryname = $row["practice"];
         $options .= "<OPTION VALUE=\"$categoryname\">" . $categoryname . '</option>';
     }
     ?>
     <select name="practice_1">
     <option>SELECT</option>
     <?php echo $options ?>
     </select></td>
     </tr>
     <tr>
     <td><strong><span title="Insert the first and last name of the BM user"><b>BM USER</b></span></strong>
     <input type="text" class="input" name="user_name" value="<?php echo $user_name; ?>" /><br/></td>
     <td><strong><span title="Enter the 11 digit mobile number"><b>MOBILE NO</b></span></strong>
     <input type="text" class="input" name="mobile_number" maxlength="11" value="<?php echo $mobile_number; ?>" /><br/></td>
     <td><strong><span title="Vodaphone"><b>NETWORK</b></span></strong>
     <input type="hidden" class="input" name="network" value="Vodaphone" /><br/>
     Vodaphone</td>
     <td><strong><span title="Enter the 8 digit PO Number"><b>PO NO</b></span></strong>
     <input type="text" class="input" name="po_number" maxlength="8" value="<?php echo $po_number; ?>" /><br/></td>
     <td><strong><span title="Enter the cost of the device without the pound sign"><b>COST</b></span></strong>
     <input type="text" class="input" name="cost" maxlength="7" value="<?php echo $cost; ?>" /><br/></td>
     <td><strong><span title="Select one option from the dropdown list"><b>INPUT BY</b></span></strong><br/>
     <?php
     // connect to the database
     include('config.php');
     $result = mysql_query("select username from test");
     $options = "";
     while ($row = mysql_fetch_array($result)) {
         $categoryname = $row["username"];
         $options .= "<OPTION VALUE=\"$categoryname\">" . $categoryname . '</option>';
     }
     ?>
     <select name="username_1">
     <option>SELECT</option>
     <?php echo $options ?>
     </select></td>
     <td><strong><span title="Today's input date"><b>DATE INPUT</b></span></strong>
     <input type="hidden" class="input" name="input_date" value="<?php echo date("20y-m-d") ?>" /><br/>
     <?php echo date("20y-m-d") ?></td>
     <td><input type="submit" name="submit" value="SUBMIT" class="button" /><br/></td>
     <td><input type="button" value="BACK" onClick="window.location.href='mainmenu.php'"/><br/></td>
     </tr>
     </table>
     </form>
     <?php
     // if there are any errors, display them
     if ($error != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error . '</div>';
     }
     if ($error_2 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_2 . '</div>';
     }
     if ($error_3 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_3 . '</div>';
     }
     if ($error_4 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_4 . '</div>';
     }
     if ($error_5 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_5 . '</div>';
     }
     if ($error_6 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_6 . '</div>';
     }
     if ($error_7 != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error_7 . '</div>';
     }
     ?>
     <br /><br /><br />
     <div align="center"><img src="blackberry.png"></div>
     </body>
     </html>
     <?php
     }

     // connect to the database
     include('connect-db.php');

     // check if the form has been submitted. If it has, start to process the form and save it to the database
     if (isset($_POST['submit'])) {
         // get form data, making sure it is valid
         $asset_tag = mysql_real_escape_string(htmlspecialchars($_POST['asset_tag']));
         $asset_type = mysql_real_escape_string(htmlspecialchars($_POST['asset_type']));
         $model = mysql_real_escape_string(htmlspecialchars($_POST['model_1']));
         $sku = mysql_real_escape_string(htmlspecialchars($_POST['sku']));
         $serial_number = mysql_real_escape_string(htmlspecialchars($_POST['serial_number']));
         $location = mysql_real_escape_string(htmlspecialchars($_POST['location']));
         $user_name = mysql_real_escape_string(htmlspecialchars($_POST['user_name']));
         $mobile_number = mysql_real_escape_string(htmlspecialchars($_POST['mobile_number']));
         $network = mysql_real_escape_string(htmlspecialchars($_POST['network']));
         $po_number = mysql_real_escape_string(htmlspecialchars($_POST['po_number']));
         $cost = mysql_real_escape_string(htmlspecialchars($_POST['cost']));
         $input_date = mysql_real_escape_string(htmlspecialchars($_POST['input_date']));
         $practice = mysql_real_escape_string(htmlspecialchars($_POST['practice_1']));
         $username = mysql_real_escape_string(htmlspecialchars($_POST['username_1']));
         $warrenty_expiry_date = isset($_REQUEST["date5"]) ? $_REQUEST["date5"] : "";
         $purchase_date = isset($_REQUEST["date6"]) ? $_REQUEST["date6"] : "";
         $ram = 'N/A';
         $make = 'N/A';
         $processor = 'N/A';
         $operating_system = 'N/A';
         $hd_gb = 'N/A';
         $screen_size = 'N/A';

