Blocking un authorised users who attempt via browsers URLs

oavs · June 19, 2003

Hi,

I have a similar problem like earlier posted by \'deki\'. Displaying ediable page as per current user (by sessions) is fine.

There is a menu items where user lists his total records. On that total record display page, there is a edit link per items listed. When you click the \'edit\' link takes you to update record page.

Update page is shared by multi level users. Such as Members and Admin depending on thier initial login level stage.

Problem is on the top of the Update page - browsers URL it has

http://www.oavs.com.au/membership/mdbedit....2&username=jack.

Now any one can go and change the AlbumId=value on the URL to any value to access other user\'s records even without even removing the rest of the stuff &username=jack AND EDIT !!

This is sll I want is, when the member logs on and starts editing he /she can not edit any records but his/hers even if they change the URL .

Anotherwords :

logged user must be current user equal to the session user who can only access to current user records in the mysql.

How can you do this? can someone please help?

Here is the code for the \'edit\' link-

<?php do { ?>

 <tr> 

   <td nowrap> </td>

   <td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong> 

     <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport[\'AlbumID\']; ?>&username=<?php echo $row_rsReport[\'username\']; ?>">Edit</a></strong></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'username\']; ?></font></td>

effigy · June 19, 2003

[php:1:f77af074c3]<?php

// at the top of mdbedit.php

if ( $_GET[\'username\'] != $_SESSION[\'username\'] )

{ exit; }

?>[/php:1:f77af074c3]

oavs · June 19, 2003

Thanks but had no affect. Code is now there to use.

URL

http://www.oavs.com.au/membership/mdbedit....D=171&jack=jack

can be change easly changed to this amd record can be seen and edited.

URLhttp://www.oavs.com.au/membership/mdbedit.php?AlbumID=174&jack=jack

Interestingly AlbumID=174 belongs to fred NOT jack but it still correctly displays it.

I\'ve noticed you suggested $_GET[\'username\' , all my codes has POST. and I my server is MySQL 3.23.56 version with Php 4.3.2

effigy · June 19, 2003

$_GET refers to the information supplied in the url.

try this:

[php:1:90a3fc34ba]<?php

// at the top of mdbedit.php

if ( !isset($_GET[\'username\']) ) { exit; }

if ( $_GET[\'username\'] != $_SESSION[\'username\'] ) { exit; }

?>[/php:1:90a3fc34ba]

oavs · June 20, 2003

Thanks for looking in to this.

Now I get a blank page.

If any helps for your info -

\'edit\' URL link has a URL parameter in the page called report.php which then calls mdbedit.php page (which now has your new code at the top of the page)

mdbedit.php?AlbumID=<?php echo $row_rsReport[\'AlbumID\']; ?>&username=<?php echo $HTTP_SESSION_VARS[\'username\']; ?>

I have also tried without success

mdbedit.php?AlbumID=<?php echo $row_rsReport[\'AlbumID\']; ?>

oavs · June 20, 2003

Recently I\'ve received further suggestions to my problem. Although I would not know how to implement these since I am a newby, they might give you alternative ideas. Here they are -

First off, try using POST instead of GET in your form. This way, the
parameteres are not passed in the URL. Instead, they are passed in the body

of the message. Furthermore, use and IF....THEN clause.

Mintyman

..and

somewhere on top work out this pseudo code

while ($editables){if ($editables==$Albumid){continue($Albumid);}}

get the idea ?

effigy · June 20, 2003

POST would be better; however, if there is too much code to change, what i had posted previously should work. i will explain it further:

first off, keep in mind I am using a simple exit; so no custom error messages will display, you will just get the blank page.

this code would work fine:

if ( $_GET[\'username\'] != $_SESSION[\'username\'] ) { exit; }

but, you changed the URL by taking out the &username= portion.

so, i backed that up by adding this line before it:

if ( !isset($_GET[\'username\']) ) { exit; }

which states: if the &username= parameter is left out of the url, stop the page.

try changing the exit into a custom error message to your liking, then use this url:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=171&jack=jack and you should get the error message.

now try using the original url:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=172&username=jack and it should work

let me know how this turns out :shock:

oavs · June 20, 2003

Still no good. I must be doing some thing ??

