Error on custom PHP admin panel


Jakx

Hello, I am having trouble with this custom admin panel. It is pretty simple: it has an admin login page, an index page, and a page where you can add and delete inventory items (this one is the one with the problem). Everything was working okay, I added 2 items, deleted one, and now it gives me this error every time I try to add or delete any items.

"Your login session data is not on record in the database."

You can try it out. The URL is http://regismartinez.com/pepe/storeadmin/admin_login.php

The credentials are: administrator / asdf1234

Here is the code for admin_login.php (works fine):


<?php

session_start();
ob_start();
if (isset($_SESSION["manager"])) {
    header("location: index.php");
    exit();
    ob_end_flush();
}
?>

<?php
// Parse the log in form if the user has filled it out and pressed "Log In"
if (isset($_POST["username"]) && isset($_POST["password"])) {

    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // filter everything but numbers and letters
    // Connect to the MySQL database
    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person

    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 1) { // evaluate the count
        while ($row = mysql_fetch_array($sql)) {
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["manager"] = $manager;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}
?>

 

Here is the code for the index.php (the admin index page)

 

<?php

session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers

$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters

$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters

// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person

// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>


 

And here is the code for inventory_list.php (the one with the problem, I believe):

 


<?php

session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}

// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers

$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters

$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters

// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person

// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>

<?php
// Script Error Reporting
error_reporting(E_ALL);
ini_set('display_errors', '1');
?>

<?php
// Delete Item Question to Admin, and Delete Product if they choose
if (isset($_GET['deleteid'])) {
    echo 'Do you really want to delete product with ID of ' . $_GET['deleteid'] . '? <a href="inventory_list.php?yesdelete=' . $_GET['deleteid'] . '">Yes</a> | <a href="inventory_list.php">No</a>';
    exit();
}
if (isset($_GET['yesdelete'])) {
    // remove item from system and delete its picture
    // delete from database
    $id_to_delete = $_GET['yesdelete'];
    $sql = mysql_query("DELETE FROM products WHERE id='$id_to_delete' LIMIT 1") or die (mysql_error());
    // unlink the image from server
    // Remove The Pic -------------------------------------------
    $pictodelete = ("../inventory_images/$id_to_delete.jpg");
    if (file_exists($pictodelete)) {
        unlink($pictodelete);
    }
    header("location: inventory_list.php");
    exit();
}
?>

<?php
// Parse the form data and add inventory item to the system
if (isset($_POST['product_name'])) {

    $product_name = mysql_real_escape_string($_POST['product_name']);
    $price = mysql_real_escape_string($_POST['price']);
    $category = mysql_real_escape_string($_POST['category']);
    $subcategory = mysql_real_escape_string($_POST['subcategory']);
    $details = mysql_real_escape_string($_POST['details']);

    // See if that product name is an identical match to another product in the system
    $sql = mysql_query("SELECT id FROM products WHERE product_name='$product_name' LIMIT 1");
    $productMatch = mysql_num_rows($sql); // count the output amount
    if ($productMatch > 0) {
        echo 'Sorry you tried to place a duplicate "Product Name" into the system, <a href="inventory_list.php">click here</a>';
        exit();
    }

    // Add this product into the database now
    $sql = mysql_query("INSERT INTO products (product_name, price, details, category, subcategory, date_added)
        VALUES('$product_name','$price','$details','$category','$subcategory',now())") or die (mysql_error());
    $pid = mysql_insert_id();
    // Place image in the folder
    $newname = "$pid.jpg";
    move_uploaded_file($_FILES['fileField']['tmp_name'], "../inventory_images/$newname");
    header("location: inventory_list.php");
    exit();
}
?>

<?php
// This block grabs the whole list for viewing
$product_list = "";
$sql = mysql_query("SELECT * FROM products ORDER BY date_added DESC");
$productCount = mysql_num_rows($sql); // count the output amount
if ($productCount > 0) {
    while ($row = mysql_fetch_array($sql)) {
        $id = $row["id"];
        $product_name = $row["product_name"];
        $price = $row["price"];
        $date_added = strftime("%b %d, %Y", strtotime($row["date_added"]));
        $product_list .= "Product ID: $id - <strong>$product_name</strong> - $$price - <em>Added $date_added</em>       <a href='inventory_edit.php?pid=$id'>edit</a> • <a href='inventory_list.php?deleteid=$id'>delete</a><br />";
    }
} else {
    $product_list = "You have no products listed in your store yet";
}
?>



 

This is a tutorial I am trying to follow on YouTube. I am new to PHP, and I do not own this code. However, I am stuck with this problem. Thank you in advance for any help you guys can provide me.


You know... I started to look at the code with the intention of fixing it up a bit, and posting comments on what to do (and what not to do). However, after reading the login part, I can only recommend you drop this tutorial outright. There are so many WTF moments in that small amount of code that I'm convinced the author doesn't really know what he's doing.

 

For instance, a short list of what I found in the login script alone:

1. The output buffering is completely unnecessary in there. It doesn't do anything at all, besides waste resources.

2. Ending the PHP parsing, just to start it up again, is also completely unnecessary. It wastes time like nothing else, as PHP has to switch between modes (and send an empty line to the client).

3. Which, incidentally, would have prevented you from using any header() calls later on in the code if there was just a single space or added line break.

4. Never ever silently change the users' input, especially not for things like the username. Validate it instead, and show a warning if it fails validation.

5. Absolutely never manipulate the password, especially not to reduce its complexity!!! Salt and hash passwords, but DO NOT put negative limitations on them!

   (I strongly recommend that you read this article about secure login systems, btw)

6. Neither the username nor the password has been escaped when added to the SQL query, meaning that it's completely open for SQL injections.

7. Minor detail, but saving the result from mysql_num_rows() only to use it once is wasteful.

8. A while loop to fetch one row is also completely unnecessary, since the code will run exactly once anyway; the loop adds as much as the aforementioned output buffering.

9. Never save the password in the session! Session data is stored as a plain-text file on the server, which means that anyone with proper access to the server can read the password.

10. Related to that is the rechecking of the username and password on every page load. You have already checked it once, and stored the ID in the session, so there really is no need to check it again every time. As long as you have a valid session with a set ID, you know that the user has provided a valid username and password.

11. The author also didn't regenerate the session ID, meaning it's open for session fixation attacks.

12. Another minor one, but the else after return or die() is not needed. The script won't continue after reaching those statements anyway.

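As an added example (not code from the thread or from the tutorial the poster is following), here is what the admin_login.php logic looks like once the points above are applied: the username is validated rather than silently rewritten, the password is never altered and never stored in the session, the stored password is a password_hash() value checked with password_verify(), the lookup is a prepared statement instead of string interpolation, and the session ID is regenerated at login. The PDO connection details, the `admin_id` session key, the `validate_username()`/`authenticate()` helper names and the assumption that the `admin.password` column holds a hash are mine, not the original's; the mysql_* extension the posted code uses was removed in PHP 7, which is why PDO is used here.

```php
<?php
// Added example: hardened replacement for the admin_login.php logic in the thread.
// Assumptions (not from the original): a PDO connection to the store database,
// an `admin` table whose `password` column holds a password_hash() result, and
// an `admin_id` session key that is the only thing kept in the session.
declare(strict_types=1);

session_start();

// Already logged in: only the admin's id lives in the session (no password).
if (isset($_SESSION['admin_id'])) {
    header('Location: index.php');
    exit();
}

/**
 * Validate the username instead of stripping characters out of it.
 * Returns the username unchanged when it is acceptable, null otherwise.
 */
function validate_username(string $username): ?string
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $username) === 1 ? $username : null;
}

/**
 * Look up the admin row with a prepared statement and verify the submitted
 * password against the stored hash. The password is never modified and never
 * written anywhere. Returns the admin id on success, null on failure.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // An unknown user and a wrong password fail the same way.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {

    // Assumed connection settings; replace with the project's own include.
    $pdo = new PDO('mysql:host=localhost;dbname=store;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    $username = validate_username($_POST['username']);
    if ($username === null) {
        http_response_code(400);
        echo 'Usernames may only contain letters and digits (3 to 32 characters).';
        exit();
    }

    $adminId = authenticate($pdo, $username, $_POST['password']);
    if ($adminId === null) {
        echo 'That information is incorrect, try again <a href="admin_login.php">Click Here</a>';
        exit();
    }

    // Fresh session ID on privilege change closes the session fixation hole.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $adminId;
    header('Location: index.php');
    exit();
}
```

With this in place, index.php and inventory_list.php only need `session_start();` followed by `if (!isset($_SESSION['admin_id'])) { header('Location: admin_login.php'); exit(); }`, which is item 10 above: the username and password are not re-queried on every page load. Rows already in `admin` with a plain-text password need a one-time rehash with password_hash() before password_verify() will accept them. The same prepared-statement pattern belongs on the other interpolated queries in the posted inventory_list.php, such as the `DELETE FROM products WHERE id='$id_to_delete'` query, which puts `$_GET['yesdelete']` into SQL without any escaping.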

Okay, so it works now.

I got rid of the extra queries checking for the user in the database, and I just left the check to determine if the page can be viewed or not, and now it works! It adds and deletes items normally without giving the "Your login session data is not on record in the database." message.


You should post your final code too if you want to know if you've done more things that might get you into trouble.