         if (strlen($asset_tag) == 5 AND is_numeric($asset_tag) AND is_numeric($sku) AND is_numeric($mobile_number) AND strlen($sku) == 15 AND strlen($mobile_number) == 11 AND strlen($serial_number) == 8) {
             // check to make sure all fields are entered
             if ($asset_tag == '' OR $cost == '' OR $po_number == '' OR $mobile_number == '' OR $serial_number == '' OR $sku == '' OR $user_name == '' OR $username == 'SELECT' OR $model == 'SELECT' OR $practice == 'SELECT' OR $warrenty_expiry_date == '0000-00-00' OR $purchase_date == '0000-00-00') {
                 // generate error message
                 $error = 'ERROR: Please fill in all of the fields!';
                 $error_2 = '';
                 $error_3 = '';
                 $error_4 = '';
                 $error_5 = '';
                 $error_6 = '';
                 $error_7 = '';
                 // if any field is blank, display the form again
                 renderForm($asset_tag, $asset_type, $model, $sku, $warrenty_expiry_date, $purchase_date, $serial_number, $location, $practice, $user_name, $mobile_number, $network, $po_number, $cost, $username, $input_date, $ram, $make, $processor, $operating_system, $hd_gb, $screen_size, $error, $error_2, $error_3, $error_4, $error_5, $error_6, $error_7);
             } else {
                 // save the data to the database
                 mysql_query("INSERT asset_register SET asset_tag='$asset_tag', asset_type='Blackberry', model='$model', sku='$sku', serial_number='$serial_number', location='$location', practice='$practice', user_name='$user_name', mobile_number='$mobile_number', network='$network', po_number='$po_number', cost='$cost', username='$username', input_date='$input_date', warrenty_expiry_date='$warrenty_expiry_date', purchase_date='$purchase_date', ram='$ram', make='$make', processor='$processor', operating_system='$operating_system', hd_gb='$hd_gb', screen_size='$screen_size'") or die(mysql_error());
                 // once saved, redirect back to the view page
                 header("Location: view.php");
             }
         } else {
             if (strlen($asset_tag) < 5) {
                 $error = 'ASSET TAG ERROR: Please fill in 5 digits';
             } else {
                 $error = '';
             }
             if (!is_numeric($asset_tag)) {
                 $error_2 = 'ASSET TAG ERROR: Please enter Numbers only';
             } else {
                 $error_2 = '';
             }
             if (strlen($sku) < 15) {
                 $error_3 = 'IMEI ERROR: Please fill in 15 digits';
             } else {
                 $error_3 = '';
             }
             if (!is_numeric($sku)) {
                 $error_4 = 'IMEI ERROR: Please enter Numbers only';
             } else {
                 $error_4 = '';
             }
             if (!is_numeric($mobile_number)) {
                 $error_5 = 'MOBILE NO ERROR: Please enter Numbers only';
             } else {
                 $error_5 = '';
             }
             if (strlen($serial_number) < 8) {
                 $error_6 = 'PIN NO ERROR: Please fill in 8 digits';
             } else {
                 $error_6 = '';
             }
             if (strlen($mobile_number) < 11) {
                 $error_7 = 'MOBILE NO ERROR: Please fill in 11 digits';
             } else {
                 $error_7 = '';
             }
             renderForm($asset_tag, $asset_type, $model, $sku, $warrenty_expiry_date, $purchase_date, $serial_number, $location, $practice, $user_name, $mobile_number, $network, $po_number, $cost, $username, $input_date, $ram, $make, $processor, $operating_system, $hd_gb, $screen_size, $error, $error_2, $error_3, $error_4, $error_5, $error_6, $error_7);
         }
     } else {
         // if the form hasn't been submitted, display the form
         renderForm('', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '');
     }
     ?>
  5. Thanks for your quick reply. Apologies for the tags - this is my first time using a forum, and first time using PHP! I have implemented the changes you have suggested, with the POST function as shown below, but it still doesn't display the option that I select into the database.. Any ideas? thanks

     // connect to the database
     include('connect-db.php');

