
Simple message system bug. Forwarded to login page even though it's not necessary


phakebrill


Hey again everyone,

 

I'm trying to iron out a few bugs with my PHP/MySQL program. I'm using a very basic messaging/meeting system, and each time I create/update/delete a message I am taken back to the login page. I don't actually need to authenticate again, since the message is committed to the database and can be viewed by another user immediately. Obviously something has gone wrong with my code somewhere, but I'm not having much luck debugging so far.

 

Can anyone offer any suggestions please?

 

<?php 
session_start();
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>SU Meeting System</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="mm_travel2.css" type="text/css" />

<script type="text/javascript">
//Provides date on top of each page
var d=new Date();
var monthname=new Array("January","February","March","April","May","June","July","August","September","October","November","December");
var TODAY = monthname[d.getMonth()] + " " + d.getDate() + ", " + d.getFullYear();
</script>

<style type="text/css">
<!--
.style1 {color: #FFFFFF}
.style2 {color: #666666; }
.style4 {color: #66FF33}
a:link {
color: #093B6D;
}
a:visited {
color: #093B6D;
}
-->
</style>

</head>

<body bgcolor="#C0DFFD">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr bgcolor="#3366CC">
    <td colspan="2" rowspan="2" bgcolor="#003A6B"><img src="logo.png" alt="sulogo" width="211" height="99" /></td>
    <td width="85%" height="63" align="center" valign="bottom" bgcolor="#003A6B" class="style1" id="logo">Sunderland University Meeting System</td>
    <td width="0%" bgcolor="#003A6B"> </td>
  </tr>
  <tr bgcolor="#3366CC">
    <td height="64" align="center" valign="top" bgcolor="#003A6B" class="style2" id="tagline">Wasting your time since 1979...</td>
<td bgcolor="#003A6B"> </td>
  </tr>
  <tr>
    <td colspan="4" bgcolor="#003366"><img src="mm_spacer.gif" alt="" width="1" height="1" border="0" /></td>
  </tr>

  <tr bgcolor="#CCFF99">
  	<td width="4%" bgcolor="#FFFFFF"> </td>
  	<td height="25" colspan="3" bgcolor="#FFFFFF" id="dateformat"><script type="text/javascript">
      document.write(TODAY);	</script>
      
      <a href="index.html"> home</a>  |  
       
      <a href="login.php">login</a> | <a href="calendar_view.php">meetings</a></td>
  </tr>
<tr>
    <td colspan="4" bgcolor="#003366"><img src="mm_spacer.gif" alt="" width="1" height="1" border="0" /></td>
  </tr>
<tr>
    <td> </td>
    <td colspan="2" valign="top"> <br />
     <br />
    <table border="0" cellspacing="0" cellpadding="2" width="500">
        <tr>
          <td class="pageName">meetings</td>
        </tr>
        <tr>
          <td class="bodyText">
          

<?php
// File: calendar_view.php

error_reporting(E_ALL ^ E_NOTICE);  // Suppresses the piddly little notices that the University PHP server cries about!

//session_start();

//The next few lines of code ensures that users are referred to this page from the login.php page.
//If not, they are re-directed back to login with correct credentials.

if ($_SERVER["HTTP_REFERER"] != "http://osiris.sunderland.ac.uk/~bd77gl/login.php")
    header("location: login.php");

if ($_POST["Logout"])
    header("location: index.html");

if (!isset($_SESSION['Id'])){
die("You are not logged in!<br><a href=\"login.php\">Click here to login</a>");
}

require_once("databaseauth.php");


$intId = $_SESSION["Id"];


if ($_POST["Delete"])
    deleteMessage($dbLocalhost);
if ($_POST["Update"])
    updateMessage($dbLocalhost);
if ($_POST["Create"])
    createMessage($dbLocalhost, $intId);
    
displaymessages($dbLocalhost, $intId);
displayCreateNewForm();



// Function: deleteMessage() - Deletes the selected meeting

function deleteMessage($dbLocalhost) {
    // Cast the posted Id to an integer so it cannot carry SQL, and restrict the
    // DELETE to rows owned by the logged-in member: hiding the buttons in the
    // HTML does not stop anyone from posting another member's intMessageId.
    $intMessageId = intval($_POST['intMessageId']);
    $intOwnerId = intval($_SESSION['Id']);
    $dbMessageRecords = mysql_query("DELETE FROM messages WHERE Id='$intMessageId' AND members_Id='$intOwnerId'", $dbLocalhost)
        or die("Problem deleting record: " . mysql_error());
}



// Function: updateMessage() - Updates the selected meeting

function updateMessage($dbLocalhost) {
    $arrDate = getdate();
    $intHour = $arrDate["hours"];
    $intMinute = $arrDate["minutes"];
    $intDay = $arrDate["mday"];
    $intMonth = $arrDate["mon"];
    $intYear = $arrDate["year"];
    // Integer-cast the Id and escape the free text before interpolating them
    // into SQL; only the owner's own row may be changed (as in deleteMessage()).
    $intMessageId = intval($_POST['intMessageId']);
    $intOwnerId = intval($_SESSION['Id']);
    $strMessage = mysql_real_escape_string($_POST['strMessage'], $dbLocalhost);
    $dbMessageRecords = mysql_query("UPDATE messages SET Message='$strMessage', Day='$intDay', Month='$intMonth', Year='$intYear', Hour='$intHour', Minute='$intMinute' WHERE Id='$intMessageId' AND members_Id='$intOwnerId'", $dbLocalhost)
        or die("Problem updating record: " . mysql_error());
}



// Function: createMessage() - Create a new meeting

function createMessage($dbLocalhost, $intId) {
    $arrDate = getdate();
    $intHour = $arrDate["hours"];
    $intMinute = $arrDate["minutes"];
    $intDay = $arrDate["mday"];
    $intMonth = $arrDate["mon"];
    $intYear = $arrDate["year"];
    $intId = intval($intId);
    // Escape the free text before it is interpolated into the INSERT.
    $strMessage = mysql_real_escape_string($_POST["strMessage"], $dbLocalhost);
    $dbMessageRecords = mysql_query("INSERT INTO messages VALUES ('', '$intId', '$strMessage', '$intDay', '$intMonth', '$intYear', '$intHour', '$intMinute')", $dbLocalhost)
        or die("Problem writing to table: " . mysql_error());
}



// Function: displayMessages() - Displays all the meeting

function displaymessages($dbLocalhost, $intId) {
    $intId = intval($intId);
    $dbMemberRecords = mysql_query("SELECT * FROM members WHERE Id='$intId'", $dbLocalhost)
        or die("Problem reading table: " . mysql_error());
    $arrMemberRecords = mysql_fetch_array($dbMemberRecords);
    // Escape everything read back from the database before echoing it into HTML.
    $strForename = htmlspecialchars($arrMemberRecords["Forename"], ENT_QUOTES, 'UTF-8');
    $strSurname = htmlspecialchars($arrMemberRecords["Surname"], ENT_QUOTES, 'UTF-8');

    echo "<h2>Hello $strForename $strSurname!</h2> <h3>Welcome to the pre-Alpha release of the SU Meeting System.</h3>";
    echo "<h3>Below you can find all of the meetings taking place over the course of the academic year. This page is updated daily so please remember to check back daily.</h3>";

    $dbMessageRecords = mysql_query("SELECT * FROM messages", $dbLocalhost)
        or die("Problem reading table: " . mysql_error());
    while ($arrMessageRecords = mysql_fetch_array($dbMessageRecords)) {
        $intMessageId = intval($arrMessageRecords["Id"]);
        $intmembersId = intval($arrMessageRecords["members_Id"]);
        // A stored message containing </textarea><script>... would otherwise
        // run in every member's browser; the browser decodes the entities again
        // when it shows the textarea, so the text still edits normally.
        $strMessage = htmlspecialchars($arrMessageRecords["Message"], ENT_QUOTES, 'UTF-8');
        $intDay = $arrMessageRecords["Day"];
        $intMonth = $arrMessageRecords["Month"];
        $intYear = $arrMessageRecords["Year"];
        $intHour = $arrMessageRecords["Hour"];
        $intMinute = $arrMessageRecords["Minute"];
        $dbMemberRecords = mysql_query("SELECT * FROM members WHERE Id='$intmembersId'", $dbLocalhost)
            or die("Problem reading table: " . mysql_error());
        $arrMemberRecords = mysql_fetch_array($dbMemberRecords);
        $strForename = htmlspecialchars($arrMemberRecords["Forename"], ENT_QUOTES, 'UTF-8');
        $strSurname = htmlspecialchars($arrMemberRecords["Surname"], ENT_QUOTES, 'UTF-8');
        // PHP_SELF reflects the request path, so it must be escaped too.
        echo "<form action='" . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8') . "' method='post'>";
        echo "<fieldset id='ExistingMessage'><legend>";
        echo "Meeting on $intDay/$intMonth/$intYear at $intHour:$intMinute By: $strForename $strSurname</legend>";
        if ($intmembersId == $intId) {
            echo "<p><input type='submit' name='Delete' value='Delete'/>";
            echo "<input type='submit' name='Update' value='Update'/>";
            echo "<input type='hidden' name='intMessageId' value='$intMessageId'/></p>";
        }
        echo "<textarea cols='65' name='strMessage'>$strMessage</textarea>";
        echo "</fieldset></form>";
    }
}



// Function: displayCreateNewForm() - Creates the new meeting

function displayCreateNewForm() {
    echo "<form action='" . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8') . "' method='post'>";
    echo "<fieldset id='CreateMessage'><legend>Post New Meeting</legend>";
    echo "<p>Include meeting type, attendees, location, date and time.</p>";
    echo "<p><textarea cols='65' name='strMessage'></textarea></p>";
    echo "<p>Remember to contact the administrator using the email link below once you post details of the meeting. This is a temporary measure, thank you for your patience.</p><br>";
    echo "<p><input type='submit' name='Create' value='Create'/>";
    echo "<input type='submit' name='Logout' value='Logout'/></p>";
    echo "</fieldset></form>";
}
?>
      
          
          <p> </p></td>
	</tr>
      </table>	  </td>
<td> </td>
  </tr>

<tr>
    <td> </td>
    <td width="11%"><span class="bodyText">© 2008 brill <span class="style4"><a href="#" id="rw_email_contact">Contact Me</a>
    
    <!-- Javascript Email obfuscator with the help of RapidWeaver on Mac OSX -->
          <script type="text/javascript">var _rwObsfuscatedHref0 = "mai";var _rwObsfuscatedHref1 = "lto";var _rwObsfuscatedHref2 = ":j.";var _rwObsfuscatedHref3 = "gil";var _rwObsfuscatedHref4 = "ber";var _rwObsfuscatedHref5 = "t-1";var _rwObsfuscatedHref6 = "@su";var _rwObsfuscatedHref7 = "nde";var _rwObsfuscatedHref8 = "rla";var _rwObsfuscatedHref9 = "nd.";var _rwObsfuscatedHref10 = "ac.";var _rwObsfuscatedHref11 = "uk";var _rwObsfuscatedHref = _rwObsfuscatedHref0+_rwObsfuscatedHref1+_rwObsfuscatedHref2+_rwObsfuscatedHref3+_rwObsfuscatedHref4+_rwObsfuscatedHref5+_rwObsfuscatedHref6+_rwObsfuscatedHref7+_rwObsfuscatedHref8+_rwObsfuscatedHref9+_rwObsfuscatedHref10+_rwObsfuscatedHref11; document.getElementById('rw_email_contact').href = _rwObsfuscatedHref;</script>
    </span></span></td>
    <td> </td>
<td> </td>
  </tr>
</table>
</body>
</html>

 

 

It's because you're sending them off to the login.php page if they haven't been sent from there. Obviously, if they submit the form, they'll reload the page and voilà! They're no longer being sent to that page from login.php. You'll need to change this line:

 

if ($_SERVER["HTTP_REFERER"] != "http://osiris.sunderland.ac.uk/~bd77gl/login.php")

 

to account for that. Now that I've pointed you in the right direction, take a stab at what it NEEDS to look like to let the user stay on the page. I'll give you a hint: let them be sent to the page from itself, not just login.php.

OK... so am I right in thinking it needs an else statement in there? I'm thinking something to the effect of:

 

If the user navigates to this page, they must have been referred here from login.php;
  else, if they are already here from login.php, reload the page.

 

Is there something like a reload() or refresh() function in PHP that I can use?

 

 

 

No, you would simply need to add to the condition:

 

if ($_SERVER["HTTP_REFERER"] != "http://osiris.sunderland.ac.uk/~bd77gl/login.php" && $_SERVER["HTTP_REFERER"] != $_SERVER['PHP_SELF'])

 

This will send them away from the page if their referer is neither login.php nor itself.

Right, got it. So the AND operator as well as PHP_SELF.

PHP_SELF is kind of what I meant by reload/refresh... just the wrong syntax.

It's the syntax that gets me - I am new to programming completely so I guess it'll just take practice and exposure.

Thanks ever so much for your help.

The main thing you need to know is that $_SERVER['HTTP_REFERER'] is not worth using in your scripts. Users themselves can edit it, and so it is totally unreliable. If you think about it, your check on whether $_SESSION['Id'] is set is sufficient to ensure the users are logged in (well, as sufficient as it will get with the current script). Drop the header redirect and if() block from that section, and you'll likely find it works fine.

 

I wasn't going to mention it because it looked to be a quick fix, but I guess it isn't, so this is worth mentioning now.
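The advice above is to drop the referer test and let the session decide. As an added example that is not the poster's code or the replies' own code, here is what the top of calendar_view.php looks like once that is done, together with the two things the referer line was quietly doing and that need a proper replacement: it was the only barrier against a third-party page POSTing Delete/Update/Create with the victim's cookie (so a CSRF token is added), and the ownership check lived only in the HTML that hides the buttons (so it moves into the SQL). Assumptions: PHP 7 or later (for random_bytes() and hash_equals()), that login.php sets $_SESSION['Id'] after verifying credentials, that the table and column names are the ones the original queries use (messages.Id, members_Id, Message, Day, Month, Year, Hour, Minute), and a PDO connection whose DSN, user and password are placeholders.

```php
<?php
// Added example, not the poster's code: calendar_view.php without the
// HTTP_REFERER check. Assumes PHP 7+, that login.php sets $_SESSION['Id'],
// and the original table/column names; the PDO DSN and credentials are placeholders.
session_start();   // before any HTML is output, or header() cannot redirect

// 1. Authentication: the only fact worth trusting is the server-side session.
if (empty($_SESSION['Id'])) {
    header('Location: login.php');
    exit;          // header() by itself does not stop the rest of the script
}
$intId = (int) $_SESSION['Id'];

// 2. CSRF: the referer test was incidentally the only thing stopping another
//    site from POSTing Delete/Update/Create with the member's cookie. Replace it
//    with a per-session token that every form must send back.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && (!isset($_POST['csrf']) || !hash_equals($_SESSION['csrf'], $_POST['csrf']))) {
    http_response_code(403);
    exit('Invalid request token.');
}
function csrfField() {
    // Hidden input to echo inside each <form>; the token is hex, so no escaping is needed.
    return "<input type='hidden' name='csrf' value='{$_SESSION['csrf']}'/>";
}

// 3. Database: prepared statements instead of interpolated SQL, and the owner
//    check moves from the HTML (hidden buttons) into the WHERE clause, where a
//    forged intMessageId cannot get around it.
$pdo = new PDO('mysql:host=localhost;dbname=meetings;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function deleteMessage(PDO $pdo, $intId) {
    $stmt = $pdo->prepare('DELETE FROM messages WHERE Id = :id AND members_Id = :owner');
    $stmt->execute([':id' => (int) $_POST['intMessageId'], ':owner' => $intId]);
    return $stmt->rowCount();   // 0 means no such row, or not this member's row
}

function updateMessage(PDO $pdo, $intId) {
    $now  = getdate();
    $stmt = $pdo->prepare('UPDATE messages SET Message = :msg, Day = :d, Month = :m, Year = :y,
                           Hour = :h, Minute = :i WHERE Id = :id AND members_Id = :owner');
    $stmt->execute([
        ':msg' => (string) $_POST['strMessage'],
        ':d' => $now['mday'], ':m' => $now['mon'], ':y' => $now['year'],
        ':h' => $now['hours'], ':i' => $now['minutes'],
        ':id' => (int) $_POST['intMessageId'], ':owner' => $intId,
    ]);
    return $stmt->rowCount();
}

function createMessage(PDO $pdo, $intId) {
    $now  = getdate();
    $stmt = $pdo->prepare('INSERT INTO messages (members_Id, Message, Day, Month, Year, Hour, Minute)
                           VALUES (:owner, :msg, :d, :m, :y, :h, :i)');
    $stmt->execute([
        ':owner' => $intId, ':msg' => (string) $_POST['strMessage'],
        ':d' => $now['mday'], ':m' => $now['mon'], ':y' => $now['year'],
        ':h' => $now['hours'], ':i' => $now['minutes'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Escape anything read back from the database before it goes into the page;
// a meeting text containing </textarea><script> would otherwise run in every
// member's browser.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['Logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: index.html');
    exit;
}
if (isset($_POST['Delete'])) { deleteMessage($pdo, $intId); }
if (isset($_POST['Update'])) { updateMessage($pdo, $intId); }
if (isset($_POST['Create'])) { createMessage($pdo, $intId); }
// ... then render the forms as before, with csrfField() echoed inside each
// <form> and h($strMessage), h($strForename), h($strSurname) in place of the
// raw values.
```

Two caveats worth keeping in mind when reading the thread. Any HTTP client can send whatever Referer it likes (curl's --referer option, a browser extension, or simply editing the request in a proxy), so a referer test gives no authentication and only a weak, easily stripped CSRF defence. And $_SERVER['HTTP_REFERER'] carries the full URL the browser sent, while $_SERVER['PHP_SELF'] is only the script path, so comparing the two directly, as suggested earlier in the thread, would not match even for legitimate self-submissions; the session check plus a token is the fix, not a longer referer condition.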
