Ameslee Posted February 7, 2007

OK, I have a problem with some code. It creates new users so they can log in to the maintenance pages for a site. I add a new user and it automatically makes the username administrator. That's the problem, it shouldn't be doing that... Here is the code that adds the user:

add_user1.php

```php
<?php
session_start();
include ("checklow.inc");
?>
<html>
<head>
<title>Add User</title>
</head>
<body bgcolor="#CCCCFE">
<FORM METHOD=POST ACTION="add_user2.php">
<h2>Add User</h2>
<table>
All fields must be filled in.
<tr>
<td>Username
<td><input type="text" Name="username">
<tr>
<td>Password
<td><input type="text" Name="password">
<tr>
<td>Level
<td><input type="text" Name="level"> Enter <b>high</b> or <b>low</b>, depending on the amount of access permitted for the user
</table>
<p>
<input type="submit" value="Add">
</form>
</body>
</html>
```

add_user2.php

```php
<?php
session_start();
include ("checklow.inc");
include("database.inc");
?>
<?php
$query = "insert login(username,password,level)VALUES('$username','$password','$level')";
//echo $query;
mysql_query ($query) or print mysql_error();
?>
<html>
<head>
<title>Add User</title>
</head>
<body bgcolor="#CCCCFE">
User Added
<p><a href="index.php">Main Menu</a>
</body>
</html>
```

Hope someone can help me. Thanks.

Jessica Posted February 7, 2007

I bet you have register_globals enabled and you're logged in as administrator. Turn that off and use $_GET and $_POST.

Ameslee Posted February 7, 2007

Sorry, I don't know what you mean... this is confusing me as is... it was working fine... and I haven't changed anything as far as I can recall.

Ameslee Posted February 7, 2007

Can anyone explain? I'm still learning it.

Jessica Posted February 7, 2007

```php
$query = "insert login(username,password,level)VALUES('$username','$password','$level')";
```

You're using the variable $username without ever defining it. This indicates you have register_globals on, which is a security no-no. This also means if you have $_SESSION['username'], that will overwrite the $_POST['username']. Are you administrator? That's where it's getting that from.

Instead of using variables without declaring them, you need to do

```php
$username = $_POST['username'];
```

You also need to read up on PHP security, things like SQL injection, and how to code without R_G.

Ameslee Posted February 7, 2007

> $query = "insert login(username,password,level)VALUES('$username','$password','$level')";
>
> You're using the variable $username without ever defining it. This indicates you have register_globals on, which is a security no-no. This also means if you have $_SESSION['username'], that will overwrite the $_POST['username']. Are you administrator? That's where it's getting that from.
>
> Instead of using variables without declaring them, you need to do $username = $_POST['username'];
>
> You also need to read up on PHP security, things like SQL injection, and how to code without R_G.

OK, you're saying that because I have signed in as the administrator it's kept that in memory, and now that I'm making a new user it's just doing it automatically. So I went to my login script, processlogin_script.php. I already have this in there:

```php
$username = $_POST['username'];
```

the only difference being

```php
$username = trim($_POST['username']);
```

Yes, I am the administrator. So I really don't know what to do.

Jessica Posted February 7, 2007

That's not in your ADD script though, you just access $username, without getting it from the $_POST, so it's using the preexisting $username.

Ameslee Posted February 8, 2007

Oh I see, I'm slow today, sorry.

```php
$query = "insert login(username,password,level)VALUES('$username','$password','$level')";
```

So I put

```php
$username = $_POST['username'];
```

Now how do I do that... Sorry, I'm hopeless... Thanks for your help.

Jessica Posted February 8, 2007

The same way you did in your other script...

Ameslee Posted February 8, 2007

OMG, I feel like an idiot. Like this?

```php
$username = trim($_POST['username']);
```

Do I take the username out of

```php
$query = "insert login(username,password,level)VALUES('$username','$password','$level')";
```

Jessica Posted February 8, 2007

```php
$username = trim($_POST['username']);
$query = "insert login(username,password,level)VALUES('$username','$password','$level')";
```

You should also do some research on SQL injection.

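Added example, not part of the original thread: one way to write the insert from add_user2.php so that every value is read explicitly from the submitted form and bound through a prepared statement, which covers both the register_globals problem and the SQL injection point raised above. It assumes PDO with an in-memory SQLite database in place of the MySQL connection from database.inc; add_user() is a hypothetical helper name, and hashing the password is an addition the thread does not discuss.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL connection made by database.inc;
// add_user() is a hypothetical helper name.

function add_user(PDO $db, array $post): bool
{
    // Read each field explicitly from the submitted form data. Nothing comes
    // from implicit globals, so a session value cannot replace a form value.
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';
    $level    = $post['level'] ?? '';

    // The form requires all fields, and level must be "high" or "low".
    if ($username === '' || $password === '' || !in_array($level, ['high', 'low'], true)) {
        return false;
    }

    // Placeholders keep the values out of the SQL text, so quotes in the
    // input are stored as data instead of changing the statement.
    $stmt = $db->prepare('INSERT INTO login (username, password, level) VALUES (?, ?, ?)');
    // Storing a hash instead of the plain password is an addition made here.
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $level]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT, password TEXT, level TEXT)');

// Constructed form submissions: a normal one, a name containing a quote
// character, and one with a level outside the allowed values.
$forms = [
    ['username' => ' newuser ', 'password' => 'secret1', 'level' => 'low'],
    ['username' => "O'Brien",   'password' => 'secret2', 'level' => 'high'],
    ['username' => 'someone',   'password' => 'secret3', 'level' => 'root'],
];
foreach ($forms as $form) {
    echo add_user($db, $form) ? "added\n" : "rejected\n";
}

// List what was actually stored.
foreach ($db->query('SELECT username, level FROM login') as $row) {
    echo $row['username'], ' => ', $row['level'], "\n";
}
```

In a real add_user2.php the call would be add_user($db, $_POST), with $db created in database.inc.
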
Ameslee Posted February 8, 2007

Alright, thanks. That worked. Thank you very much.