     // check if the form has been submitted. If it has, start to process the form and save it to the database
     if (isset($_POST['submit'])) {
         // get form data, making sure it is valid
         $asset_tag = mysql_real_escape_string(htmlspecialchars($_POST['asset_tag']));
         $asset_type = mysql_real_escape_string(htmlspecialchars($_POST['asset_type']));
         $model = mysql_real_escape_string(htmlspecialchars($_POST['model']));
         $sku = mysql_real_escape_string(htmlspecialchars($_POST['sku']));
         $warrenty_expiry_date = mysql_real_escape_string(htmlspecialchars($_POST['warrenty_expiry_date']));
         $serial_number = mysql_real_escape_string(htmlspecialchars($_POST['serial_number']));
         $location = mysql_real_escape_string(htmlspecialchars($_POST['location']));
         $user_name = mysql_real_escape_string(htmlspecialchars($_POST['user_name']));
         $mobile_number = mysql_real_escape_string(htmlspecialchars($_POST['mobile_number']));
         $network = mysql_real_escape_string(htmlspecialchars($_POST['network']));
         $purchase_date = mysql_real_escape_string(htmlspecialchars($_POST['purchase_date']));
         $po_number = mysql_real_escape_string(htmlspecialchars($_POST['po_number']));
         $cost = mysql_real_escape_string(htmlspecialchars($_POST['cost']));
         $username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
         $input_date = mysql_real_escape_string(htmlspecialchars($_POST['input_date']));
         $_POST['practice'];
  6. Hi all, I am attempting to save the results that the user chooses from the drop down menu on my website and am running into some difficulty. I have got the code to display the drop down menu, but have no idea what the code might be to post the results to the table in my Database. Have had a thorough look on the internet and found some help, but most of this involved creating a new form, is there any way to achieve this? The code for my page is below.

     <?php include('menu.php'); ?>
     <?php
     /*
     NEW.PHP
     Allows user to create a new entry in the database
     */

     // creates the new record form
     // since this form is used multiple times in this file, I have made it a function that is easily reusable
     function renderForm($asset_tag, $asset_type, $model, $sku, $warrenty_expiry_date, $serial_number, $location, $user_name, $mobile_number, $network, $purchase_date, $po_number, $cost, $username, $input_date, $error)
     {
     ?>
     <html>
     <head>
     <link rel="stylesheet" type="text/css" href="style2.css" />
     <title>BM New Record</title>
     <script type="text/javascript">
     function show_alert() {
         alert("Processing Data..");
     }
     </script>
     </head>
     <body>
     <span title="Words you want as the popup message"><b>Asset Tag</b></span>
     <?php
     // if there are any errors, display them
     if ($error != '') {
         echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error . '</div>';
     }
     ?>
     <form action="" method="post">
     <input type="hidden" name="asset_tag" value="<?php echo $asset_tag; ?>"/>
     <table border='1' id='asset_register'>
     <tr>
     <td><strong> </strong>
     <a href="" onMouseOver="alert('Please enter a valid Asset Tag');return true;">Asset Tag *</a>
     <input type="text" name="asset_tag" value="<?php echo $asset_tag; ?>" /><br/></td>
     <td><strong>Asset Type </strong>
     <input type="hidden" class="input" name="asset_type" value="Blackberry" /><br/>
     Blackberry</td>
     <td><strong>Model *</strong>
     <input type="text" class="input" name="model" value="<?php echo $model; ?>" /><br/></td>
     <td><strong>SKU *</strong>
     <input type="text" class="input" name="sku" value="<?php echo $sku; ?>" /><br/></td>
     <td><strong>Warrenty Exp Date *</strong>
     <input type="text" class="input" name="warrenty_expiry_date" value="<?php echo $warrenty_expiry_date; ?>" /><br/></td>
     <td><strong>Serial Number *</strong>
     <input type="text" name="serial_number" value="<?php echo $serial_number; ?>" /><br/></td>
     </tr>
     <tr>
     <td><strong>Location *</strong>
     <input type="hidden" class="input" name="location" value="London" /><br/>
     London</td>
     <td><strong>Practice</strong><br/>
     <?php
     // connect to the database
     include('connect-db.php');
     // get results from database
     $result = mysql_query("SELECT * FROM asset_register") or die(mysql_error());
     $query = "SELECT practice,id FROM asset_register ORDER BY id";
     $result = mysql_query($query);
     echo "<select name=\"practice\"><option value=''>practice</option>";
     // printing the list box select command
     while ($nt = mysql_fetch_array($result)) { // Array of records stored in $nt
         echo "<option value=$nt[id]>$nt[practice]</option>"; /* Option values are added by looping through the array */
     }
     echo "</select>";
     ?></td>
     </tr>
     <tr>
     <td><strong>User Name *</strong>
     <input type="text" class="input" name="user_name" value="<?php echo $user_name; ?>" /><br/></td>
     <td><strong>Mobile Number *</strong>
     <input type="text" class="input" name="mobile_number" value="<?php echo $mobile_number; ?>" /><br/></td>
     </tr>
     <tr>
     <td><strong>Network </strong>
     <input type="hidden" class="input" name="network" value="Vodaphone" /><br/>
     Vodaphone</td>
     <td><strong>Purchase Date *</strong>
     <input type="text" class="input" name="purchase_date" value="<?php echo $purchase_date; ?>" /><br/></td>
     </tr>
     <tr>
     <td><strong>PO Number </strong>
     <input type="text" class="input" name="po_number" value="<?php echo $po_number; ?>" /><br/></td>
     <td><strong>Cost (£)* </strong>
     <input type="text" class="input" name="cost" value="<?php echo $cost; ?>" /><br/></td>
     <td><strong>Input by </strong>
     <input type="text" class="input" name="username" value="<?php echo $username; ?>" /><br/></td>
     <td><strong>Date Input </strong>
     <input type="hidden" class="input" name="input_date" value="<?php echo date("d/m/y") ?>" /><br/>
     <?php echo date("d/m/y") ?></td>
     <td><input type="submit" name="submit" value="Submit" class="button" onclick="show_alert()" /><br/></td>
     </tr>
     </table>
     </form>
     <br /><br /><br />
     <div align="center"><img src="bm.jpg"></div>
     </body>
     </html>
     <?php
     }