I have tried

<?php

// at the top of mdbedit.php

if ( !isset($_GET[\'username\']) ) { exit; } WITH and WITHOUT this code

if ( $_GET[\'username\'] != $_SESSION[\'username\'] ) { exit; }

?>

This takes me to the page fine - Still I can replace 175 with 174 and access to other user records.

http://www.oavs.com.au/membership/mdbedit....D=175&jack=jack and you should get the error message.

>>now try using the original url:

http://www.oavs.com.au/membership/mdbedit....2&username=jack and it should work

This does not work if I have both of your lines in your code.

This time here is the total code for the

Page report.php (report.php has the edit link to call mdbedit.php)

<?php require_once(\'../Connections/connMDB.php\'); ?>

<?php 

session_start();

?>

<?php ob_start(); ?>

<?php

#	BuildNav for Dreamweaver MX v0.2 starts here 

#              10-02-2002

#	Alessandro Crugnola [TMM]

#	sephiroth: alessandro@sephiroth.it

#	http://www.sephiroth.it

#	

#	Function for navigation build ::

function buildNavigation($pageNum_Recordset1,$totalPages_Recordset1,$prev_Recordset1,$next_Recordset1,$separator=" | ",$max_links=10, $show_page=true)

{

               GLOBAL $maxRows_rsReport,$totalRows_rsReport;

$pagesArray = ""; $firstArray = ""; $lastArray = "";

if($max_links<2)$max_links=2;

if($pageNum_Recordset1<=$totalPages_Recordset1 && $pageNum_Recordset1>=0)

{

 if ($pageNum_Recordset1 > ceil($max_links/2))

 {

 	$fgp = $pageNum_Recordset1 - ceil($max_links/2) > 0 ? $pageNum_Recordset1 - ceil($max_links/2) : 1;

 	$egp = $pageNum_Recordset1 + ceil($max_links/2);

 	if ($egp >= $totalPages_Recordset1)

 	{

   $egp = $totalPages_Recordset1+1;

   $fgp = $totalPages_Recordset1 - ($max_links-1) > 0 ? $totalPages_Recordset1  - ($max_links-1) : 1;

 	}

 }

 else {

 	$fgp = 0;

 	$egp = $totalPages_Recordset1 >= $max_links ? $max_links : $totalPages_Recordset1+1;

 }

 if($totalPages_Recordset1 >= 1) {

 	#	------------------------

 	#	Searching for $_GET vars

 	#	------------------------

 	$_get_vars = \'\';  	

 	if(!empty($_GET) || !empty($HTTP_GET_VARS)){

   $_GET = empty($_GET) ? $HTTP_GET_VARS : $_GET;

   foreach ($_GET as $_get_name => $_get_value) {

   	if ($_get_name != "pageNum_rsReport") {

     $_get_vars .= "&$_get_name=$_get_value";

   	}

   }

 	}

 	$successivo = $pageNum_Recordset1+1;

 	$precedente = $pageNum_Recordset1-1;

 	$firstArray = ($pageNum_Recordset1 > 0) ? "<a href="$_SERVER[PHP_SELF]?pageNum_rsReport=$precedente$_get_vars">$prev_Recordset1</a>" :  "$prev_Recordset1";

 	# ----------------------

 	# page numbers

 	# ----------------------

 	for($a = $fgp+1; $a <= $egp; $a++){

   $theNext = $a-1;

   if($show_page)

   {

   	$textLink = $a;

   } else {

   	$min_l = (($a-1)*$maxRows_rsReport) + 1;

   	$max_l = ($a*$maxRows_rsReport >= $totalRows_rsReport) ? $totalRows_rsReport : ($a*$maxRows_rsReport);

   	$textLink = "$min_l - $max_l";

   }

   $_ss_k = floor($theNext/26);

   if ($theNext != $pageNum_Recordset1)

