Creating my forum doesn't stop people from logging in


rdkd1970

I have my session_start(); set and my section to see if they are logged in or not, but somehow it is allowing anyone to post to the forum without signing up. I have my table as follows :'(

 

TABLE

id INT (11)
post_author var 255
post_author_id INT 11
otid INT 11 (original topic id and the responder)
date_time DATETIME 
type ENUM a,b
view_count INT 11
section_title VAR 88
section_id INT 11
thread_title VAR 64
post_body TEXT
closed ENUM 0,1 default 0

 

CREATE TOPIC SECTION

<?php
include_once "../Connection/mysql.php";

$logOptions = '';
// Check to see if the user is logged in with session variables
if (!isset($_SESSION['userpass']) || $_SESSION['userpass'] == "") { 
   $logOptions = '<a href="http://www.blessedtalk.com">Register Account</a>
    |    
 <a href="http://www.blessedtalk.com/login-form.php">Log In</a>';
} else {
// Assume they are a member because they have a password session variable set
// Check the database to be sure that their ID, password, and email session variables all match in the database
$u_id = mysql_real_escape_string($_SESSION['SESS_ID']);
$u_name = mysql_real_escape_string($_SESSION['username']);
$u_email = mysql_real_escape_string($_SESSION['useremail']);
$u_pass = mysql_real_escape_string($_SESSION['userpass']);
$sql = mysql_query("SELECT * FROM myMembers WHERE id='$u_id' AND username='$u_name' AND email='$u_email' AND password='$u_pass'");
    $numRows = mysql_num_rows($sql);
    if ($numRows < 1) {
    echo "ERROR: You do not exist in the system.";
    exit();
    }
}
// Check to make sure the POST variables "forum_id" and "forum_title" are set
if (!isset($_POST['forum_id']) || $_POST['forum_id'] == "" || !isset($_POST['forum_title']) || $_POST['forum_title'] == "") {
echo "Important variables are missing";
exit();
} else {
// Acquire the variables and proceed to show them a form for creating a new topic
$forum_section_id = preg_replace('#[^0-9]#i', '', $_POST['forum_id']); 
$forum_section_title = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['forum_title']); 
}
$sql = mysql_query("SELECT * FROM forum_sections WHERE id='$forum_section_id' AND title='$forum_section_title'");
$numRows = mysql_num_rows($sql);
if ($numRows < 1) {
    echo "ERROR: That section does not exist.";
    exit();
}
?>
<script type="text/javascript" language="javascript"> 
<!--
function validateMyForm ( ) { 
    var isValid = true;
    if ( document.form1.post_title.value == "" ) { 
    alert ( "Please type in a title for this topic" ); 
    isValid = false;
    } else if ( document.form1.post_title.value.length < 10 ) { 
            alert ( "Your title must be at least 10 characters long" ); 
            isValid = false;
    } else if ( document.form1.post_body.value == "" ) { 
            alert ( "Please type in your topic body." ); 
            isValid = false;
    }
    return isValid;
}
//-->
</script>
<div id="breadcrumbs"><a href="http://www.blessedtalk.com">Blessed Talk Home</a> ← <a href="http://www.blessedtalk.com/forum">Forum Home</a> ← <a href="section.php?id=<?php echo $forum_section_id; ?>"><?php echo $forum_section_title; ?></a></div>
    <h2>Creating New Topic In the  <em><?php echo $forum_section_title; ?></em> Forum</h2>
    
    <form action="parse_post.php" method="post" name="form1">
    <input name="post_type" type="hidden" value="a" />
    Topic Author:<br /><input name="topic_author" type="text" disabled="disabled" maxlength="64" style="width:96%;" value="<?php echo $u_name; ?>" />
    <br /><br />
    Please type in a title for your topic here:<br /><input name="post_title" type="text" maxlength="64" style="width:96%;" /><br /><br />
    Please type in your topic body:<br /><textarea name="post_body" rows="15" style="width:96%;"></textarea>
    <br /><br /><input name="" type="submit" value="Create my topic now!" onclick="javascript:return validateMyForm();"/>
    <input name="fsID" type="hidden" value="<?php echo $forum_section_id; ?>" />
    <input name="fsTitle" type="hidden" value="<?php echo $forum_section_title; ?>" />
    <input name="uid" type="hidden" value="<?php echo $_SESSION['SESS_ID']; ?>" />
    <input name="upass" type="hidden" value="<?php echo $_SESSION['userpass']; ?>" />
    </form>

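In the code posted above, the guest branch only sets `$logOptions` and execution continues to the form, and `parse_post.php` receives `uid` and `upass` as hidden fields. The following is an added example, not the poster's code: it resolves the member from the session on the server and refuses guests before any insert. The PDO handle, the `forum_posts` table name and the SQLite demo data are assumptions; `myMembers`, `SESS_ID` and the form field names come from the post.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO instead of mysql_*,
// a posts table named forum_posts (hypothetical), SESS_ID as in the post.

/** Return the member row for this session, or null for a guest. */
function current_member(PDO $pdo, array $session): ?array
{
    $id = (string) ($session['SESS_ID'] ?? '');
    if (!ctype_digit($id)) {
        return null; // no numeric member id in the session: guest
    }
    $stmt = $pdo->prepare('SELECT id, username FROM myMembers WHERE id = ?');
    $stmt->execute([(int) $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

/** Insert a topic; returns the new id, or null when the caller is a guest. */
function create_topic(PDO $pdo, array $session, array $post): ?int
{
    $member = current_member($pdo, $session);
    if ($member === null) {
        return null; // the page then redirects to the login form and exits
    }
    $title = trim($post['post_title'] ?? '');
    $body  = trim($post['post_body'] ?? '');
    if (strlen($title) < 10 || $body === '') {
        throw new InvalidArgumentException('title or body failed validation');
    }
    // Author fields come from the session lookup, never from hidden inputs.
    $stmt = $pdo->prepare(
        'INSERT INTO forum_posts (post_author, post_author_id, section_id, thread_title, post_body)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$member['username'], $member['id'], (int) ($post['fsID'] ?? 0), $title, $body]);
    return (int) $pdo->lastInsertId();
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE myMembers (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec('CREATE TABLE forum_posts (id INTEGER PRIMARY KEY, post_author TEXT,
    post_author_id INTEGER, section_id INTEGER, thread_title TEXT, post_body TEXT)');
$pdo->exec("INSERT INTO myMembers (id, username) VALUES (7, 'alice')");

$form = ['post_title' => 'A long enough title', 'post_body' => 'Hello', 'fsID' => '3', 'uid' => '7'];
var_dump(create_topic($pdo, [], $form));                 // guest session, uid field ignored
var_dump(create_topic($pdo, ['SESS_ID' => '7'], $form)); // logged-in member
```

On the real pages, call `session_start()` first and, when `current_member()` returns null, send the `Location` header for `login-form.php` and `exit` before any HTML is output. With the author taken from the session, the `uid` and `upass` hidden fields are no longer needed in the form.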
