per1os

Everything posted by per1os

  1. You should try chmod'ing the DIR after creation. The 0700 part may be holding you up; try 0777 just as a test measure.
  2. Current and next are really unnecessary. www.php.net/foreach

      <?php
      $message = "";
      $array = array("Message1", "Message2");
      foreach ($array as $key => $val) {
          $message .= $val . "\n";
      }
      echo $message;
      ?>
  3. Wow, I am with thorpe. Thorpe's way will prevent SQL injection; it is probably even overkill with the password part being escaped. The function as it is is very inefficient even if it works now: if you have 10,000 users in the database and you are always retrieving every user any time someone logs in, wow... memory consumption, database consumption... yea. I would listen to thorpe.
  4. maybe try placing break; inside that if... or putting the if inside a function and just using return;
  5. www.webmonkey.com Great site for HTML tutorials. It should only take you a week to know HTML from top to bottom. It is very basic.
  6. http://www.dev-archive.net/articles/table-in-css.html May help you out.
  7. http://us2.php.net/mkdir Should work.
  8. register_globals would be what is jacking it up, if you ask me, because if $variable is also the name of some cookie or session variable, etc., it will inadvertently be assigned that value each time the page is reloaded. I highly suggest turning off register_globals; that is a huge security breach. The key thing is that you closed the tab in FF, re-opened it and voila, it was back to normal; that usually means it is a session issue of some type.
  9. Yeah, but mine doesn't show \r, it shows both as "rn", not "\r\n". Not sure; it could be the way the server is set up to retrieve the data. You can use ereg_replace to create a regex that will replace only "rn", but if someone enters "turn", well, yea. I would check on your server settings and make sure that something is not skewed there. Ace is talking about www.php.net/stripslashes.
  10. Try that instead of nl2br:

      <?php
      $text = str_replace("\r\n", "<br />", $text);
      ?>
  11. I would suggest using a different scheme for the database portion. Especially be very cautious about closing the mysql connection. www.php.net/mysql_close That part is unnecessary. I would look into making a database class and either passing the class to the constructor or creating functions that call the class functions. Anyhow, I would suggest making the database connection part at least outside of the user login, as chances are more than just the login will need to use the database. Might as well make it available to all classes.
  12. It is simply an example; if you do not want to do complex conditions you modify the code, so you do not split at &&.

      <?php
      function condition_run($condition_str) {
          $condition_true = true;
          // expects "value1 operator value2", e.g. "1 > 2"
          $rest = explode(" ", $condition_str);
          if (condition_test($rest[0], $rest[2], $rest[1])) {
              return true;
          }
          return false;
      }

      function condition_test($val1, $val2, $condition) {
          switch ($condition) {
              case '<':
                  if ($val1 < $val2) { return true; }
                  break;
              case '>':
                  if ($val1 > $val2) { return true; }
                  break;
              // add as many cases as you want.
              case '>=':
                  if ($val1 >= $val2) { return true; }
                  break;
          }
          return false;
      }
      ?>

      The basic gist of it is, take that code and manipulate it to suit your needs. It is just like a template.

      EDIT:: As I explained in the other post, $string = "1 > 2"; will return true, as a string returned as an int > 0, which PHP generally takes as true in an if (any number greater than zero is true). IE:

      <?php
      if ('this is just a simple string') {
          echo 'Wow this is true!';
      }
      if ('12 < 3') {
          echo 'Wow this is also true!';
      }
      ?>

      Since it is taking those literally like they are strings, it does not know the difference. You might be able to use www.php.net/eval , but that could be pretty dangerous. IE:

      <?php
      // eval() takes plain PHP code, so the <?php ?> tags do not belong inside the string;
      // whatever is in $statement is executed as code, which is exactly why this is dangerous.
      if (eval("if ($statement) { return true; } else { return false; }")) {
          echo 'Returned true!';
      } else {
          echo 'Returned False!';
      }
      ?>

      Unsure if it will work but yea.
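A way to evaluate the same "value operator value" strings without eval(), as an added example that is not part of the original post: the operator set is a fixed whitelist and both operands must be numeric, so a user-supplied string can only ever compare two numbers and is never run as PHP. It also handles the && case the post mentions.

```php
<?php
// Added example, not code from the thread: evaluate "<number> <op> <number>"
// strings with a whitelist of operators instead of eval().
function condition_eval($condition_str)
{
    $parts = preg_split('/\s+/', trim($condition_str));
    if (count($parts) !== 3) {
        return null; // malformed: not of the form "a OP b"
    }
    list($a, $op, $b) = $parts;
    if (!is_numeric($a) || !is_numeric($b)) {
        return null; // refuse anything that is not a number, so no code can sneak in
    }
    $a += 0; // numeric string -> int/float
    $b += 0;
    switch ($op) {
        case '<':  return $a <  $b;
        case '>':  return $a >  $b;
        case '<=': return $a <= $b;
        case '>=': return $a >= $b;
        case '==': return $a == $b;
        case '!=': return $a != $b;
        default:   return null; // operator not in the whitelist
    }
}

// Compound conditions joined by && are split and must all evaluate to true;
// a malformed clause (null) fails the whole condition rather than passing silently.
function condition_run($condition_str)
{
    foreach (explode('&&', $condition_str) as $clause) {
        if (condition_eval($clause) !== true) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: the strings that are "truthy" in if ('...') above, plus a
// compound condition and one with a non-numeric operand.
foreach (array('1 > 2', '12 < 3', '5 >= 5 && 2 < 3', 'abc > 1') as $c) {
    var_dump(condition_run($c));
}
```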
  13. Yes but a for loop is not necessary, www.php.net/in_array should work just fine.
  14. http://www.phpfreaks.com/forums/index.php/topic,145271.html I would suggest reading that.
  15. Yea, included files should not have the full-out HTML like the file it is being included into; that is where DW will screw you.

      <!--//the functionality for the drop-down was provided here: http://www.alistapart.com/articles/horizdropdowns -->
      <script type="text/javascript" src="../Scripts/mainmenu.js"></script>
      <style type="text/css">
      /*@import "../Styles/layout.css";*/
      @import "../Styles/menustyle.css";
      </style>
      <p><img src="../Images/vtmlogo.png" width="151" height="75" hspace="2" vspace="0" /></p>
      <ul id="nav">
        <li><a href="../../../org/userlogin/index.php">Home</a></li>
        <li><a href="../../../org/Clients/clientlist.php">Clients</a>
          <ul>
            <li><a href="../../../org/Clients/clientlist.php">Client List</a></li>
            <li><a href="../../../org/Contracts/contractsList_public.php">Contracts</a></li>
            <li><a href="#">Team</a></li>
            <li><a href="#">Offices</a></li>
          </ul>
        </li>
        <li><a href="../../../org/Employees/Employee_list_full.php">Employees</a>
          <ul>
            <li><a href="../../../org/Employees/Employee_list_full.php">Employee List</a></li>
            <li><a href="#">Org Chart</a></li>
          </ul>
        </li>
        <li><a href="#">Projects </a>
          <ul>
            <li><a href="../../../org/Projects/projects_allactive.php">All Projects</a></li>
            <li><a href="../../../org/Projects/projects_byClient.php">Projects by Client</a></li>
            <li><a href="#">project what</a></li>
          </ul>
        </li>
        <li><a href="../../../org/Timesheets/timesheet_redirect.php">Timesheets</a>
          <ul>
            <li><a href="../../../org/Timesheets/timesheet_main.php">New Timesheet </a></li>
            <li><a href="../../../org/Timesheets/timesheet_redirect.php">Review Timesheets </a></li>
            <li><a href="../../../org/Timesheets/timesheet_current.php">Current Timesheet</a></li>
          </ul>
        </li>
        <li><a href="../../../org/ExpenseReports/erMain_R.php">Expense Reports </a>
          <ul>
            <li><a href="../../../org/ExpenseReports/erMain_C.php">New Expense Report </a></li>
            <li><a href="../../../org/ExpenseReports/erMain_R.php">Review Expense Reports</a></li>
            <li><a href="../../../org/ExpenseReports/erDetails_C.php">Current Expense Report</a></li>
            <li><a href="../../../org/ExpenseReports/review_allexpenses.php">Review Expenses by Date</a></li>
          </ul>
        </li>
      </ul>
      <p></p>
      <ul>
        <li><a href="../../../org/forum/">Help and Support</a></li>
      </ul>

      Try that out and see where it gets you; you may need to move the style/javascript into the <head> tag or the header.inc.php include.
  16. It is more secure one way or the other. You could have a variable to check against, but 1 variable that is true/false is a lot easier to spoof than a userid/name and password (hashed of course) combination checked each time against the DB. The load on the DB will not be any more and will not affect efficiency. Definitely is worth it for security.
  17. The timestamp could be a constant he defines somewhere else. If it is not, it needs to be time() instead of timestamp.
  18. *chuckles at dw* Anyhow, the inc.php is not causing the problem; the way it is set up is fine and works, because the naming scheme lets you know what the file is. Leave that be. Instead, post the code for NewMenu.inc.php and maybe even view the source of the page and see if there are any errors being hidden.
  19. A few suggestions:

      <?php
      // assumes session_start() has already been called further up the page
      // check and make sure we do have post data and not throw a silly error giving information away.
      $username = isset($_POST['username']) ? trim($_POST['username']) : '';
      $password = isset($_POST['password']) ? trim($_POST['password']) : '';
      // add a check here to make sure that they did enter data into the form.
      if (empty($username) || empty($password)) {
          header("Location: login.php?error_id=4"); // either username or password was left blank
          exit; // stop here, otherwise the rest of the script still runs after the redirect
      }
      $username = mysql_real_escape_string($username); // escape username
      $password = md5($password); // no escape needed here as it is hashed into md5.
      $sql = "SELECT * FROM users WHERE username = '$username' COLLATE latin1_bin"; // do this in 1 shot, no need to make 2 trips to the db.
      $result = mysql_query($sql) or die(mysql_error());
      $num = mysql_num_rows($result);
      if ($num == 1) { // record found
          $row = mysql_fetch_assoc($result); // $result is a resource; fetch the row before comparing fields
          // verify the password vs md5. Since md5 is a hash it is case SenSitIve. username here will also be case SeNSiTiVe (to fix strtolower both)
          if ($row['password'] == $password && $row['username'] == $username) { // password correct, set session variables and proceed to user home
              $_SESSION['loggedin'] = "yes";
              $_SESSION['id'] = $username; // I would suggest doing the userid, to avoid giving out more information than is needed.
              session_write_close();
              //setcookie('Admin', md5($_POST['password'].$random));
              header("Location: index.php");
          } else { // incorrect password
              header("Location: login.php?error_id=2");
          }
      } else { // record not found
          header("Location: login.php?error_id=3");
      }
      //exit;
      ?>
  20. You include a file that does a login check. IE:

      func.gen.php // general functions file

      <?php
      function verify_user() {
          if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
              $username = mysql_real_escape_string($_SESSION['username']); // escape before it goes into the query
              $result = mysql_query("SELECT username, password FROM table_name WHERE username = '" . $username . "'");
              $u_data = $result ? mysql_fetch_array($result) : false; // false if the query failed or no row matched
              if ($u_data && $u_data['username'] == $_SESSION['username']) {
                  // both should be MD5 hashes
                  if ($_SESSION['password'] == $u_data['password']) {
                      return true;
                  }
              }
          }
          return false;
      }
      ?>

      index.php

      <?php
      session_start();
      require('inc/func.gen.php'); // must be placed in the inc directory to work.
      $valid_user = verify_user();
      if (!$valid_user) {
          // show the login form
      } else {
          // the user is valid, show them the site.
          echo 'Hola ' . $_SESSION['username'] . '!';
      }
      ?>

      That way you always know if a valid user is viewing the page or not. The code above is sort of half-assed and just used for demonstration.
  21. As far as I can see, SQL injection does not seem like an issue. If you want a real critique I suggest posting the login code, but yea. Other than that it seems fine.
  22. You need session_start() at the top of the index.php page if you are using session variables. $au needs to also be global in the display_login function.
  23. You may try and use www.php.net/mysql_info to do it. Another way is to use an existing class or create your own DB class for database functions, and inside there you can set a counter for every query run, etc. But I do not think MySQL stores that information; you may try www.php.net/mysql_stat too.
  24. The big thing is making sure you do not double escape. Here is a function created to check that:

      <?php
      // needs an open mysql_connect() link for mysql_real_escape_string()
      function real_escape($string) {
          // if magic_quotes already added slashes, strip them first so the value is escaped exactly once
          return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
      }
      ?>

      Usage

      <?php
      //initialize the session
      session_start();
      // put here for demo purposes. This script connects with mysqli, so the mysqli escape function
      // is used here and the connection is passed in (mysql_real_escape_string would have no link to use).
      function real_escape($mysqli, $string) {
          return get_magic_quotes_gpc() ? mysqli_real_escape_string($mysqli, stripslashes($string)) : mysqli_real_escape_string($mysqli, $string);
      }
      //connect to server and select database
      $mysqli = mysqli_connect("localhost", "root", "", "test");
      //trims and strips tags
      $checkuser = real_escape($mysqli, trim(strip_tags($_POST['username']))); // note here
      $checkpassword = real_escape($mysqli, trim(strip_tags($_POST['password']))); // note here
      //create and issue the query
      $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
      $result = mysqli_query($mysqli, $sql);
      //gets number of unsuccessful logins
      $sql1 = "SELECT failed_logins FROM employees WHERE username = '$checkuser' LIMIT 1";
      $result1 = mysqli_query($mysqli, $sql1);
      $resultarr = mysqli_fetch_assoc($result1);
      $attempts = $resultarr["failed_logins"];
      //disables user if failed logins >= 3
      if ($attempts >= 3) {
          //records unsuccessful logins
          $sql1 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
          mysqli_query($mysqli, $sql1);
          $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact the MIS department.</font>";
          header("Location: employee_resource.php");
          //close connection to MySQL
          mysqli_close($mysqli);
          exit();
      } else {
          //get the number of rows in the result set; should be 1 if a match
          if (mysqli_num_rows($result) == 1) {
              //if authorized, get the values of f_name l_name
              while ($info = mysqli_fetch_array($result)) {
                  $f_name = stripslashes($info['f_name']);
                  $l_name = stripslashes($info['l_name']);
              }
              //set authorization cookie
              setcookie("auth", "1", 0, "/", "dom.com", 0);
              $_SESSION['usersname'] = $f_name . " " . $l_name;
              //get last successful login
              $last_login = "SELECT DATE_FORMAT(last_login, '%b %e %Y at %r') AS last_login FROM employees WHERE username = '$checkuser' LIMIT 1";
              $result = mysqli_query($mysqli, $last_login);
              $result_login = mysqli_fetch_assoc($result);
              $_SESSION['login'] = $result_login["last_login"];
              //record last login
              $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";
              mysqli_query($mysqli, $sql2);
              //clears failed logins
              $sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
              mysqli_query($mysqli, $sql3);
              //sets session to authenticate
              $_SESSION['loggedin_e'] = "yes";
              //sets session to identify
              $_SESSION['identity'] = $checkuser;
              //close connection to MySQL
              mysqli_close($mysqli);
              //sets login timer
              $current_time = time(); // get the current time
              $_SESSION['loginTime'] = $current_time; // login time
              $_SESSION['lastActivity'] = $current_time; // last activity
              //directs authorized user
              header("Location: resource.php");
              exit();
          } else {
              //records unsuccessful logins
              $sql4 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
              mysqli_query($mysqli, $sql4);
              //stores a session error message
              $_SESSION['error'] = "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>";
              //close connection to MySQL
              mysqli_close($mysqli);
              //redirect back to login form if not authorized
              header("Location: employee_resource.php");
              exit;
          }
      }
      ?>

      Basically, with the code above it checks if the magic_quotes are on (which escapes post data); if they are, it strips the slashes from those and then escapes with the mysql_real_escape function; if they are not on, then it escapes it directly. Anyhow, hope that helps.
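The double-escape problem disappears when the query quoting is left to a mysqli prepared statement, so the input only needs magic_quotes undone once. As an added example that is not code from the thread, here is the same login lookup and failed_logins lockout rewritten that way; it assumes the thread's employees table (username, password, failed_logins, last_login), placeholder DB credentials, and, unlike the thread's plaintext comparison, a password column holding password_hash() output checked with password_verify().

```php
<?php
// Added example, not code from the thread. Schema follows the thread
// (employees: username, password, failed_logins, last_login); credentials
// are placeholders; the password column is assumed to hold password_hash() output.
function post_field($name)
{
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    // Undo magic_quotes only where that legacy setting is on (gone since PHP 5.4,
    // function removed in PHP 8); no escaping here, the prepared statement quotes.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}
// Fetch the stored hash and failure count; the username is a bound parameter.
function load_account(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT password, failed_logins FROM employees WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash, $failed);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? array('hash' => $hash, 'failed' => (int) $failed) : null;
}
// Counter arithmetic happens in SQL; the client only supplies the key.
function update_failed_logins(mysqli $db, $username, $failed)
{
    $stmt = $db->prepare($failed
        ? 'UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = ?'
        : 'UPDATE employees SET failed_logins = 0, last_login = NOW() WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->close();
}
// Returns 'ok', 'locked' or 'bad'; unknown user and wrong password look the same.
function attempt_login(mysqli $db, $username, $password)
{
    $acct = load_account($db, $username);
    if ($acct === null) { return 'bad'; }
    if ($acct['failed'] >= 3) { return 'locked'; } // lockout threshold from the thread
    if (!password_verify($password, $acct['hash'])) {
        update_failed_logins($db, $username, true);
        return 'bad';
    }
    update_failed_logins($db, $username, false);
    return 'ok';
}
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'test');
$outcome = attempt_login($db, post_field('username'), post_field('password'));
```

The caller then sets the session values and redirects on 'ok' exactly as the thread's script does; the point is that $checkuser never appears inside any SQL string.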