   {

   	$pagesArray .= "<a href="$_SERVER[PHP_SELF]?pageNum_rsReport=$theNext$_get_vars">";

   	$pagesArray .= "$textLink</a>" . ($theNext < $egp-1 ? $separator : "");

   } else {

   	$pagesArray .= "$textLink"  . ($theNext < $egp-1 ? $separator : "");

   }

 	}

 	$theNext = $pageNum_Recordset1+1;

 	$offset_end = $totalPages_Recordset1;

 	$lastArray = ($pageNum_Recordset1 < $totalPages_Recordset1) ? "<a href="$_SERVER[PHP_SELF]?pageNum_rsReport=$successivo$_get_vars">$next_Recordset1</a>" : "$next_Recordset1";

 }

}

return array($firstArray,$pagesArray,$lastArray);

}

#	BuildNav for Dreamweaver MX v0.2  ends here



?>

// effigy table code actually starts here >>>>>>>>>>>

<?php

$maxRows_rsReport = 20;

$pageNum_rsReport = 0;

if (isset($HTTP_GET_VARS[\'pageNum_rsReport\'])) {

 $pageNum_rsReport = $HTTP_GET_VARS[\'pageNum_rsReport\'];

}

$startRow_rsReport = $pageNum_rsReport * $maxRows_rsReport;



mysql_select_db($database_connMDB, $connMDB);

$query_rsReport = "SELECT * FROM mdbTable WHERE mdbTable.username = \'$username\' ORDER BY AlbumArtist ASC";

$query_limit_rsReport = sprintf("%s LIMIT %d, %d", $query_rsReport, $startRow_rsReport, $maxRows_rsReport);

$rsReport = mysql_query($query_limit_rsReport, $connMDB) or die(mysql_error());

$row_rsReport = mysql_fetch_assoc($rsReport);



if (isset($HTTP_GET_VARS[\'totalRows_rsReport\'])) {

 $totalRows_rsReport = $HTTP_GET_VARS[\'totalRows_rsReport\'];

} else {

 $all_rsReport = mysql_query($query_rsReport);

 $totalRows_rsReport = mysql_num_rows($all_rsReport);

}

$totalPages_rsReport = ceil($totalRows_rsReport/$maxRows_rsReport)-1;

?>

<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>

<!-- <link rel="shortcut icon" href="favicon.ico" /> -->

<!-- InstanceBeginEditable name="doctitle" -->

<title>iCollectIt</title>

<!-- InstanceEndEditable -->



<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<!-- InstanceBeginEditable name="head" -->

<!-- InstanceEndEditable -->

</head>



<body topmargin="2">

<table width="95%" border="0">

 <tr> 

   <td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>

   <td width="527" align="left" valign="middle" nowrap> <blockquote> 

       <p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare 

         and Collectable <br>

         CD\'s, DVD\'s and Vinyl\'s</strong></font></p>

     </blockquote></td>

   <td width="11"> </td>

 </tr>

 <tr> 

   <td height="3" colspan="2" valign="top" bgcolor="#006699"></td>

   <td> </td>

 </tr>

 <tr> 

   <td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>. 

       . . . make us an offer we can\'t refuse</strong></font></em></div></td>

   <td> </td>

 </tr>

</table>

<!-- InstanceBeginEditable name="Body" --> 

<table width="72%" border="0" align="center" cellpadding="0" cellspacing="0">

 <tr> 

   <td colspan="5" rowspan="5" valign="top"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdblogout.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Logout<br>

     </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbMemberReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Admin 

     Report<br>

     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Member 

     Report <br>

     </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbGenreReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Genre 

     List</a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbTypeReport.php"><br>

     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Type 

     List</a><a href="mdbGenreReport.php"></a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbadd.php"><br>

     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Add 

     Item</a></font></td>

   <td> </td>

   <td colspan="17"><div align="center"><font color="#990000" size="2" face="Arial, Helvetica, sans-serif"><strong>Admin 

       Item Report / Update</strong></font></div></td>

   <td> </td>

 </tr>

 <tr> 

   <td></td>

   <td colspan="17" rowspan="2">

<?

