Dada78 Posted January 26, 2008 Share Posted January 26, 2008 I have a form that when you update it it is suppose to show "Display Updated" which it does do. Problem is, is it shows "Display Updated" as soon as you enter the page without even having to update the page. Below is a screen shot and the code for the entire file. I am not sure why this is happening. Here is the code <?php require ('session.php'); include ('db_connect.php'); $email = $_SESSION['email']; if(isset($_POST['submit'])) { $displayname = $_POST['displayname']; $displaytype = $_POST['displaytype']; $description = $_POST['description']; $address = $_POST['address']; $address2 = $_POST['address2']; $city = $_POST['city']; $state = $_POST['state']; $postal = $_POST['postal']; $country = $_POST['country']; $website = $_POST['website']; mysql_query("UPDATE users SET displayname = '$displayname', displaytype = '$displaytype', description = '$description', address = '$address', address2 = '$address2', city = '$city', state = '$state', postal = '$postal', country = '$country', website = '$website' WHERE email='$email'"); } $sql = "SELECT * FROM users WHERE email='$email'"; if ($result = mysql_query($sql)) { if (mysql_num_rows($result)) { $row = mysql_fetch_array($result); $id = $row["id"]; $displayname = $row['displayname']; $displaytype = $row['displaytype']; $description = $row['description']; $address = $row['address']; $address2 = $row['address2']; $city = $row['city']; $state = $row['state']; $postal = $row['postal']; $country = $row['country']; $website = $row['website']; } else { die("No user found"); } } else { die(mysql_error()); } ?> -Thanks Quote Link to comment Share on other sites More sharing options...
Lumio Posted January 26, 2008 Share Posted January 26, 2008 Where is the line that outputs "Display Updated"? Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 27, 2008 Author Share Posted January 27, 2008 Its embedded in the HTML. <?php require ('session.php'); include ('db_connect.php'); $email = $_SESSION['email']; if(isset($_POST['submit'])) { $displayname = $_POST['displayname']; $displaytype = $_POST['displaytype']; $description = $_POST['description']; $address = $_POST['address']; $address2 = $_POST['address2']; $city = $_POST['city']; $state = $_POST['state']; $postal = $_POST['postal']; $country = $_POST['country']; $website = $_POST['website']; mysql_query("UPDATE users SET displayname = '$displayname', displaytype = '$displaytype', description = '$description', address = '$address', address2 = '$address2', city = '$city', state = '$state', postal = '$postal', country = '$country', website = '$website' WHERE email='$email'"); } $sql = "SELECT * FROM users WHERE email='$email'"; if ($result = mysql_query($sql)) { if (mysql_num_rows($result)) { $row = mysql_fetch_array($result); $id = $row["id"]; $displayname = $row['displayname']; $displaytype = $row['displaytype']; $description = $row['description']; $address = $row['address']; $address2 = $row['address2']; $city = $row['city']; $state = $row['state']; $postal = $row['postal']; $country = $row['country']; $website = $row['website']; } else { die("No user found"); } } else { die(mysql_error()); } ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <table width="100%" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC"> <tr> <td> <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF"> <td><a href="user.php?action=editprofile">Edit Profile</a> | <a href="submit.php">Add Entry</a> | <a href="user.php?action=edit">Edit Display</a> | <a href="user.php?action=images">Edit Images</a> | <a href="logout.php">Log Out</a></td> </tr> </table> </td> </tr> </table> </td> </tr> <tr> <td class="errorText"> <div align="center"><?php echo "Display Updated"; ?></div></td> <tr> <td> <form action="user.php?action=edit&id=<?php echo $id; ?>" method="post"> <input type="hidden" name="email" value=""> <table> <tr> <td>Display Name*</td><td><input name="displayname" value="<?php echo $displayname; ?>" size="40" type="text"></td></tr> <tr> <td>Display Type*</td><td><select name="displaytype"><option value="<?php echo $displaytype; ?>"><?php echo $displaytype; ?></option><option value="Residential">Residential</option><option value="Neighborhood">Neighborhood</option><option value="Commercial">Commercial</option><option value="City/Government">City/Government</option><option value="Sponsored">Sponsored</option></select></td></tr> <tr><td>Description*</td><td><textarea name="description" cols="30" rows="5"><?php echo $description; ?></textarea></td></tr> <tr><td>Address*</td><td><input name="address" value="<?php echo $address; ?>" size="40" type="text"></td></tr> <tr><td>Address 2</td><td><input name="address2" value="<?php echo $address2; ?>" size="40" type="text"></td></tr> <tr><td>City*</td><td><input name="city" size="30" type="text" value="Mesquite"></td></tr> <tr><td>State/Province*</td><td><input name="state" size="30" type="text" value="Texas"></td></tr> <tr><td>Postal Code*</td><td><select name="postal"><option value="<?php echo $postal; ?>"><?php echo $postal; ?></option><option value="75149">75149</option><option value="75150">75150</option><option value="75180">75180</option><option value="75181">75181</option><option value="75185">75185</option><option value="75187">75187</option></select></td></tr> <tr><td>Country*</td><td><input name="country" size="30" type="text" value="United States"></td></tr> <tr><td>Website</td><td><input name="website" size="50" value="<?php echo $website; ?>" type="text"></td></tr> <tr><td> </td></tr> <tr> <td colspan="2" style="border-top: 1px solid black;" align="left"> <br /> * Fields are required.</td> <td colspan="2" style="border-top: 1px solid black;" align="right"> <br /> <input type='submit' name='submit' value='Update'></td></tr> </tbody> </table></form> </td> </tr> </table> Quote Link to comment Share on other sites More sharing options...
