bruckerrlb

Everything posted by bruckerrlb

  1. I have a new app that I'm administering and noticed the guy who developed it let a little security hole get through. The website displays pages like example.com?company_id=$company_id, which displays the link like example.com?company_id=25 for example. Now, if we take out that company_id so the link looks like example.com?company_id= everyone's information is shown this way. What would be the fastest way to get this fixed? I've tried setting it up as

     if ($Company_Id != $_SESSION['UserID'] || is_null($Company_Id)) {
         header("Location: index.php");
     }

     Yet it still keeps getting through. Does anyone have any suggestions?
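An added example, not the poster's code, of how the company page can be gated so that a missing or altered company_id can never widen the query: the id the query uses comes from the session populated at login (assumed here to be $_SESSION['company_id'] and $_SESSION['user_id'], keys the post does not show), a request parameter is accepted only when it equals that id, and the redirect is followed by exit, the point the later session posts arrive at. It assumes a PDO connection in $pdo and the company table named in the later posts.

```php
<?php
// Added example (not the poster's code). Assumes login put the user's id in
// $_SESSION['user_id'] and their company in $_SESSION['company_id'] (hypothetical
// session keys), and a PDO connection in $pdo.
declare(strict_types=1);

session_start();

function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: index.php');
        exit; // without exit the rest of the page is still sent after the redirect header
    }
}

// Decide which company the current user may see. The request parameter is only
// a hint: it must be a digit string equal to the session's company. A missing,
// empty or different value yields null instead of falling through to all rows.
function resolve_company_id(array $session, array $query): ?int
{
    if (!isset($session['company_id'])) {
        return null;
    }
    $own = (int) $session['company_id'];
    if (!array_key_exists('company_id', $query)) {
        return $own;
    }
    $requested = $query['company_id'];
    if (!is_string($requested) || !ctype_digit($requested) || (int) $requested !== $own) {
        return null; // "company_id=" (empty) and another tenant's id both land here
    }
    return $own;
}

require_login();
$company_id = resolve_company_id($_SESSION, $_GET);
if ($company_id === null) {
    http_response_code(403);
    exit('Forbidden');
}

// The WHERE clause is built from the trusted id and bound as a parameter, so the
// query can only ever return the caller's own company.
$stmt = $pdo->prepare('SELECT company_id, company_name FROM company WHERE company_id = ?');
$stmt->execute([$company_id]);
$company = $stmt->fetch(PDO::FETCH_ASSOC);
```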
  2. Just in case anyone needs to know for the future, I was trying to get the key of an array and return the value; what worked was:

     if (array_key_exists($day_start, $complete_time)) {
         $this_val = $complete_time[$day_start];
         echo "val is $this_val";
     }
  3. I should also point out I've also tried

     if (in_array($day_start, $complete_time)) {
         echo "Found something";
     }

     yet nothing gets found..
  4. I'm trying to do an array search and return a variable. The variables I'm trying to test to see if they exist are:

     $day_start = $day."_start";
     $day_end = $day;
     $day_end .= "_end";

     The values of these arrays are:

     //These are results from a database, and the result is something like 2am or 4pm or something along those lines
     $mon_start = $row['mon_start'];
     $mon_end = $row['mon_end'];
     $tue_start = $row['tue_start'];
     $tue_end = $row['tue_end'];
     $wed_start = $row['wed_start'];
     $wed_end = $row['wed_end'];
     $thur_start = $row['thur_start'];
     $thur_end = $row['thur_end'];
     $fri_start = $row['fri_start'];
     $fri_end = $row['fri_end'];
     $sat_start = $row['sat_start'];
     $sat_end = $row['sat_end'];
     $sun_start = $row['sun_start'];
     $sun_end = $row['sun_end'];

     I have my array set up as follows:

     $complete_time = array("mon_start" => $mon_start, "mon_end" => $mon_end,
                            "tue_start" => $tue_start, "tue_end" => $tue_end,
                            "wed_start" => $wed_start, "wed_end" => $wed_end,
                            "thur_start" => $thur_start, "thur_end" => $thur_end,
                            "fri_start" => $fri_start, "fri_end" => $fri_end,
                            "sat_start" => $sat_start, "sat_end" => $sat_end,
                            "sun_start" => $sun_start, "sun_end" => $sun_end);

     Then I have a while statement trying to find the variable:

     while($r = array_search($complete_time, $day_start)) {
         echo "<td>Found something</td><td>$complete_time</td><td>$day_start</td><br />R is $r";
     }

     Nothing seems to be getting printed out; can anyone tell me what I'm doing wrong?
  5. I'm working on making a calendar. Basically the first part is set up where a user selects a service. There is a table in the DB for times which uses the service as an identifier. What I'm doing to make this calendar is I'm looping the days of the week, and I've got the loop down, but I'm not sure how I can put my dates in a variable and check to see when the variable is called if I need to put that in or not. My code should make a little more sense:

     <h3>Schedule a time and a day</h3>
     <p>Click on the time that you would like to set up your appointment</p>
     <table border="3"><tr>
     <?php
     session_start();
     $service_id = $_SESSION['service_id']; //have the service_id stored in a session
     /////////////select all time for service id call back time
     $spct = mssql_init('pctimecallback');
     mssql_bind($spct, "@service_id", $service_id, SQLVARCHAR);
     $result = mssql_execute($spct) or die('MSSQL error: ' . mssql_get_last_message());
     //variables to put into string
     $row = mssql_fetch_array($result);
     $mon = $row['mon'];
     $tue = $row['tue'];
     $wed = $row['wed'];
     $thurs = $row['thurs'];
     $fri = $row['fri'];
     $sat = $row['sat'];
     $sun = $row['sun'];
     $mon_start = $row['mon_start'];
     $mon_end = $row['mon_end'];
     $tue_start = $row['tue_start'];
     $tue_end = $row['tue_end'];
     $wed_start = $row['wed_start'];
     $wed_end = $row['wed_end'];
     $thur_start = $row['thur_start'];
     $thur_end = $row['thur_end'];
     $fri_start = $row['fri_start'];
     $fri_end = $row['fri_end'];
     $sat_start = $row['sat_start'];
     $sat_end = $row['sat_end'];
     $sun_start = $row['sun_start'];
     $sun_end = $row['sun_end'];
     ///////first for loop
     $days = 0;
     $maxdays = 6;
     while($days < $maxdays) {
         $day = date('M d', time() + $days * 86400);
     ?>
     <td id="<?php echo $day; ?>"><?php echo $day; ?></td>
     <?php
         $days++;
     }
     ?>
     </tr><tr>
     <?php
     //second for loop displaying the day
     $days0 = 0;
     $maxdays0 = 6;
     while($days0 < $maxdays0) {
         $theday = date('D', time() + $days0 * 86400);
         $theday = strtolower($theday);
     ?>
     <td><?php echo $theday; ?></td>
     <?php
         $days0++;
     }
     ?>
     </tr><tr>
     <?php
     //third for loop to do a test on variables
     $days1 = 0;
     $maxdays1 = 6;
     while($days1 < $maxdays1) {
         $theday1 = date('D', time() + $days1 * 86400);
         $theday1 = strtolower($theday1);
         $start_1 = $theday1;
         $start_2 = "_start";
         $a_start = $start_1.$start_2;
         $end_1 = $theday1;
         $end_2 = "_end";
         $a_end = $end_1.$end_2;
         //main variables for time here are $theday1, a_start, a_end, now find a way to pass over the service that was selected!!!!!!!!!
     ?>
     <td><?php echo $a_start; ?> and <?php echo $a_end; ?></td>
     <?php
         $days1++;
     }
     ?>
     </tr>
     </table>

     Can anyone show me how to put my variables, for example $mon, $mon_start, $mon_end, to check and see if it has data, and if it does, how to properly echo it in the for each statement? If that doesn't work, a better way of doing it?
  6. that's great, exactly what I was looking for, thanks!
  7. I'm trying to create a loop, starting from today, until let's say 30 days down the road. The code I have now looks like

     <?php
     $today = date("D M d");
     //$theday = date(
     for ($i=$today; $i<=30; $i++) {
         $date = $today++;
     ?>
     <option value="<?php echo $date; ?>"><?php echo $date;?></option>
     <?php
         echo $date;
     }
     ?>

     This just seems to be looping the number part (d) and not the M or the D. Can someone show me how to do this or point me in the right direction? Thanks
  8. I'm writing my first function here, and after reading and testing with easy things, I'm trying to do something not so hard, but am having a hard time finding results. I have my functions page with a function declared like the following:

     function test_user_input($username) {
         $stmt = mssql_init('pgetuserid');
         mssql_bind($stmt, "@loginuid", $username, SQLVARCHAR);
         $result = mssql_execute($stmt);
         //get the user id to store in session and or insert into new db
         $row = mssql_fetch_array($result);
         //get the loginid
         $loginid = $row['loginid'];
         $loginuid = $row['loginuid'];
         //echo "First result $loginid";
         return $loginid;
         return $loginuid;
         return $row;
         return $result;
     }

     Then I call the function as such:

     $username=$_POST['myusername'];
     test_user_input($username);

     The function initiates, binds and executes an MS SQL stored procedure, which isn't the problem; whenever I take out the function and place it directly in the page it works fine, but trying to declare it in a function, it's failing at the count part:

     $count = mssql_num_rows($result);
     //if user does exist:
     if($count==1) {

     Any ideas?
  9. That's exactly what I was looking for, thanks!
  10. Hey Guys, I've been checking the php manual for how to do this without success, so I thought I'd post here. I'm trying to put mysql data into an array, which would be the following:

     <?php
     $sql_license = "SELECT products.product_id as product_id, products.product_name as product_name,
                     license.license_numbers as l_number, license.company_id as l_company_id
                     FROM products LEFT JOIN license ON products.product_id = license.product_id
                     WHERE license.company_id = '$id'";
     $result1 = mysql_query($sql_license);
     while($thequery = mysql_fetch_array($result1)) {
         $prod = $thequery['product_id'];
         $b = array($prod);
         echo "<h1>$prod</h1>";
         // This spits out 3 numbers, which is exactly what I'm looking for, but when I put it into a foreach statement, I get Invalid argument supplied for foreach()
         //So, then I tried to use this variable
         $b = array($prod);
         //but it just puts out the text array three times
     ?>

     I'm trying to get this array into a foreach statement to no avail; I just can't figure out arrays here. How can I turn the data from $prod into an array? The overall foreach statement looks like this:

     <?php
     foreach($b as $key => $value) {
         ///Get All Products that don't have licenses
         $sql_license = "SELECT * FROM products";
         $result_license = mysql_query($sql_license);
         while($row_license = mysql_fetch_array($result_license)) {
             $prod_name = $row_license['product_name'];
             $prod_id = $row_license['product_id'];
     ?>
     <tr>
     <?php if($product_id != $prod_id) { ?>
     <td class="row1"><?php echo $prod_name; ?></td><td class="row1"><input type="text" name="product<?php echo $prod_id; ?>" /></td>
     </tr><?php } } } }
  11. I just posted my code, but it doesn't make sense without this part, so I just wanted to post it so you can see what I'm trying to do here:

     <?php
     /////////////bring back all licenses and their products
     $sql_license = "SELECT products.product_id as product_id, products.product_name as product_name,
                     license.license_numbers as l_number, license.company_id as l_company_id
                     FROM products LEFT JOIN license ON products.product_id = license.product_id
                     WHERE license.company_id = '$id'";
     $result_license = mysql_query($sql_license);
     while($row_license = mysql_fetch_array($result_license)) {
         $product_name = $row_license['product_name'];
         $product_id = $row_license['product_id'];
         $l_number = $row_license['l_number'];
     ?>
     <tr>
     <td class="row1"><?php echo $product_name; ?></td><td class="row1"><?php echo $l_number; ?> </td><td class="row1"> <a href="#">Delete</a></td>
     </tr>
     <?php } //////end getting back all products with licenses ?>
     <?php //turn the query into an array for the foreach statement ?>
     <?php
     $thequery = mysql_fetch_array($result_license);
     //get the array of product_id is this right?
     $product_id = $thequery['product_id'];
     ?>
     <?php
     foreach($thequery as $key => $value) {
         ///Get All Products that don't have licenses
         $sql_license = "SELECT * FROM products";
         $result_license = mysql_query($sql_license);
         while($row_license = mysql_fetch_array($result_license)) {
             $prod_name = $row_license['product_name'];
             $prod_id = $row_license['product_id'];
     ?>
     <tr>
     <?php
             //with this method, if the prod_id from the newest query and product_id from the first query are not the same, return those rows
             if($product_id != $prod_id) {
     ?>
     <td class="row1"><?php echo $prod_name; ?></td><td class="row1"><input type="text" name="product<?php echo $prod_id; ?>" /></td>
     </tr><?php } } } //end getting all products that don't have licenses ?>
  12. That's a great idea, and I'm thinking it might be the best way to go. Quick question for you on a kind of unrelated note: I have a foreach statement here

     <?php
     /////////////bring back all licenses and their products
     $sql_license = "SELECT products.product_id as product_id, products.product_name as product_name,
                     license.license_numbers as l_number, license.company_id as l_company_id
                     FROM products LEFT JOIN license ON products.product_id = license.product_id
                     WHERE license.company_id = '$id'";
     $result_license = mysql_query($sql_license);
     while($row_license = mysql_fetch_array($result_license)) {
         $product_name = $row_license['product_name'];
         $product_id = $row_license['product_id'];
         $l_number = $row_license['l_number'];
     ?>
     <tr>
     <td class="row1"><?php echo $product_name; ?></td><td class="row1"><?php echo $l_number; ?> </td><td class="row1"> <a href="#">Delete</a></td>
     </tr>
     <?php } //////end getting back all products with licenses ?>
     <?php
     foreach($result_license as $key => $value) {
         ///Get All Products that don't have licenses
         $sql_license = "SELECT * FROM products";
         $result_license = mysql_query($sql_license);
         while($row_license = mysql_fetch_array($result_license)) {
             $prod_name = $row_license['product_name'];
             $prod_id = $row_license['product_id'];
     ?>
     <tr>
     <td class="row1"><?php echo $prod_name; ?></td><td class="row1"><input type="text" name="product<?php echo $prod_id; ?>" /></td>
     </tr><?php } } //end getting all products that don't have licenses ?>

     I'm trying to bring back the first query as an array and put it in this foreach statement so that I can get all of the values for $product_id, but I keep getting an error that says: Invalid argument supplied for foreach() in /Applications/MAMP/htdocs/websites/lmanager/admin/modify_accounts.php on line 103. How can I replace the variable $result_license so that it's a variable? At first I thought it would be row_license, but that didn't work either. I know it's an array because I'm calling mysql_fetch_array, but it's not working. Any ideas? Thanks again for all the help!
  13. I appreciate that, and would say you're right, my db logic is probably a little screwed up here!! I was studying the db logic you drew out here and it looks really good, like a really good start. The only thing I saw here was the

     products
     -----------
     product_id
     product_name
     [b]company_id[/b]

     companies
     -----------
     company_id
     company_name

     licenses
     ------------
     license_id
     license_name
     license_sum
     product_id
     company_id

     In the products table, that wouldn't work because companies can have many products, and companies can also have the same product, so things would get a little hairy in the db. I appreciate the re-design though and agree with you that it needs to be fixed up. I'm wondering if this would even be possible to do with my current database layout, because while I'm not opposed to changing the db design completely, it would cause me to have to start from scratch, and if I could figure out a way to do it from how the db is now, that would be awesome. If it's not possible, then it's just not possible though.
  14. Well, I had this crazy left join written out, but then I realized it wouldn't help me bring out all the tables of products whether they had licenses or not; not sure if that's something I need to do in mysql or php though. My left join which joins licenses and products looks like this:

     SELECT products.product_id AS product_id, products.product_name AS product_name,
            license.license_id AS license_id, license.company_id AS l_company_id,
            license.product_id AS l_product_id, license.license_notes AS license_notes
     FROM products
     LEFT JOIN license ON products.product_id = license.product_id
     WHERE license.company_id = 1
     LIMIT 0, 30

     So, I need to bring back all products on this company edit page, and a field for number of licenses which gets inserted into the license table. If the product doesn't have any licenses, that's fine, it can be blank, but it still needs to show up in case the user wants to add one. I appreciate the left join suggestion, but I think it's a little out of range for this solution, but thanks though! Any other ideas?
  15. Hey Guys, I'm working on calling data back from my database. I am basically dealing with three tables here: companies, products and licenses. I'm trying to get all products to show up in one cell of the overall company information, and if they have a license, I'd like to get it to show up in the corresponding cell of the products. I've set my database up so that this will work; basically it looks like this:

     Products
       product_id
       product_name

     company
       company_id
       company_name

     license
       license_id
       license_name
       product_id
       company_id
       license_numbers (really amount of licenses a company owns)

     So, with that knowledge, I have my form set up like this:

     <form action="<?php echo $PHP_SELF;?>" method="post" name="modcompany">
     <input type=hidden name="id" value="<?php echo $company_id ?>">
     <table class="floattable">
     <tr> <td class="row2">Company ID</td><td class="row2"><?php echo $company_id; ?></td> </tr>
     <tr> <td class="row1">Company Name</td><td class="row1"><input type="text" name="company_name" value="<?php echo $company_name; ?>" /></td> </tr>
     <tr> <td class="row1">Address</td><td class="row1"><input type="text" name="address" value="<?php echo $address; ?>" /></td> </tr>
     <tr> <td class="row1">City</td><td class="row1"><input type="text" name="city" value="<?php echo $city; ?>" /></td> </tr>
     <tr> <td class="row1">State</td><td class="row1"><input type="text" name="state" value="<?php echo $state; ?>" /></td> </tr>
     <tr> <td class="row1">Zip</td><td class="row1"><input type="text" name="zip" value="<?php echo $zip; ?>" /></td> </tr>
     <tr> <td class="row1">Country</td><td class="row1"><input type="text" name="country" value="<?php echo $country; ?>" /></td> </tr>
     <tr> <td class="row1">Phone</td><td class="row1"><input type="text" name="phone" value="<?php echo $phone; ?>" /></td> </tr>
     <tr> <td class="row1">Contact</td><td class="row1"><input type="text" name="contact" value="<?php echo $contact; ?>" /></td> </tr>
     <tr> <td class="row1">Status</td><td class="row1"><input type="text" name="status" value="<?php echo $status; ?>" /></td> </tr>
     <tr> <td class="row1">Kayako Link</td><td class="row1"><input type="text" name="kayako_link" value="<?php echo $kayako_link; ?>" /></td> </tr>
     <tr> <td class="row1">Vtiger Link</td><td class="row1"><input type="text" name="vtiger_link" value="<?php echo $vtiger_link; ?>" /></td> </tr>
     <tr> <td class="row1">Internal Link</td><td class="row1"><input type="text" name="internal_link" value="<?php echo $internal_link; ?>" /></td> </tr>
     <tr> <td class="row1">Notes</td><td class="row1"><textarea name="notes" rows="5" cols="5"><?php echo $notes; ?></textarea></td> </tr>
     <?php
     //this gets all of my products to show up, which is great for adding but need to figure something out for editing
     $sql_license = "SELECT * FROM products";
     $result_license = mysql_query($sql_license);
     while($row_license = mysql_fetch_array($result_license)) {
         $product_name = $row_license['product_name'];
         $product_id = $row_license['product_id'];
     ?>
     <tr>
     <td class="row1"><?php echo $product_name; ?></td><td class="row1"><input type="text" name="product<?php echo $product_id; ?>" /></td>
     </tr><?php } ?>
     </table>

     And, thanks to another user, I have found a way to add the values to my db:

     if (isset($_POST['modcompany'])) {
         $company_name = $_POST["company_name"];
         $address = $_POST['address'];
         $city = $_POST['city'];
         $state = $_POST['state'];
         $zip = $_POST['zip'];
         $country = $_POST['country'];
         $phone = $_POST['phone'];
         $contact = $_POST['contact'];
         $status = $_POST['status'];
         $kayako_link = $_POST['kayako_link'];
         $vtiger_link = $_POST['vtiger_link'];
         $internal_link = $_POST['internal_link'];
         $notes = $_POST['notes'];
         $sql = "UPDATE company SET company_name='$company_name', address='$address', city='$city', state='$state', zip='$zip', country='$country', phone='$phone', contact='$contact', status='$status', kayako_link='$kayako_link', vtiger_link='$vtiger_link', internal_link='$internal_link', notes='$notes' WHERE company_id = $id";
         $result = mysql_query($sql);
         echo "Thank you! Information updated.";
         $id = mysql_insert_id();
         foreach($_POST as $key => $value) {
             // looping through each post variable. $key is the textbox name
             // check if the variable name starts with 'product' which indicates it's a product$id variable
             if(strpos($key, 'product') === 0) {
                 // found one, need to parse the ID off the end
                 $prod_id = substr($key, 7); // 7 because 'product' is 7 chars long
                 echo "<br />Product id = $prod_id";
                 echo "<br />Text Box = $value <hr />";
                 if($value != '') {
                     $query = "INSERT INTO license (company_id, product_id, license_numbers) VALUES ('$id', '$prod_id', '$value')" or die('mysql_error');
                     mysql_query($query) or die('error');
                     /* at this point you now have the product id in $id and the value of the textbox in $value so you can now add to database or do anything else you want */
                 }
             }
         }
     }

     So, right now with this code, I'm able to have my companies show up and all of my products show up, which then get inserted into the license table, but I'm not sure how I could set this up to edit it, which means: have all products show up, and if they have an amount of licenses, that shows up as well, but all the products show up so that users can add licenses to that. I tried doing a table join, but realized it didn't make sense as it wouldn't help me to get all of the products out:

     SELECT products.product_id as product_id, products.product_name as product_name,
            license.license_id as license_id, license.company_id as l_company_id,
            license.product_id as l_product_id, license.license_notes as license_notes
     FROM products
     LEFT JOIN license ON products.product_id = license.product_id

     Any ideas?
  16. If I'm doing it wrong and should do something another way, I'm all ears
  17. I'm trying to create a line style form. I have a company, and they should be able to add how many product licenses they have, but I am getting stuck and not even sure if this is possible. Basically I have a form to edit company information, and within this form I'd like for the user to be able to write in how many licenses a company has for each specific product. To achieve this I have the following:

     <form action="<?php echo $PHP_SELF;?>" method="post" name="modcompany">
     <input type=hidden name="id" value="<?php echo $company_id ?>">
     <table class="floattable">
     <tr> <td class="row2">Company ID</td><td class="row2"><?php echo $company_id; ?></td> </tr>
     <tr> <td class="row1">Company Name</td><td class="row1"><input type="text" name="company_name" value="<?php echo $company_name; ?>" /></td> </tr>
     <tr> <td class="row1">Address</td><td class="row1"><input type="text" name="address" value="<?php echo $address; ?>" /></td> </tr>
     <tr> <td class="row1">City</td><td class="row1"><input type="text" name="city" value="<?php echo $city; ?>" /></td> </tr>
     <tr> <td class="row1">State</td><td class="row1"><input type="text" name="state" value="<?php echo $state; ?>" /></td> </tr>
     <tr> <td class="row1">Zip</td><td class="row1"><input type="text" name="zip" value="<?php echo $zip; ?>" /></td> </tr>
     <tr> <td class="row1">Country</td><td class="row1"><input type="text" name="country" value="<?php echo $country; ?>" /></td> </tr>
     <tr> <td class="row1">Phone</td><td class="row1"><input type="text" name="phone" value="<?php echo $phone; ?>" /></td> </tr>
     <tr> <td class="row1">Contact</td><td class="row1"><input type="text" name="contact" value="<?php echo $contact; ?>" /></td> </tr>
     <tr> <td class="row1">Status</td><td class="row1"><input type="text" name="status" value="<?php echo $status; ?>" /></td> </tr>
     <tr> <td class="row1">Kayako Link</td><td class="row1"><input type="text" name="kayako_link" value="<?php echo $kayako_link; ?>" /></td> </tr>
     <tr> <td class="row1">Vtiger Link</td><td class="row1"><input type="text" name="vtiger_link" value="<?php echo $vtiger_link; ?>" /></td> </tr>
     <tr> <td class="row1">Internal Link</td><td class="row1"><input type="text" name="internal_link" value="<?php echo $internal_link; ?>" /></td> </tr>
     <tr> <td class="row1">Notes</td><td class="row1"><textarea name="notes" rows="5" cols="5"><?php echo $notes; ?></textarea></td> </tr>
     <?php
     $sql_license = "SELECT * FROM products";
     $result_license = mysql_query($sql_license);
     while($row_license = mysql_fetch_array($result_license)) {
         $product_name = $row_license['product_name'];
         $product_id = $row_license['product_id'];
     ?>
     <tr>
     <td class="row1"><?php echo $product_name; ?></td><td class="row1"><input type="text" name="product<?php echo $product_id; ?>" /></td>
     </tr><?php } ?>
     </table>

     The part that is messing with me is the end: how would I be able to recall the name parameter to insert it into the database? It's the last part that's confusing me:

     <td class="row1"><?php echo $product_name; ?></td><td class="row1"><input type="text" name="product<?php echo $product_id; ?>" /></td>

     There are going to be various products, but how would I be able to identify each one? I'm identifying the other posts like this:

     if (isset($_POST['modcompany'])) {
         $company_name = $_POST["company_name"];
         $address = $_POST['address'];
         $city = $_POST['city'];
         $state = $_POST['state'];
         $zip = $_POST['zip'];
         $country = $_POST['country'];
         $phone = $_POST['phone'];
         $contact = $_POST['contact'];
         $status = $_POST['status'];
         $kayako_link = $_POST['kayako_link'];
         $vtiger_link = $_POST['vtiger_link'];
         $internal_link = $_POST['internal_link'];
         $notes = $_POST['notes'];

     But I just don't see how I can call the product$productid part.. any ideas? Thanks
  18. And a quick correction in my post, it wasn't the exit() it was the exit; statement
  19. hey thanks for that info, that's what the problem was, I needed an exit() statement and I was able to take out the $_SESSION['sessid'] == ' ' part with the exit right after the header statement! I appreciate the help!
  20. Hey Guys, I had tried with the space there and not there on the header. Finally I changed up the code a little; it works a little better:

     if ($_SESSION['sessid'] != session_id() || $_SESSION['sessid'] == ' ') {
         header("Location:index.php");
     }

     I'm sure that's not the best way, but it seems to be working now, weird.
  21. Thanks for the reply! I error logged, not too familiar with doing this, but in my error log, I got the string I passed, nothing else. How would I be able to error_log my session array? Thanks!
  22. Hey everyone, I'm trying to do a little security here. I have a login script that stores three sessions: session id, the username and the permission level of the user. The last two are database sessions, and I can get them to print out fine on the page, but what is killing me is when I do this:

     if ($_SESSION['sessid'] != session_id()) {
         header("Location:index.php");
     }

     Nothing seems to happen. What I mean is I logout, kill the session, try to hit a page that has this code in it, and it still lets me in. I don't understand why; there is no output getting sent before this, just start_session(); I've even done tests to see if $_SESSION['sessid'] and session_id() are the same, and they both show up different, but it lets me in. Does anyone know why this could be happening?
  23. Hey, thanks for the recommendation. For me, what worked was throwing in a foreach that I found in the php.net manual:

     //This stops SQL Injection in POST vars
     foreach ($_POST as $key => $value) {
         $_POST[$key] = mysql_real_escape_string($value);
     }
     //This stops SQL Injection in GET vars
     foreach ($_GET as $key => $value) {
         $_GET[$key] = mysql_real_escape_string($value);
     }
  24. I'm having a bizarre issue, and not sure what's going on. I have a form, I fill out the form, and the data gets saved, but whenever I put an apostrophe in my form (i.e. this is what's going on) (notice the "what's") I get an error back saying that I have an error in my mysql syntax at line whatever. I've tried this with two types, the first a varchar and the second a longtext, and every time, if I have an apostrophe in there, I get the error. Does anyone know what might cause this?
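An added example, not the poster's or the other user's code, covering the company edit handler in post 15 together with the escaping loop and the apostrophe error in posts 23 and 24: the UPDATE and the license INSERT take every value as a bound parameter, so a quote in a field is stored as data instead of breaking the statement (and no blanket escaping of $_POST is needed), and the product<N> field names are validated before the number is used. It assumes a PDO connection to MySQL in $pdo, the company and license tables described in post 15, and, as an assumption, a unique key on license(company_id, product_id).

```php
<?php
// Added example (not the poster's code). Assumes a PDO connection in $pdo, the
// company and license tables from the post, and (assumption) a unique key on
// license(company_id, product_id) so re-submitting the form updates the count.
declare(strict_types=1);

const COMPANY_FIELDS = ['company_name', 'address', 'city', 'state', 'zip', 'country',
    'phone', 'contact', 'status', 'kayako_link', 'vtiger_link', 'internal_link', 'notes'];

// Column names come from the fixed list above, never from the request; every
// value is a placeholder, so "what's going on" is stored with its apostrophe.
function update_company(PDO $pdo, int $company_id, array $post): void
{
    $set = implode(', ', array_map(fn(string $f): string => "$f = ?", COMPANY_FIELDS));
    $values = [];
    foreach (COMPANY_FIELDS as $f) {
        $values[] = isset($post[$f]) && is_string($post[$f]) ? $post[$f] : '';
    }
    $values[] = $company_id;
    $stmt = $pdo->prepare("UPDATE company SET $set WHERE company_id = ?");
    $stmt->execute($values);
}

// The form names its license boxes product<N>. Only keys whose suffix is all
// digits and whose value is a non-negative integer are kept; anything else
// (a blank box, "product" alone, a non-numeric count) is ignored.
function extract_license_counts(array $post): array
{
    $counts = [];
    foreach ($post as $key => $value) {
        if (!is_string($key) || strpos($key, 'product') !== 0) {
            continue;
        }
        $id = substr($key, 7); // 7 because 'product' is 7 chars long
        if ($id === '' || !ctype_digit($id) || !is_string($value) || !ctype_digit($value)) {
            continue;
        }
        $counts[(int) $id] = (int) $value;
    }
    return $counts;
}

function save_license_counts(PDO $pdo, int $company_id, array $counts): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO license (company_id, product_id, license_numbers) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE license_numbers = VALUES(license_numbers)'
    );
    foreach ($counts as $product_id => $n) {
        $stmt->execute([$company_id, $product_id, $n]);
    }
}

// Handler: the company being edited is the validated hidden id, not
// mysql_insert_id(), which returns nothing useful after an UPDATE. The id is
// still client-supplied, so the caller must first confirm the logged-in user
// is allowed to edit this company (that check is not shown here).
if (isset($_POST['id']) && is_string($_POST['id']) && ctype_digit($_POST['id'])) {
    $id = (int) $_POST['id'];
    $pdo->beginTransaction();
    update_company($pdo, $id, $_POST);
    save_license_counts($pdo, $id, extract_license_counts($_POST));
    $pdo->commit();
    echo 'Thank you! Information updated.';
}
```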