
kaiman (Members, 104 posts)
Everything posted by kaiman
-
Okay, I've added the mysql_fetch_array($sql) part like this:

    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $row['id'], $row['level']);
    }

and now I am getting this:

    Parse error: syntax error, unexpected ',' in /home/stormkin/public_html/projects/rft/scripts/php/loginform2.php on line 34

Any ideas?
-
After running: var_dump($row['id']); var_dump($row['level']); I get NULL NULL
-
The results of the var_dump($_SESSION); are below:

    array(4) {
      ["username"]=>
      string(6) "kaiman"
      ["pass"]=>
      string(40) "sha1passwordhere"
      ["id"]=>
      NULL
      ["level"]=>
      NULL
    }
    You Don't Have Permission to View This Page.

Both level and id come up NULL... How in the heck do I get those columns out of the db?
-
Okay got that thanks, however, I still can't get the variables id and level out of the database. It just says, "You Don't Have Permission to View This Page." Can you please help me here? When I use var_dump($_SESSION); to write the info to the screen I get:

    array(4) {
      ["username"]=>
      string(6) "kaiman"
      ["pass"]=>
      string(40) "sha1passwordhere"
      ["id"]=>
      NULL
      ["level"]=>
      NULL
    }
    You Don't Have Permission to View This Page.

So for some reason the variables aren't being passed to the $_SESSION??? Any insight into this or where I am going wrong?

Thanks, kaiman
-
I keep getting multiple syntax errors on this script like this one:

    Parse error: syntax error, unexpected T_ELSE in .../scripts/php/loginform2.php on line 40

When I change that line I get another on line 33... Can someone please help me with this script?

Thanks, kaiman

    <?php
    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = author
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels
    if ($_SESSION['level'] == '1') {
        header("Location: http://www.example.com/user/");
    }
    if ($_SESSION['level'] == '2') {
        header("Location: http://www.example.com/author/");
    }
    if ($_SESSION['level'] == '3') {
        header("Location: http://www.example.com/moderator/");
    }
    if ($_SESSION['level'] == '4') {
        header("Location: http://www.example.com/admin/");
    }
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }
    ?>
-
Okay, after doing some more research, here is the script I am using now, but I keep getting the following syntax error:

    Parse error: syntax error, unexpected T_ELSE in .../scripts/php/loginform2.php on line 40

Any ideas?

Thanks, kaiman

    <?php
    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = author
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels
    if ($_SESSION['level'] == '1') {
        header("Location: http://www.example.com/user/");
    }
    if ($_SESSION['level'] == '2') {
        header("Location: http://www.example.com/author/");
    }
    if ($_SESSION['level'] == '3') {
        header("Location: http://www.example.com/moderator/");
    }
    if ($_SESSION['level'] == '4') {
        header("Location: http://www.example.com/admin/");
    }
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }
    ?>
-
bump, please help!
-
Thanks mikesta707, that's what I was wondering. How would I go about grabbing those columns (id and level) from the db then? Do I have to do a second query or can I just append it after the username and password part? i.e.

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass' and id='$id' and level='$level'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);
-
Okay a couple of newbie questions here for all you PHP freaks out there... I currently have a fairly basic login script working on my site:

    <?php
    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $_SESSION and redirect to member page
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        header( "Location: http://www.example.com/members/" );
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }
    ?>

However, I want to add user levels and permissions to it. After recommendations on this forum I took a look at bitwise operators, but am sorry to say it is above my head at this point. So I am attempting to expand on it by adding user levels with the following simple permissions:

    // user levels
    0 = guest
    1 = user - default
    2 = author
    3 = moderator
    4 = admin
    5 = banned user

I have two columns in my database that I wish to call on for this function. Both are added at signup confirmation. The second is added as a default of 1 when a user signs up.

1. `id` int(4) NOT NULL auto_increment
2. `level` int(4) default '1'

My first question is one about selecting these fields from the database. I currently get a syntax error when I run this query:

    // select info from database
    $sql="SELECT *, id, level FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

What am I doing wrong here?

Secondly, can I use something like this to start the $_SESSION and pass the user on to the appropriate page?

    // register $_SESSION
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['pass'] = $pass;
    $_SESSION['id'] = $id;
    $_SESSION['level'] = $level;
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // check user levels
    if ($level == '1') {
        header("Location: http://www.example.com/user/");
    }
    if ($level == '2') {
        header("Location: http://www.example.com/author/");
    }
    if ($level == '3') {
        header("Location: http://www.example.com/moderator/");
    }
    if ($level == '4') {
        header("Location: http://www.example.com/admin/");
    }
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }

Finally, so far I just use this to pass the sessions from page to page:

    <?php
    session_start();
    if(!isset($_SESSION['username'])){
        header("Location: http://www.example.com/login/" );
        exit;
    }
    ?>

Could I add something like this to run a check on user permissions:

    // level check on admin page
    if ($level != '4') {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }

Thanks in advance for your help, kaiman
-
Thanks for clarifying that thorpe... without sounding condescending.
-
Um, best practices are best practices regardless of whether I understand all the details or not. I don't understand regex that much at all, for example, but I know that if used correctly it will help filter out different things such as unwanted characters or invalid email addresses. I am not a programmer by trade, so some of the finer details escape me, but that doesn't mean that I don't understand their uses... BTW good point on limiting characters for the username, I will add that function to my scripts.
-
I am using sha1, which I don't believe contains characters that need escaping, but correct me if I am wrong...
-
Yep, the php manual confirms that, thanks for the tip! Any other suggestions? Also, do I need to use those functions on the password field?
-
Hi again, I'm back with more newbie PHP questions. I am curious about the security of the login script below and how I could do some simple things to make it stronger. I have been reading about securing sessions, in particular session_regenerate_id();, but I am wondering how to use this in the script below? Currently I have a login script that looks like this:

    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    // $username=$_POST['username'];
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $username, $password and redirect to member page
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        header( "Location: http://www.domain.com/members/" );
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

At the top of each members page I have this:

    <?php
    session_start();
    if(!isset($_SESSION['username'])){
        header("Location: http://www.domain.com/login/" );
        exit;
    }
    ?>

and for the logoff I have this:

    <?php
    session_start();
    $_SESSION = array();
    session_unset();
    session_destroy();
    ?>

Also, I am planning on using HTTPS to encrypt the pages with SSL. My questions are these:

1. Will this cleanString function I have suffice for the fact that magic_quotes_gpc is enabled on the server I am using and I have no access to the php.ini file?
2. Is there an easy way to implement the session_regenerate_id(); function in this script?
3. Are there any other glaring deficiencies that I should address?
4. Should I use other $_SESSION functions like $ip addresses or user $id to keep users in their sessions and prevent attacks?

Any help or constructive feedback would be appreciated.

Thanks! kaiman
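
One way to handle the points raised in this post and in the user-level posts above, as an added example that is not part of the original posts or of any reply: the query uses a bound parameter (cleanString() as posted returns its argument unchanged), the row is actually fetched so id and level are not NULL, and the session ID is regenerated at login. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL registered_members table, the password column holds password_hash() output rather than sha1, and the helper names login, startUserSession and hasLevel are hypothetical.

```php
<?php
// Added example: constructed table and user; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registered_members (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE, password TEXT, level INTEGER DEFAULT 1)');
$ins = $db->prepare('INSERT INTO registered_members (username, password, level) VALUES (?, ?, ?)');
$ins->execute(['kaiman', password_hash('constructed-sample-pass', PASSWORD_DEFAULT), 4]);

// Hypothetical helper: returns the user's row (id, username, level) or null.
function login(PDO $db, string $username, string $pass): ?array
{
    // Bound parameter: the input is passed as data and never becomes SQL text.
    $stmt = $db->prepare('SELECT id, username, password, level
                          FROM registered_members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // the fetch step the posted script lacks
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;                          // same answer for bad user or bad password
    }
    if ((int)$row['level'] === 5) {           // 5 = banned user in the page's level list
        return null;
    }
    unset($row['password']);                  // never copy the hash into the session
    return $row;
}

// Hypothetical helper: binds a fresh session ID to the authenticated user.
function startUserSession(array $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);              // drop the pre-login ID (session fixation)
    $_SESSION['id'] = (int)$user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['level'] = (int)$user['level'];
}

// Hypothetical helper: per-page check, e.g. hasLevel(4) at the top of the admin page.
function hasLevel(int $needed): bool
{
    return isset($_SESSION['level']) && $_SESSION['level'] === $needed;
}

$user = login($db, 'kaiman', 'constructed-sample-pass');
if ($user !== null) {
    startUserSession($user);
}
var_dump(hasLevel(4), login($db, 'kaiman', 'wrong') === null);
```

On a real page the check reads the level from $_SESSION on every request and calls exit after any header("Location: ...") redirect, so a denied user never receives the protected content.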
-
bump
-
Nightslyr - thanks for the reply. I have a couple more questions: I was reading elsewhere about needing to use the "implode" and "explode" functions to do this. Is this no longer necessary? Can I just take:

    $firstname = cleanString($_POST['firstname']);
    $lastname = cleanString($_POST['lastname']);

and then array them simply like this:

    $name = $firstname . " " . $lastname;

and then insert them with the other form data like this:

    $sql="INSERT INTO $tbl_name1(name)VALUES('$name')";
    $result=mysql_query($sql);

Or is there something I'm missing?
-
I have two fields from a form called $firstname and $lastname and want to insert them into a single column called 'name' Can someone give me a quick rundown on how to array them so that the two name fields can be joined together with a space in between them and then inserted into the 'name' column in the database? Thanks in advance, kaiman
-
* SOLVED * Thanks john! My math is rusty and I was getting confused by the syntax and also forgetting the multiplication at the end. Now it seems to be working. I appreciate everyone's help, kaiman
-
So how do I convert 90% or whatever percentage to a decimal in PHP? Because right now it is a number that will be changing as the percentage of donations change...
-
Okay, see my script so far for details.

1. I have a total amount needed: $500.75
2. I have one percentage that is purchases from the store they equal: $30.17 or 6% of $500.75
3. I have one percentage that is donations they equal: $20.45 or 4% of $500.75
4. The combined totals of $30.17 + $20.45 = $50.62
5. Of the total ($500.75) the combined totals in donations + sales ($50.62) = 10%
6. How do I create a function that subtracts the 10% ($50.62) from the total ($500.75=100%) and then convert it back to a percentage (90%) which can be displayed next to the total still needed ($500.75-$50.62 = $450.13) or as I want it displayed: Total still needed $450.13 (90%)

The question is how do I subtract a percentage (10%) from the total ($500.75) and then display it as 90% so that when I update the other numbers the percentage of donations already and percentage of donations needed are reflective of each other? i.e. if one says 15% of donations received the other will say 85% of donations still needed... Does that make sense?
-
Yep, the problem is that 1 is a $ dollar amount and one is a percentage %. What is the PHP syntax for the equation to figure out how to subtract a percentage from the dollar amount and then convert it back to a percentage? Thanks, kaiman
-
I'm not trying to get the 10%, I am trying to display the other 90%. I just don't know the syntax/equation to do it. Thanks, kaiman
-
corbin, Thanks for the reply. Not sure what you mean by "retain the weight" but what I am trying to do is figure out how to display the difference between the percentage donated and the percentage not yet donated, i.e. total percentage = 100%, percentage donated = 10%, percentage not donated = 90% (this is what I want to display). I have already calculated the percentage donated (10%), but how do I show the remaining percentage not yet donated (90%)? Thanks again, kaiman
-
I am trying to figure out how to take a percentage of the total and return the remaining percentage i.e. 10% of 100% = 90%. I have a variable called $percentage_needed that I am trying to subtract from another variable $percentage_received but I am a little stumped by the syntax for the operators. Can anyone help?

Thanks a ton! kaiman

Code below:

    <?php
    // total dollar amount of donations needed
    $total = "500.75";

    // total dollar amount of donations received
    $donations = "20.45";

    // total dollar amount of sales received
    $sales = "30.17";

    // figure out percentage of total donations
    $percent1 = ($donations * 100) / $total;
    $percent2 = ($sales * 100) / $total;
    $percentage_needed = ;

    // format numbers for dollar amount
    $total = number_format($total, 2);
    $donations = number_format($donations, 2);
    $needed = number_format($needed, 2);
    $total_received = number_format($total_received, 2);
    $percent1 = number_format($percent1, 0);
    $percent2 = number_format($percent2, 0);
    $percentage_received = number_format($percentage_received, 0);
    $percentage_needed = number_format($percentage_needed, 0);

    // total dollar amount received
    $total_received = $donations + $sales;

    // total percentage received
    $percentage_received = $percent1 + $percent2;

    // total donations still needed
    $needed = $total - $donations - $sales;

    // total percent of donations received
    echo "Total expenses: $".$total."<br /> \n";
    echo "Total donations: $".$donations." (<strong>".$percent1."%</strong>)<br /> \n";
    echo "Total sales: $".$sales." (<strong>".$percent2."%</strong>)<br /><br /> \n";
    echo "Total received: $".$total_received." (<strong>".$percentage_received."%</strong>)<br /><br /> \n";
    echo "Amount needed: $".$needed." (<strong>".$percentage_needed."%</strong>)";
    ?>
-
* SOLVED *

    $sql="UPDATE $tbl_name SET pass=sha1('$pass') WHERE username='$username' and email='$email'";

Should have been

    $sql="UPDATE $tbl_name SET password=sha1('$pass') WHERE username='$username' and email='$email'";

This is what happens when I stare at things too long. Thanks for everyone's help, kaiman