justAnoob
Members | 561 posts | Last visited: Never

Everything posted by justAnoob

  1. Let me explain this better. I have a form which I enter a number in. If there is a match to that number in my database, it takes me to another page. Great, that's what I want. If there is not a match to the number entered in, an error message is displayed, great also. So right now the error message is being displayed, so I enter another number in, and it is a match to a number in the database, and again it takes me to that page. Here is the problem... now when I go back to the first page where I enter in the numbers, I still have that error being displayed from the previous entry that did not have a match. How do I get rid of that when I go back to the page? The code is above; I am using a variable sent thru the URL to display the message.
  2. I have these two lines below, both on separate PHP files. The variable works great. The problem I am having is if there is a match it takes me to a certain page, then when I go back a page, I still have the echoed variable. I guess the question is, after the script runs and the variable is echoed, I want to get rid of it so when I go back to that page it is gone.

     ```php
     // file 1: redirect, carrying the message in the query string
     header("location: http://www.-------.com/-------.php?no_match=No item found.");
     ```

     ```php
     // file 2: show the message whenever it is present in the URL
     if (isset($_GET['no_match'])) {
         $no_matches = $_GET['no_match'];
         // escape before echoing: otherwise anything placed in the URL is reflected into the page as HTML
         echo htmlspecialchars($no_matches, ENT_QUOTES, 'UTF-8');
     } else {
         echo "";
     }
     ```
  3. I don't see anything wrong.
  4. Okay, a couple of times it worked. Now it does not. I can enter a username that is 6 or more characters and it still gives me the error that the username is not the correct length.

     ```php
     <?php
     session_start();
     require_once 'connection.php';

     $username = mysql_real_escape_string($_POST["username"]);
     $email    = mysql_real_escape_string($_POST['email']);
     $sql    = "SELECT * FROM members WHERE username = '$username' and email = '$email'";
     $result = mysql_query($sql);
     $count  = mysql_num_rows($result);

     // if username is currently being used, display error
     if ($count > 0) {
         unset($_SESSION['length']);
         $_SESSION['dup'] = "This username or email is already registered. Please try again.";
         header("location: http://www.-------.com/registration.php");
         exit();
     }
     // if username is not correct length, display error
     elseif (strlen($_POST["username"]) < 6) {
         unset($_SESSION['dup']);
         $_SESSION['length'] = 'Username must be a minimum of 6 characters in length.';
         header("location: http://www.------.com/registration.php");
         exit();
     }
     // if data is good, register the new member
     else {
         $username = mysql_real_escape_string($_POST["username"]);
         $password = md5($_POST["password"]);
         $email    = mysql_real_escape_string($_POST["email"]);
         $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')";
         // trigger_error() requires a message argument; pass the MySQL error text
         mysql_query($sql) or trigger_error(mysql_error());
         unset($_SESSION['dup']);
         $_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
         sleep(2);
         header("location: http://www.------.com/registration.php");
         mysql_close();
         exit();
     }
     ?>
     ```

     Is there something wrong with the if, elseif, else?
  5. Oops, I knew that, thanks Andy.
  6. I looked on Google and it shows examples of something like this, but I still get the same problem. Even if I enter a username that is 6 characters long, I get the error that the username is not the correct length.

     ```php
     <?php
     if ($count > 0) {
         $_SESSION['dup'] = "This username is already registered. Please try again.";
         header("location: http://www.--------.com/registration.php");
         exit();
     }
     // was strlen($_POST["$username"]): that looks up a key named after the username's
     // value, which does not exist, so the length was always 0 and the error always fired
     elseif (strlen($_POST["username"]) < 6 || strlen($_POST["username"]) > 12) {
         $_SESSION['length'] = 'Username can only be 6-12 characters in length.';
         header("location: http://www.---------.com/registration.php");
         exit();
     }
     // if data is good, register the new member
     else {
     ?>
     ```
  7. I'm sorry, the error comes up no matter what length of username they input.
  8. Oops, sorry, don't mind that, I forgot to change that back to my table name. But taking a look at the script, if it was yours, what would you do to beef up the security? I'm not looking for anything crazy, just your basic. Also, why is my strlen not working correctly? It brings the error if the name is less than 6 or more than 12, but not something with, let's say, 8.

     ```php
     <?php
     session_start();
     require_once 'connection.php';

     // check if username or email is already registered, if so, give error message
     $username = mysql_real_escape_string($_POST["username"]);
     $sql    = "SELECT * FROM members WHERE username = '$username'";
     $result = mysql_query($sql);
     $count  = mysql_num_rows($result);

     // if username exists, display error
     if ($count > 0) {
         $_SESSION['dup'] = "This username is already registered. Please try again.";
         header("location: http://www.-----.com/registration.php");
         exit();
     }

     if (strlen($username) < 6 || strlen($username) > 12) {
         $_SESSION['length'] = 'Username can only be 6-12 characters in length.';
         header("location: http://www.------.com/registration.php");
         exit();
     }
     // if data is good, register the new member
     else {
         $username = mysql_real_escape_string($_POST["username"]);
         $password = md5($_POST["password"]);
         $email    = mysql_real_escape_string($_POST["email"]);
         $sql = "INSERT INTO members (username, password, email)VALUES('$username','$password','$email')";
         mysql_query($sql) or die(mysql_error());
         unset($_SESSION['dup']);
         $_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
         sleep(2);
         header("location: http://www.-------.com/registration.php");
         mysql_close();
         exit();
     }
     ?>
     ```
  9. Okay, so back to the post I posted earlier where I took out sprintf and then still had a problem with the ','. I've looked everywhere, and everyone is saying to use mysql_real_escape_string like this... `$var = mysql_real_escape_string($_POST['whatever'])` and not at the end of the SQL statement. Here is a simple register script that I have. This is what I've seen on examples that people are doing to protect against hackers. (I know if someone wanted to mess stuff up they will. Just looking for some basic protection.)

     ```php
     <?php
     session_start();
     require_once 'connection.php';

     // check if username or email is already registered, if so, give error message
     $username = mysql_real_escape_string($_POST["username"]);
     $sql    = "SELECT * FROM members WHERE username = '$username'";
     $result = mysql_query($sql);
     $count  = mysql_num_rows($result);

     // if username exists, display error
     if ($count > 0) {
         $_SESSION['dup'] = "This username is already registered. Please try again.";
         header("location: http://www.--------.com/registration.php");
         exit();
     }
     // if data is good, register the new member
     else {
         $username = mysql_real_escape_string($_POST["username"]);
         $password = md5($_POST["password"]);
         $email    = mysql_real_escape_string($_POST["email"]);
         // "%s" is left over from an earlier sprintf attempt and should be the table name
         $sql = "INSERT INTO %s (username, password, email)VALUES('$username','$password','$email')";
         mysql_query($sql) or die(mysql_error());
         unset($_SESSION['dup']);
         $_SESSION['goodreg'] = "Thank you for registering. Please log in above.";
         sleep(2);
         header("location: http://www.------.com/registration.php");
         mysql_close();
         exit();
     }
     ?>
     ```
  10. Andy, what I'm working on doing is trying to secure some scripts. Some people on here say I should do all this stuff, and then I read elsewhere saying I should do other things. I'm confused.
  11. If you have some input, it would be great to hear it. I'm not just going to copy and paste. I like to learn PHP. Sometimes it is hard to find exactly what I'm looking for.
  12. Why would you say something like that?
  13. Still having problems with it that way... I need to look into it some more... I thought sprintf did something else... sorry guys.
  14. Now I get an error with the comma:

      ```php
      $sql = "SELECT * FROM $tbl_name WHERE username = '$username'", mysql_real_escape_string($username);
      ```
  15. This works fine for my reg script:

      ```php
      <?php
      $username = $_POST["username"];
      // note: the format string contains no %s placeholder, so the escaped value passed
      // as the second argument is discarded and the raw $username is what ends up in $sql
      $sql    = sprintf("SELECT * FROM $tbl_name WHERE username = '$username'", mysql_real_escape_string($username));
      $result = mysql_query($sql);
      ?>
      ```
  16. What exactly does sprintf do? And how come in my register script I did not have to make that change? Do I need to use sprintf?
  17. This doesn't work, but my registration script works like this.

      ```php
      <?php
      $username = $_POST['username'];
      $password = $_POST['password'];
      // the format string has no %s placeholders, so the extra arguments are never substituted
      $sql = sprintf("SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1",
                     mysql_real_escape_string($username), md5($password)); // was md5($pasword): undefined variable
      ?>
      ```

      and this works:

      ```php
      <?php
      $username = mysql_real_escape_string($_POST['username']);
      $password = md5($_POST['password']);
      $sql = "SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1";
      ?>
      ```
  18. I have a session that is displayed... I only want it to display for 10 seconds... What should I do below?

      ```php
      <?php
      if ($count > 0) {
          $_SESSION['dup'] = "This username is already registered. Please try again.";
      }
      ?>
      ```

      ```php
      <?php
      if (isset($_SESSION['dup'])) {
          set_time_limit(10); // this doesn't work.. where to put it?
                              // (set_time_limit() caps how long the script may run; it has no effect on how long output stays visible)
          echo '<div class="duppy">';
          echo $_SESSION['dup'];
          echo '</div>';
      }
      ?>
      ```
  19. I use a lot of sessions and things are starting to get confusing... I use sessions for error and success messages and so on... What else can I do to accomplish this? I'm looking for something a little more organized. Example:

      ```php
      <?php
      $_SESSION['no_view'] = "You must be logged in to send messages.";
      header("location: http://www.------.com/------.php");
      exit();
      ?>
      ```

      then on my page where the session is to be displayed:

      ```php
      <?php
      if (isset($_SESSION['no_view'])) {
          unset($_SESSION['message']);
          unset($_SESSION['goodlog']);
          echo $_SESSION['no_view'];
      }
      ?>
      ```
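The sprintf/mysql_real_escape_string confusion in posts 9 and 13 to 17 goes away if the values never become part of the query text at all. The following is an added example, not the poster's code: the same username check, registration insert and login lookup written with PDO prepared statements, with password_hash() in place of md5(). The DSN, credentials, the `members` table and its `id`/`username`/`password`/`email` columns are assumptions for this example.

```php
<?php
// Added example (not the poster's code): PDO prepared statements for the
// registration and login checks from the thread. Values are bound as parameters,
// so quoting and escaping are handled by the driver, not by string building.

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=mydb;charset=utf8mb4', // placeholder DSN
            'dbuser',                                          // placeholder user
            'dbpass',                                          // placeholder password
            [
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
            ]
        );
    }
    return $pdo;
}

// Validate the submitted username; returns an error string, or null when it is acceptable.
function validate_username(string $username): ?string
{
    $len = strlen($username);
    if ($len < 6 || $len > 12) {
        return 'Username can only be 6-12 characters in length.';
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        return 'Username may contain only letters, digits and underscores.';
    }
    return null;
}

function username_taken(string $username): bool
{
    $stmt = db()->prepare('SELECT COUNT(*) FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Register a member; returns an error message, or null on success.
function register(string $username, string $password, string $email): ?string
{
    if (($err = validate_username($username)) !== null) {
        return $err;
    }
    if (username_taken($username)) {
        return 'This username is already registered. Please try again.';
    }
    $stmt = db()->prepare(
        'INSERT INTO members (username, password, email) VALUES (:u, :p, :e)'
    );
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // salted, slow hash instead of md5()
        ':e' => $email,
    ]);
    return null;
}

// Login: fetch the stored hash for the username, then verify. Returns the user id or null.
function login(string $username, string $password): ?int
{
    $stmt = db()->prepare('SELECT id, password FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for an unknown user and a wrong password
    }
    return (int) $row['id'];
}

// Usage in a form handler (placeholder field names):
// session_start();
// $err = register($_POST['username'] ?? '', $_POST['password'] ?? '', $_POST['email'] ?? '');
// if ($err !== null) { $_SESSION['dup'] = $err; header('Location: /registration.php'); exit(); }
```

The `password` column needs room for a password_hash() result (a VARCHAR(255) is the usual choice), and because the hash is computed in PHP the database never sees the cleartext password.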
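Posts 1, 2, 18 and 19 all run into the same thing: a message stored in the URL or in `$_SESSION` stays there until something removes it. The common fix is a read-once "flash" message that is deleted the moment it is rendered, optionally with an expiry so an unseen message dies after a number of seconds. The following is an added example, not the poster's code; the function names, the `$_SESSION['flash']` key and the CSS class are this example's own choices.

```php
<?php
// Added example (not the poster's code): a read-once flash-message store on top
// of $_SESSION. A message set before a redirect is shown exactly once and is
// gone when the user navigates back; an optional TTL (seconds) lets a message
// expire unseen. Key and function names are assumptions for this example.

function flash_set(string $key, string $message, int $ttl = 0): void
{
    $_SESSION['flash'][$key] = [
        'message'    => $message,
        'expires_at' => $ttl > 0 ? time() + $ttl : 0, // 0 means "no expiry"
    ];
}

// Return the message and remove it from the session, or null if absent/expired.
function flash_get(string $key): ?string
{
    if (!isset($_SESSION['flash'][$key])) {
        return null;
    }
    $entry = $_SESSION['flash'][$key];
    unset($_SESSION['flash'][$key]);          // read-once: consumed on retrieval
    if ($entry['expires_at'] !== 0 && time() > $entry['expires_at']) {
        return null;                          // expired before anyone saw it
    }
    return $entry['message'];
}

// Render one flash message (if any) inside a div, HTML-escaped.
function flash_render(string $key, string $cssClass = 'notice'): void
{
    $message = flash_get($key);
    if ($message !== null) {
        echo '<div class="' . htmlspecialchars($cssClass, ENT_QUOTES, 'UTF-8') . '">'
           . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</div>';
    }
}

// --- In the script that handles the form, before redirecting (placeholder URL) ---
// session_start();
// flash_set('no_match', 'No item found.');                        // replaces ?no_match=... in the URL
// flash_set('dup', 'This username is already registered.', 10);   // expires after 10 seconds
// header('Location: https://example.com/registration.php');
// exit();

// --- On the page that shows messages ---
// session_start();
// flash_render('no_match', 'duppy');
// flash_render('dup', 'duppy');
```

Because every message goes through flash_get(), the page no longer needs to unset other keys by hand (the `unset($_SESSION['message'])` lines in post 19), and messages never travel in the URL, so a visitor cannot craft a link that makes the site display arbitrary text.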
  20. All I really have is registration, login, messaging, and picture/text upload... So shouldn't I be worried about the places where users submit forms and text box data? The scripts that run to help display some of my pages, are those really a big risk? Couldn't I also back up my server files and my MySQL database every day to ensure that I always have something to go back to?
  21. I heard that was the most important thing to make sure you have. So if my site is pretty much done... I still have a lot more to do, security issues I mean, right? Here is an example. I also heard that it is good to protect your include files... in the case below, connection.php should somehow be protected.

      ```php
      <?php
      session_start();
      include "connection.php";

      $item_name   = mysql_real_escape_string($_POST['item_name']);
      $description = mysql_real_escape_string($_POST['description']);
      $in_return   = mysql_real_escape_string($_POST['in_return']);
      $category    = mysql_real_escape_string($_POST['listmenu']);

      define("MAX_SIZE", "1500");

      // return the part of the file name after the last dot
      function getExtension($str)
      {
          $i = strrpos($str, ".");
          if (!$i) {
              return "";
          }
          $l = strlen($str) - $i;
          $ext = substr($str, $i + 1, $l);
          return $ext;
      }

      $errors  = 0;
      $newname = ""; // initialised so the INSERT below does not read an undefined variable when no picture was sent
      if (isset($_POST['submit'])) {
          $image = $_FILES['image']['name'];
          if ($image) {
              $filename  = stripslashes($_FILES['image']['name']);
              $extension = getExtension($filename);
              $extension = strtolower($extension);
              if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "gif") && ($extension != "png")) {
                  $_SESSION['badformat'] = "Your picture must be a .JPG .GIF or .PNG";
                  header("location: http://www.------.com/-------.php");
                  $errors = 1;
                  exit();
              } else {
                  $size = filesize($_FILES['image']['tmp_name']);
                  if ($size > MAX_SIZE * 1024) {
                      $_SESSION['toobig'] = "Your picture can not exceed 1.5 megabyte.";
                      header("location: http://www.----.com/-----.php");
                      $errors = 1;
                      exit();
                  }
                  $image_name = time() . '.' . $extension;
                  $newname    = "userimages/$category/" . $image_name;
                  $copied     = copy($_FILES['image']['tmp_name'], $newname);
                  if (!$copied) {
                      $_SESSION['notcopy'] = "There was an error posting your picture. Please try again later.";
                      header("location: http://www.------.com/-----.php");
                      $errors = 1;
                      exit();
                  }
              }
          }
      }

      // if everything is good, post new pic for the user
      $mysqlcategory = $category;
      $imgpath = $newname;
      $findit  = $_SESSION['id'];
      $result  = mysql_query("SELECT id FROM members WHERE username = '$findit'");
      $row     = mysql_fetch_assoc($result);
      $user_id = $row['id'];
      $sql = "INSERT INTO abcxyz(item_name, description, in_return, imgpath, category, user_id)VALUES('$item_name','$description','$in_return', '$imgpath', '$mysqlcategory', '$user_id')";
      mysql_query($sql) or die(mysql_error());

      // go to confirmation page if upload is completed.
      if (isset($_POST['submit']) && !$errors) {
          $_SESSION['posted']    = $item_name;
          $_SESSION['picposted'] = $imgpath;
          header("location: http://www.-------.com/------.php");
          exit();
      }
      ?>
      ```
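The upload handler above decides what a file is from the client-supplied name, builds the destination path from a form field, names files by the current second and copies them with copy(). The following is an added example, not the poster's code, showing the checks a hardened version of that block would make: the size PHP reports, the file's real content type via finfo, an allow-list for the category segment of the path, an unguessable server-side file name, and move_uploaded_file(). The constants, the category list and the `userimages` directory are assumptions for this example.

```php
<?php
// Added example (not the poster's code): a hardened replacement for the picture
// upload block in the script above. Everything named here (UPLOAD_DIR, the
// category allow-list, the error texts) is an assumption for this example.

const MAX_UPLOAD_BYTES   = 1500 * 1024;                   // 1.5 MB, as in the original
const UPLOAD_DIR         = __DIR__ . '/userimages';       // placeholder location
const ALLOWED_CATEGORIES = ['books', 'tools', 'other'];   // placeholder allow-list

// Real MIME type (from the bytes) => extension the file will be stored under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

/**
 * Validate and store one uploaded image. Returns the relative path to record in
 * the database; throws RuntimeException with a user-facing message on failure.
 */
function store_uploaded_image(array $file, string $category): string
{
    // The category becomes a path segment, so only accept known values
    // (this also blocks anything like "../" arriving from the form).
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        throw new RuntimeException('Unknown category.');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('There was an error posting your picture. Please try again later.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Your picture can not exceed 1.5 megabyte.');
    }
    // tmp_name must be a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }

    // Decide the type from the file's content, not from the client-supplied name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Your picture must be a .JPG .GIF or .PNG');
    }
    // Second opinion: the header must parse as an image. Neither check proves the
    // whole file is harmless, so the upload directory should also be configured
    // in the web server so that nothing in it can execute as a script.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Your picture must be a .JPG .GIF or .PNG');
    }

    $dir = UPLOAD_DIR . '/' . $category;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('There was an error posting your picture. Please try again later.');
    }
    // Random name: unguessable, and no collisions between uploads in the same second.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('There was an error posting your picture. Please try again later.');
    }
    return 'userimages/' . $category . '/' . $name;
}

// Usage in the form handler, in place of the getExtension()/copy() block (placeholder URL):
// session_start();
// try {
//     $imgpath = store_uploaded_image($_FILES['image'] ?? [], $_POST['listmenu'] ?? '');
// } catch (RuntimeException $e) {
//     $_SESSION['badformat'] = $e->getMessage();
//     header('Location: https://example.com/upload.php');
//     exit();
// }
```

Storing the original file name is unnecessary for the site's purpose, so it is simply not used; the category and the random name are the only things that reach the file system or the database, and both are values the server chose.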
  22. How secure is secure? Registration, login, user file uploads, etc. Can anyone take a look at a couple of scripts and let me know?
  23. I always do it this way also...

      ```php
      <?php
      header("Location: http://www.yoursite.com/yourpage.php");
      ?>
      ```