Posts: 2,527
Posts posted by DeanWhitehouse
-
-
How can I fix this?
-
If you give me an email, I can send you a script I have, but adjust it to your needs.
My email: deanwhitehouse6@hotmail.com
-
You use IF
-
Er, what you do in the login code is set the session if they log in successfully, then in the header of all the pages you need session start. Then on protected pages check for the session.
-
You will have to use sessions to make the ?id=
-
Create a username and password for each user who can edit it, and make a login form on the page, then check the data they enter against the database, then set them a session and check for that session on the protected page.
-
To turn it off (fix it) do I need to create a .htaccess file or a php.ini file? What do I need to write in these?
-
Sorry, I was just saying, I haven't had access to the files yet, I will try when I have time, I was just saying.
-
The user_id is also saved in a session, but this session seems to be overwritten when I click on another user's id.
-
Also, I just found out that the user level is also transferred, so the user can now see the admin area.
-
STILL AVAILABLE, PM ME FOR A QUOTE
-
logged_in is already posted here, and here's nav_bar and db_connect, I don't think it is.
<?php
// Random Game Design: PHP Website Template
// Version 1
// Copyright Dean Whitehouse, 2008

// Include config file
require_once 'config.inc.php';
require_once 'config_table.inc.php';

// Connect to database
mysql_connect($dbhost,$dbuser,$dbpass) or die('Could not connect: ' . mysql_error());

// Select database
mysql_select_db($dbname) or die('Could not find the database: ' . mysql_error());

