calabiyau Posted May 3, 2007

Okay I've taken out a trouble ticket with my host but haven't heard anything back yet. I have a user area that uses sessions to store the username and password. I've echoed these values in many places throughout the script and they are always what they are supposed to be, except at one point they magically turn into my database name and database password. I'm positive it's not something in my code. The only time I mention database is when I actually connect to it. Has anyone ever encountered anything like this before? Is this some kind of system malfunction?

john010117 Posted May 3, 2007

I've never heard of that happening before. Check your script again.

ataria Posted May 3, 2007

Post your script, let us see if you made an error or something.

ToonMariner Posted May 3, 2007

As a security measure you should never store usernames and passwords in a session. But otherwise search all your code for where these variables are set (easy enough with Dreamweaver) and see what is happening.

kenrbnsn Posted May 3, 2007

Is register_globals enabled? If it is, this could be causing your problem.

Ken

calabiyau Posted May 3, 2007 (Author)

```php
<?php
//This is if client wants to download a file that cannot be shown in the browser
if ($_GET['action']=='download')
{
    //need to clear the ob, or previous html will be included in downloaded file
    //since this is actually an include.
    ob_get_clean();
    $location = "../ext_client_doc/".$_GET['user']."/".$_GET['doc'];
    $fd = fopen($location, 'rb');
    header("Cache-Control: ");
    header("Pragma: ");
    header("Content-Type: application/octet-stream");
    header("Content-Length: " .(string)(filesize($location)) );
    header('Content-Disposition: attachment; filename="'.$_GET['doc'].'"');
    header("Content-Transfer-Encoding: binary\n");
    ob_flush();
    flush();
    while(!feof($fd)) {
        $buffer = fread($fd, 2048);
        print $buffer;
    }
    fclose ($fd);
    exit;
}

//This is for client to view an html page
if ($_GET['action']=='stream')
{
    ob_get_clean();
    $location = "../ext_client_doc/".$_SESSION['new_user']."/".$_GET['doc'];
    $fd = fopen($location, 'rb');
    header("Content-Type: text/html");
    ob_flush();
    flush();
    while(!feof($fd)) {
        $buffer = fread($fd, 2048);
        print $buffer;
    }
    fclose ($fd);
    exit;
}

if ($_GET['action'] == 'logout')
{
    session_unset();
    session_destroy();
    $current_url = "http://".$_SERVER['HTTP_HOST'];
    header("$current_url");
}

include('../connections.php');

$page = $_GET['page'];
$user = $_POST['user'];
$password = $_POST['password'];
$user = quote_smart($user);
$password = quote_smart($password);

if ($_POST['log_attempt']=='true')
{
    $query = "SELECT * FROM ext_client_users WHERE user='".$user."' AND password='".$password."'";
    $result = mysql_query($query,$connect);
    $num_rows = mysql_num_rows($result);
    if ($num_rows>0)
    {
        $_SESSION['logged'] = 'true';
    }
    else {echo "I'm sorry either the username or password is incorrect";}

    while ($row=mysql_fetch_array($result))
    {
        $user_id = $row['user_id'];
        $user_name = $row['user'];
        $user_password = $row['password'];
        $_SESSION['user_id']= $row['user_id'];
        $_SESSION['user'] = $row['user'];
        $_SESSION['password'] = $row['password'];
        echo $row['user']."<br/>".$_SESSION['user'];
    }
}

if (!isset($_SESSION['logged']))
{
    echo '<form action="index.php?page='.$page.'" method="post">';
    echo 'Username:<br/><input type="text" name="user"/><br/>';
    echo 'Password:<br/><input type="text" name="password"/><br/>';
    echo '<input type="hidden" name="log_attempt" value="true"/>';
    echo '<input style="background: orange; color: white;" type="submit" value="Log In"/>';
    echo '</form>';
}

if (isset($_SESSION['logged']))
{
    echo "<h3>User Area for: ".$_SESSION['user']."</h3>";
    echo '<h4><a href="index.php?page='.$page.'&action=logout" style="color: black;">Log Out</a></h4>';
    echo "<h4>Files available for web browser viewing:</h4><ul>";
    $query = "SELECT * FROM ext_client_protected WHERE user_id='".$_SESSION['user_id']."' AND visibility='2'";
    $result = mysql_query($query,$connect);
    while ($row = mysql_fetch_array($result))
    {
        echo '<li><a href="index.php?page='.$page.'&doc='.$row['doc_name'].'&action=stream&user='.$_SESSION['user'].'" style="color: black;">'.$row['doc_name'].'</a><br/>'.$row['notes'].'</li>';
    }
    echo "</ul><h4>Files available for download:</h4><ul>";
    $query = "SELECT * FROM ext_client_protected WHERE user_id='".$_SESSION['user_id']."' AND visibility='3'";
    $result = mysql_query($query,$connect);
    while ($row = mysql_fetch_array($result))
    {
        echo '<li><a href="index.php?page='.$page.'&doc='.$row['doc_name'].'&action=download&user='.$_SESSION['user'].'" style="color: black;">'.$row['doc_name'].'</a> <br/>'.$row['notes'].'</li>';
    }
    echo "</ul>";
}
?>
```

calabiyau Posted May 3, 2007 (Author)

I realize there are many holes in this script but I'm just trying to get one thing working at a time. I'm still not exactly sure what kind of mechanism to use with sessions and log ins. Any suggestions?

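One way to build the login mechanism asked about in the last post, following ToonMariner's advice to keep credentials out of the session (an added example, not code from the thread). The table and column names follow the posted script; the `password_hash` column, the in-memory SQLite database and the demo account are assumptions. Credentials stay in function-local variables and only `user_id` is written to `$_SESSION`, so no global variable shares a name with a session key, which is the kind of overlap `register_globals` can act on.

```php
<?php
// Added example: table/column names follow the thread's script; the
// password_hash column, SQLite database and sample account are constructed.

// Returns the user's id on success, or null. Only the id goes into the session.
function attempt_login(PDO $db, string $user, string $password): ?int
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare(
        'SELECT user_id, password_hash FROM ext_client_users WHERE user = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against a stored hash, so neither the
    // database nor the session ever holds the plaintext password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Issue a fresh session id at login to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return $_SESSION['user_id'];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ext_client_users (
    user_id INTEGER PRIMARY KEY, user TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO ext_client_users (user, password_hash) VALUES (?, ?)')
   ->execute(['demo_client', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Run both attempts before printing: the session id cannot be regenerated
// once output has started.
$rejected = attempt_login($db, 'demo_client', 'wrong guess');
$accepted = attempt_login($db, 'demo_client', 'correct horse');
var_dump($rejected, $accepted, array_keys($_SESSION));
```

Later pages then check `isset($_SESSION['user_id'])` and look up anything else they need from the database by that id.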