Hello People,
I'm not an expert programmer and I need all the help I can get to do this the best way possible. I want to build the most secure login system and content submission to a MySQL database that I can. I rely on a file I called motor.php to do all the work with the DB, and I think it seriously needs refactoring (I guess!) ... then I have a basic functions.php (from this file I only put 1 function here ... to get your opinion on it) and a connect.php
So ... if you guys can help me ... thanks A LOT !
functions.php
<?php
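/**
 * Normalise one request value before it is put into a query or echoed.
 *
 * Steps run in this order: addslashes(), strip_tags(), htmlspecialchars(),
 * trim(). The result is therefore already HTML-encoded when it is stored, and
 * backslash-escaped on top of whatever escaping connect.php already applied to
 * $_POST/$_GET — a value such as O'Neil ends up in the database with a
 * backslash (and an HTML entity) in it. addslashes() is not a substitute for
 * parameterised queries, and HTML encoding belongs at output time, not input.
 *
 * @param string|null $string raw value; null (a missing form field) yields ''
 * @return string
 */
function clean($string)
{
    // A missing $_POST key arrives as null; return '' directly instead of
    // feeding null through the string functions (deprecated since PHP 8.1).
    if ($string === null) {
        return '';
    }
    $string = addslashes($string);
    $string = strip_tags($string);
    // ENT_QUOTES is spelled out so single quotes are encoded on every PHP
    // version (the pre-8.1 default encoded only double quotes); ENT_SUBSTITUTE
    // replaces invalid UTF-8 sequences instead of returning an empty string.
    $string = htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return trim($string);
}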
?>
connect.php
<?php
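$host = "localhost"; // default
$mysql_user = "XXX"; // mysql username
$mysql_pass = "XXX"; // mysql password
$mysql_db = "XXX"; //mysql database

// NOTE(review): the mysql_* extension was removed in PHP 7.0; moving to
// mysqli or PDO with prepared statements would also make the escaping loop
// below unnecessary. The die() messages below hand the driver's error text to
// the browser — a generic message plus error_log() is the safer shape.
@mysql_connect($host, $mysql_user, $mysql_pass) or die("Could not connect to MySQL<br />" . mysql_error());
// Fix: the original interpolated $db, which is never defined; the name lives in $mysql_db.
@mysql_select_db($mysql_db) or die("Could not connect to MySQL database $mysql_db");

// Escape every POST/GET value for use inside string-built SQL (motor.php relies
// on this having run). This is the old "magic quotes" approach: any value later
// used outside SQL (echoed, compared, hashed) carries the added backslashes.
// array_walk_recursive() reaches values nested in array fields (name[]=...),
// which the previous per-key loop handed to mysql_real_escape_string() as an
// array — a warning and a null in place of the data.
$escapeForSql = function (&$value) {
    $value = mysql_real_escape_string($value);
};
array_walk_recursive($_POST, $escapeForSql);
array_walk_recursive($_GET, $escapeForSql);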
?>
motor.php ... help needed here ... I always feel something is missing!
<?php
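ob_start();
require('connect.php');
include('functions.php');

// Every $_GET/$_POST value was passed through mysql_real_escape_string() by
// connect.php. That is the only thing keeping the string-built queries below
// injection-safe, so any value that does NOT come from those two arrays
// ($_SERVER, literals) has to be escaped here before it is interpolated.
// The real fix is prepared statements (mysqli/PDO), which the mysql_* API
// cannot provide; that change would have to start in connect.php.
$act = isset($_GET['act']) ? $_GET['act'] : '';

// Read one POST field, or '' when the form did not send it (avoids an
// undefined-index notice being printed into the buffered page).
function postField($key)
{
    return isset($_POST[$key]) ? $_POST[$key] : '';
}

// Report the outcome of a write query and schedule the redirect to the list page.
function reportResult($result)
{
    if ($result) {
        echo "Sucesso!";
        echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
    } else {
        echo " Insucesso!";
    }
}

if ($act === "adduser") {
    $user = clean(postField('user'));
    // NOTE(review): md5 is not a password hash (unsalted, fast). password_hash()
    // / password_verify() should replace it here and in "authuser" together,
    // which also needs the pass column widened to hold a 60+ character hash.
    // clean() runs before hashing, so a password containing ' " < > & is
    // altered first — consistent between registration and login, but fragile.
    $pass = md5(clean(postField('pass')));
    $nome = clean(postField('nome'));
    $sql = "INSERT INTO users(user, pass, nome) VALUES('$user', '$pass', '$nome')";
    reportResult(mysql_query($sql));
    mysql_close();
} elseif ($act === "deluser") {
    // NOTE(review): nothing in this file checks that the requester is allowed
    // to delete users; confirm the caller (utilizadores.php?) enforces that
    // before this branch can be reached. Unlike "adduser", the value is not
    // passed through clean(), so the stored and the deleted name may differ.
    $user = postField('user');
    $sql = "DELETE FROM users WHERE user='$user'";
    reportResult(mysql_query($sql));
    mysql_close();
} elseif ($act === "loginerro" || $act === "logindel") {
    // Fix: the original compared the bare constant `act` (not $act), so the
    // "loginerro" case never matched. httponly keeps the cookie out of
    // document.cookie; drop that flag only if client-side script must read it.
    setcookie("user", "erro", time() + 3600, '', '', false, true);
    echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
} elseif ($act === "authuser") {
    $user = clean(postField('user'));
    $pass = md5(clean(postField('pass')));
    $sql = "SELECT * FROM `users` WHERE `user` = '$user' AND `pass` = '$pass' LIMIT 1";
    $result = mysql_query($sql);
    if (!mysql_num_rows($result)) {
        echo "Nome de utilizador ou password errados!";
        // Fix: the original passed the bare constant `erro`; the value is the string "erro".
        setcookie("user", "erro", time() + 3600, '', '', false, true);
        die();
    }
    echo "Login Válido";
    // NOTE(review): this cookie carries the plain username with no signature.
    // If utilizadores.php treats its presence as "logged in", the check can be
    // satisfied by anyone who sets the cookie. Keep the login state server-side
    // (session_start() + $_SESSION) and let the browser hold only the session id.
    setcookie("user", $user, time() + 3600, '', '', false, true);
    echo "<meta http-equiv='refresh' content='3;url=utilizadores.php'>";
    $logdate = date("Y-m-d");
    // Fix: "h" is a 12-hour clock with no am/pm marker; "H" makes the audit log unambiguous.
    $logtime = date("H:i:s");
    // Fix: $REMOTE_ADDR only existed under register_globals. Neither $_SERVER
    // value went through connect.php's escaping loop, and the Host header is
    // whatever the client sent, so both are escaped before interpolation.
    $logip = mysql_real_escape_string(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '');
    $loghost = mysql_real_escape_string(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');
    $logentrada = mysql_query("INSERT INTO logentrada (loguser, logdate, logtime, logip, loghost) VALUES ('$user', '$logdate', '$logtime', '$logip', '$loghost')");
    if (!$logentrada) {
        // Fix: the original message was single-quoted, so it printed the literal
        // text "($logentrada)"; the driver detail now goes to the server log
        // rather than to the browser.
        error_log('logentrada insert failed: ' . mysql_error());
        die('Database error');
    }
    mysql_close();
} elseif ($act === "addcontent") {
    // These fields are deliberately not passed through clean(), so any markup
    // they contain is stored as-is; the page that renders them must escape at
    // output time, otherwise stored markup runs in the reader's browser.
    // Injection into the query itself is prevented only by connect.php's loop.
    // NOTE(review): the author is taken from the form rather than from the
    // logged-in identity, so attribution is not bound to who submitted it.
    $titulo = postField('titulo');
    $conteudo = postField('conteudo');
    $tipo = postField('tipo');
    $user = postField('autor');
    $imagem = postField('imagem');
    $data = postField('data');
    $hora = postField('hora');
    $sql = "INSERT INTO content(titulo, conteudo, tipo, autor, imagem, data, hora) VALUES('$titulo', '$conteudo', '$tipo', '$user', '$imagem', '$data', '$hora')";
    reportResult(mysql_query($sql));
    mysql_close();
} elseif (empty($act)) {
    echo "Não há nada aqui para ver!";
}
ob_flush();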
?>