
oavs

Blocking unauthorised users who attempt access via browser URLs


Hi,

I have a similar problem to the one posted earlier by 'deki'. Displaying an editable page for the current user (by session) is fine.

There is a menu item where a user lists his total records. On that record list page there is an 'edit' link per item listed. Clicking the 'edit' link takes you to the update record page.

The update page is shared by multi-level users, such as Members and Admin, depending on their initial login level.

The problem is that at the top of the update page the browser URL shows

http://www.oavs.com.au/membership/mdbedit....2&username=jack.

Now anyone can go and change the AlbumID= value in the URL to any value and access other users' records, without even removing the rest of the stuff (&username=jack), AND EDIT!!

All I want is: when a member logs on and starts editing, he/she cannot edit any records but his/hers, even if they change the URL.

In other words: the logged-in user must be the current user, equal to the session user, who can only access the current user's records in MySQL.

How can you do this? Can someone please help?

Here is the code for the 'edit' link:

<?php do { ?>
  <tr>
    <td nowrap> </td>
    <td><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
    <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong>
      <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $row_rsReport['username']; ?>">Edit</a></strong></font></td>
    <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
    <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['username']; ?></font></td>


<?php
// at the top of mdbedit.php
session_start();   // $_SESSION is empty unless the session has been started on this page
if ( $_GET['username'] != $_SESSION['username'] )
{ exit; }
?>


Thanks, but it had no effect. The code is now there in use.

The URL

http://www.oavs.com.au/membership/mdbedit....D=171&jack=jack

can easily be changed to this, and the record can be seen and edited:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=174&jack=jack

Interestingly, AlbumID=174 belongs to fred, NOT jack, but it still displays it correctly.

I've noticed you suggested $_GET['username']; all my code uses POST. My server is MySQL 3.23.56 with PHP 4.3.2.


$_GET refers to the information supplied in the URL.

Try this:

<?php
// at the top of mdbedit.php
session_start();   // $_SESSION is empty unless the session has been started on this page
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>


Thanks for looking into this.

Now I get a blank page.

If it helps, for your info: the 'edit' URL link has a URL parameter in the page called report.php, which then calls the mdbedit.php page (which now has your new code at the top of the page):

mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $HTTP_SESSION_VARS['username']; ?>

I have also tried this, without success:

mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>


Recently I've received further suggestions for my problem. Although I would not know how to implement these, since I am a newbie, they might give you alternative ideas. Here they are:

First off, try using POST instead of GET in your form. This way the parameters are not passed in the URL; instead they are passed in the body of the message. Furthermore, use an IF...THEN clause.

Mintyman

...and

Somewhere at the top, work out this pseudo code:

while ($editables){if ($editables==$Albumid){continue($Albumid);}}

Get the idea?


POST would be better; however, if there is too much code to change, what I had posted previously should work. I will explain it further:

First off, keep in mind I am using a simple exit; so no custom error message will display, you will just get the blank page.

This code would work fine:

if ( $_GET['username'] != $_SESSION['username'] ) { exit; }

but you changed the URL by taking out the &username= portion.

So I backed that up by adding this line before it:

if ( !isset($_GET['username']) ) { exit; }

which states: if the &username= parameter is left out of the URL, stop the page.

Try changing the exit into a custom error message to your liking, then use this URL:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=171&jack=jack

and you should get the error message.

Now try using the original URL:

http://www.oavs.com.au/membership/mdbedit.php?AlbumID=172&username=jack

and it should work.

Let me know how this turns out :shock:

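The checks suggested above compare a username that the list page copied into the URL against the session, but mdbedit.php selects and updates by AlbumID alone, so a changed AlbumID still reaches another member's row whatever the &username= parameter says. As an added example (not code from this thread, and not the poster's own), here is the shape of an owner-scoped mdbedit.php: the identity is taken from the session only and bound into the WHERE clause of both the SELECT and the UPDATE, so the database refuses rows that are not the caller's. It is written for PDO with prepared statements, which are not available on the PHP 4.3 / MySQL 3.23 stack the poster describes. The table and column names (mdbTable, AlbumID, username, the MM_update form field) and the user_level value 2 for Admin are taken from the report.php and mdbedit.php code posted later in the thread; the DSN, credentials and the function names albumIdFromRequest(), loadOwnedAlbum() and updateOwnedAlbum() are assumptions made for the example.

```php
<?php
// Added example of an owner-scoped edit page; not the thread's code.
// Assumes PHP 5 with PDO and pdo_mysql. Names from the posted code: mdbTable,
// AlbumID, username, user_level (2 = Admin), MM_update. DSN/credentials are placeholders.

session_start();

// Identity comes from the session only. Never trust &username= in the URL or a
// hidden form field: the client controls GET and POST equally.
if (empty($_SESSION['username'])) {
    header('HTTP/1.0 403 Forbidden');
    exit('Not logged in.');
}
$sessionUser = $_SESSION['username'];
$isAdmin     = isset($_SESSION['user_level']) && (int)$_SESSION['user_level'] === 2;

// Accept only a positive integer as the record key before it goes near SQL.
function albumIdFromRequest(array $src)
{
    if (!isset($src['AlbumID']) || !ctype_digit((string)$src['AlbumID'])) {
        return 0;
    }
    return (int)$src['AlbumID'];
}

// Return the row only if it belongs to $user (admins may load any row).
function loadOwnedAlbum(PDO $db, $albumId, $user, $isAdmin)
{
    $sql = 'SELECT * FROM mdbTable WHERE AlbumID = :id';
    if (!$isAdmin) {
        $sql .= ' AND username = :user';   // ownership enforced by the query, not by a URL compare
    }
    $st = $db->prepare($sql);
    $st->bindValue(':id', $albumId, PDO::PARAM_INT);
    if (!$isAdmin) {
        $st->bindValue(':user', $user, PDO::PARAM_STR);
    }
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC);   // false when no row: not found OR not yours
}

// Update with the same ownership predicate; the matched-row count says whether it applied.
function updateOwnedAlbum(PDO $db, $albumId, $user, $isAdmin, array $fields)
{
    // Whitelist of columns the form may change (the columns in the posted UPDATE).
    static $allowed = array('AlbumCatalogNumber', 'AlbumArtist', 'AlbumName', 'Genre',
        'AlbumLabel', 'AlbumYearReleased', 'Type', 'AlbumTracks', 'AlbumCountry',
        'AlbumCondition', 'AlbumPrice', 'AlbumNotes', 'AlbumQty', 'AlbumCoverURL',
        'AlbumCoverThumbnailURL');
    $set    = array();
    $params = array(':id' => $albumId);
    foreach ($allowed as $col) {
        if (array_key_exists($col, $fields)) {
            $set[]            = "$col = :$col";   // column names come from the whitelist, never from input
            $params[":$col"] = $fields[$col];
        }
    }
    if (!$set) {
        return 0;
    }
    $sql = 'UPDATE mdbTable SET ' . implode(', ', $set) . ' WHERE AlbumID = :id';
    if (!$isAdmin) {
        $sql .= ' AND username = :user';
        $params[':user'] = $user;
    }
    $st = $db->prepare($sql);
    $st->execute($params);
    return $st->rowCount();   // 0 means the WHERE matched nothing: not the caller's row
}

$db = new PDO('mysql:host=localhost;dbname=mdb', 'dbuser', 'dbpass', array(   // placeholders
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::MYSQL_ATTR_FOUND_ROWS   => true,   // count matched rows, not changed rows (see note below)
));

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['MM_update'])) {
    $albumId = albumIdFromRequest($_POST);
    if (updateOwnedAlbum($db, $albumId, $sessionUser, $isAdmin, $_POST) === 0) {
        header('HTTP/1.0 403 Forbidden');
        exit('You can only edit your own items.');
    }
    header('Location: report.php');
    exit;
}

$row = loadOwnedAlbum($db, albumIdFromRequest($_GET), $sessionUser, $isAdmin);
if ($row === false) {
    header('HTTP/1.0 403 Forbidden');   // same answer for "not yours" and "does not exist"
    exit('You can only edit your own items.');
}
// ... render the edit form from $row as before; the link no longer needs &username=
```

With the username bound into the WHERE clause the &username= part of the edit link becomes unnecessary; report.php can emit mdbedit.php?AlbumID=... alone, and swapping GET for POST changes nothing about who may edit what. The PDO::MYSQL_ATTR_FOUND_ROWS attribute matters: by default MySQL reports affected rows, so a member who re-saves an item without changing anything would get 0 back and be wrongly refused.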

Still no good. I must be doing something wrong??

I have tried

<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }   // tried WITH and WITHOUT this line
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>

This takes me to the page fine. Still I can replace 175 with 174 and access other users' records.

>> http://www.oavs.com.au/membership/mdbedit....D=175&jack=jack and you should get the error message.

>> Now try using the original URL:

>> http://www.oavs.com.au/membership/mdbedit....2&username=jack and it should work.

This does not work if I have both of your lines in the code.

This time here is the total code for the page report.php (report.php has the edit link that calls mdbedit.php):

<?php require_once('../Connections/connMDB.php'); ?>
<?php
session_start();
?>
<?php ob_start(); ?>
<?php
# BuildNav for Dreamweaver MX v0.2 starts here
# 10-02-2002
# Alessandro Crugnola [TMM]
# sephiroth: alessandro@sephiroth.it
# http://www.sephiroth.it
#
# Function for navigation build ::
function buildNavigation($pageNum_Recordset1, $totalPages_Recordset1, $prev_Recordset1, $next_Recordset1, $separator = " | ", $max_links = 10, $show_page = true)
{
  GLOBAL $maxRows_rsReport, $totalRows_rsReport;
  $pagesArray = ""; $firstArray = ""; $lastArray = "";
  if ($max_links < 2) $max_links = 2;
  if ($pageNum_Recordset1 <= $totalPages_Recordset1 && $pageNum_Recordset1 >= 0)
  {
    if ($pageNum_Recordset1 > ceil($max_links/2))
    {
      $fgp = $pageNum_Recordset1 - ceil($max_links/2) > 0 ? $pageNum_Recordset1 - ceil($max_links/2) : 1;
      $egp = $pageNum_Recordset1 + ceil($max_links/2);
      if ($egp >= $totalPages_Recordset1)
      {
        $egp = $totalPages_Recordset1 + 1;
        $fgp = $totalPages_Recordset1 - ($max_links-1) > 0 ? $totalPages_Recordset1 - ($max_links-1) : 1;
      }
    }
    else {
      $fgp = 0;
      $egp = $totalPages_Recordset1 >= $max_links ? $max_links : $totalPages_Recordset1 + 1;
    }
    if ($totalPages_Recordset1 >= 1) {
      # ------------------------
      # Searching for $_GET vars
      # ------------------------
      $_get_vars = '';
      if (!empty($_GET) || !empty($HTTP_GET_VARS)) {
        $_GET = empty($_GET) ? $HTTP_GET_VARS : $_GET;
        foreach ($_GET as $_get_name => $_get_value) {
          if ($_get_name != "pageNum_rsReport") {
            $_get_vars .= "&$_get_name=$_get_value";
          }
        }
      }
      $successivo = $pageNum_Recordset1 + 1;
      $precedente = $pageNum_Recordset1 - 1;
      $firstArray = ($pageNum_Recordset1 > 0) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$precedente$_get_vars\">$prev_Recordset1</a>" : "$prev_Recordset1";
      # ----------------------
      # page numbers
      # ----------------------
      for ($a = $fgp + 1; $a <= $egp; $a++) {
        $theNext = $a - 1;
        if ($show_page)
        {
          $textLink = $a;
        } else {
          $min_l = (($a-1) * $maxRows_rsReport) + 1;
          $max_l = ($a * $maxRows_rsReport >= $totalRows_rsReport) ? $totalRows_rsReport : ($a * $maxRows_rsReport);
          $textLink = "$min_l - $max_l";
        }
        $_ss_k = floor($theNext/26);
        if ($theNext != $pageNum_Recordset1)
        {
          $pagesArray .= "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$theNext$_get_vars\">";
          $pagesArray .= "$textLink</a>" . ($theNext < $egp-1 ? $separator : "");
        } else {
          $pagesArray .= "$textLink" . ($theNext < $egp-1 ? $separator : "");
        }
      }
      $theNext = $pageNum_Recordset1 + 1;
      $offset_end = $totalPages_Recordset1;
      $lastArray = ($pageNum_Recordset1 < $totalPages_Recordset1) ? "<a href=\"$_SERVER[PHP_SELF]?pageNum_rsReport=$successivo$_get_vars\">$next_Recordset1</a>" : "$next_Recordset1";
    }
  }
  return array($firstArray, $pagesArray, $lastArray);
}
# BuildNav for Dreamweaver MX v0.2 ends here
?>
// effigy table code actually starts here >>>>>>>>>>>
<?php
$maxRows_rsReport = 20;
$pageNum_rsReport = 0;
if (isset($HTTP_GET_VARS['pageNum_rsReport'])) {
  $pageNum_rsReport = $HTTP_GET_VARS['pageNum_rsReport'];
}
$startRow_rsReport = $pageNum_rsReport * $maxRows_rsReport;

mysql_select_db($database_connMDB, $connMDB);
$query_rsReport = "SELECT * FROM mdbTable WHERE mdbTable.username = '$username' ORDER BY AlbumArtist ASC";
$query_limit_rsReport = sprintf("%s LIMIT %d, %d", $query_rsReport, $startRow_rsReport, $maxRows_rsReport);
$rsReport = mysql_query($query_limit_rsReport, $connMDB) or die(mysql_error());
$row_rsReport = mysql_fetch_assoc($rsReport);

if (isset($HTTP_GET_VARS['totalRows_rsReport'])) {
  $totalRows_rsReport = $HTTP_GET_VARS['totalRows_rsReport'];
} else {
  $all_rsReport = mysql_query($query_rsReport);
  $totalRows_rsReport = mysql_num_rows($all_rsReport);
}
$totalPages_rsReport = ceil($totalRows_rsReport/$maxRows_rsReport) - 1;
?>
<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>
<!-- <link rel="shortcut icon" href="favicon.ico" /> -->
<!-- InstanceBeginEditable name="doctitle" -->
<title>iCollectIt</title>
<!-- InstanceEndEditable -->

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
</head>

<body topmargin="2">
<table width="95%" border="0">
 <tr>
   <td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>
   <td width="527" align="left" valign="middle" nowrap> <blockquote>
       <p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare
         and Collectable <br>
         CD's, DVD's and Vinyl's</strong></font></p>
     </blockquote></td>
   <td width="11"> </td>
 </tr>
 <tr>
   <td height="3" colspan="2" valign="top" bgcolor="#006699"></td>
   <td> </td>
 </tr>
 <tr>
   <td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>.
       . . . make us an offer we can't refuse</strong></font></em></div></td>
   <td> </td>
 </tr>
</table>
<!-- InstanceBeginEditable name="Body" -->
<table width="72%" border="0" align="center" cellpadding="0" cellspacing="0">
 <tr>
   <td colspan="5" rowspan="5" valign="top"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdblogout.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Logout<br>
     </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbMemberReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Admin
     Report<br>
     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Member
     Report <br>
     </a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbGenreReport.php"><img src="../images/arrow-top.gif" width="19" height="10" border="0">Genre
     List</a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbTypeReport.php"><br>
     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Type
     List</a><a href="mdbGenreReport.php"></a></font><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><a href="mdbadd.php"><br>
     <img src="../images/arrow-top.gif" width="19" height="10" border="0">Add
     Item</a></font></td>
   <td> </td>
   <td colspan="17"><div align="center"><font color="#990000" size="2" face="Arial, Helvetica, sans-serif"><strong>Admin
       Item Report / Update</strong></font></div></td>
   <td> </td>
 </tr>
 <tr>
   <td></td>
   <td colspan="17" rowspan="2">
<?
if($_SESSION['user_level'] == 1){
echo "<font face=\"Arial\" size=\"2\"> Members Item Report / Update<br>
<a href=mdblogout.php>Logout</a><br />
<a href=mdbAdd.php>Add Items</a><br />
<a href=mdbMemberReport.php>Member Report</a><br />
<a href=report.php>Update Items / View Member Report</a><br /></font>";
}
if($_SESSION['user_level'] == 2){
echo "<font face=\"Arial\" size=\"2\"> Admin Item Report / Update<br>
<a href=mdblogout.php>Logout</a><br />
<a href=mdbadd.php>Add Item</a><br/>
<a href=mdbadminReport.php>View Master Report</a><br />
<a href=report.php>Update Any Item</a><br /></font>";
}
?>
</td>
   <td> </td>
 </tr>
 <tr>
   <td> </td>
   <td> </td>
 </tr>
 <tr>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
 </tr>
 <tr>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td> </td>
   <td colspan="7"><div align="right"><strong><font size="2" face="Arial, Helvetica, sans-serif">Total
       of <?php echo min($startRow_rsReport + $maxRows_rsReport, $totalRows_rsReport) ?> / <?php echo $totalRows_rsReport ?> records</font></strong></div></td>
   <td> </td>
 </tr>
 <tr>
   <td nowrap> </td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font size="1" face="Arial, Helvetica, sans-serif"> </font><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Edit</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>User</strong></font>
   </td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>ID</strong></font></td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Number</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Artist</strong></font></td>
   <td height="0" bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Title</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Genre</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Type</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Condition</strong></font></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>Buy
       or Offer</strong></font></div></td>
   <td bgcolor="#6666FF"> </td>
   <td bgcolor="#6666FF"><div align="center"><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><strong>QTY</strong></font></div></td>
   <td bgcolor="#6666FF"> </td>
 </tr>
 <?php do { ?>
 <tr>
   <td nowrap> </td>
   <td ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong>

<!-- HERE IS THE URL CODE !!! -->

     <a href="mdbedit.php?AlbumID=<?php echo $row_rsReport['AlbumID']; ?>&username=<?php echo $HTTP_SESSION_VARS['username']; ?>">Edit</a></strong></font></td>

<!-- HERE IS THE URL CODE !!! -->

   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#FBFDEC"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['username']; ?></font></td>
   <td bgcolor=""> </td>
   <td bgcolor="#FBFDEC"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumID']; ?></font></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td nowrap bgcolor="#EAFEFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumCatalogNumber']; ?></font></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td nowrap bgcolor="#EAEAFF"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumArtist']; ?></font></td>
   <td height="0" bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td nowrap bgcolor="#FFEAEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumName']; ?></font></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td nowrap bgcolor="#FFEFAE"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['Genre']; ?></font></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#FFFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['Type']; ?></font></td>
   <td bgcolor="" ><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#EAFFEA"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumCondition']; ?></font></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#FFF7EA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumPrice']; ?></font></div></td>
   <td bgcolor=""><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> </font></td>
   <td bgcolor="#F1FFEA"><div align="center"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><?php echo $row_rsReport['AlbumQty']; ?></font></div></td>
   <td> </td>
 </tr>
 <tr>
   <td nowrap> </td>
   <td height="0" colspan="22" ><div align="center">
       <hr color='lightblue'>
     </div></td>
   <td> </td>
 </tr><div align="center">
 <?php } while ($row_rsReport = mysql_fetch_assoc($rsReport)); ?>
 <tr>
   <td nowrap> </td>
   <td height="0" colspan="22" > <div align="center">
       <?php
# variable declaration
$prev_rsReport = "« previous";
$next_rsReport = "next »";
$separator = " - ";
$max_links = 20;
$pages_navigation_rsReport = buildNavigation($pageNum_rsReport, $totalPages_rsReport, $prev_rsReport, $next_rsReport, $separator, $max_links, true);

print $pages_navigation_rsReport[0];
?>
       <?php print $pages_navigation_rsReport[1]; ?> <?php print $pages_navigation_rsReport[2]; ?>
     </div></td>
   <td> </td>
 </tr>
</table>
<!-- InstanceEndEditable -->
<p> </p>
</body>
<!-- InstanceEnd --></html>
<?php
mysql_free_result($rsReport);
?>



Now the mdbedit.php... sorry about the code :cry:

<?php
// at the top of mdbedit.php
if ( !isset($_GET['username']) ) { exit; }
if ( $_GET['username'] != $_SESSION['username'] ) { exit; }
?>

<?php require_once('../Connections/connMDB.php'); ?>

<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
  $editFormAction .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
}

if ((isset($HTTP_POST_VARS["MM_update"])) && ($HTTP_POST_VARS["MM_update"] == "updateForm")) {
  $updateSQL = sprintf("UPDATE mdbTable SET AlbumCatalogNumber=%s, AlbumArtist=%s, AlbumName=%s, Genre=%s, AlbumLabel=%s, AlbumYearReleased=%s, Type=%s, AlbumTracks=%s, AlbumCountry=%s, AlbumCondition=%s, AlbumPrice=%s, AlbumNotes=%s, AlbumQty=%s, AlbumCoverURL=%s, AlbumCoverThumbnailURL=%s WHERE AlbumID=%s",
                       GetSQLValueString($HTTP_POST_VARS['AlbumCatalogNumber'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumArtist'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumName'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['selectGenre'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumLabel'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumYearReleased'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['selectType'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumTracks'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCountry'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCondition'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumPrice'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumNotes'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumQty'], "int"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCoverURL'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumCoverThumbnailURL'], "text"),
                       GetSQLValueString($HTTP_POST_VARS['AlbumID'], "int"));

  mysql_select_db($database_connMDB, $connMDB);
  $Result1 = mysql_query($updateSQL, $connMDB) or die(mysql_error());

  $updateGoTo = "report.php";
  if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

$colname_rsUpdate = "1";
if (isset($HTTP_GET_VARS['AlbumID'])) {
  $colname_rsUpdate = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['AlbumID'] : addslashes($HTTP_GET_VARS['AlbumID']);
}
mysql_select_db($database_connMDB, $connMDB);
$query_rsUpdate = sprintf("SELECT * FROM mdbTable WHERE AlbumID = %s", $colname_rsUpdate);
$rsUpdate = mysql_query($query_rsUpdate, $connMDB) or die(mysql_error());
$row_rsUpdate = mysql_fetch_assoc($rsUpdate);
$totalRows_rsUpdate = mysql_num_rows($rsUpdate);

mysql_select_db($database_connMDB, $connMDB);
$query_rsGenre = "SELECT * FROM mdbGenre";
$rsGenre = mysql_query($query_rsGenre, $connMDB) or die(mysql_error());
$row_rsGenre = mysql_fetch_assoc($rsGenre);
$totalRows_rsGenre = mysql_num_rows($rsGenre);

mysql_select_db($database_connMDB, $connMDB);
$query_rsType = "SELECT * FROM mdbType";
$rsType = mysql_query($query_rsType, $connMDB) or die(mysql_error());
$row_rsType = mysql_fetch_assoc($rsType);
$totalRows_rsType = mysql_num_rows($rsType);
?>

<html><!-- InstanceBegin template="/Templates/ICI_Template.dwt" codeOutsideHTMLIsLocked="false" --><head>
<!-- <link rel="shortcut icon" href="favicon.ico" /> -->
<!-- InstanceBeginEditable name="doctitle" -->
<title>iCollectIt</title>
<!-- InstanceEndEditable -->

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
</head>

<body topmargin="2">

<table width="95%" border="0">
 <tr>
   <td width="247" height="62" valign="top"><img src="../Logos/ICI-Banner.gif" width="243" height="56"></td>
   <td width="527" align="left" valign="middle" nowrap> <blockquote>
       <p><font color="#0099CC" size="6" face="Arial, Helvetica, sans-serif"><strong>Rare
         and Collectable <br>
         CD's, DVD's and Vinyl's</strong></font></p>
     </blockquote></td>
   <td width="11"> </td>
 </tr>
 <tr>
   <td height="3" colspan="2" valign="top" bgcolor="#006699"></td>
   <td> </td>
 </tr>
 <tr>
   <td height="18" colspan="2" valign="top"> <div align="center"><em><font color="#CCCCCC" size="5" face="Arial, Helvetica, sans-serif"><strong>.
       . . . make us an offer we can't refuse</strong></font></em></div></td>
   <td> </td>
 </tr>
</table>

<!-- InstanceBeginEditable name="Body" -->
<table width="97%" border="0" align="center">
 <tr>
   <td colspan="7">
     <form action="<?php echo $editFormAction; ?>" method="post" name="updateForm" id="updateForm">
       <div align="center">
         <table width="398" border="0" cellspacing="0" cellpadding="0" align="center">
           <tr>
             <td bgcolor="#CCCCCC"> <table width="100%" border="0" cellspacing="1" cellpadding="2">
                 <tr bgcolor="#CCCCCC">
                   <td align="left" bgcolor="#ffe566"><div align="center"><b><font face="Arial" size="2"><b> U
                       p d a t e /  E d i t    I t e m </b></font></b></div></td>
                 </tr>
                 <tr>
                   <td valign="top" bgcolor="#FFFFFF"> <div align="center">
                       <table align="center">
                         <tr valign="baseline">
                           <td width="117" align="right" nowrap bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif">Item
                             ID:</font></td>
                           <td width="240" bgcolor="#999999"><font color="#CCCCCC" size="2" face="Arial, Helvetica, sans-serif"> <?php echo $row_rsUpdate['AlbumID']; ?></font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#CCCCCC">
                           <td height="17" align="right" nowrap><font color="#999999" size="2" face="Arial, Helvetica, sans-serif">User
                             Name:</font></td>
                           <td> <font color="#999999" size="2" face="Arial, Helvetica, sans-serif">
                              <?php echo $row_rsUpdate['username']; ?></font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Catalog
                             Number:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumCatalogNumber" value="<?php echo $row_rsUpdate['AlbumCatalogNumber']; ?>" size="32">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
                             Artist:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumArtist" value="<?php echo $row_rsUpdate['AlbumArtist']; ?>" size="32">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
                             Name:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumName" value="<?php echo $row_rsUpdate['AlbumName']; ?>" size="32">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Genre:</font></td>
                           <td> <font size="2" face="Arial, Helvetica, sans-serif">
                             <select name="selectGenre" id="select">
                               <?php
do {
?>
                               <option value="<?php echo $row_rsGenre['Genre']?>"<?php if (!(strcmp($row_rsGenre['Genre'], $row_rsUpdate['Genre']))) {echo "SELECTED";} ?>><?php echo $row_rsGenre['Genre']?></option>
                               <?php
} while ($row_rsGenre = mysql_fetch_assoc($rsGenre));
  $rows = mysql_num_rows($rsGenre);
  if ($rows > 0) {
      mysql_data_seek($rsGenre, 0);
      $row_rsGenre = mysql_fetch_assoc($rsGenre);
  }
?>
                             </select>
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item
                             Label:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumLabel" value="<?php echo $row_rsUpdate['AlbumLabel']; ?>" size="32">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Year
                             Released:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumYearReleased" value="<?php echo $row_rsUpdate['AlbumYearReleased']; ?>" size="10">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Type:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <select name="selectType" id="select2">
                               <?php
do {
?>
                               <option value="<?php echo $row_rsType['Type']?>"<?php if (!(strcmp($row_rsType['Type'], $row_rsUpdate['Type']))) {echo "SELECTED";} ?>><?php echo $row_rsType['Type']?></option>
                               <?php
} while ($row_rsType = mysql_fetch_assoc($rsType));
  $rows = mysql_num_rows($rsType);
  if ($rows > 0) {
      mysql_data_seek($rsType, 0);
      $row_rsType = mysql_fetch_assoc($rsType);
  }
?>
                             </select>
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Tracks:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumTracks" value="<?php echo $row_rsUpdate['AlbumTracks']; ?>" size="2">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">
                             Country of Origin:</font></td>
                           <td><font size="2" face="Arial, Helvetica, sans-serif">
                             <input type="text" name="AlbumCountry" value="<?php echo $row_rsUpdate['AlbumCountry']; ?>" size="32">
                             </font></td>
                         </tr>
                         <tr valign="baseline" bgcolor="#FFFFEC">
                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Condition:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="text" name="AlbumCondition" value="<?php echo $row_rsUpdate[\'AlbumCondition\']; ?>" size="32">

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Price:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="text" name="AlbumPrice" value="<?php echo $row_rsUpdate[\'AlbumPrice\']; ?>" size="32">

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

 

                             Notes:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <textarea name="AlbumNotes" cols="32"><?php echo $row_rsUpdate[\'AlbumNotes\']; ?></textarea>

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Qty:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="text" name="AlbumQty" value="<?php echo $row_rsUpdate[\'AlbumQty\']; ?>" size="2">

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

 

                             Image URL:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="text" name="AlbumCoverURL" value="<?php echo $row_rsUpdate[\'AlbumCoverURL\']; ?>" size="32">

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif">Item

 

                             Thumbnail URL:</font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="text" name="AlbumCoverThumbnailURL" value="<?php echo $row_rsUpdate[\'AlbumCoverThumbnailURL\']; ?>" size="32">

 

                             </font></td>

 

                         </tr>

 

                         <tr valign="baseline" bgcolor="#FFFFEC">

 

                           <td align="right" nowrap><font size="2" face="Arial, Helvetica, sans-serif"> </font></td>

 

                           <td><font size="2" face="Arial, Helvetica, sans-serif">

 

                             <input type="reset" name="Reset" value="Undo Changes">

 

                             <input name="submit" type="submit" value="Update Item">

 

                             </font></td>

 

                         </tr>

 

      &nbs


You're not restoring the session in the mdbedit.php page...

But I don't get it, if you're using sessions, why not just keep the username from the session, and forget about GETting it or POSTing the username...

Otherwise you should get the cd owner's username back from sql as well, do the check in php (against $_SESSION['username']) and output an error message like "Not your cd!"...

My 5 cents. (And I would recommend using POST all places anyway, just for making the URLs nicer... if your system has a login anyway, it won't be usable to have GET variables (they won't be bookmarkable, unless you're in a session).)

P.


Thanks Palle,

Thanks for your time to look at it. As I have said, I am a novice, however I have come this far in a week. There is a lot I still do not know.

Can you please give some examples of how you would

restore the session in the mdbedit.php page...

as for

Otherwise you should get the cd owner's username back from sql as well, do the check in php (against $_SESSION['username']) and output an error message like "Not your cd!"...

-------------

..you are right. I do have concerns about this. How should I code this page so that if you change AlbumID=174 to, say, AlbumID=172 you will get an error message like "Not your cd!"...

Although I am using them with DWMX, sessions are still a mystery to me.

Thank you again


Edited mdbedit.php

<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

<?php require_once('../Connections/connMDB.php'); ?>

<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":

P.

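Putting Palle's two replies together (restore the session, take the record's owner from SQL, compare it against $_SESSION['username'], answer "Not your cd!"), here is an added example of how the top of mdbedit.php can look. It is not the thread's code and not Dreamweaver's generated code. It assumes that ../Connections/connMDB.php provides a mysqli connection named $connMDB (the thread's page uses the old mysql_* functions, which no longer exist in PHP 7 and later), that the records live in a table called `albums` (a placeholder, the thread never names the table) with the columns the form uses, and that the form posts back to mdbedit.php?AlbumID=... so the id is still in the query string on save. The helper names loadOwnedAlbum and updateOwnedAlbum are mine.

```php
<?php
// mdbedit.php, top of file. Added example for this thread, not Palle's or
// oavs's own code. Assumptions (labelled): ../Connections/connMDB.php defines
// $connMDB as a mysqli connection; the records are in a table named `albums`
// (placeholder, the thread never names it) with the form's columns (AlbumID,
// username, Genre, AlbumLabel, AlbumYearReleased, ...); the form's action URL
// keeps AlbumID=... in the query string when it posts back here.

session_start();                                   // 1. restore the session

if (empty($_SESSION['username'])) {                // 2. no session user, no edit page
    header('Location: login.php');                 //    placeholder login page
    exit;
}
$sessionUser = (string) $_SESSION['username'];     // the owner comes from the session only

require_once '../Connections/connMDB.php';

/**
 * Load one album row, but only if it belongs to $user.
 * Returns the row, or null when the id is unknown or owned by someone else,
 * so the caller cannot tell "no such record" from "not yours".
 */
function loadOwnedAlbum(mysqli $db, int $albumId, string $user): ?array
{
    $stmt = $db->prepare(
        'SELECT AlbumID, username, Genre, AlbumLabel, AlbumYearReleased'
      . ' FROM albums WHERE AlbumID = ?'
    );
    $stmt->bind_param('i', $albumId);
    $stmt->execute();
    $stmt->bind_result($id, $owner, $genre, $label, $year);
    $found = $stmt->fetch();
    $stmt->close();

    // The check Palle describes: owner from SQL versus the logged-in user.
    if (!$found || $owner !== $user) {
        return null;
    }
    return ['AlbumID' => $id, 'username' => $owner, 'Genre' => $genre,
            'AlbumLabel' => $label, 'AlbumYearReleased' => $year];
}

/**
 * Save the edited fields. The WHERE clause repeats the owner condition, so a
 * forged POST naming another AlbumID matches zero rows instead of changing
 * someone else's record. Returns the number of rows changed.
 */
function updateOwnedAlbum(mysqli $db, int $albumId, string $user, array $f): int
{
    $label = (string) ($f['AlbumLabel'] ?? '');
    $year  = (int)    ($f['AlbumYearReleased'] ?? 0);
    $genre = (string) ($f['selectGenre'] ?? '');

    $stmt = $db->prepare(
        'UPDATE albums SET AlbumLabel = ?, AlbumYearReleased = ?, Genre = ?'
      . ' WHERE AlbumID = ? AND username = ?'
    );
    // the bind types ('s' text, 'i' int) do the job of GetSQLValueString's
    // "text"/"int" quoting; no value is ever pasted into the SQL string
    $stmt->bind_param('sisis', $label, $year, $genre, $albumId, $user);
    $stmt->execute();
    $changed = $stmt->affected_rows;               // 0 when nothing changed or not the user's row
    $stmt->close();
    return $changed;
}

// 3. Only the record id is read from the request; a &username= in the URL is ignored.
$albumId = filter_input(INPUT_GET, 'AlbumID', FILTER_VALIDATE_INT);
if ($albumId === null || $albumId === false) {
    http_response_code(400);
    exit('Missing or invalid AlbumID');
}

// 4. Changing AlbumID=174 to AlbumID=172 in the URL now stops here.
$row_rsUpdate = loadOwnedAlbum($connMDB, $albumId, $sessionUser);
if ($row_rsUpdate === null) {
    http_response_code(403);
    exit('Not your cd!');
}

// 5. Form submitted: the same ownership rule is built into the UPDATE itself.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    updateOwnedAlbum($connMDB, $albumId, $sessionUser, $_POST);
    header('Location: mdbedit.php?AlbumID=' . $albumId);   // reload the saved record
    exit;
}
// ... the existing form follows, reading from $row_rsUpdate as before.
```

With this in place the Edit link on the listing page only needs mdbedit.php?AlbumID=..., since the username is no longer taken from the URL at all, and both the display and the save path are restricted to rows whose username column equals the session user. The ownership test is done twice on purpose: once up front so the user gets the "Not your cd!" message, and once inside the UPDATE's WHERE clause so that nothing depends on the earlier check still holding when the write happens.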

Thanks again Palle,

OK I get this, but

<?php
// at the top of mdbedit.php
session_start(); // restore session
$username = $_SESSION['username'];
?>
# THE ABOVE WILL RESTORE THE SESSION, AND PUT THE CONTENT OF THE SESSION VARIABLE USERNAME into the variable $username.

<?php require_once('../Connections/connMDB.php'); ?>

----------------- and thank you for the explanation.

but what is this - $theValue / $theDefinedValue / $theNotDefinedValue

and

case "text":

should I be changing any of these or add anything? or that is it?

