Etherwood

Everything posted by Etherwood

  1. Would are correct, didn't notice that
  2. Take a look at this. [attachment deleted by admin]
  3. At the very bottom of my php script you'll see a html link just before the </html>: <a href="main.php">Return To Main</a>. For some reason this is coming up on the page at the top of the page above the php generated table. How weird?

         <?php
         session_start();
         include("config.php");
         include("inc.php");
         ?>
         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
         <head>
         <title>Search Employee</title>
         </head>
         <div id="main">
         <a name="TemplateInfo"></a>
         <h1>Search Employee</h1>
         <?php
         if (isset($_POST['submit'])) {
             // Form Is Submitted

             // Validate Search Query
             if ($_POST['searchquery'] != "") {
                 $searchquery = filter_var($_POST['searchquery'], FILTER_SANITIZE_STRING);
                 if ($searchquery == "") {
                     $errors .= 'Please enter a valid search query.<br/><br/>';
                 }
             } else {
                 $errors .= 'Please enter a search query.<br/>';
             }

             // Validate Search Type
             if ($_POST['searchtype'] != "") {
                 $searchtype = filter_var($_POST['searchtype'], FILTER_SANITIZE_STRING);
                 if ($searchtype == "") {
                     $errors .= 'Please enter a valid search type.<br/><br/>';
                 }
             } else {
                 $errors .= 'Please enter a search type.<br/>';
             }

             echo $searchtype;
             echo $searchquery;

             // Check For Errors
             if (!$errors) {
                 $results = mysql_query("SELECT * FROM staffdb WHERE $searchtype LIKE '$searchquery'");
                 $numrows = mysql_num_rows($results);
                 if ($numrows == 0) {
                     echo "<p>Sorry, your search returned no results</p>";
                 } else {
                     echo'<table><TR>
                         <TD>Staff ID</TD>
                         <TD>Forname</TD>
                         <TD>Surname</TD>
                         <TD>Department</TD>
                         <TD>Vehicle Reg</TD>
                         <TD>Locker ID</TD>
                         <TD>Locker Key</TD>
                         </TR>';
                     while ($row = mysql_fetch_array($results)) {
                         echo "<TR>
                             <TD><a href=\"viewemployee.php?id={$row['staffid']}\">{$row['staffid']}</a></TD>
                             <TD>{$row['fname']}</TD>
                             <TD>{$row['sname']}</TD>
                             <TD>{$row['dept']}</TD>
                             <TD>{$row['vehiclereg']}</TD>
                             <TD>{$row['lockerid']}</TD>
                             <TD>{$row['lockerkey']}</TD>
                             </TR>";
                     }
                 }
             } else {
                 echo '<div style="color: red">' . $errors . '<br/></div>';
             }
         } else {
             // No Form Is Submitted
         ?>
         <form name="searchemployee" action="searchemployee.php" method="post">
         <select name="searchtype">
         <option value="fname">Forename</option>
         <option value="sname">Surname</option>
         <option value="dept">Department</option>
         <option value="vehiclereg">Vehicle Reg</option>
         <option value="lockerid">Locker ID</option>
         <option value="lockerkey">Locker Key</option>
         </select>
         <br/>
         Search Query*<br /><input type="text" name="searchquery" size="35" /><br />
         <input type="submit" name="submit" value="Search Employee" />
         </form>
         <?php
         }
         ?>
         </div>
         <a href="main.php">Return To Main</a>
         </body>
         </html>

     The HTML output...

         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
         <head>
         <title>Search Employee</title>
         </head>
         <div id="main">
         <a name="TemplateInfo"></a>
         <h1>Search Employee</h1>
         fnametest<table><TR>
         <TD>Staff ID</TD>
         <TD>Forname</TD>
         <TD>Surname</TD>
         <TD>Department</TD>
         <TD>Vehicle Reg</TD>
         <TD>Locker ID</TD>
         <TD>Locker Key</TD>
         </TR><TR>
         <TD><a href="viewemployee.php?id=0">0</a></TD>
         <TD>test</TD>
         <TD>test</TD>
         <TD></TD>
         <TD>dfgdf</TD>
         <TD>2345234</TD>
         <TD>345</TD>
         </TR><TR>
         <TD><a href="viewemployee.php?id=0">0</a></TD>
         <TD>test</TD>
         <TD>test</TD>
         <TD></TD>
         <TD>test</TD>
         <TD>987</TD>
         <TD>9879</TD>
         </TR>
         </div>
         <a href="main.php">Return To Main</a>
         </body>
         </html>
  4. Can someone help me out here...

         mysql_query("SELECT * FROM staffdb WHERE fname LIKE '$searchquery'");

     I want to change fname to a variable, for example WHERE '$searchtype' LIKE. The script works using fname, but whenever changing this to a variable it can't find results from the sql.
  5. I have had a look through the hotscript directory for a script which is suitable for my requirements. Unfortunately I wasn't able to find one so I'm having to create my own from scratch. So far I have got the register.php and login.php scripts done. I would like someone to have a look and tell me if the scripts I have made are considered secure. The information being held on the server needs to be as secure as possible.

     register.php

         <?php
         session_start();
         include("config.php");
         include("inc.php");
         ?>
         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
         <head>
         <meta name="Description" content="" />
         <meta name="Keywords" content="" />
         <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
         <meta name="Robots" content="index,follow" />
         <link rel="stylesheet" href="style.css" type="text/css" />
         <title>Registration</title>
         </head>
         <?php
         include('header.php');
         include('leftbar.php');
         include('rightbar.php');
         ?>
         <div id="main">
         <a name="TemplateInfo"></a>
         <h1>Register New User</h1>
         <?php
         if (isset($_POST['submit'])) {
             // Form Submitted
             require_once('recaptchalib.php');
             $privatekey = "";
             $resp = recaptcha_check_answer ($privatekey,
                                             $_SERVER["REMOTE_ADDR"],
                                             $_POST["recaptcha_challenge_field"],
                                             $_POST["recaptcha_response_field"]);
             if (!$resp->is_valid) {
                 die ("The reCAPTCHA wasn't entered correctly. Go back and try it again.");
             } else {
                 // ReCaptcha Code Entered Correct

                 // Validate Username
                 if ($_POST['username'] != "") {
                     $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
                     if ($username == "") {
                         $errors .= 'Please enter a valid username.<br/><br/>';
                     }
                 } else {
                     $errors .= 'Please enter your a username.<br/>';
                 }

                 // Validate Password
                 if ($_POST['password'] != "") {
                     $password = md5($_POST['password']);
                 } else {
                     $errors .= 'Please enter your a password.<br/>';
                 }

                 // Validate Name
                 if ($_POST['name'] != "") {
                     $name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
                     if ($name == "") {
                         $errors .= 'Please enter a valid name.<br/><br/>';
                     }
                 } else {
                     $errors .= 'Please enter your a name.<br/>';
                 }

                 if ($_POST['email'] != "") {
                     $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
                     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                         $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
                     }
                 } else {
                     $errors .= 'Please enter your email address.<br/>';
                 }

                 // Check For Errors
                 if (!$errors) {
                     $query=mysql_query("select * from user where username like '$username'") or die(mysql_error());
                     if(mysql_num_rows($query)==0){
                         @mysql_query("insert into user (username, password, name, email, date) values('$username','$password','$name','$email', NOW())");
                         echo "Thank you, Your account has been created.";
                     } else {
                         echo '<div style="color: red">That username has already been taken, Please go back and try another.</div>';
                     }
                 } else {
                     echo '<div style="color: red">' . $errors . '<br/></div>';
                 }
             }
         } else {
             // Form Not Submitted
         ?>
         <form name="regitser" action="register.php" method="post">
         Username: *<br /><input type="text" name="username" size="35" /><br />
         Password: *<br /><input type="text" name="password" size="35" /><Br /><br />
         Name: <br /><input type="text" name="name" size="35" /><br />
         Email: *<br /><input type="text" name="email" size="35" /><br />
         <input type="hidden" name="regform" value="1" /><br />
         <?php
         require_once('recaptchalib.php');
         $publickey = ""; // you got this from the signup page
         echo recaptcha_get_html($publickey);
         ?>
         <br />
         <input type="submit" name="submit" value="Register" />
         </form>
         <?php
         }
         ?>
         </div>
         <?php
         include('footer.php');
         include ('endhtml.php');
         ?>

     login.php

         <?php
         session_start();
         include("config.php");
         include("inc.php");
         ?>
         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
         <head>
         <meta name="Description" content="" />
         <meta name="Keywords" content="" />
         <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
         <meta name="Robots" content="index,follow" />
         <link rel="stylesheet" href="" type="text/css" />
         <title>Login</title>
         </head>
         <?php
         include('header.php');
         include('leftbar.php');
         include('rightbar.php');
         ?>
         <div id="main">
         <a name="TemplateInfo"></a>
         <h1>Login</h1>
         <?php
         if (isset($_POST['Submit'])) {
             require_once('recaptchalib.php');
             $privatekey = "";
             $resp = recaptcha_check_answer ($privatekey,
                                             $_SERVER["REMOTE_ADDR"],
                                             $_POST["recaptcha_challenge_field"],
                                             $_POST["recaptcha_response_field"]);
             if (!$resp->is_valid) {
                 die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
                      "(reCAPTCHA said: " . $resp->error . ")");
             } else {
                 // ReCaptcha Code Entered Correct

                 // Validate Username
                 if ($_POST['username'] != "") {
                     $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);
                     if ($username == "") {
                         $errors .= 'Please enter a valid username.<br/><br/>';
                     }
                 } else {
                     $errors .= 'Please enter your a username.<br/>';
                 }

                 // Validate Password
                 if ($_POST['password'] != "") {
                     $password = md5($_POST['password']);
                 } else {
                     $errors .= 'Please enter your a password.<br/>';
                 }

                 // Check For Errors
                 if (!$errors) {
                     $query = mysql_query("select * from user where username='$username'") or die(mysql_error());
                     $rows = mysql_fetch_array($query);
                     if(($rows["username"] == $username) && ($rows["password"] == $password)) {
                         $_SESSION['user'] = $username;
                         echo "Login sucessful";
                     } else {
                         echo "Login failed";
                     }
                 } else {
                     echo '<div style="color: red">' . $errors . '<br/></div>';
                 }
             }
         } else {
         ?>
         <form name="login" action="login.php" method="post">
         Username: <br /><input type="text" name="username" size="35" /><br />
         Password: <br /><input type="text" name="password" size="35" /><Br /><br />
         <?php
         require_once('recaptchalib.php');
         $publickey = ""; // you got this from the signup page
         echo recaptcha_get_html($publickey);
         ?>
         <br />
         <input type="submit" name="Submit" value="Login" />
         </form>
         <?php
         }
         ?>
         </div>
         <?php
         include ('footer.php');
         include ('endhtml.php');
         ?>

     Thank you for your help.
  6. I have a php script which creates databases, users, then grants the permissions. The php script uses a user called phpadmin which currently has the same access as root. However, I don't want this user having such high access. I tried changing the permissions to just allow CREATE, GRANT, and CREATE USER but it gives an Access Denied permission error when attempting to run. What access is required as a bare minimum to allow this script to run?
  7. Ah, I didn't know about that, I do now. Thanks
  8. Error:

         You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= testdb' at line 1

         $query=mysql_query("select * from users where database = '$database'") or die(mysql_error());

     PHP 5.2.9
     MYSQL 5.0.77
  9. OK, here's the latest... I have removed both PHP and HTTPD, then reinstalled them. It now loads my registration script but with a new error:

         Notice: Undefined variable: errors in /var/www/html/manager/createdb.php on line 65

     Line 65:

         $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";

     Is 5.2 more strict than 5.1 or something?
  10. error_reporting = E_ALL
      display_errors = On
  11. I've upgraded the centos repo to support a yum update. Ran the yum update to install 5.2.9, then enabled the error logging again, restarted httpd. Loaded the same page, but this time it's blank with no output at all. Edit: PHP is working because I get output from phpinfo()
  12. I'm on the centos default build of 5.1.6, so I assume it's not installed with this build?
  13.
          // Validate Database
          if ($_POST['database'] != "") {
              $database = filter_var($_POST['database'], FILTER_SANITIZE_STRING);
              if ($database == "") {
                  $errors .= 'Please enter a valid database name.<br/><br/>';
              }
          } else {
              $errors .= 'Please enter your a database name.<br/>';
          }
          echo 1;

          // Validate Password
          if ($_POST['password'] != "") {
              $password = $_POST['password'];
          } else {
              $errors .= 'Please enter your a password.<br/>';
          }
          echo 2;

          // Validate Name
          if ($_POST['name'] != "") {
              $name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
              if ($name == "") {
                  $errors .= 'Please enter a valid name.<br/><br/>';
              }
          } else {
              $errors .= 'Please enter your a name.<br/>';
          }
          echo 3;

      With error reporting now set to on, it returns this:

          Fatal error: Call to undefined function filter_var() in /var/www/html/manager/createdb.php on line 37
  14. I know you can't see this but var_filter is used somewhere in the script before it gets to echo 2, so wouldn't it have stopped up there somewhere?
  15. Like mike says, you need to check if PHP is actually running.
  16. My php script is stopping half way through my script.

          // Validate Password
          if ($_POST['password'] != "") {
              $password = $_POST['password'];
          } else {
              $errors .= 'Please enter your a password.<br/>';
          }
          echo 2;

          // Validate Name
          if ($_POST['name'] != "") {
              $name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
              if ($name == "") {
                  $errors .= 'Please enter a valid name.<br/><br/>';
              }
          } else {
              $errors .= 'Please enter your a name.<br/>';
          }
          echo 3;

      I added echo tags to see where it stops. It echos 2 but not 3. Any suggestions?
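
The search query in posts 3 and 4 puts `$searchtype` straight into the SQL text. A column name cannot be bound as a parameter, and quoting it (`'$searchtype'`) turns it into a string literal, so the usual approach is to map the form value through a fixed list of columns and bind only the search term. The following is an added example, not code from the original posts; it assumes PDO with an in-memory SQLite table and constructed rows so that it runs stand-alone, where the original script uses MySQL through the old `mysql_*` functions.

```php
<?php
// Added example: allow-list the column, bind the value, escape the output.
// The staffdb table and its rows below are constructed sample data.

const SEARCHABLE = ['fname', 'sname', 'dept', 'vehiclereg', 'lockerid', 'lockerkey'];

function searchStaff(PDO $db, string $searchtype, string $searchquery): array
{
    // Identifiers cannot be bound as parameters, so the form value is only
    // used to pick one of the known column names.
    $idx = array_search($searchtype, SEARCHABLE, true);
    if ($idx === false) {
        throw new InvalidArgumentException('Unknown search type');
    }
    $column = SEARCHABLE[$idx];

    // The search term is bound, never interpolated into the SQL text.
    $stmt = $db->prepare("SELECT staffid, fname, sname, dept FROM staffdb WHERE $column LIKE :q");
    $stmt->execute([':q' => $searchquery]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderRow(array $row): string
{
    // Escape on output; stored values are data, not markup.
    $cells = array_map(
        fn($v) => '<td>' . htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8') . '</td>',
        $row
    );
    return '<tr>' . implode('', $cells) . '</tr>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staffdb (staffid INTEGER, fname TEXT, sname TEXT, dept TEXT)');
$db->exec("INSERT INTO staffdb VALUES (1, 'test', '<b>Smith</b>', 'IT'), (2, 'Ann', 'Jones', 'HR')");

foreach (searchStaff($db, 'fname', 'test') as $row) {
    echo renderRow($row), "\n";
}

// A quote in the search term is handled as data, not as SQL.
var_dump(count(searchStaff($db, 'sname', "O'Brien")));

// A search type that is not in the list is rejected before any SQL runs.
try {
    searchStaff($db, 'not_a_column', 'test');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```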
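
register.php and login.php in post 5 store `md5($_POST['password'])` and compare the two hashes with `==`. The same two steps written with PHP's `password_hash()` and `password_verify()` and bound parameters look like this; it is an added example, not code from the original post, and the function names `registerUser` and `loginUser` and the in-memory SQLite `user` table are assumptions made so that it runs stand-alone.

```php
<?php
// Added example: salted, slow password hashing in place of md5().
// registerUser()/loginUser() are hypothetical names; the table is constructed.

function registerUser(PDO $db, string $username, string $password): bool
{
    // password_hash() generates a per-user salt and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
        $stmt->execute([':u' => $username, ':p' => $hash]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: the PRIMARY KEY rejected a duplicate username.
        // Letting the schema enforce this avoids a SELECT-then-INSERT race.
        if ((string) $e->getCode() !== '23000') {
            throw $e;
        }
        return false;
    }
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // password_verify() re-derives the hash from the stored salt; a missing
    // user and a wrong password return the same result to the caller.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['user'] = $username;
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

var_dump(registerUser($db, 'alice', 'correct horse battery staple'));
var_dump(registerUser($db, 'alice', 'another password'));
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'wrong password'));
```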