     // connect to the database
     include('connect-db.php');

     // check if the form has been submitted. If it has, start to process the form and save it to the database
     if (isset($_POST['submit'])) {
         // get form data, making sure it is valid
         $asset_tag = mysql_real_escape_string(htmlspecialchars($_POST['asset_tag']));
         $asset_type = mysql_real_escape_string(htmlspecialchars($_POST['asset_type']));
         $model = mysql_real_escape_string(htmlspecialchars($_POST['model']));
         $sku = mysql_real_escape_string(htmlspecialchars($_POST['sku']));
         $warrenty_expiry_date = mysql_real_escape_string(htmlspecialchars($_POST['warrenty_expiry_date']));
         $serial_number = mysql_real_escape_string(htmlspecialchars($_POST['serial_number']));
         $location = mysql_real_escape_string(htmlspecialchars($_POST['location']));
         $user_name = mysql_real_escape_string(htmlspecialchars($_POST['user_name']));
         $mobile_number = mysql_real_escape_string(htmlspecialchars($_POST['mobile_number']));
         $network = mysql_real_escape_string(htmlspecialchars($_POST['network']));
         $purchase_date = mysql_real_escape_string(htmlspecialchars($_POST['purchase_date']));
         $po_number = mysql_real_escape_string(htmlspecialchars($_POST['po_number']));
         $cost = mysql_real_escape_string(htmlspecialchars($_POST['cost']));
         $username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
         $input_date = mysql_real_escape_string(htmlspecialchars($_POST['input_date']));

         // check to make sure both fields are entered
         if ($asset_tag == '' OR $cost == '0.00') {
             // generate error message
             $error = 'ERROR: Please fill in all required fields!';
             // if either field is blank, display the form again
             renderForm($asset_tag, $asset_type, $model, $sku, $warrenty_expiry_date, $serial_number, $location, $user_name, $mobile_number, $network, $purchase_date, $po_number, $cost, $username, $input_date, $error);
         } else {
             // save the data to the database
             mysql_query("INSERT asset_register SET asset_tag='$asset_tag', asset_type='Blackberry', model='$model', sku='$sku', warrenty_expiry_date='$warrenty_expiry_date', serial_number='$serial_number', location='$location', user_name='$user_name', mobile_number='$mobile_number', network='$network', purchase_date='$purchase_date', po_number='$po_number', cost='$cost', username='$username', input_date='$input_date'") or die(mysql_error());
             // once saved, redirect back to the view page
             header("Location: view.php");
         }
     } else {
         // if the form hasn't been submitted, display the form
         renderForm('', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '');
     }
     ?>

     Note: The bit in red is the code which successfully displays the drop down menu. Many thanks Moose