oavs Posted June 19, 2003

Hi, I have a similar problem to the one posted earlier by 'deki'. Displaying an editable page as per the current user (by sessions) is fine. There is a menu item where the user lists his total records. On that total record display page, there is an edit link per item listed. Clicking the 'edit' link takes you to the update record page. The update page is shared by multi-level users, such as Members and Admin, depending on their initial login level. The problem is at the top of the Update page: the browser's URL has http://www.oavs.com.au/membership/mdbedit....2&username=jack. Now anyone can go and change the AlbumId= value on the URL to any value to access other users' records, without even removing the rest of the stuff (&username=jack), AND EDIT!! All I want is this: when a member logs on and starts editing, he/she can not edit any records but his/hers, even if they change the URL. In other words: the logged-in user must be the current user, equal to the session user, who can only access the current user's records in MySQL. How can you do this? Can someone please help? Here is the code for the 'edit' link:

[php]
<?php do { ?>
<tr>
<td nowrap> </td>
<td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong> <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $row_rsReport['username']; ?>">Edit</a></strong></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['username']; ?></font></td>
[/php]
effigy Posted June 19, 2003

[php]
<?php
// at the top of mdbedit.php
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
[/php]
oavs (Author) Posted June 19, 2003

Thanks, but it had no effect. The code is now there to use. The URL http://www.oavs.com.au/membership/mdbedit....D=171&jack=jack can be easily changed to this, and the record can be seen and edited: http://www.oavs.com.au/membership/mdbedit.php?AlbumID=174&jack=jack. Interestingly, AlbumID=174 belongs to fred NOT jack, but it still correctly displays it. I've noticed you suggested $_GET['username']; all my code has POST. And my server is MySQL 3.23.56 with PHP 4.3.2.
effigy Posted June 19, 2003

$_GET refers to the information supplied in the URL. Try this:

[php]
<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
[/php]
oavs (Author) Posted June 20, 2003

Thanks for looking into this. Now I get a blank page. If it helps, for your info: the 'edit' URL link has a URL parameter in the page called report.php, which then calls the mdbedit.php page (which now has your new code at the top of the page):

[php]
mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $HTTP_SESSION_VARS['username']; ?>
[/php]

I have also tried, without success:

[php]
mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>
[/php]
oavs (Author) Posted June 20, 2003

Recently I've received further suggestions for my problem. Although I would not know how to implement these since I am a newbie, they might give you alternative ideas. Here they are:

First off, try using POST instead of GET in your form. This way, the parameters are not passed in the URL. Instead, they are passed in the body of the message. Furthermore, use an IF....THEN clause. Mintyman

..and somewhere on top work out this pseudo code

[php]
while ($editables){
  if ($editables==$Albumid){
    continue($Albumid);
  }
}
[/php]

get the idea?
effigy Posted June 20, 2003

POST would be better; however, if there is too much code to change, what I had posted previously should work. I will explain it further: first off, keep in mind I am using a simple exit; so no custom error messages will display, you will just get the blank page. This code would work fine:

[php]
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
[/php]

But you changed the URL by taking out the &username= portion. So I backed that up by adding this line before it:

[php]
if ( !isset($_GET['username']) ) { exit; }
[/php]

which states: if the &username= parameter is left out of the URL, stop the page. Try changing the exit into a custom error message to your liking, then use this URL: http://www.oavs.com.au/membership/mdbedit.php?AlbumID=171&jack=jack and you should get the error message. Now try using the original URL: http://www.oavs.com.au/membership/mdbedit.php?AlbumID=172&username=jack and it should work. Let me know how this turns out :shock:
oavs (Author) Posted June 20, 2003

Still no good. I must be doing something?? I have tried

[php]
<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
[/php]

WITH and WITHOUT this code

[php]
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
[/php]

This takes me to the page fine. Still I can replace 175 with 174 and access other users' records: http://www.oavs.com.au/membership/mdbedit....D=175&jack=jack

> and you should get the error message.
> now try using the original url: http://www.oavs.com.au/membership/mdbedit....2&username=jack and it should work

This does not work if I have both of your lines in your code. This time here is the total code for the page report.php (report.php has the edit link to call mdbedit.php):

[php]
<?php require_once('../Connections/connMDB.php'); ?>
<?php session_start(); ?>
<?php ob_start(); ?>
<?php
# BuildNav for Dreamweaver MX v0.2 starts here
# 10-02-2002
# Alessandro Crugnola [TMM]
# sephiroth: alessandro@sephiroth.it
# http://www.sephiroth.it
#
# Function for navigation build ::
function buildNavigation($pageNum_Recordset1,$totalPages_Recordset1,$prev_Recordset1,$next_Recordset1,$separator=" | ",$max_links=10, $show_page=true) {
  GLOBAL $maxRows_rsReport,$totalRows_rsReport;
  $pagesArray = "";
  $firstArray = "";
  $lastArray = "";
  if($max_links<2)$max_links=2;
  if($pageNum_Recordset1<=$totalPages_Recordset1 && $pageNum_Recordset1>=0) {
    if ($pageNum_Recordset1 > ceil($max_links/2)) {
      $fgp = $pageNum_Recordset1 - ceil($max_links/2) > 0 ? $pageNum_Recordset1 - ceil($max_links/2) : 1;
      $egp = $pageNum_Recordset1 + ceil($max_links/2);
      if ($egp >= $totalPages_Recordset1) {
        $egp = $totalPages_Recordset1+1;
        $fgp = $totalPages_Recordset1 - ($max_links-1) > 0 ? $totalPages_Recordset1 - ($max_links-1) : 1;
      }
    } else {
      $fgp = 0;
      $egp = $totalPages_Recordset1 >= $max_links ? $max_links : $totalPages_Recordset1+1;
    }
    if($totalPages_Recordset1 >= 1) {
      # ------------------------
      # Searching for $_GET vars
      # ------------------------
      $_get_vars = '';
      if(!empty($_GET) || !empty($HTTP_GET_VARS)){
        $_GET = empty($_GET) ? $HTTP_GET_VARS : $_GET;
        foreach ($_GET as $_get_name => $_get_value) {
          if ($_get_name != "pageNum_rsReport") {
            $_get_vars .= "&$_get_name=$_get_value";
          }
        }
      }
      $successivo = $pageNum_Recordset1+1;
      $precedente = $pageNum_Recordset1-1;
      $firstArray = ($pageNum_Recordset1 > 0) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$precedente$_get_vars\">$prev_Recordset1</a>" : "$prev_Recordset1";
      # ----------------------
      # page numbers
      # ----------------------
      for($a = $fgp+1; $a <= $egp; $a++){
        $theNext = $a-1;
        if($show_page) {
          $textLink = $a;
        } else {
          $min_l = (($a-1)*$maxRows_rsReport) + 1;
          $max_l = ($a*$maxRows_rsReport >= $totalRows_rsReport) ? $totalRows_rsReport : ($a*$maxRows_rsReport);
          $textLink = "$min_l - $max_l";
        }
        $_ss_k = floor($theNext/26);
        if ($theNext != $pageNum_Recordset1) {
          $pagesArray .= "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$theNext$_get_vars\">";
          $pagesArray .= "$textLink</a>" . ($theNext < $egp-1 ? $separator : "");
        } else {
          $pagesArray .= "$textLink" . ($theNext < $egp-1 ? $separator : "");
        }
      }
      $theNext = $pageNum_Recordset1+1;
      $offset_end = $totalPages_Recordset1;
      $lastArray = ($pageNum_Recordset1 < $totalPages_Recordset1) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$successivo$_get_vars\">$next_Recordset1</a>" : "$next_Recordset1";
    }
  }
  return array($firstArray,$pagesArray,$lastArray);
}
# BuildNav for Dreamweaver MX v0.2 ends here
?>
[/php]

// effigy table code actually starts here >>>>>>>>>>>

[php]
<?php
$maxRows_rsReport = 20;
$pageNum_rsReport = 0;
if (isset($HTTP_GET_VARS['pageNum_rsReport'])) {
  $pageNum_rsReport = $HTTP_GET_VARS['pageNum_rsReport'];
}
$startRow_rsReport = $pageNum_rsReport * $maxRows_rsReport;
mysql_select_db($database_connMDB, $connMDB);
$query_rsReport = "SELECT * FROM mdbTable WHERE mdbTable.username = '$username' ORDER BY AlbumArtist ASC";
$query_limit_rsReport = sprintf("%s LIMIT %d, %d", $query_rsReport, $startRow_rsReport, $maxRows_rsReport);
$rsReport = mysql_query($query_limit_rsReport, $connMDB) or die(mysql_error());
$row_rsReport = mysql_fetch_assoc($rsReport);
if (isset($HTTP_GET_VARS['totalRows_rsReport'])) {
  $totalRows_rsReport = $HTTP_GET_VARS['totalRows_rsReport'];
} else {
  $all_rsReport = mysql_query($query_rsReport);
  $totalRows_rsReport = mysql_num_rows($all_rsReport);
}
$totalPages_rsReport = ceil($totalRows_rsReport/$maxRows_rsReport)-1;
?>
<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>
<!-- <link rel="shortcut icon" href="favicon.ico" /> -->
<!-- InstanceBeginEditable name="doctitle" -->
<title>iCollectIt</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
</head>
<body topmargin="2">
<table width="95%" border="0">
<tr>
<td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>
<td width="527" align="left" valign="middle" nowrap>
<blockquote>
<p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare and Collectable <br> CD's, DVD's and Vinyl's</strong></font></p>
</blockquote></td>
<td width="11"> </td>
</tr>
<tr>
<td height="3" colspan="2" valign="top" bgcolor="#006699"></td>
<td> </td>
</tr>
<tr>
<td height="18" colspan="2" valign="top">
<div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>. . . . make us an offer we can't refuse</strong></font></em></div></td>
<td> </td>
</tr>
</table>
<!-- InstanceBeginEditable name="Body" -->
<table width="72%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="5" rowspan="5" valign="top"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdblogout.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Logout<br> </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbMemberReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Admin Report<br> <img src="../images/arrow-top.gif" width="19" height="10" border="0">Member Report <br> </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbGenreReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Genre List</a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbTypeReport.php"><br> <img src="../images/arrow-top.gif" width="19" height="10" border="0">Type List</a><a href="mdbGenreReport.php"></a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbadd.php"><br> <img src="../images/arrow-top.gif" width="19" height="10" border="0">Add Item</a></font></td>
<td> </td>
<td colspan="17"><div align="center"><font color="#990000" size="2" face="Arial, Helvetica, sans-serif"><strong>Admin Item Report / Update</strong></font></div></td>
<td> </td>
</tr>
<tr>
<td></td>
<td colspan="17" rowspan="2">
<?
if($_SESSION['user_level'] == 1){
  echo "<font face=\"Arial\" size=\"2\"> Members Item Report / Update<br> <a href=mdblogout.php>Logout</a><br /> <a href=mdbAdd.php>Add Items</a><br /> <a href=mdbMemberReport.php>Member Report</a><br /> <a href=report.php>Update Items / View Member Report</a><br /></font>";
}
if($_SESSION['user_level'] == 2){
  echo "<font face=\"Arial\" size=\"2\"> Admin Item Report / Update<br> <a href=mdblogout.php>Logout</a><br /> <a href=mdbadd.php>Add Item</a><br/> <a href=mdbadminReport.php>View Master Report</a><br /> <a href=report.php>Update Any Item</a><br /></font>";
}
?>
</td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td>
</tr>
<tr>
<td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td>
<td colspan="7"><div align="right"><strong><font size="2" face="Arial, Helvetica, sans-serif">Total of <?php echo min($startRow_rsReport + $maxRows_rsReport, $totalRows_rsReport) ?> / <?php echo $totalRows_rsReport ?> records</font></strong></div></td>
<td> </td>
</tr>
<tr>
<td nowrap> </td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font size="1" face="Arial, Helvetica, sans-serif"> </font><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Edit</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>User</strong></font> </td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>ID</strong></font></td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Number</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Artist</strong></font></td>
<td height="0" bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Title</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Genre</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Type</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Condition</strong></font></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Buy or Offer</strong></font></div></td>
<td bgcolor="#6666FF"> </td>
<td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>QTY</strong></font></div></td>
<td bgcolor="#6666FF"> </td>
</tr>
<?php do { ?>
<tr>
<td nowrap> </td>
<td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong>
<!-- HERE IS THE URL CODE !!! -->
<a href="mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $HTTP_SESSION_VARS['username']; ?>">Edit</a></strong></font></td>
<!-- HERE IS THE URL CODE !!! -->
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['username']; ?></font></td>
<td bgcolor=""> </td>
<td bgcolor="#FBFDEC"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumID']; ?></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td nowrap bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumCatalogNumber']; ?></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td nowrap bgcolor="#EAEAFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumArtist']; ?></font></td>
<td height="0" bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td nowrap bgcolor="#FFEAEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumName']; ?></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td nowrap bgcolor="#FFEFAE"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['Genre']; ?></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#FFFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['Type']; ?></font></td>
<td bgcolor="" ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#EAFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumCondition']; ?></font></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#FFF7EA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumPrice']; ?></font></div></td>
<td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
<td bgcolor="#F1FFEA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumQty']; ?></font></div></td>
<td> </td>
</tr>
<tr>
<td nowrap> </td>
<td height="0" colspan="22" ><div align="center"> <hr color='lightblue'> </div></td>
<td> </td>
</tr><div align="center">
<?php } while ($row_rsReport = mysql_fetch_assoc($rsReport)); ?>
<tr>
<td nowrap> </td>
<td height="0" colspan="22" >
<div align="center">
<?php
# variable declaration
$prev_rsReport = "« previous";
$next_rsReport = "next »";
$separator = " - ";
$max_links = 20;
$pages_navigation_rsReport = buildNavigation($pageNum_rsReport,$totalPages_rsReport,$prev_rsReport,$next_rsReport,$separator,$max_links,true);
print $pages_navigation_rsReport[0];
?>
<?php print $pages_navigation_rsReport[1]; ?>
<?php print $pages_navigation_rsReport[2]; ?>
</div></td>
<td> </td>
</tr>
</table>
<!-- InstanceEndEditable -->
<p> </p>
</body>
<!-- InstanceEnd --></html>
<?php mysql_free_result($rsReport); ?>
[/php]

Now the mdbedit.php.. sorry about the code:

[php]
<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
<?php require_once('../Connections/connMDB.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
$editFormAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
  $editFormAction .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
}
if ((isset($HTTP_POST_VARS["MM_update"])) && ($HTTP_POST_VARS["MM_update"] == "updateForm")) {
  $updateSQL = sprintf("UPDATE mdbTable SET AlbumCatalogNumber=%s, AlbumArtist=%s, AlbumName=%s, Genre=%s, AlbumLabel=%s, AlbumYearReleased=%s, Type=%s, AlbumTracks=%s, AlbumCountry=%s, AlbumCondition=%s, AlbumPrice=%s, AlbumNotes=%s, AlbumQty=%s, AlbumCoverURL=%s, AlbumCoverThumbnailURL=%s WHERE AlbumID=%s",
    GetSQLValueString($HTTP_POST_VARS['AlbumCatalogNumber'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumArtist'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumName'], "text"),
    GetSQLValueString($HTTP_POST_VARS['selectGenre'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumLabel'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumYearReleased'], "text"),
    GetSQLValueString($HTTP_POST_VARS['selectType'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumTracks'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumCountry'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumCondition'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumPrice'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumNotes'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumQty'], "int"),
    GetSQLValueString($HTTP_POST_VARS['AlbumCoverURL'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumCoverThumbnailURL'], "text"),
    GetSQLValueString($HTTP_POST_VARS['AlbumID'], "int"));
  mysql_select_db($database_connMDB, $connMDB);
  $Result1 = mysql_query($updateSQL, $connMDB) or die(mysql_error());
  $updateGoTo = "report.php";
  if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}
$colname_rsUpdate = "1";
if (isset($HTTP_GET_VARS['AlbumID'])) {
  $colname_rsUpdate = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['AlbumID'] : addslashes($HTTP_GET_VARS['AlbumID']);
}
mysql_select_db($database_connMDB, $connMDB);
$query_rsUpdate = sprintf("SELECT * FROM mdbTable WHERE AlbumID = %s", $colname_rsUpdate);
$rsUpdate = mysql_query($query_rsUpdate, $connMDB) or die(mysql_error());
$row_rsUpdate = mysql_fetch_assoc($rsUpdate);
$totalRows_rsUpdate = mysql_num_rows($rsUpdate);
mysql_select_db($database_connMDB, $connMDB);
$query_rsGenre = "SELECT * FROM mdbGenre";
$rsGenre = mysql_query($query_rsGenre, $connMDB) or die(mysql_error());
$row_rsGenre = mysql_fetch_assoc($rsGenre);
$totalRows_rsGenre = mysql_num_rows($rsGenre);
mysql_select_db($database_connMDB, $connMDB);
$query_rsType = "SELECT * FROM mdbType";
$rsType = mysql_query($query_rsType, $connMDB) or die(mysql_error());
$row_rsType = mysql_fetch_assoc($rsType);
$totalRows_rsType = mysql_num_rows($rsType);
?>
<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>
<!-- <link rel="shortcut icon" href="favicon.ico" /> -->
<!-- InstanceBeginEditable name="doctitle" -->
<title>iCollectIt</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
</head>
<body topmargin="2">
<table width="95%" border="0">
<tr>
<td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>
<td width="527" align="left" valign="middle" nowrap>
<blockquote>
<p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare and Collectable <br> CD's, DVD's and Vinyl's</strong></font></p>
</blockquote></td>
<td width="11"> </td>
</tr>
<tr>
<td height="3" colspan="2" valign="top" bgcolor="#006699"></td>
<td> </td>
</tr>
<tr>
<td height="18" colspan="2" valign="top">
<div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>. . . . make us an offer we can't refuse</strong></font></em></div></td>
<td> </td>
</tr>
</table>
<!-- InstanceBeginEditable name="Body" -->
<table width="97%" border="0" align="center">
<tr>
<td colspan="7">
<form action="<?php echo $editFormAction; ?>" method="post" name="updateForm" id="updateForm">
<div align="center">
<table width="398" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td bgcolor="#CCCCCC">
<table width="100%" border="0" cellspacing="1" cellpadding="2">
<tr bgcolor="#CCCCCC">
<td align="left" bgcolor="#ffe566"><div align="center"><b><font face="Arial" size="2"><b> U p d a t e / E d i t I t e m </b></font></b></div></td>
</tr>
<tr>
<td valign="top" bgcolor="#FFFFFF">
<div align="center">
<table align="center">
<tr valign="baseline">
<td width="117" align="right" nowrap bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif">Item ID:</font></td>
<td width="240" bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"> <?php echo $row_rsUpdate['AlbumID']; ?></font></td>
</tr>
<tr valign="baseline" bgcolor="#CCCCCC">
<td height="17" align="right" nowrap><font color="#999999" size="2" face="Arial, Helvetica, sans-serif">User Name:</font></td>
<td> <font color="#999999" size="2" face="Arial, Helvetica, sans-serif"> <?php echo $row_rsUpdate['username']; ?></font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Catalog Number:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumCatalogNumber" value="<?php echo $row_rsUpdate['AlbumCatalogNumber']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Artist:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumArtist" value="<?php echo $row_rsUpdate['AlbumArtist']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Name:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumName" value="<?php echo $row_rsUpdate['AlbumName']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Genre:</font></td>
<td> <font size="2" face="Arial, Helvetica, sans-serif">
<select name="selectGenre" id="select">
<?php do { ?>
<option value="<?php echo $row_rsGenre['Genre']?>"<?php if (!(strcmp($row_rsGenre['Genre'], $row_rsUpdate['Genre']))) {echo "SELECTED";} ?>><?php echo $row_rsGenre['Genre']?></option>
<?php
} while ($row_rsGenre = mysql_fetch_assoc($rsGenre));
$rows = mysql_num_rows($rsGenre);
if($rows > 0) {
  mysql_data_seek($rsGenre, 0);
  $row_rsGenre = mysql_fetch_assoc($rsGenre);
}
?>
</select>
</font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Label:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumLabel" value="<?php echo $row_rsUpdate['AlbumLabel']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Year Released:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumYearReleased" value="<?php echo $row_rsUpdate['AlbumYearReleased']; ?>" size="10"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Type:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif">
<select name="selectType" id="select2">
<?php do { ?>
<option value="<?php echo $row_rsType['Type']?>"<?php if (!(strcmp($row_rsType['Type'], $row_rsUpdate['Type']))) {echo "SELECTED";} ?>><?php echo $row_rsType['Type']?></option>
<?php
} while ($row_rsType = mysql_fetch_assoc($rsType));
$rows = mysql_num_rows($rsType);
if($rows > 0) {
  mysql_data_seek($rsType, 0);
  $row_rsType = mysql_fetch_assoc($rsType);
}
?>
</select>
</font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Tracks:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumTracks" value="<?php echo $row_rsUpdate['AlbumTracks']; ?>" size="2"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif"> Country of Origin:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumCountry" value="<?php echo $row_rsUpdate['AlbumCountry']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Condition:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumCondition" value="<?php echo $row_rsUpdate['AlbumCondition']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Price:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumPrice" value="<?php echo $row_rsUpdate['AlbumPrice']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Notes:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <textarea name="AlbumNotes" cols="32"><?php echo $row_rsUpdate['AlbumNotes']; ?></textarea> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Qty:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumQty" value="<?php echo $row_rsUpdate['AlbumQty']; ?>" size="2"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Image URL:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumCoverURL" value="<?php echo $row_rsUpdate['AlbumCoverURL']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item Thumbnail URL:</font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="text" name="AlbumCoverThumbnailURL" value="<?php echo $row_rsUpdate['AlbumCoverThumbnailURL']; ?>" size="32"> </font></td>
</tr>
<tr valign="baseline" bgcolor="#FFFFEC">
<td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif"> </font></td>
<td><font size="2" face="Arial, Helvetica, sans-serif"> <input type="reset" name="Reset" value="Undo Changes"> <input name="submit" type="submit" value="Update Item"> </font></td>
</tr>
&nbs
[/php]
pallevillesen Posted June 20, 2003

You're not restoring the session in the mdbedit.php page... But I don't get it: if you're using sessions, why not just keep the username from the session, and forget about GETting it or POSTing the username... Otherwise you should get the cd owner's username back from SQL as well, do the check in PHP (against $_SESSION['username']) and output an error message like "Not your cd!"... My 5 cents. (And I would recommend using POST in all places anyway, just for making the URLs nicer... if your system has a login anyway, it won't be usable to have GET variables (they won't be bookmarkable, unless you're in a session).

P.
oavs (Author) Posted June 20, 2003

Thanks Palle, thanks for your time to look at it. As I have said, I am a novice; however, I have come this far in a week. There is a lot I still do not know. Can you please give some examples of how you would restore the session in the mdbedit.php page... As for

> Otherwise you should get the cd owner's username back from SQL as well, do the check in PHP (against $_SESSION['username']) and output an error message like "Not your cd!"...

..you are right. I do have concerns about this. How should I code this page so that if you change AlbumID=174 to, say, AlbumID=172 you will get an error message like "Not your cd!"... Although I am using them with DWMX, sessions are still a mystery to me. Thank you again
pallevillesen Posted June 20, 2003

Edited mdbedit.php:

[php]
<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
[/php]

# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

[php]
<?php require_once('../Connections/connMDB.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
  switch ($theType) {
    case "text":
[/php]

P.
oavs (Author) Posted June 20, 2003

Thanks again Palle. OK, I get this, but

[php]
<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
[/php]

# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

[php]
<?php require_once('../Connections/connMDB.php'); ?>
[/php]

and thank you for the explanation. But what is this: $theValue / $theDefinedValue / $theNotDefinedValue and case "text":? Should I be changing any of these or add anything? Or is that it?
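The check pallevillesen describes above (restore the session, read the item's owner back from SQL, compare it against the session user, and refuse with "Not your cd!") written out for the top of mdbedit.php; this is an added example, not code from any post in the thread. It assumes the thread's own names (mdbTable with AlbumID and username columns, the session keys username and user_level with 2 meaning admin as report.php uses them, and $connMDB / $database_connMDB from connMDB.php) and a hypothetical login page called mdblogin.php.

```php
<?php
// Added example for the thread, not code from the original posts.
// Top of mdbedit.php: decide who may open and update an item by comparing the
// row's owner (read from the database) with the logged-in session user, so a
// changed AlbumID in the URL no longer exposes another member's record.
// Assumptions: mdbTable has AlbumID and username columns; the login page put
// 'username' and 'user_level' (2 = admin) into the session; connMDB.php
// provides $connMDB and $database_connMDB; mdblogin.php is a hypothetical
// login page name.
session_start();                                  // restore the session first
require_once('../Connections/connMDB.php');

// Quote a submitted text value for SQL the way the thread's
// GetSQLValueString() does, allowing for magic_quotes_gpc on PHP 4.
function sqlText($value)
{
    $value = get_magic_quotes_gpc() ? $value : addslashes($value);
    return "'" . $value . "'";
}

// The only trusted identity is the one stored at login. Nothing from the URL
// or the POST body is used to decide who the caller is.
if (!isset($_SESSION['username'])) {
    header('Location: mdblogin.php');             // assumed login page
    exit;
}
$username = $_SESSION['username'];
$isAdmin  = isset($_SESSION['user_level']) && $_SESSION['user_level'] == 2;

// AlbumID is a number, so cast it. addslashes() alone does not make an
// unquoted number safe inside SQL.
$albumId = isset($_GET['AlbumID']) ? intval($_GET['AlbumID']) : 0;
if ($albumId <= 0) {
    exit('No item selected.');
}

// Load the row including its owner, so the check is made against the database
// rather than against anything the client sent along with the request.
mysql_select_db($database_connMDB, $connMDB);
$query_rsUpdate = sprintf("SELECT * FROM mdbTable WHERE AlbumID = %d", $albumId);
$rsUpdate = mysql_query($query_rsUpdate, $connMDB) or die(mysql_error());
$row_rsUpdate = mysql_fetch_assoc($rsUpdate);
if (!$row_rsUpdate) {
    exit('No such item.');
}

// The ownership check: members may only open their own rows, admins any row.
if (!$isAdmin && $row_rsUpdate['username'] !== $username) {
    exit('Not your cd!');
}

// On submit, repeat the restriction in the UPDATE's WHERE clause so the
// statement can never touch a row the caller was not allowed to open.
// Only AlbumName is updated here; the real form sets every column.
if (isset($_POST['MM_update']) && $_POST['MM_update'] == 'updateForm') {
    $ownerClause = $isAdmin ? '' : " AND username = '" . addslashes($username) . "'";
    $updateSQL = sprintf("UPDATE mdbTable SET AlbumName = %s WHERE AlbumID = %d%s",
                         sqlText($_POST['AlbumName']), $albumId, $ownerClause);
    mysql_query($updateSQL, $connMDB) or die(mysql_error());
    header('Location: report.php');
    exit;
}
// The edit form follows here and fills its fields from $row_rsUpdate as before.
?>
```

With this in place the &username= parameter on the edit link is no longer needed, and report.php can keep its existing query since it already filters on the session user's name.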