Blocking unauthorised users who attempt access via browser URLs


11 replies to this topic

#1 oavs
  • Members
  • Advanced Member
  • 56 posts
  • Location: Downunder

Posted 19 June 2003 - 04:20 AM

Hi,

I have a similar problem to the one posted earlier by 'deki'. Displaying an editable page as per the current user (by sessions) is fine.

There is a menu item where the user lists his total records. On that total record display page, there is an edit link per item listed. Clicking the 'edit' link takes you to the update record page.

The update page is shared by multi-level users, such as Members and Admin, depending on their initial login level.

The problem is that at the top of the Update page the browser's URL has

http://www.oavs.com....2&username=jack.

Now anyone can go and change the AlbumId= value in the URL to any value to access other users' records, without even removing the rest of the stuff (&username=jack), AND EDIT!!

All I want is that when the member logs on and starts editing, he/she cannot edit any records but his/hers, even if they change the URL.

In other words:
the logged-in user must be the current user, equal to the session user, who can only access the current user's records in MySQL.

How can you do this? Can someone please help?



Here is the code for the 'edit' link:

<?php do { ?>
  <tr>
    <td nowrap>&nbsp;</td>
    <td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>
    <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong>
      <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $row_rsReport['username']; ?>">Edit</a></strong></font></td>
    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>
    <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['username']; ?></font></td>


#2 effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 19 June 2003 - 05:04 AM

[code]
<?php
// at the top of mdbedit.php
if ( $_GET['username'] != $_SESSION['username'] )
{ exit; }
?>
[/code]
Regexp | Unicode Article | Letter Database
/\A(e)?((1)?ff(?:(?:ig)?y)?|f(?:ig)?)\z/

#3 oavs
  • Members
  • Advanced Member
  • 56 posts
  • Location: Downunder

Posted 19 June 2003 - 05:54 AM

Thanks, but it had no effect. The code is now there in use.

URL
http://www.oavs.com....D=171&jack=jack

can be easily changed to this, and the record can be seen and edited.

URL
http://www.oavs.com.au/membership/mdbedit.php?AlbumID=174&jack=jack

Interestingly, AlbumID=174 belongs to fred, NOT jack, but it still displays it correctly.

I've noticed you suggested $_GET['username'], but all my code has POST, and my server is MySQL version 3.23.56 with PHP 4.3.2.

#4 effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 19 June 2003 - 10:55 PM

$_GET refers to the information supplied in the URL.

Try this:

[code]
<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
[/code]

#5 oavs
  • Members
  • Advanced Member
  • 56 posts
  • Location: Downunder

Posted 20 June 2003 - 12:19 AM

Thanks for looking into this.

Now I get a blank page.

If it helps, for your info:

The 'edit' link has a URL parameter in the page called report.php, which then calls the mdbedit.php page (which now has your new code at the top of the page):
mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $HTTP_SESSION_VARS['username']; ?>

I have also tried without success:
mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>

#6 oavs
  • Members
  • Advanced Member
  • 56 posts
  • Location: Downunder

Posted 20 June 2003 - 12:29 AM

Recently I've received further suggestions for my problem. Although I would not know how to implement these since I am a newbie, they might give you alternative ideas. Here they are:

First off, try using POST instead of GET in your form. This way, the
parameters are not passed in the URL. Instead, they are passed in the body
of the message. Furthermore, use an IF...THEN clause.

Mintyman

..and

Somewhere at the top, work out this pseudo code:

// $editables = the AlbumIDs this user may edit; stop unless the requested one is among them
if (!in_array($Albumid, $editables)) { exit; }

Get the idea?



#7 effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 20 June 2003 - 03:40 AM

POST would be better; however, if there is too much code to change, what I had posted previously should work. I will explain it further:

First off, keep in mind I am using a simple exit; so no custom error messages will display, you will just get the blank page.

This code would work fine:
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
but you changed the URL by taking out the &username= portion.

So, I backed that up by adding this line before it:
if ( !isset($_GET['username']) ) { exit; }
which states: if the &username= parameter is left out of the URL, stop the page.

Try changing the exit into a custom error message to your liking, then use this URL:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=171&jack=jack and you should get the error message.

Now try using the original URL:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=172&username=jack and it should work.

Let me know how this turns out. :shock:
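The checks in this thread only compare the username parameter with the session, so a changed AlbumID still reaches another member's row (the AlbumID=174 case reported above). As an added example, not code from the thread, here is the top of mdbedit.php rewritten so that the ownership test is part of the SELECT and the UPDATE themselves; it assumes PHP 7.1+ with PDO (the mysql_* functions used in 2003 no longer exist), that connMDB.php defines $database_connMDB, that user_level 2 is the admin level as in report.php, and uses placeholders for the DB credentials and the login page name.

```php
<?php
// Added example (not from the thread): authorisation built into the queries.
// Assumptions: PHP 7.1+ with PDO; connMDB.php defines $database_connMDB;
// DB host/credentials and mdblogin.php are placeholders; user_level 2 = admin.
session_start();                        // the posted mdbedit.php never calls this
require_once '../Connections/connMDB.php';

$pdo = new PDO("mysql:host=localhost;dbname=$database_connMDB;charset=utf8mb4",
               'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Form field name => column name (the form posts selectGenre/selectType).
const EDITABLE_FIELDS = [
    'AlbumCatalogNumber' => 'AlbumCatalogNumber', 'AlbumArtist' => 'AlbumArtist',
    'AlbumName' => 'AlbumName', 'selectGenre' => 'Genre', 'AlbumLabel' => 'AlbumLabel',
    'AlbumYearReleased' => 'AlbumYearReleased', 'selectType' => 'Type',
    'AlbumTracks' => 'AlbumTracks', 'AlbumCountry' => 'AlbumCountry',
    'AlbumCondition' => 'AlbumCondition', 'AlbumPrice' => 'AlbumPrice',
    'AlbumNotes' => 'AlbumNotes', 'AlbumQty' => 'AlbumQty',
    'AlbumCoverURL' => 'AlbumCoverURL', 'AlbumCoverThumbnailURL' => 'AlbumCoverThumbnailURL',
];

/** Returns the record if $user may edit it (owner, or admin), otherwise null. */
function loadOwnedAlbum(PDO $pdo, int $albumId, string $user, bool $isAdmin): ?array
{
    $sql    = 'SELECT * FROM mdbTable WHERE AlbumID = ?';
    $params = [$albumId];
    if (!$isAdmin) {
        $sql     .= ' AND username = ?';   // the ownership rule lives in the query
        $params[] = $user;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Updates only whitelisted columns, and only on a row $user may edit. */
function updateOwnedAlbum(PDO $pdo, int $albumId, string $user, bool $isAdmin, array $post): bool
{
    $set = $params = [];
    foreach (EDITABLE_FIELDS as $field => $column) {
        if (array_key_exists($field, $post)) {
            $set[]    = "$column = ?";     // column names come from the map, never from input
            $params[] = $post[$field];
        }
    }
    if ($set === []) {
        return false;
    }
    $sql      = 'UPDATE mdbTable SET ' . implode(', ', $set) . ' WHERE AlbumID = ?';
    $params[] = $albumId;
    if (!$isAdmin) {
        $sql     .= ' AND username = ?';   // same rule on the write path
        $params[] = $user;
    }
    return $pdo->prepare($sql)->execute($params);
}

if (empty($_SESSION['username'])) {
    header('Location: mdblogin.php');     // placeholder login page
    exit;
}
$user    = $_SESSION['username'];
$isAdmin = (int)($_SESSION['user_level'] ?? 0) === 2;

// The AlbumID comes from the URL only; a tampered hidden form field is ignored.
$albumId = filter_input(INPUT_GET, 'AlbumID', FILTER_VALIDATE_INT);
if ($albumId === null || $albumId === false) {
    http_response_code(400);
    exit('Missing or invalid AlbumID');
}

// Authorisation check on every request, before anything is read or written.
$row_rsUpdate = loadOwnedAlbum($pdo, $albumId, $user, $isAdmin);
if ($row_rsUpdate === null) {
    http_response_code(403);
    exit('You may only edit your own items');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['MM_update'] ?? '') === 'updateForm') {
    updateOwnedAlbum($pdo, $albumId, $user, $isAdmin, $_POST);
    header('Location: report.php');
    exit;
}
// ... the existing edit form follows, rendering $row_rsUpdate as before
```

Because the username test sits in the WHERE clause of both statements, a request for someone else's AlbumID matches no row and is refused before the form is shown or the update runs.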

#8 oavs
  • Members
  • Advanced Member
  • 56 posts
  • Location: Downunder

Posted 20 June 2003 - 05:20 AM

Still no good. I must be doing something??

I have tried (WITH and WITHOUT the first line):
<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>

This takes me to the page fine. Still, I can replace 175 with 174 and access other users' records.
>> http://www.oavs.com....D=175&jack=jack and you should get the error message.

>> now try using the original url:

>> http://www.oavs.com....2&username=jack and it should work
This does not work if I have both of your lines in your code.

This time here is the total code for the page report.php (report.php has the edit link to call mdbedit.php):
<?php require_once('../Connections/connMDB.php'); ?><?php session_start();?><?php
#	BuildNav for Dreamweaver MX v0.2 starts here
#              10-02-2002
#	Alessandro Crugnola [TMM]
#	sephiroth: alessandro@sephiroth.it
#	http://www.sephiroth.it
#
#	Function for navigation build ::
function buildNavigation($pageNum_Recordset1,$totalPages_Recordset1,$prev_Recordset1,$next_Recordset1,$separator=" | ",$max_links=10, $show_page=true){
	GLOBAL $maxRows_rsReport,$totalRows_rsReport;
	$pagesArray = ""; $firstArray = ""; $lastArray = "";
	if($max_links<2)$max_links=2;
	if($pageNum_Recordset1<=$totalPages_Recordset1 && $pageNum_Recordset1>=0)
	{
		if ($pageNum_Recordset1 > ceil($max_links/2))
		{
			$fgp = $pageNum_Recordset1 - ceil($max_links/2) > 0 ? $pageNum_Recordset1 - ceil($max_links/2) : 1;
			$egp = $pageNum_Recordset1 + ceil($max_links/2);
			if ($egp >= $totalPages_Recordset1)
			{
				$egp = $totalPages_Recordset1+1;
				$fgp = $totalPages_Recordset1 - ($max_links-1) > 0 ? $totalPages_Recordset1 - ($max_links-1) : 1;
			}
		}
		else {
			$fgp = 0;
			$egp = $totalPages_Recordset1 >= $max_links ? $max_links : $totalPages_Recordset1+1;
		}
		if($totalPages_Recordset1 >= 1) {
			#	------------------------
			#	Searching for $_GET vars
			#	------------------------
			$_get_vars = '';

			if(!empty($_GET) || !empty($HTTP_GET_VARS)){
				$_GET = empty($_GET) ? $HTTP_GET_VARS : $_GET;
				foreach ($_GET as $_get_name => $_get_value) {
					if ($_get_name != "pageNum_rsReport") {
						$_get_vars .= "&$_get_name=$_get_value";
					}
				}
			}
			$successivo = $pageNum_Recordset1+1;
			$precedente = $pageNum_Recordset1-1;
			$firstArray = ($pageNum_Recordset1 > 0) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$precedente$_get_vars\">$prev_Recordset1</a>" : "$prev_Recordset1";
			# ----------------------
			# page numbers
			# ----------------------
			for($a = $fgp+1; $a <= $egp; $a++){
				$theNext = $a-1;
				if($show_page)
				{
					$textLink = $a;
				} else {
					$min_l = (($a-1)*$maxRows_rsReport) + 1;
					$max_l = ($a*$maxRows_rsReport >= $totalRows_rsReport) ? $totalRows_rsReport : ($a*$maxRows_rsReport);
					$textLink = "$min_l - $max_l";
				}
				$_ss_k = floor($theNext/26);
				if ($theNext != $pageNum_Recordset1)
				{
					$pagesArray .= "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$theNext$_get_vars\">";
					$pagesArray .= "$textLink</a>" . ($theNext < $egp-1 ? $separator : "");
				} else {
					$pagesArray .= "$textLink" . ($theNext < $egp-1 ? $separator : "");
				}
			}
			$theNext = $pageNum_Recordset1+1;
			$offset_end = $totalPages_Recordset1;
			$lastArray = ($pageNum_Recordset1 < $totalPages_Recordset1) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$successivo$_get_vars\">$next_Recordset1</a>" : "$next_Recordset1";
		}
	}
	return array($firstArray,$pagesArray,$lastArray);
}
#	BuildNav for Dreamweaver MX v0.2  ends here
?>
// effigy table code actually starts here >>>>>>>>>>>
<?php
$maxRows_rsReport = 20;
$pageNum_rsReport = 0;
if (isset($HTTP_GET_VARS['pageNum_rsReport'])) {
  $pageNum_rsReport = $HTTP_GET_VARS['pageNum_rsReport'];
}
$startRow_rsReport = $pageNum_rsReport * $maxRows_rsReport;

mysql_select_db($database_connMDB, $connMDB);
// $username is not assigned anywhere on this page (presumably a register_globals session variable)
$query_rsReport = "SELECT * FROM mdbTable WHERE mdbTable.username = '$username' ORDER BY AlbumArtist ASC";
$query_limit_rsReport = sprintf("%s LIMIT %d, %d", $query_rsReport, $startRow_rsReport, $maxRows_rsReport);
$rsReport = mysql_query($query_limit_rsReport, $connMDB) or die(mysql_error());
$row_rsReport = mysql_fetch_assoc($rsReport);

if (isset($HTTP_GET_VARS['totalRows_rsReport'])) {
  $totalRows_rsReport = $HTTP_GET_VARS['totalRows_rsReport'];
} else {
  $all_rsReport = mysql_query($query_rsReport);
  $totalRows_rsReport = mysql_num_rows($all_rsReport);
}
$totalPages_rsReport = ceil($totalRows_rsReport/$maxRows_rsReport)-1;
?>
<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>
<!-- <link rel="shortcut icon" href="favicon.ico" /> -->
<!-- InstanceBeginEditable name="doctitle" --><title>iCollectIt</title><!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->
</head>
<body topmargin="2">
<table width="95%" border="0">
  <tr>
    <td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>
    <td width="527" align="left" valign="middle" nowrap> <blockquote>
        <p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare and Collectable <br>
          CD's, DVD's and Vinyl's</strong></font></p>
      </blockquote></td>
    <td width="11">&nbsp;</td>
  </tr>
  <tr>
    <td height="3" colspan="2" valign="top" bgcolor="#006699"></td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>. . . .
make us an offer we can\'t refuse</strong></font></em></div></td>    <td>&nbsp;</td>  </tr></table><!-- InstanceBeginEditable name="Body" --> <table width="72%" border="0" align="center" cellpadding="0" cellspacing="0">  <tr>     <td colspan="5" rowspan="5" valign="top"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdblogout.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Logout<br>      </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbMemberReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Admin       Report<br>      <img src="../images/arrow-top.gif" width="19" height="10" border="0">Member       Report <br>      </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbGenreReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Genre       List</a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbTypeReport.php"><br>      <img src="../images/arrow-top.gif" width="19" height="10" border="0">Type       List</a><a href="mdbGenreReport.php"></a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbadd.php"><br>      <img src="../images/arrow-top.gif" width="19" height="10" border="0">Add       Item</a></font></td>    <td>&nbsp;</td>    <td colspan="17"><div align="center"><font color="#990000" size="2" face="Arial, Helvetica, sans-serif"><strong>Admin         Item Report / Update</strong></font></div></td>    <td>&nbsp;</td>  </tr>  <tr>     <td></td>    <td colspan="17" rowspan="2"><?if($_SESSION[\'user_level\'] == 1){	echo "<font face="Arial" size="2"> Members Item Report / Update<br><a href=mdblogout.php>Logout</a><br /><a href=mdbAdd.php>Add Items</a><br /><a href=mdbMemberReport.php>Member Report</a><br /><a href=report.php>Update Items / View Member Report</a><br /></font>";}if($_SESSION[\'user_level\'] == 2){	
echo "<font face="Arial" size="2"> Admin Item Report / Update<br><a href=mdblogout.php>Logout</a><br /><a href=mdbadd.php>Add Item</a><br/><a href=mdbadminReport.php>View Master Report</a><br /><a href=report.php>Update Any Item</a><br /></font>";}?>	</td>    <td>&nbsp;</td>  </tr>  <tr>     <td>&nbsp;</td>    <td>&nbsp;</td>  </tr>  <tr>     <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>  </tr>  <tr>     <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td>&nbsp;</td>    <td colspan="7"><div align="right"><strong><font size="2" face="Arial, Helvetica, sans-serif">Total         of <?php echo min($startRow_rsReport + $maxRows_rsReport, $totalRows_rsReport) ?>&nbsp;/&nbsp; <?php echo $totalRows_rsReport ?> records</font></strong></div></td>    <td>&nbsp;</td>  </tr>  <tr>     <td nowrap> </td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font size="1" face="Arial, Helvetica, sans-serif">&nbsp;</font><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Edit</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>User</strong></font>     </td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>ID</strong></font></td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, 
Helvetica, sans-serif"><strong>Number</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Artist</strong></font></td>    <td height="0" bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Title</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Genre</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Type</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Condition</strong></font></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Buy         or Offer</strong></font></div></td>    <td bgcolor="#6666FF">&nbsp;</td>    <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>QTY</strong></font></div></td>    <td bgcolor="#6666FF">&nbsp;</td>  </tr>  <?php do { ?>  <tr>     <td nowrap>&nbsp;</td>    <td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong> <!-- HERE IS THE URL CODE !!! ->      <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport[\'AlbumID\']; ?>&username=<?php echo $HTTP_SESSION_VARS[\'username\']; ?>">Edit</a></strong></font></td><!-- HERE IS THE URL CODE !!! 
->    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'username\']; ?></font></td>    <td bgcolor="">&nbsp;</td>    <td bgcolor="#FBFDEC"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumID\']; ?></font></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td nowrap bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumCatalogNumber\']; ?></font></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td nowrap bgcolor="#EAEAFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumArtist\']; ?></font></td>    <td height="0" bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td nowrap bgcolor="#FFEAEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumName\']; ?></font></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td nowrap bgcolor="#FFEFAE"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'Genre\']; ?></font></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#FFFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'Type\']; ?></font></td>    <td bgcolor="" ><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#EAFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumCondition\']; ?></font></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td 
bgcolor="#FFF7EA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumPrice\']; ?></font></div></td>    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif">&nbsp;</font></td>    <td bgcolor="#F1FFEA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport[\'AlbumQty\']; ?></font></div></td>    <td>&nbsp;</td>  </tr>  <tr>     <td nowrap>&nbsp;</td>    <td height="0" colspan="22" ><div align="center">         <hr color=\'lightblue\'>      </div></td>    <td>&nbsp;</td>  </tr><div align="center">  <?php } while ($row_rsReport = mysql_fetch_assoc($rsReport)); ?>  <tr>     <td nowrap>&nbsp;</td>    <td height="0" colspan="22" > <div align="center">         <?php # variable declaration$prev_rsReport = "« previous";$next_rsReport = "next »";$separator = " - ";$max_links = 20;$pages_navigation_rsReport = buildNavigation($pageNum_rsReport,$totalPages_rsReport,$prev_rsReport,$next_rsReport,$separator,$max_links,true); print $pages_navigation_rsReport[0]; ?>        <?php print $pages_navigation_rsReport[1]; ?> <?php print $pages_navigation_rsReport[2]; ?>       </div></td>    <td>&nbsp;</td>  </tr></table><!-- InstanceEndEditable --><p>&nbsp;</p></body><!-- InstanceEnd --></html><?phpmysql_free_result($rsReport);?>
Now the mdbedit.php.. sorry about the code :cry:
[code]
<?php
// at the top of mdbedit.php
session_start(); // was missing: without it $_SESSION['username'] is never set on this page, so the check below always exits (the blank page)
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>
<?php require_once('../Connections/connMDB.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
  $editFormAction .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
}

if ((isset($HTTP_POST_VARS["MM_update"])) && ($HTTP_POST_VARS["MM_update"] == "updateForm")) {
  // The WHERE clause uses only the posted AlbumID; nothing ties the row to the logged-in user
  $updateSQL = sprintf("UPDATE mdbTable SET AlbumCatalogNumber=%s, AlbumArtist=%s, AlbumName=%s, Genre=%s, AlbumLabel=%s, AlbumYearReleased=%s, Type=%s, AlbumTracks=%s, AlbumCountry=%s, AlbumCondition=%s, AlbumPrice=%s, AlbumNotes=%s, AlbumQty=%s, AlbumCoverURL=%s, AlbumCoverThumbnailURL=%s WHERE AlbumID=%s",
                       GetSQLValueString($HTTP_POST_VARS['AlbumCatalogNumber'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumArtist'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumName'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['selectGenre'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumLabel'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumYearReleased'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['selectType'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumTracks'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCountry'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCondition'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumPrice'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumNotes'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumQty'], "int"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCoverURL'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCoverThumbnailURL'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumID'], "int"));

  mysql_select_db($database_connMDB, $connMDB);
  $Result1 = mysql_query($updateSQL, $connMDB) or die(mysql_error());

  $updateGoTo = "report.php";
  if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

$colname_rsUpdate = "1";
if (isset($HTTP_GET_VARS['AlbumID'])) {
  $colname_rsUpdate = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['AlbumID'] : addslashes($HTTP_GET_VARS['AlbumID']);
}
mysql_select_db($database_connMDB, $connMDB);
// The record is looked up by AlbumID alone, so whatever AlbumID is typed into the URL is displayed
$query_rsUpdate = sprintf("SELECT * FROM mdbTable WHERE AlbumID = %s", $colname_rsUpdate);
$rsUpdate = mysql_query($query_rsUpdate, $connMDB) or die(mysql_error());
$row_rsUpdate = mysql_fetch_assoc($rsUpdate);
$totalRows_rsUpdate = mysql_num_rows($rsUpdate);

mysql_select_db($database_connMDB, $connMDB);
$query_rsGenre = "SELECT * FROM mdbGenre";
$rsGenre = mysql_query($query_rsGenre, $connMDB) or die(mysql_error());
$row_rsGenre = mysql_fetch_assoc($rsGenre);
$totalRows_rsGenre = mysql_num_rows($rsGenre);

mysql_select_db($database_connMDB, $connMDB);
$query_rsType = "SELECT * FROM mdbType";
$rsType = mysql_query($query_rsType, $connMDB) or die(mysql_error());
$row_rsType = mysql_fetch_assoc($rsType);
$totalRows_rsType = mysql_num_rows($rsType);
?>

<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>

<!-- <link rel="shortcut icon" href="favicon.ico" /> -->

<!-- InstanceBeginEditable name="doctitle" -->

<title>iCollectIt</title>

<!-- InstanceEndEditable -->



<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<!-- InstanceBeginEditable name="head" -->

<!-- InstanceEndEditable -->

</head>



<body topmargin="2">



<table width="95%" border="0">

 <tr>

   <td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>

   <td width="527" align="left" valign="middle" nowrap> <blockquote>

       <p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare

         and Collectable <br>

         CD\'s, DVD\'s and Vinyl\'s</strong></font></p>

     </blockquote></td>

   <td width="11">&nbsp;</td>

 </tr>

 <tr>

   <td height="3" colspan="2" valign="top" bgcolor="#006699"></td>

   <td>&nbsp;</td>

 </tr>

 <tr>

   <td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>.

       . . . make us an offer we can\'t refuse</strong></font></em></div></td>

   <td>&nbsp;</td>

 </tr>

</table>

<!-- InstanceBeginEditable name="Body" -->

<table width="97%" border="0" align="center">

 <tr>

   <td colspan="7">

 

     <form action="<?php echo $editFormAction; ?>" method="post" name="updateForm" id="updateForm">

       <div align="center">

         <table width="398" border="0" cellspacing="0" cellpadding="0" align="center">

           <tr>

             <td bgcolor="#CCCCCC"> <table width="100%" border="0" cellspacing="1" cellpadding="2">

                 <tr bgcolor="#CCCCCC">

                   <td align="left" bgcolor="#ffe566"><div align="center"><b><font face="Arial" size="2"><b>&nbsp;U

                       p d a t e / &nbsp;E d i t &nbsp;&nbsp;&nbsp;I t e m </b></font></b></div></td>

                 </tr>

                 <tr>

                   <td valign="top" bgcolor="#FFFFFF"> <div align="center">

                       <table align="center">

                         <tr valign="baseline">

                           <td width="117" align="right" nowrap bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif">Item

                             ID:</font></td>

                           <td width="240" bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif">&nbsp;<?php echo $row_rsUpdate[\'AlbumID\']; ?></font></td>

                         </tr>

                         <tr valign="baseline" bgcolor="#CCCCCC">

                           <td height="17" align="right" nowrap><font color="#999999" size="2" face="Arial, Helvetica, sans-serif">User

                             Name:</font></td>

                           <td> <font color="#999999" size="2" face="Arial, Helvetica, sans-serif">

                             &nbsp;<?php echo $row_rsUpdate[\'username\']; ?></font></td>

                         </tr>

                         <tr valign="baseline" bgcolor="#FFFFEC">

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Catalog

                             Number:</font></td>

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

                             <input type="text" name="AlbumCatalogNumber" value="<?php echo $row_rsUpdate[\'AlbumCatalogNumber\']; ?>" size="32">

                             </font></td>

                         </tr>

                         <tr valign="baseline" bgcolor="#FFFFEC">

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

                             Artist:</font></td>

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

                             <input type="text" name="AlbumArtist" value="<?php echo $row_rsUpdate[\'AlbumArtist\']; ?>" size="32">

                             </font></td>

                         </tr>

                         <tr valign="baseline" bgcolor="#FFFFEC">

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

                             Name:</font></td>

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

                             <input type="text" name="AlbumName" value="<?php echo $row_rsUpdate[\'AlbumName\']; ?>" size="32">

                             </font></td>

                         </tr>

                         <tr valign="baseline" bgcolor="#FFFFEC">

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Genre:</font></td>

            <td> <font size="2" face="Arial, Helvetica, sans-serif">
              <select name="selectGenre" id="select">
                <?php
do {
?>
                <option value="<?php echo $row_rsGenre['Genre']?>"<?php if (!(strcmp($row_rsGenre['Genre'], $row_rsUpdate['Genre']))) {echo "SELECTED";} ?>><?php echo $row_rsGenre['Genre']?></option>
                <?php
} while ($row_rsGenre = mysql_fetch_assoc($rsGenre));
  $rows = mysql_num_rows($rsGenre);
  if($rows > 0) {
      mysql_data_seek($rsGenre, 0);
      $row_rsGenre = mysql_fetch_assoc($rsGenre);
  }
?>
              </select>
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
              Label:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumLabel" value="<?php echo $row_rsUpdate['AlbumLabel']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Year
              Released:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumYearReleased" value="<?php echo $row_rsUpdate['AlbumYearReleased']; ?>" size="10">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Type:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <select name="selectType" id="select2">
                <?php
do {
?>
                <option value="<?php echo $row_rsType['Type']?>"<?php if (!(strcmp($row_rsType['Type'], $row_rsUpdate['Type']))) {echo "SELECTED";} ?>><?php echo $row_rsType['Type']?></option>
                <?php
} while ($row_rsType = mysql_fetch_assoc($rsType));
  $rows = mysql_num_rows($rsType);
  if($rows > 0) {
      mysql_data_seek($rsType, 0);
      $row_rsType = mysql_fetch_assoc($rsType);
  }
?>
              </select>
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Tracks:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumTracks" value="<?php echo $row_rsUpdate['AlbumTracks']; ?>" size="2">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">
              Country of Origin:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumCountry" value="<?php echo $row_rsUpdate['AlbumCountry']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Condition:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumCondition" value="<?php echo $row_rsUpdate['AlbumCondition']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Price:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumPrice" value="<?php echo $row_rsUpdate['AlbumPrice']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
              Notes:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <textarea name="AlbumNotes" cols="32"><?php echo $row_rsUpdate['AlbumNotes']; ?></textarea>
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Qty:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumQty" value="<?php echo $row_rsUpdate['AlbumQty']; ?>" size="2">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
              Image URL:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumCoverURL" value="<?php echo $row_rsUpdate['AlbumCoverURL']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
              Thumbnail URL:</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="text" name="AlbumCoverThumbnailURL" value="<?php echo $row_rsUpdate['AlbumCoverThumbnailURL']; ?>" size="32">
              </font></td>
          </tr>
          <tr valign="baseline" bgcolor="#FFFFEC">
            <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">&nbsp;</font></td>
            <td><font size="2" face="Arial, Helvetica, sans-serif">
              <input type="reset" name="Reset" value="Undo Changes">
              <input name="submit" type="submit" value="Update Item">
              </font></td>
          </tr>
      &nbs

#9 pallevillesen

pallevillesen
  • Members
  • PipPipPip
  • Advanced Member
  • 135 posts
  • LocationDenmark

Posted 20 June 2003 - 08:42 AM

You're not restoring the session in the mdbedit.php page...

But I don't get it: if you're using sessions, why not just keep the username from the session, and forget about GETting it or POSTing the username...

Otherwise you should get the CD owner's username back from SQL as well, do the check in PHP (against $_SESSION['username']) and output an error message like "Not your cd!"...

My 5 cents. (And I would recommend using POST in all places anyway, just for making the URLs nicer... if your system has a login anyway, it won't be usable to have GET variables (they won't be bookmarkable, unless you're in a session).)

P.
Palle Villesen, www.birc.dk [br]Bioinformatics Research Center

#10 oavs

oavs
  • Members
  • PipPipPip
  • Advanced Member
  • 56 posts
  • LocationDownunder

Posted 20 June 2003 - 08:57 AM

Thanks Palle,

Thanks for your time to look at it. As I have said, I am a novice; however, I have come this far in a week. There is a lot I still do not know.

Can you please give some examples of how you would
restore the session in the mdbedit.php page...

as for
Otherwise you should get the CD owner's username back from SQL as well, do the check in PHP (against $_SESSION['username']) and output an error message like "Not your cd!"...
-------------
..you are right. I do have concerns about this. How should I code this page so that if you change AlbumID=174 to, say, AlbumID=172 you will get an error message like "Not your cd!"...

Although I am using them with DWMX, sessions are still a mystery to me.

Thank you again

#11 pallevillesen

pallevillesen
  • Members
  • PipPipPip
  • Advanced Member
  • 135 posts
  • LocationDenmark

Posted 20 June 2003 - 09:19 AM

Edited mdbedit.php

<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.
<?php require_once('../Connections/connMDB.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":

P.
Palle Villesen, www.birc.dk [br]Bioinformatics Research Center
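One way to put the check from #9 and #11 into mdbedit.php, as an added example that is not code from this thread or from either poster. It assumes a table named `albums` with `AlbumID` and `username` columns (the thread never names the table), a mysqli connection `$conn` defined by `../Connections/connMDB.php`, and a `login.php` page; mysqli prepared statements stand in for the old `mysql_*` calls in the posted Dreamweaver code, and only two of the form fields are written back, to keep the UPDATE short.

```php
<?php
// Added example, not code from the thread. Assumptions (not stated in the
// thread): table `albums` with columns AlbumID and username; $conn is a
// mysqli connection created by ../Connections/connMDB.php; login.php exists.
session_start(); // restore the session that was started at login

require_once('../Connections/connMDB.php'); // assumed to define $conn (mysqli)

// 1. Identity comes from the session only. The username in the URL is never
//    read, so editing it in the address bar changes nothing.
if (empty($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}
$username = $_SESSION['username'];

// 2. The record id still comes from the URL, but it is only a selector. The
//    authorisation decision is made by the WHERE clause below, not by the id.
$albumId = filter_input(INPUT_GET, 'AlbumID', FILTER_VALIDATE_INT);
if ($albumId === false || $albumId === null) {
    http_response_code(400);
    exit('Bad album id');
}

/**
 * Load the album only if it belongs to the logged-in user.
 * Returns the row, or null when the album does not exist or is not theirs.
 */
function loadOwnAlbum(mysqli $conn, int $albumId, string $username): ?array
{
    $stmt = $conn->prepare(
        'SELECT * FROM albums WHERE AlbumID = ? AND username = ?'
    );
    $stmt->bind_param('is', $albumId, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$row_rsUpdate = loadOwnAlbum($conn, $albumId, $username);
if ($row_rsUpdate === null) {
    // Same message whether the id is unknown or belongs to someone else,
    // so the response does not reveal which ids exist.
    http_response_code(403);
    exit('Not your cd!');
}

// 3. On submit, repeat the owner condition inside the UPDATE itself: the
//    check above only covered the page load, and a form can be POSTed
//    directly without ever loading the page.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $stmt = $conn->prepare(
        'UPDATE albums SET AlbumLabel = ?, AlbumNotes = ? '
        . 'WHERE AlbumID = ? AND username = ?'
    );
    $label = $_POST['AlbumLabel'] ?? '';
    $notes = $_POST['AlbumNotes'] ?? '';
    $stmt->bind_param('ssis', $label, $notes, $albumId, $username);
    $stmt->execute();
    $stmt->close();
    header('Location: mdbedit.php?AlbumID=' . $albumId);
    exit;
}
// ...the form from the thread follows here, reading $row_rsUpdate as before.
?>
```

The point is that both the SELECT and the UPDATE carry `AND username = ?` bound to the session value, so changing the `AlbumID` in the URL to another member's record returns no row and the page stops with "Not your cd!"; the `username` query parameter from the original edit link is simply ignored. Prepared statements also remove the need for the `addslashes`-based `GetSQLValueString` helper from the Dreamweaver code.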

#12 oavs

oavs
  • Members
  • PipPipPip
  • Advanced Member
  • 56 posts
  • LocationDownunder

Posted 20 June 2003 - 11:17 PM

Thanks again Palle,

OK, I get this, but

<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

<?php require_once('../Connections/connMDB.php'); ?>
----------------- and thank you for the explanation.

but what is this: $theValue / $theDefinedValue / $theNotDefinedValue

and
case "text":

should I be changing any of these or add anything ? or that is it ?
