Patrick817 (Author) Posted May 25, 2010
Hello Everyone, I sure hope someone can assist with my situation. I read the terms of the website and am not sure what code I could post to diagnose the issue. We hired a guy to program a website. Since that initial work was done, I have inherited the upkeep without any background in this. So, please understand my inexperience and request for assistance. Here is the issue: We have the equivalent of a shopping cart tailored to our business. There are two PHP pages used for a login and product list for suppliers who go into that area. The problem is that they are only supposed to see their products and they are seeing all products/companies in the database. This is an issue with assigning the user id (supplier id). I know kind of where the problem is and it appears to be that the PHP is using an ID field, but maybe the wrong one? Can someone take a look at the code and find the problem before I run out of time/patience? I need to get this fixed quickly but lack the skills. Thanks, Patrick817
Thread: https://forums.phpfreaks.com/topic/202830-help-with-code-on-website/
-Karl- Posted May 25, 2010
Post the code, in PHP tags, and I'll take a look.
Patrick817 (Author) Posted May 25, 2010
Ok, sorry for my inexperience. Post PHP tags? I am not sure what code to post. There are two pages used. Should I post the code in the two pages? I think that the issue lies somewhere in the code and the database field names. What info do I need to post to show? Thanks, Patrick817
MadTechie Posted May 25, 2010
You should be able to solve this with a query update, but without the code that lists the products, or at least some info about how it was coded, it's really hard to say... Posting the code you believe is the problem is a good start; also, any info about the database schema would help. PHP tags are the tags (see the # button).
Patrick817 (Author) Posted May 25, 2010
Ok, I am uploading the two pages. One is the login page (I am posting this because I am not sure if the "Supplier ID" is assigned here for the user). The other is the product Search page that is returning every product/client in the database instead of just the supplier that is logged in. (They should only be able to see their products.) Also, the table used for this id is the 'Supplier' table. The field name is `Supplier ID`. The 'Products' table has a `Supplier ID` field name too. (Each of those two tables also has an unused `ID` that was set up originally. But, I cannot see any code referencing that field by mistake.) [attachment deleted by admin]
-Karl- Posted May 25, 2010
Does login actually even work? From what I can see, there's no login function. Just a form.
Patrick817 (Author) Posted May 25, 2010
The login works. I logged in as one of the users to check their products when I found this problem. Apparently, the other users had logged in as administrators. They did not see this issue. There are three subdirectories in that structure: Suppliers, Buyers, Administrators. Each has the similar PHP files for each user type's features. I am not overly impressed at the coding but do not know it well enough to critique it. The programmer disappeared after he was paid but before the 'scope creep' could be implemented.
Patrick817 (Author) Posted May 25, 2010
Sorry, I missed your question about the login functions. They may be listed in the 'included' PHP pages. It does log in and display the menu items that the person has permission to view. Also, the only users so far have been our staff.
-Karl- Posted May 25, 2010
Well, the problem is I can't see if the sessions are being set correctly as there is nothing in the two files that you've posted. Also, I'm taking the liberty of tidying the code up a bit. I hate it when programmers close PHP tags, only to reopen them on the next line!
Patrick817 (Author) Posted May 25, 2010
What would you need to see regarding the session settings? I can show one of the other files that has a lot of the subroutines in it. That one starts turning into an alien language on me.
-Karl- Posted May 25, 2010
Well, I believe include.php may hold the answers. Also, here's search.php tidied up a bit. (It may not work correctly, so keep a backup of your original and I'll edit it if there are any mistakes.)

```php
<?php
include("../../include/include.php");
require_supplier();
include("../../include/open.php");
echo '<meta name="keywords" content="" />
<title></title>';
include("../../include/navigation.php");

// Build the WHERE clause shared by every product query on this page.
// The first condition scopes the results to the logged-in supplier.
$query = "WHERE (Products.`Supplier ID` = '" . $__user["id"] . "' AND ";
if ($_GET["q"] != "") {
    $query .= "Products.Name like '%" . escape($_GET["q"]) . "%' AND ";
}
if ($_GET["supplier"] != "") {
    $query .= "Products.`Supplier ID` = '" . escape($_GET["supplier"]) . "' AND ";
}
if ($_GET["category"] != "") {
    $query .= "(Products.`Category ID` = '" . escape($_GET["category"]) . "' OR Products.`Subcategory ID` = '" . escape($_GET["category"]) . "' ) AND ";
}
$query .= "Products.Status != 'Deleted')";

echo '<h1>Product Search</h1>
<form method="get" action="search.php">
<input type="hidden" name="page" value="'.ehtml($_GET["page"]).'" />
<input type="hidden" name="rpp" value="'.ehtml($_GET["rpp"]).'" />
<table class="styled" style="width: 660px;">
<tr>
<th style="width: 120px;">Product Name:</th>
<td><input style="width: 98%;" name="q" value="'.ehtml($_GET["q"]).'" /></td>
</tr>
<tr>
<th>Category:</th>
<td>
<select name="category">';

// Category drop-down: top-level categories, each followed by its subcategories,
// showing only those that have at least one matching product.
echo '<option value=""';
if ($_GET["category"] == "") {
    echo 'selected="selected"';
}
echo '>-All Categories-</option>';
$categories = query_mysql("SELECT ID, Name FROM Categories WHERE `Parent Category ID` = '0' ORDER BY `Sort Index` ASC, `Name` ASC");
while ($category = mysql_fetch_array($categories)) {
    $result = query_mysql("SELECT COUNT(ID) AS Count FROM Products " . $query . " AND `Category ID` = '" . escape($category["ID"]) . "'");
    $result = mysql_fetch_array($result);
    if ($result["Count"] == 0) {
        continue;
    }
    echo '<option value="'.$category["ID"].'"';
    if ($category["ID"] == $_GET["category"]) {
        echo 'selected="selected"';
    }
    echo '>'.ehtml($category["Name"]).'('.ehtml($result["Count"]).')</option>';
    $subcategories = query_mysql("SELECT ID, Name FROM Categories WHERE `Parent Category ID` = '" . escape($category["ID"]) . "' ORDER BY `Name` ASC");
    while ($subcategory = mysql_fetch_array($subcategories)) {
        $result = query_mysql("SELECT COUNT(ID) AS Count FROM Products " . $query . " AND `Subcategory ID` = '" . escape($subcategory["ID"]) . "'");
        $result = mysql_fetch_array($result);
        if ($result["Count"] == 0) {
            continue;
        }
        echo '<option value="'.$subcategory["ID"].'"';
        if ($subcategory["ID"] == $_GET["category"]) {
            echo 'selected="selected"';
        }
        echo '> '.ehtml($subcategory["Name"]).'('.ehtml($result["Count"]).')</option>';
    }
}
echo '</select>
</td>
</tr>
<tr>
<th>Supplier:</th>
<td>
<select name="supplier">
<option value=""';
if ($_GET["supplier"] == "") {
    echo 'selected="selected"';
}
echo '>-All Suppliers-</option>';

// Supplier drop-down: suppliers that have at least one matching product.
$suppliers = query_mysql("SELECT Suppliers.`Supplier ID` AS ID, Suppliers.Company AS Company, COUNT(Products.ID) AS Count FROM Suppliers LEFT JOIN Products ON Products.`Supplier ID` = Suppliers.ID " . $query . " AND Suppliers.Status != 'Deleted' GROUP BY Company ORDER BY Company ASC");
while ($supplier = mysql_fetch_array($suppliers)) {
    if ($supplier["Count"] == 0) {
        continue;
    }
    echo '<option value="'.$supplier["ID"].'">'.ehtml($supplier["Company"]).'('.ehtml($supplier["Count"]).')</option>';
}
echo '</select>
</td>
</tr>
<tr>
<td colspan="2">
<input type="submit" value="Search" />
</td>
</tr>
</table>
</form><br />';

// Render the product list using the same WHERE clause.
product_search($query);
?>
<script type="text/javascript">
<!--
$('[name=q]').focus();
$('[name=q]').select();
//-->
</script>
<?php include("../../include/close.php"); ?>
```
-Karl- Posted May 25, 2010
Here's login.php:

```php
<?php
include("../../include/include.php");
require_guest();

$message = "";         // initialised so the checks below never read an undefined variable
$password_change = 0;  // same

if (isset($_POST["email"])) {
    // Verify the visitor has not attempted login too many times
    $visitors = query_mysql("SELECT `Login Attempts`, `Cookie Attempts`, `First Attempt` FROM `Visitors` WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
    if ($visitor = mysql_fetch_array($visitors)) {
        if (time() - $visitor["First Attempt"] >= $__options["attempts_timeout"]) {
            query_mysql("DELETE FROM `Visitors` WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
        } elseif ($visitor["Cookie Attempts"] >= $__options["max_session_attempts"] || $visitor["Login Attempts"] >= $__options["max_login_attempts"]) {
            // fixed: the original read $options__["max_login_attempts"], a different (undefined) variable
            $abort_session = 1;
        }
    }
    if (!isset($abort_session) || $abort_session != 1) {
        // Note the column list: the row has `Supplier ID`, not `ID`.
        $users = query_mysql("SELECT `Supplier ID`, `Password`, `Force Password Change`, `Password Changed`, `Status` FROM `Suppliers` WHERE `Email` = '" . escape($_POST["email"]) . "'");
        if ($user = mysql_fetch_array($users)) {
            if (check_password($_POST["password"], $user["Password"]) == 1) {
                if ($user["Status"] == "Active") { // fixed: the original used = (assignment), which is always true
                    if ($user["Force Password Change"] == "Yes" || time() > ($user["Password Changed"] + $__options["admin_password_change_time"])) {
                        if ($_POST["password1"] != "") {
                            $temp = good_password($_POST["password1"]);
                            if ($_POST["password1"] != $_POST["password2"]) {
                                $temp = "Enter the same password twice.";
                            }
                            if ($_POST["password"] == $_POST["password1"]) {
                                $temp = "Your new password can not be the same as the old one.";
                            }
                            if ($temp !== 1) {
                                $password_change = 1;
                                $message = $temp;
                            } else {
                                if ($result = query_mysql("UPDATE `Suppliers` SET `Force Password Change` = 'No', `Password` = '" . escape(salt_hash_password($_POST["password1"])) . "', `Password Changed` = '" . time() . "' WHERE `Email` = '" . escape($_POST["email"]) . "'") && mysql_affected_rows() > 0) {
                                    header("Location: /portal/supplier/login.php?action=passwordchange");
                                    die(1);
                                } else {
                                    $password_change = 1;
                                    $message = "There was a problem.";
                                }
                            }
                        } else {
                            $password_change = 1;
                            $message = "You are required to change your password.";
                        }
                    } else {
                        // Create the session record and cookie.
                        $temp = random_string(40);
                        if ($result = query_mysql("SELECT `ID` FROM `Sessions` WHERE `Cookie` = '" . escape($temp) . "'")) {
                            if (mysql_num_rows($result) == 0) {
                                setcookie("session_id", $temp, time() + 600000, "/");
                                // $user["ID"] below is what the posted code stores as the session's User ID
                                query_mysql("INSERT INTO `Sessions` (`Cookie`, `User ID`, `User Type`, `Activity`, `Login`) VALUES ('" . escape($temp) . "', '" . escape($user["ID"]) . "', 'Supplier', '" . time() . "', '" . time() . "')");
                                query_mysql("INSERT INTO `Login Tracking` (`ID`, `User Type`, `Login`, `Session ID`, `IP`, `Logout Type`, `Logout`, `User ID`) VALUES (NULL , 'Supplier', '" . time() . "', '" . mysql_insert_id() . "', INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "'), '0', '0', '" . escape($user["ID"]) . "')");
                                query_mysql("DELETE FROM `Visitors` WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
                                header("Location: /portal/supplier/");
                                die(1);
                            } else {
                                $message = "There was a problem on our end.";
                            }
                        } else {
                            $message = "There was a problem on our end.";
                        }
                    }
                } elseif ($user["Status"] == "New") { // fixed: the original used = here too
                    $message = "After we approve your account, you will be able to login.";
                } else {
                    $message = "Either your email or password is incorrect.";
                }
            } else {
                $message = "Either your email or password is incorrect.";
            }
        } else {
            $message = "Either your email or password is incorrect.";
        }
    } else {
        $message = "You, or someone on your internet connection, has attempted to login to the system too many times. Either wait a while or contact us for help.";
    }
}

// Record the failed attempt against the visitor's IP.
if ($message == "Either your email or password is incorrect.") {
    $visitors = query_mysql("SELECT `First Attempt` FROM `Visitors` WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
    if ($visitor = mysql_fetch_array($visitors)) {
        if (time() - $visitor["First Attempt"] >= $__options["attempts_timeout"]) {
            query_mysql("DELETE FROM `Visitors` WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
            query_mysql("INSERT INTO `Visitors` (`IP`, `Login Attempts`, `Cookie Attempts`, `First Attempt`) VALUES (INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "'), '1', '0', '" . time() . "')");
        } else {
            query_mysql("UPDATE `Visitors` SET `Login Attempts` = `Login Attempts` + 1 WHERE `IP` = INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "')");
        }
    } else {
        query_mysql("INSERT INTO `Visitors` (`IP`, `Login Attempts`, `Cookie Attempts`, `First Attempt`) VALUES (INET_ATON('" . escape($_SERVER["REMOTE_ADDR"]) . "'), '1', '0', '" . time() . "')");
    }
}

if (isset($_GET["action"])) {
    switch ($_GET["action"]) {
        case "timeout":
            $message = "You have been logged out due to inactivity or longevity. You will need to login again.";
            break;
        case "loggedout":
            $message = "You have been logged out.";
            break;
        case "passwordchange":
            $message = "Your password has been changed.";
            break;
        default:
            break;
    }
}

include("../../include/open.php");
echo '<meta name="keywords" content=" " />
<title></title>';
include("../../include/navigation.php");

if ($password_change == 1) {
    echo '<form method="post" action="login.php">
<h1>Change Password</h1>
<p style="color: red; font-weight: bold;">'.$message.'</p>
<table>
<tr>
<th style="text-align: right;">Email:</th>
<td><input id="email" name="email" value="'.ehtml($_POST["email"]).'" /></td>
</tr>
<tr>
<th style="text-align: right;">Password:</th>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<th style="text-align: right;">New Password:</th>
<td><input type="password" name="password1" /></td>
</tr>
<tr>
<th style="text-align: right;">New Password Again:</th>
<td><input type="password" name="password2" /></td>
</tr>
<tr>
<td colspan="2" style="text-align: right;"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>';
} else {
    echo '<form method="post" action="login.php">
<h1>Supplier Login</h1>
<p style="color: red; font-weight: bold;">'.$message.'</p>
<table>
<tr>
<th style="text-align: right;">Email:</th>
<td><input id="email" name="email" value="'.ehtml($_POST["email"]).'" /></td>
</tr>
<tr>
<th style="text-align: right;">Password:</th>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td colspan="2" style="text-align: right;"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>
<a href="forgot_password.php">I forgot my password.</a>';
}
?>
<script type="text/javascript">
<!--
$('#email').focus();
$('#email').select();
//-->
</script>
<?php include("../../include/close.php"); ?>
```
Patrick817 (Author) Posted May 25, 2010
I am uploading the include.php file. I really appreciate your help. [attachment deleted by admin]
-Karl- Posted May 25, 2010
Just out of curiosity:

```php
function ehtml($text) {
    echo htmlspecialchars($text);
}
```

Why your programmer has made that a function, I'll never know.
-Karl- Posted May 25, 2010
What's in open.php?
Patrick817 (Author) Posted May 25, 2010
This is the open.php content.

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="/assets/root.css" rel="stylesheet" type="text/css" />
<script src="/assets/jquery.js" type="text/javascript"></script>
<script src="/assets/SpryMenuBar.js" type="text/javascript"></script>
<link href="/assets/SpryMenuBarVertical.css" rel="stylesheet" type="text/css" />
```
-Karl- Posted May 25, 2010
What you could try doing is echoing $__user["id"] to see if it's being set.
Patrick817 (Author) Posted May 25, 2010
I have no idea how to do that. Where would I put that code?
-Karl- Posted May 25, 2010
Ugh, hit me up a PM and we'll talk on MSN or something.
Patrick817 (Author) Posted May 25, 2010
Sorry for the delay, I was pulled into a few meetings. Any help to get this issue resolved would be greatly appreciated.
Patrick817 (Author) Posted May 25, 2010
This problem is turning out to be a real challenge for me. Is there, like, a PHP expert that can assist in figuring out the problem? (The sad thing is that this is probably a simple code fix or database field reference.... It is no fun being inexperienced at PHP.)
jcbones Posted May 25, 2010
Here are the first 23 lines of -Karl-'s tidied-up search.php WITH the echo of the user id, and a redundant part of the query string commented out.

```php
<?php
include("../../include/include.php");
require_supplier();
// Debug output: placed after include.php, since that is where $__user gets defined;
// echoing it before the include would always print an empty value.
echo 'USER ID: ' . $__user['id'];
include("../../include/open.php");
echo '<meta name="keywords" content="" />
<title></title>';
include("../../include/navigation.php");

$query = "WHERE (Products.`Supplier ID` = '" . $__user["id"] . "' AND ";
if ($_GET["q"] != "") {
    $query .= "Products.Name like '%" . escape($_GET["q"]) . "%' AND ";
}
// Redundant: the first condition already restricts results to the logged-in supplier.
// if ($_GET["supplier"] != "") {
//     $query .= "Products.`Supplier ID` = '" . escape($_GET["supplier"]) . "' AND ";
// }
if ($_GET["category"] != "") {
    $query .= "(Products.`Category ID` = '" . escape($_GET["category"]) . "' OR Products.`Subcategory ID` = '" . escape($_GET["category"]) . "' ) AND ";
}
$query .= "Products.Status != 'Deleted')";
```
MadTechie Posted May 26, 2010
Okay, IMHO I hate the code! However, line 50 of login.php should be:

```php
query_mysql("INSERT INTO `Sessions` (`Cookie`, `User ID`, `User Type`, `Activity`, `Login`) VALUES ('" . escape($temp) . "', '" . escape($user["Supplier ID"]) . "', 'Supplier', '" . time() . "', '" . time() . "')");
```
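The fix above, together with -Karl-'s suggestion to echo $__user["id"], comes down to one thing: the login code stored a column the SELECT never returned (`ID` instead of `Supplier ID`), so the session carried an empty supplier id and the `Products.\`Supplier ID\` = '...'` scope in search.php no longer meant what it was supposed to. The example below is added here to illustrate that; it is not code from the thread or from the site's programmer. It reproduces the wrong and the right lookup against an in-memory SQLite database with constructed rows, and shows two defensive changes for the product listing: abort when the scoping id is missing instead of building a query around an empty string, and bind the id as a parameter rather than concatenating it. Table and column names follow the thread; the function names, the sample data, and PHP 7.1+ with pdo_sqlite are assumptions.

```php
<?php
// Added example (not from the thread). Needs PHP 7.1+ with the pdo_sqlite extension.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Column names as in the thread; SQLite accepts MySQL-style backtick quoting.
    $db->exec('CREATE TABLE Suppliers (`Supplier ID` INTEGER, Email TEXT, Status TEXT)');
    $db->exec('CREATE TABLE Products (`Supplier ID` INTEGER, Name TEXT, Status TEXT)');
    // Constructed sample data.
    $db->exec("INSERT INTO Suppliers VALUES (7, 'a@example.com', 'Active'), (9, 'b@example.com', 'New')");
    $db->exec("INSERT INTO Products VALUES (7, 'Widget', 'Active'), (9, 'Gadget', 'Active'), (9, 'Gizmo', 'Deleted')");
    return $db;
}

// The row login.php loads for the person logging in (same column list as the thread's SELECT:
// `Supplier ID` is selected, `ID` is not).
function load_supplier(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT `Supplier ID`, Status FROM Suppliers WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Status must be compared with ==. The posted login.php wrote `if ($user["Status"] = "Active")`,
// an assignment that is always true, so a "New" account would pass the check.
function is_active(array $user): bool
{
    return $user['Status'] == 'Active';
}

// Product listing scoped to one supplier. Unlike search.php, an empty or non-numeric id
// aborts instead of silently producing `Supplier ID` = '', and the id is bound, not concatenated.
function supplier_products(PDO $db, $supplierId): array
{
    if (!is_int($supplierId) && !ctype_digit((string) $supplierId)) {
        throw new RuntimeException('No supplier id in session; refusing to list products');
    }
    $stmt = $db->prepare(
        'SELECT Name FROM Products WHERE `Supplier ID` = :sid AND Status != \'Deleted\' ORDER BY Name'
    );
    $stmt->execute([':sid' => (int) $supplierId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db   = make_db();
$user = load_supplier($db, 'a@example.com');

// Before the fix: the key the code asked for does not exist in the fetched row.
$wrongId = $user['ID'] ?? null;     // null; the session would have stored ''
// After the fix (line 50): the column the SELECT actually returned.
$rightId = $user['Supplier ID'];    // 7

try {
    supplier_products($db, $wrongId);
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}

echo "a@example.com active: ", var_export(is_active($user), true), "\n";
echo "b@example.com active: ", var_export(is_active(load_supplier($db, 'b@example.com')), true), "\n";
print_r(supplier_products($db, $rightId));  // only supplier 7's non-deleted products
```

Run it with `php example.php`. The guard in supplier_products is the check the thread's echo-debugging was looking for, made permanent: if the session ever again carries no supplier id, the page refuses to list anything rather than running a query whose scope has quietly disappeared.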
Patrick817 (Author) Posted May 26, 2010
Thank You, Thank You, Thank you! MadTechie - Line 50 did it. Many thanks to everyone who helped out too. I am so appreciative. Patrick
MadTechie Posted May 26, 2010
Great. Remember to test each part of the system to check it's all working as it should. It should, as line 50 was actually a bug fix, so nothing else should be affected. Any problems, just ask. --MadTechie