if($_SESSION[\'user_level\'] == 1){

echo "<font face="Arial" size="2"> Members Item Report / Update<br>

<a href=mdblogout.php>Logout</a><br />

<a href=mdbAdd.php>Add Items</a><br />

<a href=mdbMemberReport.php>Member Report</a><br />

<a href=report.php>Update Items / View Member Report</a><br /></font>";

}

if($_SESSION[\'user_level\'] == 2){

echo "<font face="Arial" size="2"> Admin Item Report / Update<br>

<a href=mdblogout.php>Logout</a><br />

<a href=mdbadd.php>Add Item</a><br/>

<a href=mdbadminReport.php>View Master Report</a><br />

<a href=report.php>Update Any Item</a><br /></font>";



}

?>

</td>

   <td> </td>

 </tr>

 <tr> 

   <td> </td>

   <td> </td>

 </tr>

 <tr> 

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

 </tr>

 <tr> 

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td> </td>

   <td colspan="7"><div align="right"><strong><font size="2" face="Arial, Helvetica, sans-serif">Total 

       of <?php echo min($startRow_rsReport + $maxRows_rsReport, $totalRows_rsReport) ?> /  <?php echo $totalRows_rsReport ?> records</font></strong></div></td>

   <td> </td>

 </tr>

 <tr> 

   <td nowrap> </td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font size="1" face="Arial, Helvetica, sans-serif"> </font><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Edit</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>User</strong></font> 

   </td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>ID</strong></font></td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Number</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Artist</strong></font></td>

   <td height="0" bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Title</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Genre</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Type</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Condition</strong></font></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Buy 

       or Offer</strong></font></div></td>

   <td bgcolor="#6666FF"> </td>

   <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>QTY</strong></font></div></td>

   <td bgcolor="#6666FF"> </td>

 </tr>

 <?php do { ?>

 <tr> 

   <td nowrap> </td>

   <td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong> 



<!-- HERE IS THE URL CODE !!! ->



     <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport[\'AlbumID\']; ?>&username=<?php echo $HTTP_SESSION_VARS[\'username\']; ?>">Edit</a></strong></font></td>



<!-- HERE IS THE URL CODE !!! ->





   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'username\']; ?></font></td>

   <td bgcolor=""> </td>

   <td bgcolor="#FBFDEC"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumID\']; ?></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td nowrap bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumCatalogNumber\']; ?></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td nowrap bgcolor="#EAEAFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumArtist\']; ?></font></td>

   <td height="0" bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td nowrap bgcolor="#FFEAEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumName\']; ?></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td nowrap bgcolor="#FFEFAE"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'Genre\']; ?></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#FFFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'Type\']; ?></font></td>

   <td bgcolor="" ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#EAFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumCondition\']; ?></font></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#FFF7EA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumPrice\']; ?></font></div></td>

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>

   <td bgcolor="#F1FFEA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumQty\']; ?></font></div></td>

   <td> </td>

 </tr>

 <tr> 

   <td nowrap> </td>

   <td height="0" colspan="22" ><div align="center"> 

       <hr color=\'lightblue\'>

     </div></td>

   <td> </td>

 </tr><div align="center">

 <?php } while ($row_rsReport = mysql_fetch_assoc($rsReport)); ?>

 <tr> 

   <td nowrap> </td>

   <td height="0" colspan="22" > <div align="center"> 

       <?php 

# variable declaration

$prev_rsReport = "« previous";

$next_rsReport = "next »";

$separator = " - ";

$max_links = 20;

$pages_navigation_rsReport = buildNavigation($pageNum_rsReport,$totalPages_rsReport,$prev_rsReport,$next_rsReport,$separator,$max_links,true); 



print $pages_navigation_rsReport[0]; 

?>

       <?php print $pages_navigation_rsReport[1]; ?> <?php print $pages_navigation_rsReport[2]; ?> 