Lumio Posted January 27, 2008 Share Posted January 27, 2008 Hm... you already solved it. For everyone: There is no if-statement. So the echo ouputs everytime. Also your code is open for XSS. Use htmlspecialchars or htmlentities before outputing it directly. For example echo htmlentities($website); What if $website contains "><script>alert('XSS!');</script> Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 27, 2008 Author Share Posted January 27, 2008 Hm... you already solved it. For everyone: There is no if-statement. So the echo ouputs everytime. Also your code is open for XSS. Use htmlspecialchars or htmlentities before outputing it directly. For example echo htmlentities($website); What if $website contains "><script>alert('XSS!');</script> That was not the problem but nice try. Also I have no idea what XSS is nor do I care. This is a hobby site that will have probably no more then 20 users so if someone wants to hack it go for. They have no life to attack such a small fish in the sea. Quote Link to comment Share on other sites More sharing options...
Lumio Posted January 27, 2008 Share Posted January 27, 2008 http://en.wikipedia.org/wiki/Cross-site_scripting = XSS Also if it's an hobby-page please secure your page. Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 27, 2008 Author Share Posted January 27, 2008 http://en.wikipedia.org/wiki/Cross-site_scripting = XSS Also if it's an hobby-page please secure your page. I appreciate your concern but I don't care. This is a seasonal web site with very few users and the HTML is fair secured so I really don't go because my server does hourly backups and if someone wanted to take a hack it have at it. It you want to make it hack proof then go for it. I don't have the time nor the knowledge to learn about it right now. Quote Link to comment Share on other sites More sharing options...
Lumio Posted January 27, 2008 Share Posted January 27, 2008 If you leave it out, someone could steal private information of your users. Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 27, 2008 Author Share Posted January 27, 2008 If you leave it out, someone could steal private information of your users. People are displaying their personal address and pictures of their house. How much more private information can they steal that they are not voluntarily listing for people to see. Like I said, I really don't care, if people want to hack such a small site more power to them. They won't be stealing anything that they can not already view on the site. Quote Link to comment Share on other sites More sharing options...
Lumio Posted January 27, 2008 Share Posted January 27, 2008 They can output cookies and passwords and send them to another page. Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 28, 2008 Author Share Posted January 28, 2008 Good for them, get over it, you don't get it. Quote Link to comment Share on other sites More sharing options...
herghost Posted January 28, 2008 Share Posted January 28, 2008 You need a php if statement, ie if form submitted then echo form updated else nothing Unfortantly I am at the same level as understanding as yourself, im sure one of the other guys on the forum will be able to help you out with this Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 28, 2008 Author Share Posted January 28, 2008 Did you notice the this has been resolved as of yesterday? This other guy seems to want to tell me how to build my site. Quote Link to comment Share on other sites More sharing options...
kickassamd Posted January 28, 2008 Share Posted January 28, 2008 He wants to help make your site better and more secure, If you dont care dont do it, If you dont have time, dont do it.... "We dont care that the wheels of the car we just made dont stay on" just bogus that is whats wrong with developers today, they dont care to take the time to things the correct way the first time around. Quote Link to comment Share on other sites More sharing options...
Dada78 Posted January 28, 2008 Author Share Posted January 28, 2008 that is whats wrong with developers today, they dont care to take the time to things the correct way the first time around. This is sad, my resolved threads get more response then my threads still needing help. I am not a developer, I do not use PHP on regular basis. This is the first time in 3 yrs I have used it and I wasn't suppose to do the PHP on this. I work with HTML XHTML and CSS. This site doesn't hide anything and the passwords are protected in MD and Salt which is the only information they can steal. So if they steal that then woo freaking do. Not to mention I have stated this several times. I will probably only have 20 users at the most ever. The rest of the site is just HTML informational pages. So this is just a personal seasonal hobby site and their is nothing they can steal that they can not already view by browsing the site. If they want to hack such a small site then so be it, they have no life. I will just run a back up and be back to normal. So before I am told what to do again and explain myself which I shouldn't have to do. Their is no need nor do I need to take extra measures to secure anything. The rest of the site is secure enough as it is which YOU and others do know about. So drop it and leave it alone. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.