unidox

Everything posted by unidox

  1. unidox

    Security

    Before, I was using cookies, and it used to be an integer, but they said sessions are better, so I added sessions.
  2. unidox

    Security

    I fixed the error, but now it just keeps redirecting to the login page. Here is part of the func:

        $islogged = preg_match("/index.php?page=login/", $_SERVER['PHP_SELF']);
        if ($islogged == "0") {
            if ($_SESSION['uniqueid'] == "") {
                header ("Location: index.php?page=login");
                exit;
            }
        }
        if ((!$_REQUEST['method']) || (!$_SESSION['uniqueid'])) {
            $access = $_SESSION['access'];
            if (array_search($page,$levels)) {
                if ($access <= $levels[$page]) {
                    echo $access . $levels[$page];
                    showError('You do not have access to this page.');
                    exit;
                }
            }
        }
  3. unidox

    Security

    Well, I tried this, but now I get an error:

        Parse error: syntax error, unexpected '}' in /home/clansuni/public_html/adm_files/login.php on line 26

    Here is the updated code:

        <?php
        session_start();
        $page = "login";
        require_once ("inc/db.inc.php");
        require_once ("files/login.php");
        if ($_REQUEST['m']) {
            if ($_REQUEST['m'] == "1") {
                $loginpass = $_POST['login_pass'];
                $password = md5($loginpass);
                $loginname = $_POST['login_name'];
                $checkrows = mysql_query ("SELECT * FROM cp_users WHERE username='$loginname' && password='$password'") or die (mysql_error());
                $rowcount = mysql_num_rows ($checkrows);
                if ($rowcount == "0") {
                    showError("User/Login Error");
                }
                if ($rowcount != "0") {
                    header ("Location: index.php?page=admin");
                    $time = date("h:i:a");
                    $date = date("m/d/Y");
                    $last_logged = $time . "\n(" . $date . ")";
                    $ip = getenv ("REMOTE_ADDR");
                    MYSQL_QUERY("UPDATE cp_users SET last_logged='$last_logged', cur_ip='$ip' WHERE username='$loginname'") or die (mysql_error());
                    while ($mysql=mysql_fetch_array($checkrows)) {
                        $_SESSION['access'] = $mysql[access]
                    }
                    $_SESSION['uniqueid'] = $loginname
                    $_SESSION['password'] = $password
                    exit;
                }
            } elseif ($_REQUEST['m'] == "2") {
                header ("Location: index.php?page=login");
                session_destroy();
                exit;
            }
        } else {
            if ($_COOKIE['uniqueid'] == "") {
                $checkfields = "login_name&login_pass";
                $errors = "Enter a username&Enter a password!";
                $titles = "Username:&Password:";
                $fields = "login_name&login_pass";
                $type = "text&password";
                $size = "30&30";
                $maxlength = "25&25";
                createJSValid($checkfields,$errors);
                createForm($titles,$fields,$type,$size,$maxlength,'1','','','','1');
            } else {
                showError("You are already logged in, <a href=\"" . $_SERVER['PHP_SELF'] . "?page=login&m=2\">logout?</a><br /><br /><a href='index.php?page=admin'>Admin Home</a>");
            }
        }
        ?>
  4. unidox

    Security

    How would I do that?
  5. I have a CMS, and I just found out that it's not secure. I was just wondering how I can make it more secure. Right now, it sets cookies of the access level and the user level, when someone logs in. And in each page, to restrict access levels, it checks the cookie access to determine its access level. Thanks in advance! So here are my files:

    Code to check the user level on each page:

        <?php if ($_COOKIE['uniqueid']) { ?>
        <?php
        $a = $_COOKIE['access'];
        global $levels;
        if ($a <= $levels[pages]) {
            PAGE CONTENT
        }
        <?php
        if ($a > $levels[pages]) {
            if (!$_REQUEST['m']) {
                require_once("inc/db.inc.php");
                require_once ("inc/func2.inc.php");
                getHeader();
                echo "Sorry, you dont have access to this page!";
            }
        }

    login.php:

        <?php
        $page = "login";
        require_once ("inc/db.inc.php");
        require_once ("files/login.php");
        if ($_REQUEST['m']) {
            if ($_REQUEST['m'] == "1") {
                $loginpass = $_POST['login_pass'];
                $password = md5($loginpass);
                $loginname = $_POST['login_name'];
                $checkrows = mysql_query ("SELECT * FROM cp_users WHERE username='$loginname' && password='$password'") or die (mysql_error());
                $rowcount = mysql_num_rows ($checkrows);
                if ($rowcount == "0") {
                    showError("User/Login Error");
                }
                if ($rowcount != "0") {
                    header ("Location: index.php?page=admin");
                    $time = date("h:i:a");
                    $date = date("m/d/Y");
                    $last_logged = $time . "\n(" . $date . ")";
                    $ip = getenv ("REMOTE_ADDR");
                    MYSQL_QUERY("UPDATE cp_users SET last_logged='$last_logged', cur_ip='$ip' WHERE username='$loginname'") or die (mysql_error());
                    while ($mysql=mysql_fetch_array($checkrows)) {
                        setcookie("access", $mysql[access],time()+60*60*24*30);
                    }
                    setcookie ("uniqueid",$loginname,time()+60*60*24*30);
                    exit;
                }
            } elseif ($_REQUEST['m'] == "2") {
                header ("Location: index.php?page=login");
                setcookie ("uniqueid");
                setcookie ("access");
                exit;
            }
        } else {
            if ($_COOKIE['uniqueid'] == "") {
                $checkfields = "login_name&login_pass";
                $errors = "Enter a username&Enter a password!";
                $titles = "Username:&Password:";
                $fields = "login_name&login_pass";
                $type = "text&password";
                $size = "30&30";
                $maxlength = "25&25";
                createJSValid($checkfields,$errors);
                createForm($titles,$fields,$type,$size,$maxlength,'1','','','','1');
            } else {
                showError("You are already logged in, <a href=\"" . $_SERVER['PHP_SELF'] . "?page=login&m=2\">logout?</a><br /><br /><a href='index.php?page=admin'>Admin Home</a>");
            }
        }
        ?>
  6. That's what others have been saying, personally... I don't know how to change it.
  7. Yeah, but I use cookies to record the access levels... 1, 2, 3, so how would I make it safer? People can just change the 3 to a 1 and get admin access.
  8. Works! How do I fix the access so it is safer, so people can't just change their cookie to gain access?
  9.
        <?php
        require_once("inc/db.inc.php");
        require_once ("files/levels.php");
        if ($_COOKIE['uniqueid']) {
        ?>
        <?php
        $a = $_COOKIE['access'];
        global $levels;
        if ($a <= $levels[levels]) {
            $input = $_POST['dropdown'];
            if ($_POST['submit']) { // Check to see if something has been 'posted' from the form by checking to see if the submit button was sent
                echo $_REQUEST['dropdown']; // Display the VALUE of the 'dropdown' select item.
                MYSQL_QUERY("UPDATE `cp_levels` SET `level_id` = 1, `news` = '$input' WHERE 'level_id' = 1") or die (mysql_error());
            }
            echo "<form name='form1' action='#' method='POST'>";
            echo "<SELECT NAME='dropdown'>";
            echo "<OPTION VALUE='1'>Admin</option>";
            echo "<OPTION VALUE='2'>Staff</option>";
            echo "<OPTION VALUE='3'>Member</option>";
            echo "</SELECT>";
            echo "<br><br><input type='submit' name='submit'>";
            echo "</form>";
        }
        ?>
        <?php } ?>
        <?php
        if ($a > $levels[levels]) {
            if (!$_REQUEST['m']) {
                getHeader();
                echo "Sorry, you dont have access to this page!";
            }
        }
        ?>
  10. andy, I tried that, but nothing in the db updated. Edit - I just want a form of dropdowns, so when someone selects a dropdown like Pizza, I want the value of the pizza, like 1, to be updated into the db.
  11. I tried changing the input var. But still doesn't work... $input = $_REQUEST['dropdown'];
  12. I want it the value of the dropdown
  13. Hmm, I did that, but then nothing in the db updates :-\ My db is this:

        `level_id` int(11) NOT NULL auto_increment,
        `title` varchar(20) NOT NULL default '',
        `login` int(2) NOT NULL default '0',
        `home` int(2) NOT NULL default '0',
        `news` int(2) NOT NULL default '0',
        `roster` int(2) NOT NULL default '0',
        `links` int(2) NOT NULL default '0',
        `leagues` int(2) NOT NULL default '0',
        `matches` int(2) NOT NULL default '0',
        `servers` int(2) NOT NULL default '0',
        `sponsors` int(2) NOT NULL default '0',
        `downloads` int(2) NOT NULL default '0',
        `media` int(2) NOT NULL default '0',
        `demos` int(2) NOT NULL default '0',
        `settings` int(2) NOT NULL default '0',
        `pass` int(2) NOT NULL default '0',
        `users` int(2) NOT NULL default '0',
        `poll` int(2) NOT NULL default '0',
        `layout` int(2) NOT NULL default '0',
        `levels` int(2) NOT NULL default '0',
        `pages` int(2) NOT NULL default '0',
  14. I keep getting this error:

        1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Query WHERE 'level_id' = 1' at line 1

    I don't know what's wrong. Here is my code:

        <?php
        require_once("inc/db.inc.php");
        require_once ("files/levels.php");
        if ($_COOKIE['uniqueid']) {
        ?>
        <?php
        $a = $_COOKIE['access'];
        global $levels;
        if ($a <= $levels[levels]) {
            $input = $_POST['submit'];
            if ($_POST['submit']) { // Check to see if something has been 'posted' from the form by checking to see if the submit button was sent
                echo $_REQUEST['dropdown']; // Display the VALUE of the 'dropdown' select item.
                MYSQL_QUERY("UPDATE `cp_levels` SET `level_id` = 1, `news` = $input WHERE 'level_id' = 1") or die (mysql_error());
            }
            echo "<form name='form1' action='#' method='POST'>";
            echo "<SELECT NAME='dropdown'>";
            echo "<OPTION VALUE='1'>Admin</option>";
            echo "<OPTION VALUE='2'>Staff</option>";
            echo "<OPTION VALUE='3'>Member</option>";
            echo "</SELECT>";
            echo "<br><br><input type='submit' name='submit'>";
            echo "</form>";
        }
        ?>
        <?php } ?>
        <?php
        if ($a > $levels[levels]) {
            if (!$_REQUEST['m']) {
                getHeader();
                echo "Sorry, you dont have access to this page!";
            }
        }
        ?>
  15. unidox

    Form

    Can someone help me make a php form? I need the form just dropdowns, and have it update a db. Thanks
  16. unidox

    Error!

    Ok, is there any other way to do it, I just want to update the DB. I am trying to have drop downs, and they choose admin,member,staff, whatever to certain pages, and it logs in the db as numbers. Can someone help?
  17. unidox

    Error!

    So how do I fix it?
  18. unidox

    Error!

    UPDATE cp_levels SET level_id='3' WHERE 'level_id'=''
  19. unidox

    Error!

    I did, the error stopped, but now it didn't update anything.
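
The cookie problem raised in the posts above (a visitor changing the `access` cookie from 3 to 1) goes away when the level is read from the database at login and kept in the server-side session, so the per-page check never reads anything the browser can edit. The following is an added example, not the poster's code: it assumes PHP with the pdo_sqlite extension, uses a constructed in-memory `cp_users` table and sample user, swaps `md5()` for `password_hash()`/`password_verify()`, and the helper names `login` and `canView` are hypothetical.

```php
<?php
// Added example (not the poster's code). Table contents and helper names are assumptions.
session_start();

// Constructed in-memory stand-in for cp_users (access: 1 = admin, 2 = staff, 3 = member).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cp_users (username TEXT PRIMARY KEY, password TEXT, access INTEGER)');
$db->prepare('INSERT INTO cp_users VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('constructed-pass', PASSWORD_DEFAULT), 3]);

// Page name => weakest level allowed, mirroring the $levels array used in the posts.
$levels = ['news' => 3, 'levels' => 1];

function login(PDO $db, string $name, string $pass): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password, access FROM cp_users WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);                // new session id once the user is authenticated
    $_SESSION['uniqueid'] = $name;              // kept on the server; the browser only holds the id
    $_SESSION['access'] = (int) $row['access']; // level comes from the database row
    return true;
}

function canView(string $page, array $levels): bool
{
    // The decision uses session data only; $_COOKIE['access'] is never consulted.
    if (!isset($_SESSION['uniqueid'], $_SESSION['access'], $levels[$page])) {
        return false;                           // not logged in or unknown page: deny
    }
    return $_SESSION['access'] <= $levels[$page];
}

$rejected = login($db, 'alice', 'wrong');
$accepted = login($db, 'alice', 'constructed-pass');
$_COOKIE['access'] = '1';                       // simulate a client-edited cookie
// Output is printed last so nothing is sent before the session calls above.
var_dump($rejected, $accepted, canView('news', $levels), canView('levels', $levels));
```

With a MySQL backend the same code applies after changing the PDO connection string; the `mysql_*` functions used in the posts were removed in PHP 7.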