     </div></td>

   <td> </td>

 </tr>

</table>

<!-- InstanceEndEditable -->

<p> </p>

</body>

<!-- InstanceEnd --></html>

<?php

mysql_free_result($rsReport);

?>

Now the mdbedit.php.. sorry about the code :cry:

<?php

// at the top of mdbedit.php

if ( !isset($_GET[\'username\']) ) { exit; }

if ( $_GET[\'username\'] != $_SESSION[\'username\'] ) { exit; }

?>

<?php require_once(\'../Connections/connMDB.php\'); ?>

<?php

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

$theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "\'" . $theValue . "\'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? "\'" . doubleval($theValue) . "\'" : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "\'" . $theValue . "\'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

$editFormAction = $HTTP_SERVER_VARS[\'PHP_SELF\'];

if (isset($HTTP_SERVER_VARS[\'QUERY_STRING\'])) {

$editFormAction .= "?" . $HTTP_SERVER_VARS[\'QUERY_STRING\'];

}

if ((isset($HTTP_POST_VARS["MM_update"])) && ($HTTP_POST_VARS["MM_update"] == "updateForm")) {

$updateSQL = sprintf("UPDATE mdbTable SET AlbumCatalogNumber=%s, AlbumArtist=%s, AlbumName=%s, Genre=%s, AlbumLabel=%s, AlbumYearReleased=%s, Type=%s, AlbumTracks=%s, AlbumCountry=%s, AlbumCondition=%s, AlbumPrice=%s, AlbumNotes=%s, AlbumQty=%s, AlbumCoverURL=%s, AlbumCoverThumbnailURL=%s WHERE AlbumID=%s",

GetSQLValueString($HTTP_POST_VARS[\'AlbumCatalogNumber\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumArtist\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumName\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'selectGenre\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumLabel\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumYearReleased\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'selectType\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumTracks\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumCountry\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumCondition\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumPrice\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumNotes\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumQty\'], "int"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumCoverURL\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumCoverThumbnailURL\'], "text"),

GetSQLValueString($HTTP_POST_VARS[\'AlbumID\'], "int"));

mysql_select_db($database_connMDB, $connMDB);

$Result1 = mysql_query($updateSQL, $connMDB) or die(mysql_error());

$updateGoTo = "report.php";

if (isset($HTTP_SERVER_VARS[\'QUERY_STRING\'])) {

$updateGoTo .= (strpos($updateGoTo, \'?\')) ? "&" : "?";

$updateGoTo .= $HTTP_SERVER_VARS[\'QUERY_STRING\'];

}

header(sprintf("Location: %s", $updateGoTo));

}

$colname_rsUpdate = "1";

if (isset($HTTP_GET_VARS[\'AlbumID\'])) {

$colname_rsUpdate = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS[\'AlbumID\'] : addslashes($HTTP_GET_VARS[\'AlbumID\']);

}

mysql_select_db($database_connMDB, $connMDB);

$query_rsUpdate = sprintf("SELECT * FROM mdbTable WHERE AlbumID = %s", $colname_rsUpdate);

$rsUpdate = mysql_query($query_rsUpdate, $connMDB) or die(mysql_error());

$row_rsUpdate = mysql_fetch_assoc($rsUpdate);

$totalRows_rsUpdate = mysql_num_rows($rsUpdate);

mysql_select_db($database_connMDB, $connMDB);

$query_rsGenre = "SELECT * FROM mdbGenre";

$rsGenre = mysql_query($query_rsGenre, $connMDB) or die(mysql_error());

$row_rsGenre = mysql_fetch_assoc($rsGenre);

$totalRows_rsGenre = mysql_num_rows($rsGenre);

mysql_select_db($database_connMDB, $connMDB);

$query_rsType = "SELECT * FROM mdbType";

$rsType = mysql_query($query_rsType, $connMDB) or die(mysql_error());

$row_rsType = mysql_fetch_assoc($rsType);

$totalRows_rsType = mysql_num_rows($rsType);

?>

<title>iCollectIt</title>

</head>

<tr>

<p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare

and Collectable <br>

CD\'s, DVD\'s and Vinyl\'s</strong></font></p>

</blockquote></td>

</tr>

<tr>

</tr>

<tr>

<td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>.

