
PFMaBiSmAd
Staff Alumni
  • Posts: 16,734
  • Days Won: 9

Everything posted by PFMaBiSmAd

  1. What's on line 34 of config.php that is producing output?
  2. $folder clearly does not contain exactly the string 'bios'. What do you get when you echo it, and what does var_dump() show (in case it contains some non-printing characters)?
  3. You have an extra ( in your query before the mysql str_to_date() function that is probably producing a sql syntax error. It would help if you post the errors you are getting, as they generally point to where a problem is occurring and result in quicker solutions.
  4. Look at your code. js2 is not the second value.
  5. Use - LEFT JOIN
  6. The following will produce a TIME value from either a xxx starting value or a xxxx starting value - SELECT TIME(CONCAT('630','00')); As previously stated, you would replace the 'xxx' term with wherever your starting value is at.
  7. http://php.net/manual/en/language.types.string.php
  8. The $_GET array is a perfectly usable set of variables. By making a series of named variables from it, you must now keep track of each of those variable names, know how many there were, and write out code to reference each one. That does not make for general purpose coding. Since you are trying to write a generic script where you won't know the names beforehand, it will be impossible for you to know how many and what names the variables will be. Just use array functions (i.e. foreach(){}) to process the $_GET array directly without going through an additional intermediate step of creating named variables (this will save processing time and memory as well.)
  9. One way (gives a TIME value with :00 seconds) - SELECT STR_TO_DATE('1720', '%H%i'); Another way (gives a string in the format you are showing) - SELECT CONCAT(LEFT('1720', 2),':',RIGHT('1720',2)); Replace the '1720' term in each of the above with your column name (with no single-quotes.) Are the hours always two digits, with leading zeros?
  10. You already started one thread for this topic. Don't start another one.
  11. The posted code appears to only set the session variables upon a correct login. Any chance that the session variables were already set from previous testing and you were already logged in? Beyond that, it would take seeing the code you are putting on the protected pages that is supposed to be preventing access.
  12. Yes, it is one of the most common mysql related errors. It generally means that your query failed. However, in your case it is because you used the wrong variable name in the mysqli_fetch_array() function call. Did you look at the line of code producing the error and attempt to see what was wrong with the parameter you were passing it?
  13. The only piratical (practical) reason the authors would have for intentionally putting the security check code after the form processing code would be so that the authors or any other hacker can alter the ACL database tables on your site by submitting the appropriate post/get data.
  14. You can get what? For all we can tell that means you can visit a protected page and access anything like there was no security check code on it.
  15. Putting the security check code as the first thing a page does would be kind of important for a script that was trying to show how to create and use an Access Control List. It's only three lines of php code (plus the {} brackets for the if() statement.) You can always move it to be above the form processing code on the pages. Other than the two security holes already mentioned, the script is primarily just a tutorial to show ACL, it is lacking the typical input validation, escaping, error checking, and error reporting... logic that would be needed in a real application.
  16. What makes you think the web server and browsers are not passing a session id cookie back and forth?
  17. The only way to associate the correct session data on the server with an http request from the correct browser is by a unique identifier that comes with the http request, i.e. the session id. Therefore, either the URL must contain the session id or the session id must be sent as data that makes up the http request.
  18. ALL your html table code is inside of the while(){} loop. You would want to only put the portion of the html table code for the repeating table-rows inside of the while(){} loop.
  19. There is another security problem in the tutsplus code. On the admin pages that do form processing, some of the form processing code is before the security check code. So, it is possible for ANYONE to submit form data and it will be processed.
  20. You probably have a logic error in your code on the page that is setting the session variable to an empty value. The quickest solution would be for you to post the code on the page.
  21. Assuming this is for a 'configuration file' exercise, if you just include() the file, the variables will be set with the current value. There is no need to actually parse through the file to find the variables and values. Using an array $settings['something1'] = 'value1'; $settings['something2'] = 'value2'; will make the code simpler.
  22. The demo code is setting $_SESSION['userID'] = 1; That is equivalent to having some login script that has authenticated you as userid 1, which is the main administrator account in the demo data for that script. As soon as you visit the index.php page, you are logged in as the main administrator and have sufficient permissions and group membership to pass all the security checks.
  23. Probably a permission problem. It would take seeing the actual code and the error message to be able to directly help.
  24. PHP has been slow to mitigate the problems and remove any of the early unfortunate choices that were put into the language. And in fact, they don't consider many of the things that have been shown to actually hinder and waste time when writing real life actual applications to be a problem. The following is a quote taken from a section of the php.net documentation concerning one of the unfortunate choices that is finally being removed - There is a big difference between writing code that just barely produces the result you want for an assignment and efficiently writing real life actual applications that work well under all conditions. Programming languages should be, well, programming languages. They should not automatically manipulate data, especially when you don't want them to manipulate the data. They should not pollute variable scopes (which is what this thread falls under) and overwrite variables, especially when you don't want them to overwrite variables. They should not hide poor syntax in code. They should not have more than one tag that defines what code is and make one tag optional so that code is no longer seen as code on some servers.
  25. LOL. The tutsplus code, although someone went to a lot of trouble to design and write it, is actually not secure because there are no exit; statements after the header() redirects. All a hacker needs to do is ignore the header() redirects and he can access the pages the same as if the security checks were not present. If you use that code, add exit; statements after every header() redirect.
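The two problems described in posts 15, 19 and 25 (form processing placed before the security check, and header() redirects with no exit after them), shown as an added example rather than the tutsplus tutorial's own code. user_has_permission(), require_permission() and the session layout are assumptions for illustration.

```php
<?php
// Added example; not the tutsplus tutorial's code. Names below are assumptions.
session_start();

// Assumption: the login script stored the user id and permission names in the session.
function user_has_permission(string $permission): bool
{
    return isset($_SESSION['userID'], $_SESSION['permissions'])
        && in_array($permission, $_SESSION['permissions'], true);
}

// The three-line check the thread refers to, wrapped so every admin page can
// call it as its FIRST statement. The exit after header() is what actually
// stops the script: a client that ignores the Location header otherwise keeps
// executing everything below the redirect.
function require_permission(string $permission): void
{
    if (!user_has_permission($permission)) {
        header('Location: login.php');
        exit;
    }
}

// Vulnerable ordering (what the thread describes), shown for contrast only:
//
//   if (isset($_POST['delete_user'])) { ...modify the ACL tables... }    // runs for anyone
//   if (!user_has_permission('admin')) { header('Location: login.php'); } // no exit
//   ...rest of the page still runs for a client that ignores the redirect...

// Hardened ordering: nothing touches request data until the check has passed.
require_permission('admin');

if (isset($_POST['delete_user'])) {
    // Hypothetical form handler; a real page would validate and escape the
    // input and run the delete query here.
    $userId = (int) $_POST['delete_user'];
    error_log("admin {$_SESSION['userID']} deleted user {$userId}");
}
```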