Defibber

Members
  • Posts

    24

Contact Methods

  • Website URL
    http://www.off-duty.net

  1. OK, thanks for all of your help. You have given me some good ideas to work with. I don't think it will be too big of a problem to get the boss to get the SSL but I just want to make it as secure as possible. In the past we had used a canned CMS with security and we were still getting hacked more and more regularly, so I decided to do it on my own. I figured if I can barely get it to run then it shouldn't take much to lock someone out or at least lock it up. lol. Thanks again for the help.
  2. That's not quite what I was looking for... sorry if I lost you. This is an example of what I have employed now:

      <a href="staff_detail.php?staffID=<?php echo $row_rsStaff['staffID']; ?>"><?php echo $row_rsStaff['f_name'] . ' ' . $row_rsStaff['l_name']; ?></a>

      but I want to create a link that would set a SESSION such as SESSION[selected_staff] to whoever I selected and then the detail page would use SESSION[selected_staff] for the MySQL WHERE statement. I hope this clears it up.
  3. I've got the login already set up. I guess to better explain (I guess I should have done this earlier), here is a link to an existing public page: http://www.kearneyfire.org/personnel.php. The plan is to create a "details page" for the personnel (such as picture, send message, duties and such). I have started the replacement site/page to use a link like details.php?staffID=1, but I am trying to get ideas for the more sensitive information such as after-hours contacts and such. I have a basic knowledge of sessions, PHP and MySQL. I know how to have the detail page pull from MySQL with WHERE contID = $_SESSION[contID] (or set the variable and pass it along), but I just can't figure out how clicking on a link can set the session[contID] to the selected contact (or staff). Hope that makes sense.
  4. How would I accomplish that? I know how to set variables and such, but I can't figure out how to have the list page create the links that will set the session information and take you to the next page like $_GET would.
  5. OK, that is kind of what I was thinking. I had seen where someone had suggested MD5() the ID and use that in the URL.
  6. I am building a dynamic site for my fire department. I have been searching here and elsewhere for ideas and answers. In the public area the visitor can view a grouped list of personnel. They click on the link and it passes the "staffID" via $_GET[] to a detail page. I have seen where people have suggested that that isn't safe because people can obviously modify the URL and "go fishing". Currently there is nothing to hide in that section, but what are the general thoughts? The reason I ask is that in a private section I plan on setting up a database of contact information for staff and other important contact numbers (such as non-published numbers). I am going to talk the chief into purchasing an SSL certificate and all, but will that "hide" the information in the browser from unauthorized people? I will password protect the viewing pages but I don't want a hacker to get the contact ID and find a way to pull the information by some other way. Do I have valid concerns, or am I paranoid? I just don't want the information readily available. I have seen where there are pros and cons to $_POST and $_GET; would it be more secure to set the "selected" ID into a SESSION via a link? If that is possible, how would that be accomplished? I have looked without luck. Thanks
  7. I broke it down to this and got the same results. I built a page that echoes the two sessions that my login page sets and I get the appropriate results. Same case and everything.

      <?php if ($_SESSION['MM_UserGroup'] == 'Admin') { ?>.
      <table width="75%" border="0">
        <tr>
          <td colspan="2" class="page_header">Member's Only View </td>
        </tr>
        <tr>
          <td class="column_heading">Description</td>
          <td class="column_heading">Result</td>
        </tr>
        <tr>
          <td width="20%">Status: </td>
          <td width="80%"><?php echo $row_rsVideo_detail['status']; ?></td>
        </tr>
      </table>
      <?php } ?>
  8. I did echo the sessions and they are there and correct. I am confused about the if(!isset($_SESSION[..... ) - what does it do? I tried it and didn't have any luck.
  9. OK, I have gone back to the original code (listed below) and it still does not show me the table. Any ideas?

      <div>
      <?php if (isset($_SESSION['MM_UserGroup']) && $_SESSION['MM_UserGroup'] == 'Admin') { ?>.
      <table width="75%" border="0">
        <tr>
          <td colspan="2" class="page_header">Member's Only View </td>
        </tr>
        <tr>
          <td class="column_heading">Description</td>
          <td class="column_heading">Result</td>
        </tr>
        <tr>
          <td width="20%">Status: </td>
          <td width="80%"><?php echo $row_rsVideo_detail['status']; ?></td>
        </tr>
      </table>
      <?php } ?>
      </div>
  10. OK, the ) was the problem, but you knew that. I just didn't look far enough back. But now the code does not appear to be working. I know that my login is setting the session correctly because I can get into the Admin area, but I cannot view the table that I have now hidden. I know some basic PHP but to me it looks correct. I realize that about the errors; that is where I usually start and work backwards, but people a lot of times request the line number so I threw it in there. Thanks for your help so far.
  11. OK, again I am using DW8 and trying to hide a menu using this code and I get this error: Parse error: syntax error, unexpected '{' in //........................... on line 185 (which is the second line - { ?><div> ). I've tried putting ";" before and after the { with no luck.

      <?php if (isset($_SESSION['MM_UserGroup']) && (($_SESSION['MM_UserGroup'] == 'Member') || ($_SESSION['MM_UserGroup'] == 'Admin')) { ?><div>
      <table width="75%" border="0">
        <tr>
          <td colspan="2" class="page_header">Member's Only View </td>
        </tr>
        <tr>
          <td class="column_heading">Description</td>
          <td class="column_heading">Result</td>
        </tr>
        <tr>
          <td width="20%">Status: </td>
          <td width="80%"><?php echo $row_rsVideo_detail['status']; ?></td>
        </tr>
      </table>
      </div><?php } ?>
  12. OK, I think I got it figured out. I used this code:

      .........
      if (isset($_POST['username'])) {
        $loginUsername = $_POST['username'];
        $password = md5($_POST['password']);
        $MM_fldUserAuthorization = "level";
        $MM_redirectLoginSuccess = "index.php";
        $MM_redirectLoginFailed = "unauth.php";
        $MM_redirecttoReferrer = true;
      ............

      I also found out the hard way that password() in MySQL is different than md5(). Thanks anyway.
  13. OK, I have a problem that directly relates to http://www.phpfreaks.com/forums/index.php/topic,175920.0.html but he had solved it himself and didn't post the solution. I think I might have come to the correct solution but it causes an error in Dreamweaver. When I make a change it creates a second Server Behavior that is identical and it won't let you delete one. I think I want to do something like this (I added the password()):

      <?php
      ### Full script below in next code.
      $LoginRS__query = sprintf("SELECT username, password, level FROM users WHERE username=%s AND password=MD5(%s)",
                                GetSQLValueString($loginUsername, "text"),
                                GetSQLValueString($password, "text"));
      ?>

      Any ideas? I tried e-mailing the person that had the post but it is an invalid e-mail.

      <?php
      // *** Validate request to login to this site.
      if (!isset($_SESSION)) {
        session_start();
      }

      $loginFormAction = $_SERVER['PHP_SELF'];
      if (isset($_GET['accesscheck'])) {
        $_SESSION['PrevUrl'] = $_GET['accesscheck'];
      }

      if (isset($_POST['username'])) {
        $loginUsername = $_POST['username'];
        $password = $_POST['password'];
        $MM_fldUserAuthorization = "level";
        $MM_redirectLoginSuccess = "file:///W|/websites/MySite/index.php";
        $MM_redirectLoginFailed = "file:///W|/websites/MySite/unauth.php";
        $MM_redirecttoReferrer = false;

        mysql_select_db($database_MySite, $MySite);

        // the submitted username and password are escaped and quoted by GetSQLValueString
        $LoginRS__query = sprintf("SELECT username, password, level FROM users WHERE username=%s AND password=%s",
                                  GetSQLValueString($loginUsername, "text"),
                                  GetSQLValueString($password, "text"));

        $LoginRS = mysql_query($LoginRS__query, $MySite) or die(mysql_error());
        $loginFoundUser = mysql_num_rows($LoginRS);
        if ($loginFoundUser) {
          $loginStrGroup = mysql_result($LoginRS, 0, 'level');

          //declare two session variables and assign them
          $_SESSION['MM_Username'] = $loginUsername;
          $_SESSION['MM_UserGroup'] = $loginStrGroup;

          if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
          }
          header("Location: " . $MM_redirectLoginSuccess);
        } else {
          header("Location: " . $MM_redirectLoginFailed);
        }
      }
      ?>
  14. OK, that fixed it!! The error was in one of my templates so it was grayed out and I didn't recognize it as a PHP section. Thanks for the help! (Should I remove the majority of the code for security?) Thanks again, I can now lay off the ibuprofen.
  15. This is the whole thing. As far as the error, it always refers to the last line of the code no matter what I do with the empty lines. If I have posted something that is crucially private please let me know. Like I said, I have a base knowledge of PHP and I am a complete newbie at DW8. Thanks again.

      <?php require_once('Connections/KFD_site.php'); ?>
      <?php
      if (!function_exists("GetSQLValueString")) {
        // Dreamweaver helper: escapes a value and quotes it according to its type
        function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
        {
          $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
          $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

          switch ($theType) {
            case "text":
              $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
              break;
            case "long":
            case "int":
              $theValue = ($theValue != "") ? intval($theValue) : "NULL";
              break;
            case "double":
              $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
              break;
            case "date":
              $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
              break;
            case "defined":
              $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
              break;
          }
          return $theValue;
        }
      }

      // Recordset rsPublic_ann: public announcements (type 2), three per page
      $maxRows_rsPublic_ann = 3;
      $pageNum_rsPublic_ann = 0;
      if (isset($_GET['pageNum_rsPublic_ann'])) {
        $pageNum_rsPublic_ann = $_GET['pageNum_rsPublic_ann'];
      }
      $startRow_rsPublic_ann = $pageNum_rsPublic_ann * $maxRows_rsPublic_ann;

      mysql_select_db($database_KFD_site, $KFD_site);
      $query_rsPublic_ann = "SELECT articles.articleID, articles.type, articles.`date`, articles.status, articles.title, articles.article, articles.dwnldID, downloads.dwnldID, downloads.`path`, downloads.filename, downloads.anchor, downloads.descript FROM articles, downloads WHERE (articles.dwnldID = downloads.dwnldID) AND articles.type = 2 AND articles.status = 'active'";
      $query_limit_rsPublic_ann = sprintf("%s LIMIT %d, %d", $query_rsPublic_ann, $startRow_rsPublic_ann, $maxRows_rsPublic_ann);
      $rsPublic_ann = mysql_query($query_limit_rsPublic_ann, $KFD_site) or die(mysql_error());
      $row_rsPublic_ann = mysql_fetch_assoc($rsPublic_ann);

      if (isset($_GET['totalRows_rsPublic_ann'])) {
        $totalRows_rsPublic_ann = $_GET['totalRows_rsPublic_ann'];
      } else {
        $all_rsPublic_ann = mysql_query($query_rsPublic_ann);
        $totalRows_rsPublic_ann = mysql_num_rows($all_rsPublic_ann);
      }
      $totalPages_rsPublic_ann = ceil($totalRows_rsPublic_ann / $maxRows_rsPublic_ann) - 1;

      // Recordset rsPublic_not: public notices (type 3), three per page
      $maxRows_rsPublic_not = 3;
      $pageNum_rsPublic_not = 0;
      if (isset($_GET['pageNum_rsPublic_not'])) {
        $pageNum_rsPublic_not = $_GET['pageNum_rsPublic_not'];
      }
      $startRow_rsPublic_not = $pageNum_rsPublic_not * $maxRows_rsPublic_not;

      mysql_select_db($database_KFD_site, $KFD_site);
      $query_rsPublic_not = "SELECT articles.articleID, articles.type, articles.`date`, articles.status, articles.title, articles.article, articles.dwnldID, downloads.dwnldID, downloads.`path`, downloads.filename, downloads.anchor, downloads.descript FROM articles, downloads WHERE (articles.dwnldID = downloads.dwnldID) AND articles.type = 3 AND articles.status = 'active'";
      $query_limit_rsPublic_not = sprintf("%s LIMIT %d, %d", $query_rsPublic_not, $startRow_rsPublic_not, $maxRows_rsPublic_not);
      $rsPublic_not = mysql_query($query_limit_rsPublic_not, $KFD_site) or die(mysql_error());
      $row_rsPublic_not = mysql_fetch_assoc($rsPublic_not);

      if (isset($_GET['totalRows_rsPublic_not'])) {
        $totalRows_rsPublic_not = $_GET['totalRows_rsPublic_not'];
      } else {
        $all_rsPublic_not = mysql_query($query_rsPublic_not);
        $totalRows_rsPublic_not = mysql_num_rows($all_rsPublic_not);
      }
      $totalPages_rsPublic_not = ceil($totalRows_rsPublic_not / $maxRows_rsPublic_not) - 1;

      // Recordset rsPublic_art: articles (type 1), three per page; LEFT JOIN so articles without a download still show
      $maxRows_rsPublic_art = 3;
      $pageNum_rsPublic_art = 0;
      if (isset($_GET['pageNum_rsPublic_art'])) {
        $pageNum_rsPublic_art = $_GET['pageNum_rsPublic_art'];
      }
      $startRow_rsPublic_art = $pageNum_rsPublic_art * $maxRows_rsPublic_art;

      mysql_select_db($database_KFD_site, $KFD_site);
      $query_rsPublic_art = "SELECT articles.articleID, articles.type, articles.`date`, articles.status, articles.title, articles.article, articles.dwnldID, downloads.dwnldID, downloads.`path`, downloads.filename, downloads.anchor, downloads.descript FROM articles LEFT JOIN downloads ON articles.dwnldID = downloads.dwnldID WHERE articles.type = 1 AND articles.status = 'active'";
      $query_limit_rsPublic_art = sprintf("%s LIMIT %d, %d", $query_rsPublic_art, $startRow_rsPublic_art, $maxRows_rsPublic_art);
      $rsPublic_art = mysql_query($query_limit_rsPublic_art, $KFD_site) or die(mysql_error());
      $row_rsPublic_art = mysql_fetch_assoc($rsPublic_art);

      if (isset($_GET['totalRows_rsPublic_art'])) {
        $totalRows_rsPublic_art = $_GET['totalRows_rsPublic_art'];
      } else {
        $all_rsPublic_art = mysql_query($query_rsPublic_art);
        $totalRows_rsPublic_art = mysql_num_rows($all_rsPublic_art);
      }
      $totalPages_rsPublic_art = ceil($totalRows_rsPublic_art / $maxRows_rsPublic_art) - 1;
      ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/kfd_public_home.dwt.php" codeOutsideHTMLIsLocked="false" -->
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
      <!-- InstanceBeginEditable name="doctitle" -->
      <title>Untitled Document</title>
      <!-- InstanceEndEditable --><!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->
      <link href="theme/kfd.css" rel="stylesheet" type="text/css" />
      </head>

      <body>
      <table width="100%" border="0">
        <tr>
          <td class="kfd_banner"> </td>
        </tr>
        <tr>
          <td><table width="100%" border="0">
            <tr>
              <td class="greeting_l"><?php echo date("F j Y"); ?></td>
              <td class="greeting_c"><?php if ($_SESSION['username'] != "") { $greeting = "Welcomeback $_SESSION[username]"; echo "$greeting"; /* the closing } for this if is missing: this is the parse error reported on the last line */ ?></td>
              <td class="greeting_r"><?php echo date("H:i"); ?>Hrs</td>
            </tr>
          </table></td>
        </tr>
        <tr>
          <td>
            <div><!-- InstanceBeginEditable name="EditRegion4" -->
              <div class="sectionHeading">Welcome to KearneyFire.org </div>
            <!-- InstanceEndEditable --></div>
          </td>
        </tr>
        <tr class="contentRow">
          <td>
          <table width="100%" border="0">
            <tr>
              <td align="center" valign="top" class="sidebar_17_5"><table width="100%" border="0">
                <tr>
                  <td class="nav_header">Site Navigation </td>
                </tr>
                <tr>
                  <td class="nav_links"><a href="index.php">Home</a><br /> </td>
                </tr>
                <tr>
                  <td><!-- InstanceBeginEditable name="menu_nav" -->
                    <div align="center"> </div>
                  <!-- InstanceEndEditable --></td>
                </tr>
                <tr>
                  <td class="nav_header">Registered Users </td>
                </tr>
                <tr>
                  <td class="nav_links"><a href="login.php">Login Page </a></td>
                </tr>
              </table></td>
              <td class="content_82_5">
              <div align="center" class="content_100">
              <table width="100%" border="0">
                <tr>
                  <td width="78%" class="content_78"><!-- InstanceBeginEditable name="main_content_78" -->
                  <div align="left">
                  <table width="100%" border="0">
                    <tr>
                      <td class="sec_header">Public Announcements </td>
                    </tr>
                    <?php do { ?>
                    <tr>
                      <td><dl>
                          <dt><?php echo $row_rsPublic_ann['title']; ?></dt>
                          <dt><?php echo $row_rsPublic_ann['article']; ?></dt>
                        </dl>
                        <br />
                        <div align="right"><?php
                          if ($row_rsPublic_ann['dwnldID'] == 0) {
                            $pub_ann = "No download available";
                          } else {
                            // read the download columns out of the row (the original assigned in the wrong direction)
                            $path     = $row_rsPublic_ann['path'];
                            $filename = $row_rsPublic_ann['filename'];
                            $anchor   = $row_rsPublic_ann['anchor'];
                            $descript = $row_rsPublic_ann['descript'];
                            $pub_ann  = "<a href=\"http://kearneyfire.org/downloads/$path/$filename\">$anchor</a><br>$descript";
                          }
                          echo "$pub_ann";
                        ?> </div></td>
                    </tr>
                    <?php } while ($row_rsPublic_ann = mysql_fetch_assoc($rsPublic_ann)); ?>
                    <tr>
                      <td class="sec_header">Public Notices </td>
                    </tr>
                    <?php do { ?>
                    <tr>
                      <td><dl>
                          <dt><?php echo $row_rsPublic_not['title']; ?></dt>
                          <dt><?php echo $row_rsPublic_not['article']; ?></dt>
                        </dl>
                        <br />
                        <div align="right"><?php
                          if ($row_rsPublic_not['dwnldID'] == 0) {
                            $pub_not = "No download available";
                          } else {
                            $path     = $row_rsPublic_not['path'];
                            $filename = $row_rsPublic_not['filename'];
                            $anchor   = $row_rsPublic_not['anchor'];
                            $descript = $row_rsPublic_not['descript'];
                            // the original assigned this to $pub_ann, so $pub_not was never set here
                            $pub_not  = "<a href=\"http://kearneyfire.org/downloads/$path/$filename\">$anchor</a><br>$descript";
                          }
                          echo "$pub_not";
                        ?> </div></td>
                    </tr>
                    <?php } while ($row_rsPublic_not = mysql_fetch_assoc($rsPublic_not)); ?>
                    <tr>
                      <td class="sec_header">Articles</td>
                    </tr>
                    <?php do { ?>
                    <tr>
                      <td><dl>
                          <dt><?php echo $row_rsPublic_art['title']; ?></dt>
                          <dt><?php echo $row_rsPublic_art['article']; ?></dt>
                        </dl>
                        <br />
                        <div align="right"><?php
                          if ($row_rsPublic_art['dwnldID'] == 0) {
                            $pub_art = "No download available";
                          } else {
                            $path     = $row_rsPublic_art['path'];
                            $filename = $row_rsPublic_art['filename'];
                            $anchor   = $row_rsPublic_art['anchor'];
                            $descript = $row_rsPublic_art['descript'];
                            $pub_art  = "<a href=\"http://kearneyfire.org/downloads/$path/$filename\">$anchor</a><br>$descript";
                          }
                          echo "$pub_art";
                        ?> </div></td>
                    </tr>
                    <?php } while ($row_rsPublic_art = mysql_fetch_assoc($rsPublic_art)); ?>
                    <tr>
                      <td class="sec_header">Call Log </td>
                    </tr>
                    <tr>
                      <td> </td>
                    </tr>
                    <tr>
                      <td class="sec_header">Current Conditions </td>
                    </tr>
                    <tr>
                      <td><table width="100%" border="0">
                        <tr>
                          <td>Air Quality by MARC.org<br />
                            <img src="http://www.marc.org/airquality/alert.gif" alt="Mid-America Regional Council: Air Quality" width="300" height="52" border="0" /></td>
                          <td>National Weather Service Radar<br />
                            <a href="http://forecast.weather.gov/MapClick.php?CityName=Liberty&state=MO&site=EAX" target="_blank"><img src="http://radar.weather.gov/Thumbs/EAX_Thumb.gif" alt="National Weather Service Radar" /></a></td>
                        </tr>
                      </table></td>
                    </tr>
                  </table>
                  </div>
                  <!-- InstanceEndEditable --></td>
                  <td width="22%" class="sidebar_22"><!-- InstanceBeginEditable name="right_sidebar" -->
                  <div align="left">
                  <table width="100%" border="0">
                    <tr>
                      <td class="nav_header">Calendar</td>
                    </tr>
                    <tr align="center" valign="top">
                      <td><iframe src="http://www.google.com/calendar/embed?height=600&wkst=1&bgcolor=%23FFFFFF&src=calendar%40kearneyfire.org&color=%23A32929&ctz=America%2FChicago" style=" border-width:0 " width="100%" height="300" frameborder="0" scrolling="yes"></iframe></td>
                    </tr>
                    <tr>
                      <td class="nav_header">Photo Gallery </td>
                    </tr>
                    <tr align="center">
                      <td><?php @readfile('http://www.kearneyfire.org/gallery/main.php?g2_view=imageblock.External&g2_blocks=randomImage&g2_show=none'); ?></td>
                    </tr>
                    <tr>
                      <td class="nav_header">Members of: </td>
                    </tr>
                    <tr align="center" valign="top">
                      <td><img src="images/entities/marc.gif" width="135" height="50" alt="MARC" /><br />Mid-America Regional Council<br /><hr /><img src="images/entities/ffam.gif" width="115" height="104" alt="FFAM" /><br />FFAM<br /><hr /><br /><img src="images/entities/ichief.gif" width="135" height="141" alt="I-Chiefs" /><br />Int'l Chiefs<br /><hr /><br /><img src="images/entities/iaff.gif" width="135" height="133" alt="IAFF_42" /><br />IAFF Local 42</td>
                    </tr>
                  </table>
                  </div>
                  <!-- InstanceEndEditable --></td>
                </tr>
              </table>
              </div>
              </td>
            </tr>
          </table></td>
        </tr>
        <tr>
          <td class="footer">201 E. 6th St / P.O. Box 341<br /> Kearney, Missouri. 64060</td>
        </tr>
      </table>
      <!-- InstanceBeginEditable name="EditRegion5" -->
      <tr>
        <td> </td>
      </tr>
      <!-- InstanceEndEditable -->
      <tr>
        <td> </td>
      </tr>
      <tr>
        <td> </td>
      </tr>
      </body><!-- InstanceEnd --></html>
      <?php
      mysql_free_result($rsPublic_ann);
      mysql_free_result($rsPublic_not);
      mysql_free_result($rsPublic_art);
      ?>
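Posts 6, 3 and 2 above ask whether a staffID in the URL is safe and how a link could copy it into the session instead. The following is an added example, not the poster's code and not anything Dreamweaver generates. It assumes (constructed) a `staff` table with columns staffID, f_name, l_name, duties and after_hours_phone, the MM_Username / MM_UserGroup session keys set by the login script in this thread, and placeholder database credentials. The point it demonstrates: moving the id from $_GET into $_SESSION changes where the value lives, not who chose it, so the protection has to be a per-request authorization check on the detail page plus a parameterised query.

```php
<?php
// Added example (not the poster's or Dreamweaver's code). Constructed
// assumptions: `staff` table with staffID, f_name, l_name, duties,
// after_hours_phone; session keys MM_Username / MM_UserGroup from the
// thread's login script; placeholder DB credentials.

// --- select_staff.php: the "link that sets a session" from posts 2-4 ---
// Linked as:  <a href="select_staff.php?staffID=7">Jane Doe</a>
session_start();
$id = filter_input(INPUT_GET, 'staffID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid staff id');
}
$_SESSION['selected_staff'] = $id;   // still a value the visitor chose; not proof of entitlement
header('Location: staff_detail.php');
exit;
```

```php
<?php
// --- staff_detail.php: authorization happens here, on every request ---
session_start();

// 1. Authenticate: unauthenticated visitors go to the login page.
if (empty($_SESSION['MM_Username'])) {
    header('Location: login.php?accesscheck=' . urlencode($_SERVER['REQUEST_URI']));
    exit;
}

// 2. Take the id from the session (set by select_staff.php) or straight
//    from the URL. Its origin makes no difference to how far it is trusted.
$staffID = $_SESSION['selected_staff']
    ?? filter_input(INPUT_GET, 'staffID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!is_int($staffID) || $staffID < 1) {
    http_response_code(400);
    exit('No staff member selected');
}

// 3. Authorize: the after-hours column is selected only for the Admin group.
//    The column list is decided server-side per request, so changing the id
//    reveals only what the current user may see for any staff member.
$isAdmin = ($_SESSION['MM_UserGroup'] ?? '') === 'Admin';
$columns = $isAdmin
    ? 'staffID, f_name, l_name, duties, after_hours_phone'
    : 'staffID, f_name, l_name, duties';

// 4. Parameterised query: $columns is a server-side constant, the id is bound.
$pdo = new PDO('mysql:host=localhost;dbname=kfd_site;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare("SELECT $columns FROM staff WHERE staffID = :id");
$stmt->execute([':id' => $staffID]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such staff member');
}

// 5. Escape on output so table contents cannot inject markup into the page.
$h = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
echo '<h1>' . $h($row['f_name'] . ' ' . $row['l_name']) . '</h1>';
echo '<p>Duties: ' . $h($row['duties']) . '</p>';
if ($isAdmin) {
    echo '<p>After hours: ' . $h($row['after_hours_phone']) . '</p>';
}
```

On the SSL question in post 6: TLS protects the page and the session cookie in transit, which matters once contact numbers are being displayed, but it does nothing about a logged-in user editing the id. The two controls are complementary. Once the certificate is in place, the session cookie should also be marked secure and HttpOnly (session_set_cookie_params before session_start) so it is neither sent over plain HTTP nor readable from script.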
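Posts 12 and 13 build the login by hashing the submitted password with md5() and comparing it inside the SQL WHERE clause, and post 12 notes that MySQL's PASSWORD() is not the same function. The following is an added example, not the poster's code and not Dreamweaver's generated server behavior. It assumes (constructed) a `users` table with columns username, password_hash (VARCHAR(255)) and level, where older rows may still hold a 32-character md5 hex digest from the scheme used in the thread; the MM_Username / MM_UserGroup session keys and the index.php / unauth.php redirect targets are the thread's own. It replaces the fast unsalted hash with password_hash()/password_verify(), keeps the password out of the SQL entirely, migrates legacy rows on their next successful login, and regenerates the session id at login.

```php
<?php
// Added example (not the poster's or Dreamweaver's code). Constructed
// assumptions: `users` table with username, password_hash VARCHAR(255), level;
// some rows may still contain a legacy md5 hex digest in password_hash.
session_start();

function db(): PDO
{
    // Placeholder credentials; replace with the site's own connection settings.
    return new PDO('mysql:host=localhost;dbname=kfd_site;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Store a salted, deliberately slow hash (bcrypt via PASSWORD_DEFAULT) rather
// than md5() or MySQL's PASSWORD(), which are fast, unsalted and table-lookup friendly.
function register_user(PDO $pdo, string $username, string $plain, string $level): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash, level) VALUES (:u, :h, :l)');
    $stmt->execute([':u' => $username, ':h' => password_hash($plain, PASSWORD_DEFAULT), ':l' => $level]);
}

// Returns the user's level on success, null on failure.
function login(PDO $pdo, string $username, string $plain): ?string
{
    // Look the row up by username only; the password never goes into the SQL.
    $stmt = $pdo->prepare('SELECT password_hash, level FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always perform one verification so an unknown username takes as long
    // as a wrong password and does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $stored = $row['password_hash'] ?? $dummy;

    $legacyMd5 = strlen($stored) === 32 && ctype_xdigit($stored);   // row not yet migrated
    $ok = $legacyMd5
        ? hash_equals($stored, md5($plain))   // constant-time compare of the old scheme
        : password_verify($plain, $stored);

    if ($row === false || !$ok) {
        return null;
    }

    // Upgrade legacy rows, and rehash if the default cost has changed since storing.
    if ($legacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($plain, PASSWORD_DEFAULT), ':u' => $username]);
    }

    session_regenerate_id(true);   // fresh session id on privilege change (fixation defence)
    $_SESSION['MM_Username']  = $username;
    $_SESSION['MM_UserGroup'] = $row['level'];
    return $row['level'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $level = login(db(), (string) $_POST['username'], (string) $_POST['password']);
    header('Location: ' . ($level === null ? 'unauth.php' : 'index.php'));
    exit;
}
```

The legacy branch exists only for the migration: once every user has logged in once, the md5 check and the 32-hex-character test can be removed. The Dreamweaver-style redirect on failure is kept as in the thread; what changes is that the database holds bcrypt strings, and a copy of the table no longer gives away the passwords the way a table of md5 digests does.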