PHP Gurus HELP!@#!!

  • dirtysouth
    Confirmed User
    • Jul 2003
    • 2613

    #1


    Got a page where users can edit their account details, i.e. useredit.php

    That page posts to "do-useredit.php"

    User must be logged in. Here's some code:

    useredit.php

    PHP Code:
    <?php
    require_once('../mysql_connect.php');
    session_start();
    
    if(isset($_SESSION['id']))
    {
        $mn = trim($_SESSION['id']);
        require_once('../mysql_connect.php');
        $query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
    }
    
    echo'
    
    
    <form name="form1" method="post" action="do-useredit.php">
    <input type="text" name="bill_fname" value="' . $row['bill_fname'] . '" style="font-size:9px"><br />
    <input type="submit" name="submit" value="Update" />';
    
    ?>
    Here's the second page:

    do-useredit.php

    PHP Code:
    <?php
    require_once('../mysql_connect.php');
    session_start();
    
    
    
    $_GET['mn'];
    
    
    if(isset($_SESSION['id']))
    {
        $mn = trim($_SESSION['id']);
        require_once('../mysql_connect.php');
        $query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
    
    
    
    }
    
    
    
    mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error());
    
    
    
    echo "Record Updated";
    print $mn;
    
    
    
    ?>
    Problem: When I have session_start in the top of do-useredit.php, it doesn't UPDATE. When I comment it out it works fine. The trouble is, I can't pass the member_name into the query, hence in the above I simply force it to UPDATE WHERE member_name = 'admin' (me). Any ideas? I have paypal funds avail. TIA!
  • Angelo22
    Writer
    • Feb 2007
    • 3123

    #2
    No idea

    Bump for you though

    Comment

    • borked
      Totally Borked
      • Feb 2005
      • 6284

      #3
      $_GET['mn'];

      what's that all about?


      Comment

      • fluffygrrl
        So Fucking Banned
        • May 2006
        • 2187

        #4
        session_start() creates a session or resumes the current one. So it wouldn't update anything, every time the script runs it resumes. It doesn't really belong in there without a check, or some more complicated single-entry point stuff.

        Explain your "can't pass value into query" problem, it's not clear.

        Comment

        • Brujah
          Beer Money Baron
          • Jan 2001
          • 22157

          #5
          Nevermind .. I see it's a post, not a get.
          Last edited by Brujah; 08-23-2007, 02:45 PM. Reason: nevermind

          Comment

          • borked
            Totally Borked
            • Feb 2005
            • 6284

            #6
            and for passing sessions, http://fr3.php.net/manual/en/ref.ses...sion.idpassing


            Comment

            • Swish
              Confirmed User
              • Mar 2006
              • 1421

              #7
              put a:

              var_dump($bill_fname);

              in there to make sure it's getting set, if not you probably need to:

              extract($_POST);

              You also need some error checking and input validation... that is very insecure.
              Last edited by Swish; 08-23-2007, 05:14 PM.



              Comment

              • testpie
                Mostly retired
                • Apr 2006
                • 3231

                #8
                You're running this segment of code:
                PHP Code:
                if(isset($_SESSION['id']))
                {
                    $mn = trim($_SESSION['id']);
                    require_once('../mysql_connect.php');
                    $query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
                    $result = mysql_query($query);
                    $row = mysql_fetch_array($result, MYSQL_ASSOC);
                
                
                
                } 
                
                before the update SQL below, so I'd guess your problem has something to do with trying to draw the session ID out and put it into the SQL query. Try changing:
                PHP Code:
                $result = mysql_query($query); 
                
                to:
                PHP Code:
                $result = mysql_query($query) or die("Error: ".mysql_error()); 
                
                and see if that gives you an SQL error.


                Comment

                • woj
                  <&(©¿©)&>
                  • Jul 2002
                  • 47882

                  #9
                  hmm, why would the 2nd query be ->
                  WHERE member_name = 'admin'" ?

                  It would probably make more sense if it was WHERE member_name='$mn'
                  and it should probably be within the "if" statement, since outside of the if statement $mn isn't even set...

                  Comment

                  • Varius
                    Confirmed User
                    • Jun 2004
                    • 6890

                    #10
                    Few tips:

                    - How are you using sessions? If by sessionid (ie. not in a cookie) you probably need to add a hidden field with its value to your form so it gets passed to the next page, otherwise you are creating a fresh session where ['ID'] wouldn't be assigned.

                    - What is this line for as someone above asked: $_GET['mn'];

                    - Why have this a second time in your IF when it's already included above? require_once('../mysql_connect.php');

                    - Use $_POST['bill_fname'] instead of $bill_fname for more security and better compatibility if your code is used on a server with register_globals off.

                    - A personal recommendation is use AdoDB database abstraction layer to make cleaner more portable apps and also you can do simple stuff to help you debug like, $db->debug = true; etc...

                    Comment

                    • zand_stein
                      Confirmed User
                      • Jul 2007
                      • 1438

                      #11
                      what is it all about??
                      nevermind........


                      Comment

                      • netpimp
                        Registered User
                        • Jan 2005
                        • 66

                        #12
                        If you haven't figured this one out yet, in code snippet #2, where do you set the variable for $bill_fname? I see it from code snippet #1, but you didn't mention if you have 'register_globals' turned off or on in the php.ini. If register_globals is off, then you'll need to use $_POST, $_GET, or $_REQUEST (as varius has mentioned) depending how you receive your data.

                        You may also want to read up on SQL code injection. You'll want to avoid endusers putting extra data into your tables to screw them up, or gain extra privileges, etc.

                        For instance:

                        mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error());


                        your form could become UPDATE shoppingmembers SET bill_fname='firstname',admin_access='1' where member_name='admin'

                        (by entering ',admin_access='1 in the form field)

                        Also, you may wish to drop out of your SQL query with strings and concatenate them in.

                        mysql_query("blah='" . $variable . "' rest of sql statement");

                        hope this helps.

                        Comment

                        • dirtysouth
                          Confirmed User
                          • Jul 2003
                          • 2613

                          #13
                          MANY thanks! Sorry I lost this thread over the weekend doing stuff with the kids.

                          Here is my new code.

                          useredit.php:


                          PHP Code:
                          <?php
                          require_once('../mysql_connect.php');
                          session_start();
                          
                          if(isset($_SESSION['id']))
                          {
                              $mn = trim($_SESSION['id']);
                              $query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
                              $result = mysql_query($query) or die("Error: ".mysql_error());  
                              $row = mysql_fetch_array($result, MYSQL_ASSOC);
                          
                          
                          echo'
                          
                          
                          <form name="form1" method="post" action="do-useredit.php?member_name=' . $row['member_name'] . '">
                          <input type="text" name="bill_fname" value="' . $row['bill_fname'] . '" style="font-size:9px"><br />
                          <input type="submit" name="submit" value="Update" />
                          
                          <br /><br />';
                          echo $mn;
                          
                          
                              }
                          
                          
                          else
                          {
                              echo '<table width="100%" align="left" cellpadding="10"><tr><td>
                                      <img src="images/my_account_graphic.gif" border="0" />
                                      <br /><br /><span class="arial12graydarkBold">You must be logged into your account to view this page.<br /><a href="account_login.php">Click 
                                      here to log on.</a><br /><br />
                                      <a href="account_signup_page.php">If you don\'t have an account and wish to create one, click here</a>.</span></td></tr></table>';
                                      
                                      }
                          
                          
                          
                          
                          ?>
                          do-useredit.php:

                          PHP Code:
                          <?php
                          require_once('../mysql_connect.php');
                          session_start();
                          
                          
                          
                          extract($_POST);
                          
                          
                          if(isset($_SESSION['id']))
                          {
                              $mn = trim($_SESSION['id']);
                              $query = "SELECT * FROM shoppingmembers WHERE member_name = '$mn'";
                              $result = mysql_query($query) or die("Error: ".mysql_error());  
                              $row = mysql_fetch_array($result, MYSQL_ASSOC);
                          
                          
                          mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = '$mn'")or die(mysql_error());
                          
                          
                          echo "Record Updated";
                          echo $mn;
                          
                          }
                          
                          ?>
                          Good news is it's working. Questions below:

                          1. How secure is the code? Tips appreciated.
                          2. See #1. ;)

                          Thanks again! Was pulling my hair out on this one for a while.

                          Comment

                          • ServerGenius
                            Confirmed User
                            • Feb 2002
                            • 9377

                            #14
                            I only looked at it very quickly.....so correct me if I'm wrong....

                            You only want authorized users to be able to update the info from a query
                            result to the db.

                            So all you need is.....verify user is logged in by session...then
                            post the form to self. verify data and execute update query and return
                            result....

                            The whole second part is obsolete......unless I've missed something

                            Comment

                            • dirtysouth
                              Confirmed User
                              • Jul 2003
                              • 2613

                              #15
                              SG: Heh, yep. You are right, BUT I did it that way to help me understand the process better. Originally I had it as one file posting to SELF but as the whole code didn't work at the time, nothing happened. I plan on cleaning it up and using 1 file.

                              Anything look scary to ya other than that? Thanks in advance!

                              Comment

                              • ServerGenius
                                Confirmed User
                                • Feb 2002
                                • 9377

                                #16
                                Originally posted by dirtysouth
                                SG: Heh, yep. You are right, BUT I did it that way to help me understand the process better. Originally I had it as one file posting to SELF but as the whole code didn't work at the time, nothing happened. I plan on cleaning it up and using 1 file.

                                Anything look scary to ya other than that? Thanks in advance!
                                I always echo some text at each step of the program....that makes it very
                                easy to see where things go wrong without splitting things up and make
                                me to check double the amount of code to look at. If you print a simple comment after a step is completed you can find problems a lot faster.

                                I'll look at your code later if you want as right now I looked at it 2 seconds
                                just to see what you're trying to do.....as mentioned earlier you can improve
                                the way you run the queries to avoid vulnerabilities like mysql injections which
                                currently is 1 of the most popular methods to exploit scripts/servers...

                                and you can also add some better error checks to avoid problems that
                                can happen by users fucking with the data to enter in the fields.....
                                I'll check back later to see if I see something I think could be improved
                                in case nobody else suggested it before me.........the first thing I'd do
                                is get rid of all the double stuff that's not needed........and post your
                                latest result so people can help you don't tell you things about things
                                you already changed :-)

                                Comment
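
The advice in posts #10, #12, #14 and #16 (read the field from $_POST, keep user input out of the SQL text, check the login and the data before updating) put together in one runnable sketch. This is an added example, not code from any poster in the thread; it assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection, and the admin_access column (named only in post #12), the sample rows and the 64-character limit are constructed.

```php
<?php
// Added example, not code from the thread. Table layout, sample rows and the
// length limit are constructed; SQLite stands in for MySQL so this runs offline.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE shoppingmembers (
        member_name TEXT PRIMARY KEY, bill_fname TEXT, admin_access INTEGER DEFAULT 0)");
    $db->exec("INSERT INTO shoppingmembers VALUES ('alice', 'Alice', 0), ('bob', 'Bob', 0)");
    return $db;
}

// 'Before': the thread's pattern, with the form value interpolated into the SQL text.
// A quote inside $bill_fname ends the string literal early and the rest is parsed as SQL.
function update_concatenated(PDO $db, string $mn, string $bill_fname): void
{
    $db->exec("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = '$mn'");
}

// 'After': identity comes from the session only, one named POST field is read
// (no extract()), the value is checked, and both values are bound as parameters.
function update_prepared(PDO $db, array $session, array $post): string
{
    if (!isset($session['id']) || !is_string($session['id'])) {
        return 'not logged in';
    }
    $name = $post['bill_fname'] ?? null;
    if (!is_string($name)) {
        return 'invalid input';
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {   // 64 is an assumed column limit
        return 'invalid input';
    }
    $stmt = $db->prepare(
        'UPDATE shoppingmembers SET bill_fname = :fname WHERE member_name = :mn'
    );
    $stmt->execute([':fname' => $name, ':mn' => trim($session['id'])]);
    return 'updated';
}

function member(PDO $db, string $mn): array
{
    $stmt = $db->prepare(
        'SELECT bill_fname, admin_access FROM shoppingmembers WHERE member_name = ?'
    );
    $stmt->execute([$mn]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

// The form value from post #12, with a first name in front of it.
$field = "Alice',admin_access='1";

// Concatenated query: the value rewrites the statement itself.
$db = make_db();
update_concatenated($db, 'alice', $field);
var_dump(member($db, 'alice'));

// Prepared query: the same value is stored as plain text in bill_fname, and a
// member_name sent with the request is ignored because the session decides the row.
$db = make_db();
echo update_prepared($db, ['id' => 'alice'], ['bill_fname' => $field, 'member_name' => 'bob']), "\n";
var_dump(member($db, 'alice'));
var_dump(member($db, 'bob'));

// No session id: nothing is written.
echo update_prepared($db, [], ['bill_fname' => 'Mallory']), "\n";
```

Comparing the first and second `var_dump` of the alice row shows the difference: only the concatenated version changes admin_access.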
