ShadeSlayer

  1. Can you just post the file here? I'll go through it and fix all of the problems for you.
  2. I've recently attempted to work with a user DB/sessions/etc, and it seems like everything works until you click login and see the confirmation page. So, when you click Log In, the script goes ahead and enters the session information into the database, then adds a cookie to your computer, then redirects you to a page that detects if you're logged in or not. And once at that page, the script stops working (because it says I'm not logged in). I'm not getting any errors with this, either.

     config.php (ignore the top half, all the sessions are managed after // Manage Sessions):

     ```php
     <?php
     include("settings.php");
     error_reporting("E_ALL");

     // Define Table Names
     define("table_achievements", $global['prefix']."_achievements");
     define("table_cheats", $global['prefix']."_cheats");
     define("table_comments", $global['prefix']."_comments");
     define("table_glitches", $global['prefix']."_glitches");
     define("table_proreviews", $global['prefix']."_proreviews");
     define("table_reviews", $global['prefix']."_reviews");
     define("table_sessions", $global['prefix']."_sessions");
     define("table_unlockables", $global['prefix']."_unlockables");
     define("table_users", $global['prefix']."_users");
     define("table_walkthroughs", $global['prefix']."_walkthroughs");

     // Connect to the database
     if($mysql['conn'] = mysql_connect($global['host'], $global['username'], $global['password'])) {
         $mysql['select'] = mysql_select_db($global['database'], $mysql['conn']);
         if(!$mysql['select']) {
             echo "<b>Error:</b> Failed connection to database.<br /><br />".mysql_error();
         }
     } else {
         echo "<b>Error:</b> Failed connection to server.<br /><br />".mysql_error();
     }

     // Manage Sessions
     $user = array();
     $session = array();
     $loggedin = 0;
     if(isset($_COOKIE['sessionid'])) {
         $token = mysql_real_escape_string($_COOKIE['sessionid']);
         $sql = "SELECT * FROM ".table_sessions." WHERE token = '".$token."' LIMIT 1;";
         if($exe = mysql_query($sql)) {
             $session = mysql_fetch_array($exe);
             mysql_free_result($exe);
             if($session['expire'] < time()) {
                 setcookie("sessionid", "", $_SERVER['REQUEST_TIME']-60);
                 mysql_query("DELETE FROM ".table_sessions." WHERE ID = ".$session['ID']);
                 header("Location: index.php");
                 exit;
             }
             $sql = "SELECT * FROM ".table_users." WHERE ID = ".intval($session['userid'])." LIMIT 1;";
             $exe = mysql_query($sql);
             if($exe) {
                 $user = mysql_fetch_array($exe);
                 mysql_free_result($exe);
                 if($user['ID']) {
                     $loggedin = 1;
                 }
             } else {
                 die("Cannot load user data!");
             }
         } else {
             die("Cannot load session data!");
         }
     }
     ?>
     ```

     login.php:

     ```php
     <?php
     include("config.php");
     $pagetitle = "Login";

     if($loggedin) {
         header("Location: test.php");
         exit;
     }

     function generateSessionID() {
         $sessionid = md5($_SERVER['REQUEST_TIME']);
         $sessionid .= md5(rand(1, 9999999));
         $sessionid .= md5(rand(1, 9999999));
         $sessionid .= md5(mt_rand(0,strlen(32)));
         return md5($sessionid);
     }

     function startSession($userid) {
         $sessionid = generateSessionID();
         $sql = "INSERT INTO ".table_sessions." VALUES (NULL , '".intval($userid)."', '".$sessionid."', '".($_SERVER['REQUEST_TIME']+86400)."');";
         if($exe = mysql_query($sql)) {
             setcookie("sessionid", $sessionid, $_SERVER['REQUEST_TIME']+86400);
             header("Location: test.php");
             exit;
         } else {
             return "Could not start session! Try again.";
         }
     }

     if(isset($_POST['username']) && isset($_POST['password'])) {
         $username = "";
         $username = mysql_real_escape_string($_POST['username']);
         $sql = "SELECT username, password_salt FROM ".table_users." WHERE username = '".$username."' LIMIT 1;";
         $exe = mysql_query($sql);
         $error = array();
         if($exe) {
             $row = mysql_fetch_array($exe);
             mysql_free_result($exe);
             $password = "";
             $password = sha1($_POST['password'] . $row['password_salt']);
             $sql = "SELECT * FROM ".table_users." WHERE username = '".$username."' AND password = '".$password."' LIMIT 1;";
             $exe = mysql_query($sql);
             if($exe) {
                 // Everything is correct, initiate session.
                 $row = mysql_fetch_array($exe);
                 mysql_free_result($exe);
                 $error[] = startSession($row['ID']);
             } else {
                 $error[] = "Username does not exist";
             }
         }
     }

     if($_GET['q'] === "logout") {
         setcookie("sessionid", "", $_SERVER['REQUEST_TIME']-60);
         mysql_query("DELETE FROM ".table_sessions." WHERE ID = ".$session['ID']);
         header("Location: login.php");
         exit;
     }

     $output = "<form action=\"\" method=\"post\">\n"
         .implode('<br />', $error)
         ."<br /><b>Username:</b> <input type=\"text\" name=\"username\" value=\"\" /><br />\n"
         ."<b>Password:</b> <input type=\"password\" name=\"password\" value=\"\" /><br />\n"
         ."<input type=\"hidden\" name=\"action\" value=\"output\" />\n"
         ."<input type=\"submit\" name=\"submit\" value=\"Login\" />\n"
         ."</form>\n";
     $pagecontents = $output;
     include("layout.php");
     ?>
     ```

     test.php:

     ```php
     <?php
     include("config.php");
     $pagetitle = "Test";

     if($loggedin) {
         $output = "You ARE logged in!<br /><br /><strong>User array:</strong><br />";
         print_r($user);
         $output = "<br /><br /><strong>Session array:</strong><br />";
         print_r($session);
         if($user['class'] === "Admin") {
             $output = "You're an admin, too.";
         } elseif($user['class'] === "Editor") {
             $output = "You're an editor, too.";
         } else {
             $output = "You're just a regular member.";
         }
     } else {
         $output = "You ARE NOT logged in! <a href=\"login.php\">log in</a>";
     }
     $pagecontents = $output;
     include("layout.php");
     ?>
     ```

     Again, as I stated in an earlier topic: I'm a total failure with session control and the like, and am a total noob when it comes to using them. Thanks a bunch.
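
An added example, not part of the post above and not the poster's code: the same flow (check credentials, write a session row, look the session up on later requests) with the token drawn from the CSPRNG, stored only as a hash, and issued only when a row matched and the password verified. The table layout follows the post; the in-memory SQLite database (needs the pdo_sqlite extension), the `alice` account and the function names `login` and `currentUser` are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// post; the in-memory SQLite database and the sample account are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, class TEXT)');
$pdo->exec('CREATE TABLE sessions (ID INTEGER PRIMARY KEY, userid INTEGER, token TEXT UNIQUE, expire INTEGER)');

// Constructed sample account; password_hash() salts and stretches for us.
$pdo->prepare('INSERT INTO users (username, password, class) VALUES (?, ?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Admin']);

/** Returns a fresh session token, or null when the credentials do not match. */
function login(PDO $pdo, string $username, string $password, int $now): ?string
{
    $stmt = $pdo->prepare('SELECT ID, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A query that ran without error is not a match: require a row AND a
    // verified password before any session row is written.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // Store only a hash, so a leaked sessions table holds no usable tokens.
    $pdo->prepare('INSERT INTO sessions (userid, token, expire) VALUES (?, ?, ?)')
        ->execute([$row['ID'], hash('sha256', $token), $now + 86400]);
    // In a web request, send it with setcookie() using the httponly and secure options.
    return $token;
}

/** Returns the user row behind an unexpired session token, or null. */
function currentUser(PDO $pdo, string $token, int $now): ?array
{
    $stmt = $pdo->prepare(
        'SELECT u.ID, u.username, u.class FROM sessions s
         JOIN users u ON u.ID = s.userid
         WHERE s.token = ? AND s.expire > ? LIMIT 1'
    );
    $stmt->execute([hash('sha256', $token), $now]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

$now = time();
var_dump(login($pdo, 'alice', 'wrong password', $now));  // case: bad password
var_dump(login($pdo, 'nobody', 'anything', $now));       // case: unknown user
$token = login($pdo, 'alice', 'correct horse', $now);    // case: valid login
var_dump(currentUser($pdo, $token, $now));               // live session
var_dump(currentUser($pdo, $token, $now + 86401));       // expired session
var_dump(currentUser($pdo, str_repeat('0', 64), $now));  // unknown token
```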
  3. So, I've been working on a backend area of a website and I want to have user accounts so the Admin area can be secure from users. I've never done anything custom with sessions before, so I don't know where to start, but I can display my code thus far... maybe you guys could help? My master plan is to have a variable on each file ($protectedpage), and if the variable is set to 1, then the user needs to be logged in. If it's not, then anyone can see. Instead of adding code to all of my pages, I'd like the session to load out of the config.php file, and also load all the user details through there (so the session would need to be a userID or something so I can easily make that SQL query).

     config.php

     ```php
     <?php
     include("settings.php");
     error_reporting("E_ALL");

     // Connect to the database
     if($mysql['conn'] = mysql_connect($global['host'], $global['username'], $global['password'])) {
         $mysql['select'] = mysql_select_db($global['database'], $mysql['conn']);
         if(!$mysql['select']) {
             echo "<b>Error:</b> Failed connection to database.<br /><br />".mysql_error();
         }
     } else {
         echo "<b>Error:</b> Failed connection to server.<br /><br />".mysql_error();
     }

     // Retrieve Session Info
     if($protectedpage === 1) {
         // Display the page to only logged in users
     } else {
         // Display the page to the masses
     }
     ?>
     ```

     page.php:

     ```php
     <?php
     $protectedpage = 1; // This page is protected, only logged in users can view it.
     include("config.php");
     $pagetitle = "Protected Page";
     $output = "Only logged in users can see this.";
     $pagecontents = $output;
     include("layout.php");
     ?>
     ```

     login.php

     ```php
     <?php
     $protectedpage = 0; // This page isn't protected, users can log in from here.
     include("config.php");
     $pagetitle = "Login";
     $output = "<form action=\"\" method=\"post\">\n"
         ."<b>Username:</b> <input type=\"text\" name=\"username\" value=\"\" /><br />\n"
         ."<b>Password:</b> <input type=\"password\" name=\"password\" value=\"\" /><br />\n"
         ."<input type=\"hidden\" name=\"action\" value=\"output\" />\n"
         ."<input type=\"submit\" />\n"
         ."</form>\n";

     if($_GET['action'] == "output") {
         // Log in and...
         header("Location: page.php"); // redirect the logged in user to a protected page
     }
     if($_GET['action'] == "logout") {
         // Kill the session
         $output = "You are now logged out.";
     }
     $pagecontents = $output;
     include("layout.php");
     ?>
     ```

     Sorry for being such a noob, but I'm a complete and total failure when it comes to session control/login/etc... so I could really use some assistance. If you could help me with doing this, and keeping it secure while we're doing that; then I'd be very happy. TONS of thanks to anyone who helps me out!
  4. I just updated my config file, took out a bunch of useless stuff.

     ```php
     <?php
     /* Configuration Page
      * Script by Alex Crooks Webdesign
      * Copyright 2009, protected under Creative Commons Licence
      */
     include("settings.php");
     error_reporting("E_ALL");

     // Define Table Names
     define("table_achievements", $global['prefix']."_achievements");
     define("table_cheats", $global['prefix']."_cheats");
     define("table_comments", $global['prefix']."_comments");
     define("table_glitches", $global['prefix']."_glitches");
     define("table_proreviews", $global['prefix']."_proreviews");
     define("table_reviews", $global['prefix']."_reviews");
     define("table_unlockables", $global['prefix']."_unlockables");
     define("table_walkthroughs", $global['prefix']."_walkthroughs");

     // Connect to the database
     if($mysql['conn'] = mysql_connect($global['host'], $global['username'], $global['password'])) {
         $mysql['select'] = mysql_select_db($global['database'], $mysql['conn']);
         if(!$mysql['select']) {
             echo "<b>Error:</b> Failed connection to database.<br /><br />".mysql_error();
         }
     } else {
         echo "<b>Error:</b> Failed connection to server.<br /><br />".mysql_error();
     }

     // Retrieve Site Settings
     //$setting = "SELECT * FROM ".TABLE_SETTINGS;
     //$settings = mysql_fetch_array(mysql_query($setting));

     // Retrieve Functions File
     //include($row['functions']);
     ?>
     ```

     The settings file consists of 5 things: database name, "localhost", username, password, and prefix. They all work fine (since the pages that retrieve database info work just fine).
  5. It probably says "USE CURLY BRACKETS" or something as blatantly obvious as that.
  6. ```php
     if ($action == 'www_php') {
         /* Empty the SESSION */
         $_SESSION['Key'] = ''; //Line 11
         $_SESSION['Next'] = false;
         $_SESSION['Zlib'] = false;
         $_SESSION['Session_key'] = '';
     ```

     Along with the comments, you need to open statements with { instead of (
  7. ```php
     if ($action == 'www_php') (
     / * Empty the SESSION * /
     $_SESSION['Key'] = '';
     $_SESSION['Next'] = false;
     $_SESSION['Zlib'] = false;
     $_SESSION['Session_key'] = '';
     if ($www_php_size >= 1024 * 1024)
     ```
  8. ```php
     <?php
     define('CRACK_ROOT', dirname(__FILE__ ? __FILE__: getenv('SCRIPT_FILENAME')));
     ```

     I don't see why you had that extra "php" there.
  9. Alright, so I had the code for something I've been doing, and I revised it because it was just feeding off of a different website's database. What happens now, as opposed to what happened before is huge: Before, it would enter the content to the database. Now, it sends me to a white screen. All I did were a few minor changes to make the script independent.

     Here is my old code:

     ```php
     <?php
     include("../common.php");
     // 3.0.0 (recent add: db upload)
     echo "<b>Glitch Editor</b><br />
     Enter the game title in the title box, and paste the glitch code in the glitch box.
     **have all code in HTML<br /><br />
     <form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
     <table width=\"100%\">
     <tr>
     <td width=\"100%\">
     <b>Title:</b> <input type=\"text\" name=\"title\" value=\"\" /><br />
     <b>Content:</b><textarea style=\"width: 100%; height: 100px;\" name=\"string\"></textarea>
     </td>
     </tr>
     <tr><td>
     <input type=\"hidden\" name=\"action\" value=\"output\" />
     <input type=\"submit\" />
     </td></tr>
     </table>
     </form>";

     if ($_POST['action'] == "output") {
         $title = $_POST['title']; //, $string
         $content = $_POST['string'];
         $sql = "INSERT INTO pxb_glitches (date, title, content) VALUES (".date("U").", '".addslashes($title)."', '".nl2br(addslashes($content))."');";
         if($exe = runQuery($sql)){
             echo "Query Complete";
         }else{
             echo "Error entering values.";
         }
     }
     ?>
     ```

     As you can see there, the script got the database connection from a file in a different directory, and it just straight echo'd all the content.

     Here is the updated code:

     ```php
     <?php
     include("config.php");
     $pagetitle = "Add Glitches";
     $output = "<b>Glitch Editor</b><br />
     Enter the game title in the title box, and paste the glitch code in the glitch box.
     **have all code in HTML<br /><br />
     <form action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
     <table width=\"100%\">
     <tr>
     <td width=\"100%\">
     <b>Title:</b> <input type=\"text\" name=\"title\" value=\"\" /><br />
     <b>Content:</b><textarea style=\"width: 100%; height: 100px;\" name=\"string\"></textarea>
     </td>
     </tr>
     <tr><td>
     <input type=\"hidden\" name=\"action\" value=\"output\" />
     <input type=\"submit\" />
     </td></tr>
     </table>
     </form>";

     if ($_POST['action'] == "output") {
         $title = $_POST['title']; //, $string
         $content = $_POST['string'];
         $sql = "INSERT INTO pxb_glitches (date, title, content) VALUES (".date("U").", '".addslashes($title)."', '".nl2br(addslashes($content))."');";
         if($exe = runQuery($sql)){
             $output = "Query Complete";
         }else{
             $output = "Error entering values.";
         }
     }
     $pagecontents = $output;
     include("layout.php");
     ?>
     ```

     Here, I changed the location of the SQL connect file. All I did to the connect file was rename it, and move it to the local directory. Then I changed all the echo tags to $output so they could be echoed in an external file (which is included at the bottom). So at the very bottom, I include the layout file for the stuff to echo the content. My only problems with my scripts are submitting forms. I have a different page that displays the stuff in the database, and it displays the database info like it should. So I don't see how a few minor changes like this can screw up a whole script, and I can't find anything that could be causing this problem. Thanks a bunch for your help.
  10. I've already done that, and just under that post, I replied with what it did.
  11. Okay, I've updated the code to this to see where it's going wrong:

      ```php
      if($_GET['action'] == "add") {
          $output = "\n<form action=\"".$_SERVER['PHP_SELF']."?action=add\" method=\"post\">\n"
              ."<b>Title:</b> <input type=\"text\" name=\"title\" value=\"\" /><br />\n"
              ."<b>Author Name:</b> <input type=\"text\" name=\"creator\" value=\"\" /><br />\n"
              ."<b>Tags:</b> <input type=\"text\" name=\"tags\" value=\"\" /> *separate with commas<br />\n"
              ."<b>Blog Entry:</b><br />\n"
              ."<textarea style=\"width: 100%; height: 150px;\" name=\"body\" value=\"\">\n"
              ."</textarea><br /><br />\n"
              ."<input type=\"hidden\" name=\"do\" value=\"process\" />\n"
              ."<input type=\"submit\" />\n"
              ."</form>\n";
          if($_POST['do'] == "process") {
              $sql = "INSERT INTO ".TABLE_CONTENT." (title, creator, body, timestamp, tags) VALUES ('".addslashes($_POST['title'])."', '".addslashes($_POST['creator'])."', '".addslashes($_POST['body']).", '".date("U")."', '".addslashes($_POST['tags'])."')";
              if($exe = mysql_query($sql)) {
                  $output = "Content item successfully added. <a href=\"manage.php\">Return to Administration.</a>";
              } else {
                  $output = mysql_error()."<br />\n";
              } else {
                  $output = "Error processing query.<br />\n";
              }
          }
      ```

      The error that displays when going to "?action=add" is "Error Processing Query", so for some reason, when simply visiting ?action=add, the page still tries to do something with &do=process.
  12. No, it should be $_GET['action'] since that's the page that displays the form. I set up the "print_r" code and it displays this on the top once I try to submit the form (note the text there is just gibberish):

      ```
      Array ( [action] => add )
      Array ( [title] => fg [creator] => gdfgdf [tags] => [body] => dfgdf [do] => process )
      ```
  13. After looking through this code, I couldn't figure out why it doesn't work. Some other forms work just fine, and they aren't written any differently. When I enter the info in this one and click Submit, the page just refreshes, doesn't enter the stuff into the database, and displays a blank form when it refreshes. I've checked this multiple times for open HTML tags, anything that could have made this not work and thus, cannot find a solution.

      ```php
      if($_GET['action'] == "add") {
          $output = "\n<form action=\"".$_SERVER['PHP_SELF']."?action=add\" method=\"post\">\n"
              ."<b>Title:</b> <input type=\"text\" name=\"title\" value=\"\" /><br />\n"
              ."<b>Author Name:</b> <input type=\"text\" name=\"creator\" value=\"\" /><br />\n"
              ."<b>Tags:</b> <input type=\"text\" name=\"tags\" value=\"\" /> *separate with commas<br />\n"
              ."<b>Blog Entry:</b><br />\n"
              ."<textarea style=\"width: 100%; height: 150px;\" name=\"body\" value=\"\">\n"
              ."</textarea><br /><br />\n"
              ."<input type=\"hidden\" name=\"do\" value=\"process\" />\n"
              ."<input type=\"submit\" />\n"
              ."</form>\n";
          if($_POST['do'] == "process") {
              $sql = "INSERT INTO ".TABLE_CONTENT." (title, creator, body, timestamp, tags) VALUES ('".addslashes($_POST['title'])."', '".addslashes($_POST['creator'])."', '".addslashes($_POST['body']).", '".date("U")."', '".addslashes($_POST['tags'])."')";
              if($exe = mysql_query($sql)) {
                  $output = "Content item successfully added. <a href=\"manage.php\">Return to Administration.</a>";
              }
          }
      }
      ```

      I'd love for you guys to help me, I very much appreciate it.
  14. Man, I thought I just found the problem. All of the forms looked like this:

      ```php
      <form action=\"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\">
      ```

      so I edited them to this:

      ```php
      <form action=\"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\" method=\"post\">
      ```

      to include the "method=\"post\"". It still doesn't work, though.
  15. What do you mean? You want to call code from file a to file b and execute it in file b? Are you looking for the "include()" tag, perhaps?