Jakebert

Members
  • Posts: 51
  • Last visited: Never

Profile Information
  • Gender: Not Telling

Posts by Jakebert (newest first):
  1. This is how I generate my first form. $results is where I keep the category headers (e.g. President, Vice-President) and $results2 is where the options are for those categories (e.g. Mitt Romney, Barack Obama, Joe Biden, Nameless Faceman, etc.)

         <?php while ($results2 = mysqli_fetch_assoc($sql2)) { ?>
         <?php // escape DB values before placing them in HTML; the value attribute needs an echo ?>
         <input type="radio" name="<?php echo htmlspecialchars($results['name']); ?>" value="<?php echo htmlspecialchars($results2['value']); ?>" />
         <?php echo htmlspecialchars($results2['value']); echo "<br />"; ?>
         <?php } ?>

     My question is: how can I create a process_vote.php form if I don't know how many fields I'm going to get in $_POST? Based on the link he clicked, he could get one category with just two options, or six categories with six options each. Is it easier to send the form back to the same file, or make another file?
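Editor's added example (not code from Jakebert's post): one way to write a process_vote.php that copes with any number of categories. The radios are named vote[<category_id>] with the option id as the value, and every submitted pair is checked against the database before it is stored, because a radio button only limits what the browser offers, not what a client can POST. The schema (categories, options, votes tables), and the $connection and $user variables, are assumptions modelled on the post.

```php
<?php
// Editor's added example, not code from the post. process_vote.php for a
// form whose number of categories is unknown: the radios are named
// vote[<category_id>] with the option id as value, and whatever arrives is
// checked against the database before it is stored. Assumed (hypothetical)
// schema: categories(id, ballot_id, name), options(id, category_id, value),
// votes(ballot_id, category_id, option_id, user_id). $connection (mysqli)
// and $user (the logged-in voter's id) are assumed to exist, as in the post.

declare(strict_types=1);

/** Render the radios for one category; the option id, not its text, is posted back. */
function renderCategory(mysqli $connection, int $categoryId): string
{
    $stmt = $connection->prepare('SELECT id, value FROM options WHERE category_id = ?');
    $stmt->bind_param('i', $categoryId);
    $stmt->execute();
    $result = $stmt->get_result();

    $html = '';
    while ($row = $result->fetch_assoc()) {
        $html .= sprintf(
            '<input type="radio" name="vote[%d]" value="%d" /> %s<br />' . "\n",
            $categoryId,
            (int) $row['id'],
            htmlspecialchars($row['value'], ENT_QUOTES, 'UTF-8')
        );
    }
    $stmt->close();
    return $html;
}

/**
 * Keep only the (category_id => option_id) pairs that really belong to this
 * ballot. Extra keys, option ids copied from another category or another
 * ballot, and non-numeric junk are dropped rather than stored.
 */
function validateVotes(mysqli $connection, int $ballotId, array $posted): array
{
    $stmt = $connection->prepare(
        'SELECT 1 FROM options o JOIN categories c ON c.id = o.category_id
          WHERE c.ballot_id = ? AND c.id = ? AND o.id = ?'
    );
    $clean = [];
    foreach ($posted as $categoryId => $optionId) {
        // Both key and value come from the client: check before casting.
        if (!ctype_digit((string) $categoryId) || !ctype_digit((string) $optionId)) {
            continue;
        }
        $cid = (int) $categoryId;
        $oid = (int) $optionId;
        $stmt->bind_param('iii', $ballotId, $cid, $oid);
        $stmt->execute();
        if ($stmt->get_result()->num_rows === 1) {
            $clean[$cid] = $oid;
        }
    }
    $stmt->close();
    return $clean;
}

/**
 * Replace the voter's previous selections for this ballot with the new ones
 * inside one transaction, so a half-written ballot is never left behind.
 */
function storeVotes(mysqli $connection, int $ballotId, int $userId, array $clean): void
{
    $connection->begin_transaction();
    $del = $connection->prepare('DELETE FROM votes WHERE ballot_id = ? AND user_id = ?');
    $del->bind_param('ii', $ballotId, $userId);
    $del->execute();
    $del->close();

    $ins = $connection->prepare(
        'INSERT INTO votes (ballot_id, category_id, option_id, user_id) VALUES (?, ?, ?, ?)'
    );
    foreach ($clean as $cid => $oid) {
        $ins->bind_param('iiii', $ballotId, $cid, $oid, $userId);
        $ins->execute();
    }
    $ins->close();
    $connection->commit();
}

// Entry point: the ballot id travels in a hidden field, the voter comes from the session.
$ballotId = isset($_POST['ballot_id']) ? (int) $_POST['ballot_id'] : 0;
$posted   = (isset($_POST['vote']) && is_array($_POST['vote'])) ? $_POST['vote'] : [];
$clean    = validateVotes($connection, $ballotId, $posted);
if ($clean === []) {
    echo 'No valid selections were submitted.';
} else {
    storeVotes($connection, $ballotId, (int) $user, $clean);
    echo 'Recorded ', count($clean), ' selection(s).';
}
```

Whether this lives in the same file as the form or in a separate process_vote.php makes no difference to the validation; what matters is that the server never trusts the posted ids and looks each one up with a prepared statement.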
  2. I'm trying to grab the current time of the user's computer and compare it to two date times in the database. The dates in the database are stored in this format: "2012-06-24 00:00:00". This is the code I have:

         // today's date
         $date = new DateTime();
         // since that comes back in UNIX format, change it so it matches the DB format
         $now = date_format($date, 'Y-m-d H:i:s');
         while ($output = mysqli_fetch_assoc($info)) {
             // let's check the open and close dates
             if (($now > $output['open_date']) || ($now < $output['close_date'])) {
                 echo "There are no ballots for you at this time.";
             } else {
                 echo $output['display_name'];
                 echo "<br />";
                 echo $output['open_date'];
                 echo "<br />";
             }
         }

     There's got to be a problem with the comparison line... I just can't tell what it is. Also, where can I move the "There are no ballots for you at this time." message so that it doesn't echo for every ballot?
  3. You are correct! Thanks for finding that for me!
  4. This is a silly question about functions. Why does this code:

         <?php
         // connect to the database
         $host = "localhost";
         $DBuser = "root";
         $DBpassword = "";
         $database = "ksu";
         $connection = new mysqli($host, $DBuser, $DBpassword, $database);
         if ($connection->connect_error) {
             die('Connection Error (' . $connection->connect_errno . ') ' . $connection->connect_error);
         }

         function getUserGroups($id) {
             $query = $connection->query("SELECT group_id FROM group_membership WHERE user_id = " . $id); // this is line 20, where the error gets thrown
             $results = mysqli_fetch_assoc($query);
             return $results;
         }
         ?>

     throw this error?

         Notice: Undefined variable: connection in C:\wamp\www\KSU\connect.php on line 20

     There must be a really obvious answer I'm missing.
  5. Sorry to be so dense but since the second and third queries are based on the results of their predecessors, how would multiquery work?
  6. Is there a less complicated/neater way to do this:

         <?php
         // the first query selects the group_ids that the user belongs to from the cross reference table
         $groups = $connection->query("SELECT group_id FROM group_membership WHERE user_id = '$user'");
         while ($info = mysqli_fetch_assoc($groups)) {
             // 2nd query: What ballots are members of those groups eligible for? (from the groups/ballots cross reference table)
             $ballots = $connection->query("SELECT ballot_id FROM group_ballots WHERE group_id = " . $info['group_id']);
             while ($finfo = mysqli_fetch_object($ballots)) {
                 // 3rd query: get the info of the ballots from query 2
                 $search = $connection->query("SELECT * FROM ballots WHERE id = " . $finfo->ballot_id);
                 $output = mysqli_fetch_assoc($search);
                 echo $output['display_name'];
                 echo "<br />";
                 echo $output['open_date'];
             }
         }
         ?>

     I'd also like to be able to echo out a "nothing found" message if any of those comes up with 0 results. Maybe my table design could be neater?
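Editor's added example (not code from Jakebert's posts), covering the nested-query post above and the open/close date post further up. It folds the three queries into one JOIN, lets the database compare the open and close dates against its own clock, and prints the "nothing found" message once, after the loop, rather than once per row. Table and column names are taken from the posts; $connection (a mysqli object) and $user are assumed to exist.

```php
<?php
// Editor's added example, not from the original posts. One JOIN replaces the
// three nested queries, the date window is checked in SQL with NOW() so it
// is not compared against the web server's or the visitor's clock in PHP,
// and the "no ballots" message is printed once, after the loop. Table and
// column names come from the posts; $connection (mysqli) and $user are
// assumed to exist, as they do in the posted code.

declare(strict_types=1);

/**
 * Ballots the user is eligible for that are open right now.
 * Returns rows of (id, display_name, open_date, close_date).
 */
function openBallotsFor(mysqli $connection, int $userId): array
{
    $stmt = $connection->prepare(
        'SELECT DISTINCT b.id, b.display_name, b.open_date, b.close_date
           FROM group_membership gm
           JOIN group_ballots gb ON gb.group_id = gm.group_id
           JOIN ballots b        ON b.id = gb.ballot_id
          WHERE gm.user_id = ?
            AND NOW() BETWEEN b.open_date AND b.close_date
          ORDER BY b.close_date'
    );
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * The same window check in PHP, for rows that are already fetched.
 * DateTime objects compare correctly; the strings "2012-06-24 00:00:00"
 * from the database are parsed in PHP's default timezone, so keep that
 * in step with the MySQL server's timezone. A ballot is open when now is
 * at or after open_date AND at or before close_date.
 */
function isOpenNow(string $openDate, string $closeDate, ?DateTimeInterface $now = null): bool
{
    $now   = $now ?? new DateTimeImmutable();
    $open  = new DateTimeImmutable($openDate);
    $close = new DateTimeImmutable($closeDate);
    return $now >= $open && $now <= $close;
}

$ballots = openBallotsFor($connection, (int) $user);
if ($ballots === []) {
    echo 'There are no ballots for you at this time.';
} else {
    foreach ($ballots as $ballot) {
        echo htmlspecialchars($ballot['display_name'], ENT_QUOTES, 'UTF-8'), '<br />';
        echo $ballot['open_date'], ' to ', $ballot['close_date'], '<br />';
    }
}
```

The user id is bound as a prepared-statement parameter instead of being interpolated into the query string, which also removes the injection point in the first of the three original queries.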
  7. Oh, I get what you mean. Well, yes, that part is easy and I imagine would be fairly simple to control. I guess what I'm asking is: are there any obvious or easy ways to break into a database or do a MySQL injection if all you have is a website with no textboxes? (since they only get radio buttons). As long as I make the database admin username and password complicated, is there any way for someone with some technical experience (e.g. annoying first-year computer science students) to break in?
  8. Well I'm the only person registering people (i.e. I get the list of potential voters and add them all manually), so yeah, I think we can make it that everyone only votes once. I actually think it would be unethical for me to be able to see who voted what (I run the elections)- is there a way to get the total results but keep me from seeing the individual votes?
  9. I figured this should go here: feel free to move it if it's in the wrong place. I wanted to discuss potential security issues and features that should be in an online voting platform (to be used for student council elections and such). Apart from hashing passwords, how would one go about reducing the possibility of fraud (either via MySQL injection, or some other nefarious device)? I'm afraid I'm not very experienced with security. I know some of the paid software packages give every voter a special ID for each ballot they fill out, and that the numbers aren't actually stored in a database, but I have NO clue how to do that. Does anyone have any experience with this?
 10. You can actually insert PHP variables into MySQL queries by placing single quotes around them like this:

         <?php
         $sql = mysql_query("SELECT COUNT(*) FROM login_test WHERE username = '$username' AND password = '$password'");
         $rows = mysql_fetch_array($sql);
         ?>

     The code above will look through your table and see how many rows exist with the username and password entered. If the number is one (i.e. the login was correct), then you can log them in:

         <?php
         if ($rows[0] == 1) {
             print("Welcome back, friend!");
         } else {
             print("You aren't logged in!");
         }
         ?>

     Hope that answers your question!
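Editor's added example (not code from Jakebert's posts), for the login snippet above and the earlier question about whether a site with only radio buttons can be injected. Single quotes around an interpolated variable do not protect the query: the variable can itself contain a quote, and any POST parameter, radio button or not, can be set to anything with curl. The block shows what the interpolated query becomes for a hostile username, then the prepared-statement form with a stored password hash. The table and column names (login_test, username, password_hash) are assumptions.

```php
<?php
// Editor's added example, not from the original post. Shows why wrapping a
// PHP variable in single quotes does not make the login query safe, and the
// prepared-statement form to use instead. Table and column names
// (login_test, id, username, password_hash) are assumptions.

declare(strict_types=1);

/** The query from the post, built the same way: by string interpolation. */
function buildInterpolatedQuery(string $username, string $password): string
{
    return "SELECT COUNT(*) FROM login_test WHERE username = '$username' AND password = '$password'";
}

// What the server actually sends when the username field is hostile. Whether
// the field was a textbox or a radio button is irrelevant: the browser is not
// the only possible client, and a POST body can carry any bytes at all.
$attackerUsername = "admin' -- ";
$sql = buildInterpolatedQuery($attackerUsername, 'anything');
// $sql is now:
//   SELECT COUNT(*) FROM login_test WHERE username = 'admin' -- ' AND password = 'anything'
// "-- " starts a comment, so the password clause is never evaluated and the
// count is 1 for any existing username.

/**
 * The same check done safely. The statement is compiled with placeholders,
 * so the parameters are sent as data and can never be parsed as SQL,
 * whatever they contain. The password is checked against a stored hash
 * rather than a plaintext column. Returns the user's id, or null.
 */
function login(mysqli $connection, string $username, string $password): ?int
{
    $stmt = $connection->prepare(
        'SELECT id, password_hash FROM login_test WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() does a constant-time comparison against the hash
    // that password_hash() produced at registration.
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

/** How the stored value is produced at registration (assumed column: password_hash). */
function registerUser(mysqli $connection, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $connection->prepare(
        'INSERT INTO login_test (username, password_hash) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}
```

A complicated database password does not help here: the injected query runs with whatever privileges the web application's own database account has, so that account should be able to do only what the application needs (no DROP, no access to other schemas, no FILE privilege).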
 11. Hi everyone, I'm having a lot of trouble writing this particular page, which is the voting page. Essentially, I want everyone to vote once, but they can change their votes. The page is set up like this currently. I've tried to include comments so that it makes sense. I'm having particular trouble with the JavaScript controlling the changing of votes. I'd also appreciate any general coding suggestions so that this code isn't as much of a monstrosity. I know this is a killer - I hope I'm not wasting anyone's time!

         <?php
         // when they vote using the form further down the page, this triggers
         // If they voted yes
         if (isset($_POST['aye'])) {
             // check that they haven't voted yes before
             $numrows = get_rows("votes WHERE `bid`=" . $bid . " AND `uid`=" . $user . " AND `vote`=1");
             // if they've voted yes before
             if ($numrows > 0) {
                 echo "<script type='text/javascript'> alert('You can only vote for bill once'); window.location='home.php'</script>";
             } else {
                 // check to see if they've voted at all
                 $votedbefore = get_rows("votes WHERE `bid` = '$bid' AND `uid` = '$user'");
                 // if they've voted the other way before
                 if ($votedbefore > 0) {
                     echo "<script language=\"Javascript\" type=\"text/javascript\"> var r=confirm('Change your vote?'); if (r==false){ document.location.href='vote.php';}";
                     echo "else {";
                 }
                 // now, change the DB information to match their vote
                 $votes = $oldayes + 1;
                 $edit = mysql_query("UPDATE bills SET ayes = '$votes' WHERE status = 'at vote'");
                 $record = mysql_query("INSERT INTO votes (bid, uid, vote) VALUES ('$bid', '$user', 1);");
                 echo "</script><script language=\"Javascript\" type=\"text/javascript\"> alert(\"Your vote has been recorded\");document.location.href='home.php'; </script>}";
             }
         }
         // do the whole damn thing over again if they clicked the no button
         if (isset($_POST['nay'])) {
             $numrows = get_rows("votes WHERE `bid`=" . $bid . " AND `uid`=" . $user . " AND `vote`=0");
             if ($numrows > 0) {
                 echo "<script type='text/javascript'> alert('You can only vote for bill once'); window.location='home.php'</script>";
             } else {
                 $votes = $oldnays + 1;
                 $edit = mysql_query("UPDATE bills SET nays = '$votes' WHERE status = 'at vote'");
                 $record = mysql_query("INSERT INTO votes (bid, uid, vote) VALUES ('$bid', '$user', 0);");
                 echo "<script language=\"Javascript\" type=\"text/javascript\"> alert(\"Your vote has been recorded\");document.location.href='home.php'; </script>";
             }
         }
         // first we need to make sure that the user is logged in
         if (isset($_SESSION['uid'])) {
             // display that info
             echo "<strong>" . $row['title'] . "</strong><br/>";
             echo $row['subtitle'];
             echo "<br/>Tabled by: " . $row2['first'] . " " . $row2['last'];
             echo "<br/><br/>";
             echo $row['body'];
             echo "<table><tr><td style='color:green'>AYES: <b>" . $oldayes . "</b></td>";
             echo "<td style='color:red'>NAYS: <b>" . $oldnays . "</b></td></tr></table>";
         ?>
         <form action="vote.php" method="post">
             <input type="submit" name="aye" value="AYE" />
             <input type="submit" name="nay" value="NAY" />
         </form>
         <?php
         } else { // they aren't logged in
             echo "<script language=\"Javascript\" type=\"text/javascript\"> alert(\"You are not logged in!\");document.location.href='index.php'; </script>";
         }
         ?>
 12. Hi everyone, I'm trying to design a mock parliament: there is a bill up for vote, everyone may vote once (either AYE or NAY), but they can switch their vote. I tried it with a table VOTES with columns for BILLID (the id of the bill up for vote), USERID (the user voting) and VOTE (what they voted). The actual number of votes for each bill is stored in table BILLS. In the PHP processing the form, I have to check everything twice, i.e. did they click yes or no? If they clicked yes, have they clicked yes before? Have they voted no before? If they voted yes before, display an error; if they voted no before, remove 1 from nay and add one to aye, and then update table VOTES. And then all over again if they voted no. It looks like spaghetti. Can anyone think of an easier/more compact way to do this?
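Editor's added example (not code from Jakebert's posts), for the two mock-parliament posts above. The "check everything twice" flow collapses into a single upsert once the database enforces one row per (bill, user): a first vote inserts, a switched vote updates, and the AYE/NAY totals are computed from the votes table instead of being kept as separate counters in BILLS that can drift out of step. The table layout, the database name in the GRANT comment, and the $connection variable are assumptions.

```php
<?php
// Editor's added example, not code from the original posts. One upsert
// replaces the yes/no, voted-before, voted-the-other-way checks: the
// PRIMARY KEY on (bill_id, user_id) makes "vote once, but may switch" a
// database rule, and the totals are derived from the rows on record.
// Table and column names, and $connection (mysqli), are assumptions.

declare(strict_types=1);

// Assumed schema:
//   CREATE TABLE votes (
//     bill_id INT NOT NULL,
//     user_id INT NOT NULL,
//     vote    TINYINT NOT NULL,   -- 1 = AYE, 0 = NAY
//     cast_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
//     PRIMARY KEY (bill_id, user_id)
//   );

/**
 * Record or change a vote. MySQL reports 1 affected row for a fresh insert,
 * 2 when the ON DUPLICATE KEY branch changed the row, and 0 when the user
 * re-submitted the same choice, which gives the three outcomes for free.
 */
function castVote(mysqli $connection, int $billId, int $userId, bool $aye): string
{
    $vote = $aye ? 1 : 0;
    $stmt = $connection->prepare(
        'INSERT INTO votes (bill_id, user_id, vote) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE vote = VALUES(vote)'
    );
    $stmt->bind_param('iii', $billId, $userId, $vote);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();

    if ($affected === 1) {
        return 'recorded';
    }
    if ($affected === 2) {
        return 'changed';
    }
    return 'unchanged';
}

/** Current totals, computed from the votes actually on record. */
function tally(mysqli $connection, int $billId): array
{
    $stmt = $connection->prepare(
        'SELECT COALESCE(SUM(vote = 1), 0) AS ayes,
                COALESCE(SUM(vote = 0), 0) AS nays
           FROM votes WHERE bill_id = ?'
    );
    $stmt->bind_param('i', $billId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return ['ayes' => (int) $row['ayes'], 'nays' => (int) $row['nays']];
}

// For a results page that must not be able to see who voted which way, give
// its database account SELECT on an aggregate view only (database name
// "parliament" and account "results" are assumed):
//   CREATE VIEW bill_totals AS
//     SELECT bill_id, SUM(vote = 1) AS ayes, SUM(vote = 0) AS nays
//       FROM votes GROUP BY bill_id;
//   GRANT SELECT ON parliament.bill_totals TO 'results'@'localhost';

// Handling the form: the bill id comes from a hidden field, the voter's id
// from the session, never from the form.
session_start();
if (!isset($_SESSION['uid'])) {
    header('Location: index.php');
    exit;
}
$billId = isset($_POST['bill_id']) ? (int) $_POST['bill_id'] : 0;
if ($billId > 0 && (isset($_POST['aye']) || isset($_POST['nay']))) {
    $outcome = castVote($connection, $billId, (int) $_SESSION['uid'], isset($_POST['aye']));
    // Redirect after POST so a browser refresh cannot re-submit the vote.
    header('Location: home.php?vote=' . $outcome);
    exit;
}
$totals = tally($connection, $billId);
printf('AYES: %d NAYS: %d', $totals['ayes'], $totals['nays']);
```

Because the totals are a query rather than stored counters, there is no longer an UPDATE bills ... WHERE status = 'at vote' that could hit the wrong bill or count a vote twice, and the "change your vote?" confirmation becomes a purely client-side nicety rather than part of the recording logic.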
  13. BRILLIANT! database field was too short. it boggles my mind how you guessed that. You sir, are a gentleman and a scholar.
 14. This is the strangest thing.

         <?php
         $sql = "SELECT password FROM users WHERE username='$user'";
         $query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
         $rows = mysql_fetch_array($query);
         $correctHash = $rows['password'];
         echo $correctHash . "<br />";
         $salt = substr($correctHash, 0, 64);
         echo $salt . "<br />";
         $testHash = $salt . hash("sha256", $salt . $pass);
         echo $testHash . "<br />";
         if ($testHash == $correctHash) {
             // ... (login succeeds)
         }
         ?>

     And the results of the echoes are:

         7c3396065c8e7758f8afdeb57c53349e  // $correctHash (password in the DB)
         7c3396065c8e7758f8afdeb57c53349e  // $salt
         7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914  // $testHash (password the user entered)

     which means that the SALT and the password in the DB are the same..... what in the name of Valhalla?! Here's how I made the password in the DB.

         <?php
         $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
         $hash = hash("sha256", $salt . $password); // prepend the salt, then hash
         $final = $salt . $hash;
         ?>
 15. Aha! That worked. Can anyone figure out why this keeps throwing the "incorrect login" info? This is how I'm hashing the password on registration:

         <?php
         $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
         $hash = hash("sha256", $salt . $password); // prepend the salt, then hash
         $final = $salt . $hash;
         ?>

     And this is how I'm hashing it in the login:

         <?php
         if ($user && $pass) {
             $sql = "SELECT password FROM users WHERE username='$user'";
             $query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
             $row = mysql_fetch_array($query);
             $correctHash = $row['password'];
             $salt = substr($correctHash, 0, 64);
             $validHash = substr($correctHash, 64, 64);
             $testHash = hash("sha256", $salt . $pass);
             if ($testHash == $validHash) {
                 $query = "SELECT id,username FROM users WHERE username='$user'";
                 $row = mysql_fetch_assoc(mysql_query($query));
                 $_SESSION['id'] = $row['id'];
                 $_SESSION['username'] = $row['username'];
                 echo "<script type='text/javascript'>window.location='home.php'</script>";
             } else {
                 echo "<script type='text/javascript'> alert('Username and password combination is incorrect'); window.location='index.php'</script>";
             }
         } else {
             echo "<script type='text/javascript'> alert('Please enter a username AND a password'); window.location='index.php'</script>";
         }
         ?>

     I'm sure I've mixed up one of the salts or something... gr.
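Editor's added example (not code from Jakebert's posts), for the two salted-hash posts above. It keeps the same stored layout, 64 hex characters of salt followed by the 64 hex characters of sha256(salt . password), but adds the two checks the posted login code lacks: that the stored value really is 128 characters long (a column narrower than that silently truncates it, which is exactly the symptom in the posts, where the stored value and the "salt" came back identical and 32 characters long), and a constant-time comparison. The salt comes from random_bytes(), which replaces the mcrypt call; for new code password_hash()/password_verify() is the better choice, this mirrors the existing layout so values already stored can be checked.

```php
<?php
// Editor's added example, not from the original posts. Same layout as the
// posted scheme: 64 hex chars of salt, then 64 hex chars of
// sha256(salt . password), 128 characters in total. Adds a length/format
// check on the stored value (a too-short column truncates it, which is the
// failure in the posts) and a constant-time comparison. random_bytes()
// replaces mcrypt_create_iv(). For new systems prefer password_hash().

declare(strict_types=1);

const SALT_HEX_LEN = 64;   // 32 random bytes, hex encoded
const HASH_HEX_LEN = 64;   // sha256 digest, hex encoded
const STORED_LEN   = SALT_HEX_LEN + HASH_HEX_LEN;

/** Produce the value to store: salt hex followed by sha256(salt . password) hex. */
function makeStoredHash(string $password): string
{
    $salt = bin2hex(random_bytes(intdiv(SALT_HEX_LEN, 2)));
    return $salt . hash('sha256', $salt . $password);
}

/**
 * Verify a password against a stored value. Throws if the stored value has
 * been truncated or corrupted, instead of silently failing every login the
 * way a VARCHAR(32) password column does.
 */
function verifyPassword(string $password, string $stored): bool
{
    if (strlen($stored) !== STORED_LEN || !ctype_xdigit($stored)) {
        throw new UnexpectedValueException(sprintf(
            'stored hash is %d characters, expected %d: check the column width',
            strlen($stored),
            STORED_LEN
        ));
    }
    $salt      = substr($stored, 0, SALT_HEX_LEN);
    $validHash = substr($stored, SALT_HEX_LEN, HASH_HEX_LEN);
    $testHash  = hash('sha256', $salt . $password);

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of the hash matched.
    return hash_equals($validHash, $testHash);
}

// Worked run on constructed values.
$stored = makeStoredHash('correct horse');
var_dump(verifyPassword('correct horse', $stored));
var_dump(verifyPassword('wrong password', $stored));

// The failure mode from the posts: a value cut to 32 characters by the column.
try {
    verifyPassword('correct horse', substr($stored, 0, 32));
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Whatever the hashing scheme, the password column must be wide enough for the full stored value (VARCHAR(128) for this layout, or VARCHAR(255) to leave room for password_hash() output), and the login code should look up the user with a prepared statement rather than interpolating $user into the query.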