. . . make us an offer we can\'t refuse</strong></font></em></div></td>

</tr>

</table>

<tr>

<form action="<?php echo $editFormAction; ?>" method="post" name="updateForm" id="updateForm">

<tr>

<td align="left" bgcolor="#ffe566"><div align="center"><b><font face="Arial" size="2"><b> U

p d a t e / E d i t I t e m </b></font></b></div></td>

</tr>

<tr>

<td width="117" align="right" nowrap bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif">Item

ID:</font></td>

</tr>

<td height="17" align="right" nowrap><font color="#999999" size="2" face="Arial, Helvetica, sans-serif">User

Name:</font></td>

<?php echo $row_rsUpdate[\'username\']; ?></font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Catalog

Number:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Artist:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Name:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Genre:</font></td>

<?php

do {

?>

<?php

} while ($row_rsGenre = mysql_fetch_assoc($rsGenre));

$rows = mysql_num_rows($rsGenre);

if($rows > 0) {

mysql_data_seek($rsGenre, 0);

$row_rsGenre = mysql_fetch_assoc($rsGenre);

}

?>

</select>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Label:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Year

Released:</font></td>

</font></td>

</tr>

<?php

do {

?>

<?php

} while ($row_rsType = mysql_fetch_assoc($rsType));

$rows = mysql_num_rows($rsType);

if($rows > 0) {

mysql_data_seek($rsType, 0);

$row_rsType = mysql_fetch_assoc($rsType);

}

?>

</select>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Tracks:</font></td>

</font></td>

</tr>

Country of Origin:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Condition:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Price:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Notes:</font></td>

</font></td>

</tr>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Image URL:</font></td>

</font></td>

</tr>

<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

Thumbnail URL:</font></td>

</font></td>

</tr>

</font></td>

</tr>

&nbs

pallevillesen · June 20, 2003

You\'re not restoring the session in the mdbedit.php page...

But I don\'t get it, if you\'re using sessions, why not just keep the username from the session, and forget about GETting it or POSTing the username...

Otherwise you should get the cd owners username back from sql as well, do the check in php (against $_SESSION[\'username\']) and output an errormessage like \"Not your cd!\"...

My 5 cents. (And I would recommend using POST all places anyway, just for making the URLs nicer... if your system have a login anyway, it won\'t be usable to have GET variables (they won\'t be bookmarkable, unless you\'re in a session).

P.

oavs · June 20, 2003

Thanks Palle,

Thanks for your time to look at it. As I have said , I am a novice, how ever I have come thios far in a week. There are lots I still do not know.

Can you please give some examples of how you would

restore the session in the mdbedit.php page...

as for

Otherwise you should get the cd owners username back from sql as well, do the check in php (against $_SESSION[\'username\']) and output an errormessage like \"Not your cd!\"...

-------------

..you are right. I do have concerns about this. How should I code this page so that if you change the AlbumID174 to say AlbumID172 you will get an errormessage like \"Not your cd!\"...

Although I am using them with DWMX, sessions are still a mistery to me.

Thankyou again

pallevillesen · June 20, 2003

Edited mdbedit.php


<?php

// at the top of mdbedit.php

session_start(); // restore session

$username = $_SESSION[\'username\'];

?>

# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.



<?php require_once(\'../Connections/connMDB.php\'); ?>



<?php

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

 $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;



 switch ($theType) {

   case "text":

P.

oavs · June 20, 2003

Thanks again Pell,

OK I get this , but

<?php

// at the top of mdbedit.php

session_start(); // restore session

$username = $_SESSION[\'username\'];

?>

# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

<?php require_once(\'../Connections/connMDB.php\'); ?>

----------------- and thankyou for the explanation.

but what is this -$theValue / $theDefinedValue / $theNotDefinedValue

and

case \"text\":

should I be changing any of these or add anything ? or that is it ?

Sign In

Blocking un authorised users who attempt via browsers URLs

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information