gwolff2005 Posted April 7, 2009

Hi guys, I'm trying to build a restricted access level for my page, but it does not work. Who can help me? What is wrong? Thanks in advance!

```php
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (name) VALUES (%s)",
                       GetSQLValueString($_POST['textfield'], "text"));

  mysql_select_db($database_Login, $Login);
  $Result1 = mysql_query($insertSQL, $Login) or die(mysql_error());
}

mysql_select_db($database_Login, $Login);
$query_Recordset1 = "SELECT users.name FROM users WHERE users.username= '$submitted_login_name' ";
$Recordset1 = mysql_query($query_Recordset1, $Login) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
```

Maq Posted April 7, 2009

> but it does not work.

How doesn't it work? What happens? Use tags whenever posting code.

gwolff2005 (Author) Posted April 8, 2009

Yeah, OK, that was a little bit general. What I can't get done is the query to check if a username is already in MySQL. If yes, the user is directed back to the page, saying it already exists. If not, proceed. Here is the code again...

```php
<?php require_once('Connections/Login.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (username, password) VALUES (%s, %s)",
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString($_POST['password'], "text"));

  mysql_select_db($database_Login, $Login);
  $Result1 = mysql_query($insertSQL, $Login) or die(mysql_error());
}

mysql_select_db($database_Login, $Login);
$query_Recordset1 = "SELECT code.code, users.username, users.password FROM code, users";
$Recordset1 = mysql_query($query_Recordset1, $Login) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['code'])) {
  $loginUsername=$_POST['code'];
  $password=$_POST['code'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "intro.php";
  $MM_redirectLoginFailed = "http://www.guntmarwolff.com";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Login, $Login);

  $LoginRS__query=sprintf("SELECT code, code FROM code WHERE code='%s' AND code='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
    get_magic_quotes_gpc() ? $password : addslashes($password));

  $LoginRS = mysql_query($LoginRS__query, $Login) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";

    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Registration</title>
</head>
<form action="" method="post"></form>
<body>
<p> </p>
<form method="POST" name="form1" action="<?php echo $loginFormAction; ?>">
  <table align="center">
    <tr valign="baseline">
      <td nowrap align="right"><div align="left">Code</div></td>
      <td><input name="code" type="text" id="code" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap align="right">Username:</td>
      <td><input type="text" name="username" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
      <td nowrap align="right">Password:</td>
      <td><input type="text" name="password" value="" size="32"></td>
    </tr>
    <tr valign="baseline">
      <td nowrap align="right"> </td>
      <td><input type="submit" value="Insert record"></td>
    </tr>
  </table>
  <input type="hidden" name="MM_insert" value="form1">
</form>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
</body>
</html>
<?php
mysql_free_result($Recordset1);
?>
```

Maq Posted April 8, 2009

Looks like you're inserting without even testing to see if the user name exists. You have to do something like:

```php
// Escape the submitted name before it goes into the SQL string
$username = mysql_real_escape_string($_POST['username']);
$sql = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($sql) or die(mysql_error());

if (mysql_num_rows($result) > 0) {
  // The user name already exists
} else {
  // Proceed with your INSERT code . . .
}
```
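
The check-then-insert flow suggested above, as an added example that is not code from any poster in this thread: it uses PDO prepared statements instead of the thread's `mysql_*` functions (removed in PHP 7), backs the `SELECT` check with a `UNIQUE` constraint so two simultaneous sign-ups cannot both succeed, and stores a password hash instead of the plain password. The in-memory SQLite database, the `password_hash` column and the `registerUser()` helper are assumptions made so the example runs on its own.

```php
<?php
// Added example: constructed schema and sample data, not the poster's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE makes the database reject a duplicate even if two requests
// pass the SELECT check at the same moment.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

// Hypothetical helper: returns "created", "exists" or "invalid".
function registerUser(PDO $pdo, string $username, string $password): string
{
    $username = trim($username);
    if ($username === '' || $password === '') {
        return 'invalid';
    }

    // The placeholder keeps user input out of the SQL text entirely.
    $check = $pdo->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }

    try {
        $insert = $pdo->prepare(
            'INSERT INTO users (username, password_hash) VALUES (?, ?)'
        );
        $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
        return 'created';
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (lost the race).
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'exists';
        }
        throw $e;
    }
}

// Constructed inputs, including one that would break string-built SQL.
foreach ([['alice', 'pw1'], ['alice', 'pw2'], ["x' OR '1'='1", 'pw3'], ['', 'pw4']] as [$u, $p]) {
    printf("%-14s => %s\n", $u, registerUser($pdo, $u, $p));
}
```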