nvee

Members
  • Posts: 80
  • Joined
  • Last visited: Never

Everything posted by nvee

  1. Hey guys
     The code below does not give any errors, but the problem comes in with the final if/else statement. What needs to happen is that if $error != "" (meaning there are errors) it must output the errors, else it must add the new group into the database. It appears to skip that part, and irrespective of whether there are errors, it continues to write the items to the database. I'm sure it's just a logic error, can anyone help?

     <?php
     if($_POST["addgroup"] == "ADD") {
         $name = htmlentities($_POST["name"]);
         if(empty($name)) {
             $error .= "<li>No name was entered, please try again</li>";
         }
         if(!is_string($name)) {
             $error .= "<li>The name contained illegal characters. The group names can only contain text characters and no special characters or numbers. Please try again</li>";
         }
         connectdb();
         $name = mysql_escape_string($name);
         $query = mysql_query("SELECT * FROM groups WHERE name = '".$name."'");
         if(!$query) {
             trigger_error("There has been a problem with the database:" . mysql_error());
         }
         $rows = mysql_num_rows($query);
         if(rows > 0) {
             $error .= "<li>There is already a group with the name ".$name." in the database. Try a different name</li>";
         }
         if($error != "") {
             echo "<h3>GROUP MANAGER</h3>";
             echo "<p>The following errors has occured. Please <a href='newgroup.php'>click here</a> to try again</p>";
             echo "<ul>";
             echo $error;
             echo "</ul>";
         } else {
             $query = mysql_query("INSERT INTO groups (`name`) VALUES ('$name')");
             if(!$query) {
                 trigger_error("There has been a problem inserting the data into the database: ".mysql_error());
             }
             echo "<h3>GROUP MANAGER</h3>";
             echo "<p>The group named ".$name." has successfully been entered into the database. <a href='groups.php'>Click here</a> to return to the groups page</p>";
         }
     } else {
     ?>
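     As an added example (not the poster's code), the same add-group flow with the error list initialised, the duplicate check comparing the real variable, and the database access done with prepared statements. It assumes a PDO connection in $pdo, a table groups(name) as in the post, and PHP 7 or later; the function names are assumptions.

```php
<?php
// Added example (not the poster's code): the add-group flow with the logic
// bugs fixed and the database access hardened. Assumes a PDO connection in
// $pdo and a table groups(name) as in the post; function names are mine.

function validateGroupName(string $raw): array {
    // Always start from an empty list so "no errors" is a known state,
    // instead of appending to an undefined $error.
    $errors = [];
    $name = trim($raw);
    if ($name === '') {
        $errors[] = 'No name was entered, please try again';
    } elseif (!preg_match('/^[A-Za-z ]{1,64}$/', $name)) {
        // is_string() is always true for POST data; enforce the stated rule
        // ("text characters only") with an explicit allow-list instead.
        $errors[] = 'The group name may only contain letters and spaces';
    }
    return [$name, $errors];
}

function groupExists(PDO $pdo, string $name): bool {
    // Prepared statement: $name is never spliced into the SQL string.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM groups WHERE name = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn() > 0;
}

function addGroup(PDO $pdo, string $rawName): array {
    [$name, $errors] = validateGroupName($rawName);
    if ($errors === [] && groupExists($pdo, $name)) {
        // The original tested the bare word rows (an undefined constant), not
        // $rows, so the duplicate check never matched. Compare the variable.
        $errors[] = 'There is already a group with the name ' . $name;
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    $stmt = $pdo->prepare('INSERT INTO groups (name) VALUES (?)');
    $stmt->execute([$name]);
    return ['ok' => true, 'errors' => []];
}

if (($_POST['addgroup'] ?? '') === 'ADD') {
    // $pdo is assumed to come from the site's own connect code.
    $result = addGroup($pdo, (string) ($_POST['name'] ?? ''));
    echo '<h3>GROUP MANAGER</h3>';
    if (!$result['ok']) {
        echo '<p>The following errors occurred:</p><ul>';
        foreach ($result['errors'] as $e) {
            // Escape on output, not on input: the stored name stays raw,
            // and anything echoed into HTML is encoded here.
            echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
        }
        echo '</ul>';
    } else {
        echo '<p>The group has been added. <a href="groups.php">Back to groups</a></p>';
    }
}
```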
  2. You see, the problem is a little more tricky. My login.php file is actually my index.php file.
  3. Thank you, that was partially helpful, but the problem still remains. I know what the problem is, but I can't seem to find a solution: The problem comes in with the first part which looks if the session exists, if not, go to index.php. The problem is obviously that this code is also located on index.php, which means that it is directing and redirecting to itself the whole time, running a loop. I'm not sure what the best way is of doing this?
  4. Hey
     I'm so tired of struggling with this topic. I want to write a login script which 1) checks if $_SESSION["id"] has been set, if not, go back to index.php and 2) if $_SESSION["id"] has been set, check if the $_SESSION["id"] matches session_id() and if the $_SESSION["username"] matches that stored in the database. If it fails, go back to index.php, else continue on the page. I am getting redirecting issues, it would appear my code is running in a loop. If someone can please help me sort this out, and maybe give me a better, more suitable and probably more secure version on how to run this code, I would be really happy. The code only works with sessions as the login does not have to be stored.

     CODE AT THE TOP OF EACH PAGE:

     <?php
     session_start();
     include("includes/admin.php");
     include("includes/functions.php");
     if(!isset($_SESION["id"])) {
         session_destroy();
         header("Location:index.php");
     } else {
         if(isset($_SESSION["id"]) && $_SESSION["id"] != session_id()) {
             connectdb();
             $username = mysql_real_escape_string($_SESSION["username"]);
             // uname is the field in the database for the username
             $query = mysql_query("SELECT * FROM admins WHERE uname = '".$username."'");
             if(!$query) {
                 trigger_error("Error: ".mysql_error());
             }
             $rows = mysql_num_rows($query);
             if($rows != 1) {
                 session_destroy();
                 header("Location:index.php");
             } else {
                 include("includes/head.php");
     ?>
     // PAGE CONTENT GOES HERE
     <?php
             }
         }
     }
     ?>

     HERE IS THE CODE WHICH DOES THE LOGIN, PLEASE ASSIST WHERE YOU CAN. IT LOGS IN PROPERLY, DON'T THINK THERE'S SOMETHING WRONG HERE, BUT ANY SUGGESTIONS WOULD DO:

     <?php
     if($_POST["Submit"] == "login") {
         $uname = $_POST["uname"];
         $pass = $_POST["pass"];
         if(empty($uname)) {
             $error .= "<li>You did not supply a username</li>";
         }
         if(empty($pass)) {
             $error .= "<li>You did not supply a password</li>";
         }
         if(!empty($error)) {
             echo "<h3>USER LOGIN</h3>";
             echo "<br />";
             echo "<p>The following errors has occured:</p>";
             echo "<ul>";
             echo $error;
             echo "</ul>";
         } else {
             connectdb();
             $username = mysql_real_escape_string("$uname");
             $password = mysql_real_escape_string("$pass");
             $query = mysql_query("SELECT * FROM admins WHERE uname = '".$username."' AND pass = '".$password."'");
             if(!$query) {
                 trigger_error("Error: ".mysql_error());
             }
             $rows = mysql_num_rows($query);
             if($rows != 1) {
                 $errors .= "Your username and password does not match. Please try again. <strong>REMEMBER:</strong> All failed login attempts are logged!";
                 echo "<h3>USER LOGIN</h3>";
                 echo "<br />";
                 echo "<p>The following errors has occured:</p>";
                 echo "<ul>";
                 echo $errors;
                 echo "</ul>";
             } else {
                 while($result = mysql_fetch_array($query)) {
                     $_SESSION["name"] = $result["name"];
                 }
                 $_SESSION["active"] = 1;
                 $_SESSION["username"] = $username;
                 $_SESSION["id"] = session_id();
             }
         }
     }
     if($_SESSION["active"] != 1) {
     ?>
     <h3>Welcome Guest, please log in</h3>
     <br />
     <p>Please log in with your details below. All incorrect attempts are logged:</p>
     <br />
     <form action="<?php echo htmlentities($_SERVER["PHP_SELF"]); ?>" method="POST">
     Username: <input name="uname" type="text" /><br />
     Password: <input name="pass" type="password" /><br />
     <input name="Submit" id="Submit" type="submit" value="login" />
     </form>
     <?php } else { ?>
     // SOME CONTENT IN THE CONTENT AREA
     <?php } ?>
  5. Hey guys
     I'm busy with a control panel for a client. The script is divided in 2 parts, the first checks for session variables and directs users either to index.php if the session is incorrect or to admin.php if logged in and the session vars are correct. The second part is a login script which takes a default username and password, then sends an email to the user with a 2nd password which must first be submitted before you are granted access to the site. Although this piece of code appears to work, I am including it anyway for those who have comments/suggestions or maybe want to use it. The problem I am experiencing is with the login if the sessions are accepted. It does not direct properly, it says that the page will never direct properly. It appears to run in a loop. I see what the problem is, but I cannot find a way to make the script work. The problem appears to be with the else part of the if($rows !=...). It says that it directs the user to admin if it succeeds that condition, but what if I am already on admin.php?
     Anyway, it's an infinite loop, but I need some suggestions, anyone wanna help, I'll really appreciate it:

     // The top logincheck part
     <?php
     include("includes/functions.php");
     session_start();
     if(!isset($_SESSION["id"]) && !isset($_SESSION["username"])) {
         header("location:index.php");
     } else {
         $uname = $_SESSION["username"];
         $uid = $_SESSION["id"];
         connectdb();
         $query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$uname."'");
         $rows = mysql_num_rows($query);
         if($rows != 1 || $uid != session_id()) {
             session_unset();
             session_destroy();
             header("location:index.php");
         } else {
             header("location:admin.php");
         }
     }
     if($_POST["login"] == "Submit") {
         $ovmuser = $_POST["ovmuser"];
         $ovmpass = md5($_POST["ovmpass"]);
         connectdb();
         $query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$ovmuser."' AND ovmpass = '".$ovmpass."'");
         $rows = mysql_num_rows($query);
         $msg = $rows;
         if($rows == 1) {
             while($results = mysql_fetch_array($query)) {
                 $ovmemail = $results["ovmemail"];
             }
             $subject = "Marvin to the rescue";
             $to = $ovmemail;
             $randompass = substr(md5(rand(0,100000)),0,6);
             $message = " Hey. Your random password is: $randompass ";
             $query = mysql_query("UPDATE ovmuser SET ovmrandompass = '".$randompass."' WHERE ovmuser = '".$ovmuser."'");
             mail($to,$subject,$message);
             $ovmrandom = "aktiveer";
         }
     }
     if(isset($_POST["random"])) {
         $ovmrandompass = $_POST["random"];
         $ovmuser = $_POST["ovmuser"];
         $ovmpass = $_POST["ovmpass"];
         connectdb();
         $query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$ovmuser."' AND ovmpass = '".$ovmpass."' AND ovmrandompass = '".$ovmrandompass."'");
         $rows2 = mysql_num_rows($query);
         if($rows2 == 1) {
             $_SESSION["username"] = $ovmuser;
             $_SESSION["id"] = session_id();
             header("location:admin.php");
         } else {
             header("location:index.php");
         }
     }
     ?>
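     As an added example (not the poster's code), here is the login page from posts 4 and 5 rewritten so that it cannot redirect to itself: it never redirects on arrival, only away to admin.php once the e-mailed second password has been verified, and the session check that protected pages use is a separate include that index.php does not load. It assumes a PDO connection in $pdo, a table users(username, pass_hash, email, otp_hash, otp_expires) and PHP 7 or later; the function and column names are assumptions.

```php
<?php
// Added example (not the poster's code): index.php login flow that cannot loop.
// This page never redirects to itself; it redirects away only once step 2 has
// succeeded. Protected pages use a separate gate that redirects here, and this
// page must not include that gate.
// Assumed names: PDO $pdo, table users(username, pass_hash, email, otp_hash, otp_expires).

session_start();

// Step 1: username + password. On success, e-mail a one-time code and
// record in the session that step 2 is pending. The user is NOT logged in yet.
function startLogin(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT username, pass_hash, email FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() against a password_hash() value replaces comparing
    // plaintext or md5 inside the SQL WHERE clause.
    if (!$row || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    // Random code from the CSPRNG rather than substr(md5(rand()), 0, 6).
    $code = strtoupper(bin2hex(random_bytes(4)));
    $upd = $pdo->prepare('UPDATE users SET otp_hash = ?, otp_expires = ? WHERE username = ?');
    // Only a hash of the code is stored, and it expires after 10 minutes.
    $upd->execute([password_hash($code, PASSWORD_DEFAULT), time() + 600, $user]);
    mail($row['email'], 'Your login code', "Your one-time code is: $code");
    $_SESSION['pending_user'] = $user;
    return true;
}

// Step 2: the e-mailed code. Only here does the session become a logged-in one.
function finishLogin(PDO $pdo, string $code): bool {
    $user = $_SESSION['pending_user'] ?? null;
    if (!is_string($user)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT otp_hash, otp_expires FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['otp_hash'] === null || (int) $row['otp_expires'] < time()
        || !password_verify($code, $row['otp_hash'])) {
        return false;
    }
    // One use only: clear the code, then rotate the session id so the id the
    // browser had before logging in is no longer valid (session fixation).
    $pdo->prepare('UPDATE users SET otp_hash = NULL WHERE username = ?')->execute([$user]);
    session_regenerate_id(true);
    unset($_SESSION['pending_user']);
    $_SESSION['username'] = $user;
    return true;
}

if (isset($_POST['ovmuser'], $_POST['ovmpass'])) {
    // Same message for unknown user and wrong password: no username probing.
    echo startLogin($pdo, (string) $_POST['ovmuser'], (string) $_POST['ovmpass'])
        ? '<p>A code has been e-mailed to you. Enter it below.</p>'
        : '<p>Login failed.</p>';
} elseif (isset($_POST['random'])) {
    if (finishLogin($pdo, (string) $_POST['random'])) {
        header('Location: admin.php');   // the only redirect on this page
        exit;                            // header() alone does not stop the script
    }
    echo '<p>Code invalid or expired.</p>';
}
```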
  6. Haha, well the thing is, the code is part of an include on multiple pages, so I find it better to rather PHP_SELF it.
  7. Haha well, it would appear that the code processes a number of the items at once. It would e.g. display the menu as if I am logged in, but straight below say "Your login details were incorrect". The reason for the htmlentities is explained in the following article: http://www.html-form-guide.com/php-form/php-form-action-self.html
  8. Hey Guys
     Well I have a login script I wrote today, and it kind of took a turn for the worse as I cannot find the problem. I will try to explain it as I go:

     <?php
     // CHECK IF SESSION IS ALREADY SET
     if($_SESSION["id"] == "1") {
         echo "<p>Welcome back ".$uname."! <a href='news.php'>News</a> |<a href='profile.php'>Profile</a> |<a href='logout.php'>Logout</a></p>";
     }
     // CHECK IF THE USER PRESSED SUBMIT TO ATTEMPT A LOGIN
     if($_POST["userlogin"] == "submit") {
         $username = $_POST["email"];
         $password = substr(md5($_POST["password"]),0,16);
         connectdb();
         $query = mysql_query("SELECT name, email, password, account_type FROM ov_users WHERE email = '".$email."' AND password = '".$password."' AND account_type = '2'");
         if(!$query) {
             echo "<p>Oops, this is strange ... we cannot seem to log you in at the moment! Please try again in 5 minutes. If this problem occurs again, please contact our support department at <a href='mailto:[email protected]'>[email protected]</a></p>";
         }
         // This just assigns the user's name to $uname so that I can use it in a message to welcome the user.
         while($result = mysql_fetch_array($query)) {
             $uname = $result["name"];
         }
         $num = mysql_num_rows($query);
         // CHECK IF THE USER DID NOT SELECT REMEMBER ME, OBVIOUSLY CREATING A SESSION AS OPPOSED TO A COOKIE.
         if($num > 0) {
             $_SESSION["username"] = $username;
             $_SESSION["id"] = session_id();
             $_SESSION["active"] = "1";
             echo "<p>Welcome back ".$uname." Click <a href='profile.php'>here</a> to view your profile!</a></p>";
         }
         // CHECK IF THE USER DID SELECT REMEMBER ME. THIS CREATES A COOKIE CALLED cookie_id WITH A RANDOM STRING AND MD5. THIS THEN GETS SAVED IN THE DATABASE AND WILL BE RECALLED LATER.
         if($num > 0 && $rememberme == "remember") {
             setcookie("username",$username,time()+30754400);
             $rand = rand(0,10000000);
             set_cookie("cookie_id",$rand,time()+30754400);
             $mdrand = md5($rand);
             $query = mysql_query("UPDATE ov_users SET cookie_id='".$mdrand."' WHERE email='".$username."'");
             echo "<p>Welcome back ".$username."! Click <a href='profile.php'>here</a> to view your profile!</a></p>";
             if(!$query) {
                 echo "<p>Oops, this is strange ... we cannot seem to log you in at the moment! Please try again in 5 minutes. If this problem occurs again, please contact our support department at <a href='mailto:[email protected]'>[email protected]</a></p>";
             }
         }
         // THIS IS TRUE IF THE USERNAME AND PASSWORD DOES NOT MATCH
         if($num != 0) {
             echo "<p>The username and password you entered does not exist or your account needs to be verified. Please check your details and try again. | <a href='index.php'>TRY AGAIN</a> | <a href='forgotpass.php'>FORGOT MY PASSWORD</a> | <a href='register.php'>REGISTER A FREE ACCOUNT</a></p>";
         }
     // THIS IS TRUE IF THE USER DID NOT PRESS SUBMIT. THIS JUST SHOWS THE LOGIN FORM
     } else {
     ?>
     <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
     <p>
     Email: <input type="text" name="email" />
     Password: <input type="text" name="password" />
     Remember me:<input name="rememberme" type="checkbox" value="remember" /></input>
     <input name="userlogin" type="submit" value="submit"></input>
     | Forgot my password
     </p>
     </form>
     <?php } ?>
  9. Okay, I am partially getting what Sader is trying to do: Add a field in the user database with cookie_id. Then when the user logs in, I create an md5 cookie password and store that in the database. Then when the user returns I connect to the database and check if the cookie_id has the correct cookie ID? The problem with this is, someone can get the cookie ID from the cookie file stored locally, and then still use it, so although this form of security sounds like it is heading in the right direction, I am not sure if it is the right way? What I think might work slightly better is: if(successful login) $random(1000,999999); set_cookie("user_id","$random",time()+7200); $dbid = md5($random); Then write the $dbid to the database. This way, if a hacker is stupid, he will see the dbid and never know that it was actually md5'd to the database. So if he tries to authenticate with just the user_id, it will deny him because he first needs to md5 it back before usage? I mean, this is a secure way of doing it, right? It sounds a lot to me like cookies are not safe at all!
  10. Hey Guys
      I'm busy with my login script and I am giving the user the ability to either just log in for a session (normal session usage) or "remember me" which then creates a cookie. Now I have the session thing under control. Once the user has been authenticated, I create a session variable for username, active (which is 1) and then one called $_SESSION = session_id(); On each page I authenticate the user by checking if the $_SESSION["username"] matches the username in the database and also check if the $_SESSION["id"] is in fact the session_id(); With this, I feel the security is a little stronger than just checking the session exists or just checking a username. Now for the cookie I want to do something similar. I have already setcookie("username",$username) but I am not sure if there is a PHP command to check if the cookie name is the same as a cookie_id(). Is there even something called cookie_id? Would it matter seeing that the user can gain access to it anyway? What is the best form of security using cookies?
  11. Well, for what it's worth ... The problem was with the $_SESSION["id"]; I had it in small letters $_session["id"];
  12. FINALLY! I narrowed the problem down to:

      if($rows = 0 || session_id() != $_session["id"]) {
          session_destroy();
          header("location:index.php");
      }
      }
      ?>

      More specifically the || session_id() != $_session["id"] part: My idea was to check if session_id() was in fact the session ID used, to prevent someone from hijacking the id (have security with the username and the correct session). Now why would it not match? I mean they are supposed to be the same, correct? I know I'm doing something wrong, but what?
  13. Wait, the code posted above is faulty, here is the right one:

      <?php
      session_start();
      if(isset($_SESSION["id"])) {
          connectdb();
          $username = $_SESSION["username"];
          $query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
          $rows = mysql_num_rows($query);
          if($rows = 0 || session_id() != $_session["id"]) {
              session_destroy();
              header("location:index.php");
          }
      }
      ?>
  14. The problem is still looming ... And Wolphie ... not entirely ... you see:

      <?php
      session_start();
      if(isset($S_SESSION["id"]) {
          connectdb();
          $username = $_SESSION["username"];
          $query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
          $rows = mysql_num_rows($query);
          if($rows = 0 || session_id() != $_session["id"]) {
              session_destroy();
              header("location:index.php");
          }
      ?>

      It checks if the session ID has been set, then matches the username in the database with the username assigned to the session when the user logs in. The if statement then checks if the username rows do not match OR if the session ID is the same as the session_id() when the session was started. If THAT fails then it reverts back to index.php. Anyone else wanna have a shot at it? I'm desperate
  15. For what it's worth: I realised that the $_SESSION["username"] was never specified, so it would never get a value. I added it so that once logged in, it will create a new session variable called $_SESSION["username"] = $username. When I click on profile.php it redirects me back to index.php, which means at least the session variable had to be set for session[id]. However, if I go directly to profile.php without logging in first, it just displays the page. So I think my sessions are a little stuffed. Any suggestions?
  16. Wolfie, Goafer ... I made both changes. It logs on, but once I click on another page, it appears to disable the session, or the session was never created properly.
  17. Haha, hey guys
      Well, I am busy with a project, and find myself stuck with the login script. I don't know sessions very well, and I'm pretty sure that's where the problem is. Here is my code, I will try to explain as I go:

      1) This code goes at the top of each page, it connects to the db, checks if the username is the same as the username set at point number 2. If it's false, it directs the user back to index.php:

      <?php
      if(isset($S_SESSION["id"])) {
          session_start();
          connectdb();
          $username = $_SESSION["username"];
          $query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
          $rows = mysql_num_rows($query);
          if($rows = 0 || session_id() != $_session["id"]) {
              session_destroy();
              header("location:index.php");
          }
      }

      2) This code is the actual code which logs the user in. It includes the form and shows the login if the user is not logged in, otherwise it shows (or should show) the message with the news | profile | logout page.

      <?php
      if($_SESSION["active"] == "1") {
          echo "<p>Welcome back ".$result["name"]."! <a href='news.php'>News</a> |<a href='profile.php'>Profile</a> |<a href='logout.php'>Logout</a></p>";
      } else {
          if($_POST["userlogin"] == "submit") {
              $username = $_POST["email"];
              $password = substr(md5($_POST["password"]),0,16);
              connectdb();
              $query = mysql_query("SELECT name, email, password, account_type FROM ov_users WHERE email = '".$email."' AND password = '".$password."' AND account_type = '2'");
              if(!$query) {
                  echo "<p>Oops, this is strange ... we cannot seem to log you in at the moment! Please try again in 5 minutes. If this problem occurs again, please contact our support department at <a href='mailto:[email protected]'>[email protected]</a></p>";
              }
              $num = mysql_num_rows($query);
              if($num > 0) {
                  while($result = mysql_fetch_array($query)) {
                      $_SESSION["id"] = session_id();
                      $_SESSION["active"] = "1";
                      echo "<p>Welcome back ".$result["name"]."! Click <a href='profile.php'>here</a> to view your profile!</a></p>";
                  }
              } else {
                  echo "<p>The username and password you entered does not exist. Please check your details and try again. | <a href='forgotpass.php'>FORGOT MY PASSWORD</a> | <a href='register.php'>REGISTER A FREE ACCOUNT</a></p>";
              }
          } else {
      ?>
      <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
      <p>
      Email: <input type="text" name="email" />
      Password: <input type="text" name="password" />
      <input name="userlogin" type="submit" value="submit"></input>
      | Forgot my password
      </p>
      </form>
      <?php } } ?>

      I get a feeling that my sessions are not registering properly. Once the user is logged in at number 2, it must create a session variable called active. The purpose of this is to use this to activate and de-activate menus which must only be displayed once a user is logged in. The other reason I get this feeling is at point 2 it first checks if $_SESSION[active] == 1, and it should display a menu accordingly, but it doesn't work. Any suggestions? AND can anyone give me some ideas on how to make this more secure?
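      As an added example (not the poster's code), the "top of every protected page" check from posts 4, 14 and 17, rewritten so that it works. The posted versions fail for three reasons that are visible in them: session_start() is called after $_SESSION is read, `$rows = 0` assigns instead of comparing, and $_session and $S_SESSION are not $_SESSION. Comparing $_SESSION["id"] with session_id() is also always true for the session that stored it, so it adds no hijacking protection; the version below binds the session to the database user, rotates the id at login and adds an idle timeout instead. It assumes a PDO connection in $pdo, a table ov_users(email, account_type) and PHP 7 or later; the function names and session keys are assumptions.

```php
<?php
// Added example (not the poster's code): per-page login gate.
// session_start() comes first, comparisons use === / !==, and $_SESSION is
// spelled exactly. Assumed: PDO $pdo and table ov_users(email, account_type).

session_start();

// Re-checks the session's user against the database on every request, as the
// posts intend, with a prepared statement and strict comparisons.
function currentUser(PDO $pdo): ?array {
    $email = $_SESSION['username'] ?? null;
    $since = $_SESSION['login_time'] ?? 0;
    if (!is_string($email) || $email === '') {
        return null;
    }
    $stmt = $pdo->prepare('SELECT email, account_type FROM ov_users WHERE email = ?');
    $stmt->execute([$email]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1) {            // !==, never a single "=" here
        return null;
    }
    // Idle timeout: a hijacked or forgotten session stops working by itself.
    if (time() - (int) $since > 1800) {
        return null;
    }
    $_SESSION['login_time'] = time();    // sliding expiry
    return $rows[0];
}

// Called at the top of profile.php, news.php and so on, but never on
// index.php, which is where it redirects to (that is the loop in posts 3 and 4).
function requireLogin(PDO $pdo): array {
    $user = currentUser($pdo);
    if ($user === null) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;    // header() alone does not stop the rest of the page from rendering
    }
    return $user;
}

// Called once by the login page after the password has been verified.
function establishSession(string $email): void {
    session_regenerate_id(true);         // drop the pre-login id (session fixation)
    $_SESSION['username']   = $email;
    $_SESSION['login_time'] = time();
    $_SESSION['active']     = 1;         // the menu flag the posts use
}

// A typical protected page:
$user = requireLogin($pdo);
echo '<p>Welcome back ' . htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8') . '</p>';
```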
  18. Interrupting myself: 1) For login, I have to give the user the option if they want to remain logged in. If true, I must use cookies, if they don't, I use sessions?
  19. Okay wait ... Do I understand correctly that I must avoid sessions? I was told that cookies are not as secure as sessions, but understand that the session is destroyed when the browser is closed. I think that is what I don't understand. So in a nutshell: 1) If I want my users to remain logged in I have to use cookies? I cannot use sessions for this? 2) The most secure way would be to use cookies and a combination of cookies in the DB?
  20. Anyone?
  21. Hey guys
      This is not as much a code help as a little info help. I am busy with a project and I have very little session experience. I understand how they work, how to start them and use them, but the nature of my project means I have to make extra sure that it is safe and user-friendly, and I am not too clued up with the way things will have to happen. 1) Using a combination of sessions and cookies - I want a function where my clients can say remember me. I understand that I need to use both cookies and sessions for this. If I understand it correctly, the cookie only really saves the session number, is this correct? If this is the case, won't the session be destroyed after the browser is closed? If I have it completely wrong, does this mean that if I want my clients to remain logged in, I must use cookies? 2) Storing session data in a database - I am busy going through a tutorial on saving session data in a database. I was always under the impression that doing this increases the security of my project, but it sounds now that it's more to do with running a central project over multiple servers. Am I correct? Is there really any advantage in storing session data in a database besides this? Is there any improved security? 3) What is your suggestion on the best practice to do my request?
  22. legend! Thank you!
  23. I know this is not the forum for ckeditor, but that forum has nothing going on, and I was hoping that someone here uses it and can help me with a very simple problem. I downloaded ckeditor, copied the files to my web location, also added 1 line of JavaScript in my head and then just the word class="ckeditor" in my textarea line of code. It works perfectly, it opens, types and stores the styling to the database without any problems. My question is, how do I insert content already stored in a database back into ckeditor for editing. I tried value="<?php echo $result["description"]; ?>" (where $result is the mysql_fetch_array) but the text area remains blank. Is there another way I am supposed to do it? The method above works for normal input fields, but not for ckeditor. If this fails, do you know of any other wysiwyg editors which are freeware and work better?
  24. Well, I really just want a filename in the field. I have validation which checks for empty fields. The form I use is exactly the same form I use for adding news items, the only difference is with edit it retrieves the content from the database and inserts it into the text fields using <input name="img" type="file" value="<?php echo $result["img"]; ?>" /> (where result is the value of the mysql_fetch_array earlier in the script). If I don't have something in the text field, the validation will give an error and say that I need a value within the file field name. All I wanted to do was that the name must be there so that someone can just submit and the filename in the db will work. I however don't think it's a bad idea to rather give the user an option if they want to override the file name, that way I can just add one more if/else statement and that should do the trick. Keep you up to date.
  25. Hey Guys
      I have an edit feature for a simple news script I am writing. The user clicks on a news article under news.php which then takes him to edit_news.php?id=*** (depending on the article he clicked on in news.php). edit_news.php then has a simple form (same form used to add news) which has 3 fields, namely header, content and image. Obviously, the fields are already populated with the existing content in the database. I manage to retrieve the content for header and content, but the image field remains empty. From what I understand, due to a security issue, I cannot populate the content for image in an <input type="file"> but there has to be a way to edit the image. All I want is for the image field to at least default-select the image already entered in the database, so that if the user decides to only edit e.g. a spelling mistake, it can still use the existing image, but if the user wants to change the image, they can select a new one which then amends the image in the database. I guess this is more "how do I" than an actual coding-related issue, hope someone can help.