ob_start();
session_start();
?>
db_connect.php
<?php
$server = "http://".$_SERVER[HTTP_HOST] ;
if ($_SESSION['is_valid'] == true){
    if ($_SESSION['user_level'] == 2){
        echo "<table class='nav_bar'><tr><td> <a class='nav_bar' href='$server'>Home</a> </td></tr><tr><td><font color='white'>Logged In</font></td></tr> <tr><tr><a href='members.php'>Members</a></td></tr></table>";
    }
    if ($_SESSION['user_level'] == 1){
        echo "<table class='nav_bar'><tr><td> <a class='nav_bar' href='$server'>Home</a> </td></tr><tr><tr><a href='members.php'>Members</a></td></tr></table>";
    }
} else {
    echo " <table class='nav_bar'><tr><td> <a class='nav_bar' href='$server'>Home</a> </td></tr><tr><tr><a href='members.php'>Members</a></td></tr></table>";
}
?>
nav_bar.php
-
They are echoed in the logged_in script; it echoes their username, and it does change, but I don't know how.
-
If it's solved, please click solved at the bottom of the page.
-
Hmm, tried that, didn't work. I just can see how it's doing this.
Should I identify people not just by user_id but user_name?
-
No problem, if it's closed please click solved at the bottom.
-
I can't see how this is happening, as it isn't setting anything on the members page.
-
Np, read the comments next time though, they were there for a reason.
-
Don't you have to encrypt it first, like this:
$password = "then the encryption and password";
then insert that variable into the database.
-
Did you change what I said, or just copy and paste the code?
If you just copied and pasted, it won't. Here is the code, with changes:
$prevsql = "SELECT entries.*, categories.cat FROM entries, categories
WHERE entries.cat_id = categories.id
ORDER BY dateposted DESC
LIMIT 1, 5;";
$prevresult = mysql_query($prevsql);
$numrows_prev = mysql_num_rows($prevresult);
-
This might be it:
$prevsql = "SELECT entries.*, categories.cat FROM entries, categories // $prevsql
WHERE entries.cat_id = categories.id
ORDER BY dateposted DESC
LIMIT 1, 5;";
$prevresult = mysql_query($presql); //$presql
$numrows_prev = mysql_num_rows($prevresult);
-
This is logged_in.php.
This also has the login form in it.
<?php
if (isset($_GET['logout'])) {
    setcookie("cookname", $_SESSION['username'], time() - 3600, "/");
    setcookie("cookpass", $_SESSION['user_password'], time() - 3600, "/");
    session_unset();
    session_destroy();
}
if ($_SESSION['is_valid'] == true) {
    if ($_SESSION['user_level'] == 2) {
?>
<table class='logged_in'><tr><td>
<p>Welcome, <br><?php echo $_SESSION['username']; ?>
<br><a href='user_profile.php?id=<?php echo $_SESSION['user_id']; ?>'>User Profile</a><br>
<a href='user_setting.php'>Settings</a><br>
<a href="<?php print $_SERVER["PHP_SELF"]; ?>?logout=true">Logout</a><br />
</td></tr><tr><td>Logged In</td></tr></table></p>
<?php
    }
    if ($_SESSION['user_level'] == 1) {
?>
<table class='logged_in'><tr><td>
<p>Welcome, <?php echo $_SESSION['username']; ?>
<br><a href='user_profile.php?id=<?php echo $_SESSION['user_id']; ?>'>User Profile</a><br>
<a href='user_setting.php'>Settings</a><br>
<a href='admin_centre.php'>Admin Area</a><br>
<a href="<?php print $_SERVER["PHP_SELF"]; ?>?logout=true">Logout</a><br />
</td></tr><tr><td>Logged In</td></tr></table></p>
<?php
    }
} else {
    require_once 'db_connect.php';
    if ($_SESSION['is_valid'] == false) {
        if (isset($_POST['login'])) {
            $user_name = $_POST["user_name"];
            $user_password = $_POST["user_password"];
            $cookiename = forumcookie;
            $verify_username = strlen($user_name);
            $verify_pass = strlen($user_password);
            if ($verify_pass > 0 && $verify_username > 0) {
                $salt = substr($user_password, 0, 2);
                $userPswd = crypt($user_password, $salt);
                $sql = "SELECT * FROM `$user` WHERE user_name='$user_name' AND user_password='$userPswd' LIMIT 1;";
                $result = mysql_query($sql);
                if (mysql_num_rows($result) == 1) {
                    $row = mysql_fetch_assoc($result);
                    $user_level = $row['userlevel'];
                    if ($user_level == 1) {
                        $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = '$_GET[p]'"));
                        $userright = array($login_check['user_name'], $login_check['userlevel']);
                        $s_userpass = serialize($userpass);
                        $_SESSION['username'] = $row['user_name'];
                        $_SESSION['user_password'] = $row['user_password'];
                        $_SESSION['user_level'] = $row['userlevel'];
                        $_SESSION['user_id'] = $row['user_id'];
                        header("Location:http://".$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI]);
                        $_SESSION['is_valid'] = true;
                        if(isset($_POST['remember'])) {
                            setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                            setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                        }
                    } elseif ($user_level == 2){
                        $login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = '$_GET[p]'"));
                        $userright = array($login_check['user_name'], $login_check['userlevel']);
                        $s_userpass = serialize($userpass);
                        $_SESSION['username'] = $row['user_name'];
                        $_SESSION['user_password'] = $row['user_password'];
                        $_SESSION['user_level'] = $row['userlevel'];
                        $_SESSION['user_id'] = $row['user_id'];
                        header("Location:http://".$_SERVER[HTTP_HOST].$_SERVER[REQUEST_URI]);
                        $_SESSION['is_valid'] = true; //change the session variable name to what you want, just remember it for all files
                        if(isset($_POST['remember'])){
                            setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
                            setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
                        }
                    }
                } else{
                    echo "Login failed. Username and Password did not match database entries.";
                }
            } else {
                echo "Form was not completed. Please go back and make sure that the form was fully completed.";
            }
        }
        $server = str_replace("?logout=true","",$_SERVER['PHP_SELF']);
?>
<html>
<table bgcolor='#999999' align='right'><form action="<?php echo $server ?>" method='POST'>
<tr><td>Username: </td><td><input type='text' name='user_name' /><br /></td></tr>
<tr><td>Password:</td><td> <input type='password' name='user_password' /><br /></td></tr>
<tr><td><input type="hidden" name="login" value="true"><input type="submit" value="Submit"></td></tr>
<tr><td><input type="checkbox" value="1" name="remember"> Remember Me </td></tr><tr><td><a href="register.php">[Register]</a></td></tr><tr><td><a href="forgot_password.php">[Forgot Password?]</a></td></tr></table>
</form>
</html>
<?php
        mysql_close();
    } else {
        header("Location:http://".$_SERVER[HTTP_HOST]);
    }
}
?>
And yes, they are identified by their user_id stored in a variable.
-
I have a site where the users can have profiles. I was just testing something when I found this security issue.
When I view the page listing the members and click on one, I become that member; I can edit their settings, everything. How can I fix this? This is my member page code.
<?php
require_once 'db_connect.php';
require_once 'nav_bar.php';
require_once 'logged_in.php';
if ($_SESSION['is_valid'] == true){
    if (isset($_GET['id'])) {
        if ((int) $_GET['id'] > 0) {
            $user_id = $_GET['id'];
            $sql = "SELECT * FROM $user WHERE `user_id`='{$user_id}' LIMIT 0,1;";
            $result = mysql_query($sql);
            $row = mysql_fetch_assoc($result);
            $username = $row['user_name'];
            $email = $row['user_email'];
            echo "$username<br>";
            $show_email = $row['show_email'];
            if ($show_email == 1) {
                echo "Email:<a href='mailto:$email'>$email</a>";
            } elseif ($show_email == 0) {
                echo "Email:Hidden";
            }
            exit();
        } else {
            echo "Invalid user ID passed to page! <br />";
            echo "<a href=\"members.php\">Return to user list</a>";
            exit();
        }
    }
    //No ID passed to page, display user list:
    $query = "SELECT user_id, user_name FROM $user";
    $result = mysql_query($query) or die("Error:" . mysql_error());
    if (mysql_num_rows($result) > 0) {
        echo "User List:<br />";
        while ($row = mysql_fetch_assoc($result)) {
            echo '<a href="?id=' . $row['user_id'] . '">' . $row['user_name'] . '</a><br />';
        }
    }
} else {
    echo "Please login to view this page.";
}
?>
This is a big risk, please help.
-
Oh right, because I closed a page I made when I was logged in, and went back to it after ten minutes and I was still logged in.
How can I make it so when they close the page, the session is ended?
What site would attract you
in Miscellaneous
Posted
I am doing research into what websites attract people.
Please post below what type of site would attract you.
Anything from social networks, to sites like wikipedia.