gwolff2005 Posted April 7, 2009 Share Posted April 7, 2009 Hi guys, I try to build a restrict access level to my page, but it does not work. Who can help me. What is wrong? Thanks in advance! <?php function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue; switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue; } $editFormAction = $_SERVER['PHP_SELF']; if (isset($_SERVER['QUERY_STRING'])) { $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']); } if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) { $insertSQL = sprintf("INSERT INTO users (name) VALUES (%s)", GetSQLValueString($_POST['textfield'], "text")); mysql_select_db($database_Login, $Login); $Result1 = mysql_query($insertSQL, $Login) or die(mysql_error()); } mysql_select_db($database_Login, $Login); $query_Recordset1 = "SELECT users.name FROM users WHERE users.username= '$submitted_login_name' "; $Recordset1 = mysql_query($query_Recordset1, $Login) or die(mysql_error()); $row_Recordset1 = mysql_fetch_assoc($Recordset1); $totalRows_Recordset1 = mysql_num_rows($Recordset1); ?> Link to comment https://forums.phpfreaks.com/topic/153055-secure-site/ Share on other sites More sharing options...
Maq Posted April 7, 2009 Share Posted April 7, 2009 but it does not work. How doesn't it work? What happens? Use tags whenever posting code. Link to comment https://forums.phpfreaks.com/topic/153055-secure-site/#findComment-804054 Share on other sites More sharing options...
gwolff2005 Posted April 8, 2009 Author Share Posted April 8, 2009 Yeah, ok that was a little bit general What I do not get done is the query if a username is already in mysql. If yes that the user is directed back to the page saying. It already exists. If not to proceed. Here is the code again... <?php require_once('Connections/Login.php'); ?> <?php function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue; switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue; } $editFormAction = $_SERVER['PHP_SELF']; if (isset($_SERVER['QUERY_STRING'])) { $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']); } if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) { $insertSQL = sprintf("INSERT INTO users (username, password) VALUES (%s, %s)", GetSQLValueString($_POST['username'], "text"), GetSQLValueString($_POST['password'], "text")); mysql_select_db($database_Login, $Login); $Result1 = mysql_query($insertSQL, $Login) or die(mysql_error()); } mysql_select_db($database_Login, $Login); $query_Recordset1 = "SELECT code.code, users.username, users.password FROM code, users"; $Recordset1 = mysql_query($query_Recordset1, $Login) or die(mysql_error()); $row_Recordset1 = mysql_fetch_assoc($Recordset1); $totalRows_Recordset1 = mysql_num_rows($Recordset1); ?> <?php // *** Validate request to login to this site. if (!isset($_SESSION)) { session_start(); } $loginFormAction = $_SERVER['PHP_SELF']; if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck']; } if (isset($_POST['code'])) { $loginUsername=$_POST['code']; $password=$_POST['code']; $MM_fldUserAuthorization = ""; $MM_redirectLoginSuccess = "intro.php"; $MM_redirectLoginFailed = "http://www.guntmarwolff.com"; $MM_redirecttoReferrer = false; mysql_select_db($database_Login, $Login); $LoginRS__query=sprintf("SELECT code, code FROM code WHERE code='%s' AND code='%s'", get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); $LoginRS = mysql_query($LoginRS__query, $Login) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = ""; //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; if (isset($_SESSION['PrevUrl']) && false) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Registration</title> </head> <form action="" method="post"></form> <body> <p> </p> <form method="POST" name="form1" action="<?php echo $loginFormAction; ?>"> <table align="center"> <tr valign="baseline"> <td nowrap align="right"><div align="left">Code</div></td> <td><input name="code" type="text" id="code" size="32" /></td> </tr> <tr valign="baseline"> <td nowrap align="right">Username:</td> <td><input type="text" name="username" value="" size="32"></td> </tr> <tr valign="baseline"> <td nowrap align="right">Password:</td> <td><input type="text" name="password" value="" size="32"></td> </tr> <tr valign="baseline"> <td nowrap align="right"> </td> <td><input type="submit" value="Insert record"></td> </tr> </table> <input type="hidden" name="MM_insert" value="form1"> </form> <p> </p> <p> </p> <p> </p> <p> </p> </body> </html> <?php mysql_free_result($Recordset1); ?> Link to comment https://forums.phpfreaks.com/topic/153055-secure-site/#findComment-804330 Share on other sites More sharing options...
Maq Posted April 8, 2009 Share Posted April 8, 2009 Looks like you're inserting without even testing to see if the user name exists. You have to do something like: $sql = "SELECT * FROM users WHERE username = '{$_POST['username']}'"; $result = mysql_query($sql) or die(mysql_error()); if(mysql_num_rows($result)) > 0) { // The user name already exists } else { // Proceed with your INSERT code . . . } Link to comment https://forums.phpfreaks.com/topic/153055-secure-site/#findComment-804509 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.