dirtysouth

Got a page where users can edit their account details ie: useredit.php

That page posts to "do-useredit.php

User must be logged in. Here's some code:

useredit.php

Here's the second page:

do-useredit.php

Problem: When I have session_start in the top of do-useredit.php, it doesn't UPDATE. When I comment it out it works fine. The trouble is, I can't pass the member_name into the query, hence in the above I simply force it to UPDATE WHERE member_name = 'admin' (me). Any ideas? I have paypal funds avail. TIA!

__________________
no sig

Angelo22

No idea

Bump for you though

__________________
MAKE MORE MONEY FROM YOUR WEB TRAFFIC - 15% BONUS

And contact me if you need high quality translating and writing work done - angelo22 (AT) gmail (DOT) com

borked

$_GET['mn'];

what's that all about?

__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

fluffygrrl

session_start() creates a session or resumes the current one. So it wouldn't update anything, every time the script runs it resumes. It doesn't really belong in there without a check, or some more complicated single-entry point stuff.

Explain your "can't pass value into query" problem, it's not clear.

Brujah

Nevermind .. I see it's a post, not a get.

__________________

• Free Premium Domain Lists and Tools at Clickmojo.com
• For Sale: Obscenity.com

borked

and for passing sessions, http://fr3.php.net/manual/en/ref.ses...sion.idpassing

__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

Swish

put a:

var_dump($bill_fname);

in there to make sure it's getting set, if not you probably need to:

extract($_POST);

You also need some error checking and input validation... that is very insecure.

__________________


Naughty America - Director of Technology
It's a CELEBRATION bitches!! For the hottest content promote Naughty America!
swish at naughtyamerica dot com | ICQ: 226 737 620 | See Who I Am At AdultWhosWho.com!

testpie

You're running this segment of code:
before the update SQL below, so I'd guess your problem has something to do with trying to dray the session ID out and put it into the SQL query. Try changing:
to:
and see if that gives you an SQL error.

__________________

woj

hmm, why would the 2nd query be ->
WHERE member_name = 'admin'" ?

It would probably make more sense if it was WHERE member_name='$mn'
and it should probably be within the "if" statement, since outside of the if statement $mn isn't even set...

__________________
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager

Varius

Few tips:

- How are you using sessions? If by sessionid (ie. not in a cookie) you probably need to add a hidden field with its value to your form so it gets passed to the next page, otherwise you are creating a fresh session where ['ID'] wouldn't be assigned.

- What is this line for as someone above asked: $_GET['mn'];

- Why have this a second time in your IF when it's already included above? require_once('../mysql_connect.php');

- Use $_POST['bill_fname'] instead of $bill_fname for more security andbetter compatibility if your code is used on a server with register_globals off.

- A personal recommendation is use AdoDB database abstraction layer to make cleaner more portable apps and also you can do simple stuff to help you debug like, $db->debug = true; etc...

__________________
Skype variuscr - Email varius AT gmail

zand_stein

what is it all about??
nevermind........

__________________

Paying Affiliates DAILY by ePassporte!

netpimp

If you haven't figured this one out yet, in code snipped #2, where do you set the variable for $bill_fname? I see it from code snippet #1, but you didn't mention if you have 'register_globals' turned off or on in the php.ini. If register_globals is off, then you'll need to use $_POST, $_GET, or $_REQUEST (as varius has mentioned) depending how you receive your data.

You may also want to read up on SQL code injection. You'll want to avoid endusers putting extra data into your tables to screw them up, or gain extra privileges, etc.

For instance:

mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error());


your form could become UPDATE shoppingmembers SET bill_fname='firstname',admin_access='1' where member_name='admin'

(by entering ',admin_access='1 in the form field)

Also, you may wish to drop out of your SQL query with strings and concatenate them in.

mysql_query("blah='" . $variable . "' rest of sql statement");

hope this helps.

dirtysouth

MANY thanks! Sorry I lost this thread over the weekend doing stuff with the kids.

Here is my new code.

useredit.php:


do-useredit.php:

Good news is it's working. Questions below:

1. How secure is the code? Tips appreciated.
2. See #1. ;)

Thanks again! Was pulling my hair out on this one for a while.

__________________
no sig

ServerGenius

I only looked at it very quickly.....so correct me if I'm wrong....

You only want to be able for authorized users to update the info from a query
result to the db.

So all you need is.....verify user is logged in by session...then
post the form to self. verify data and execute update query and return
result....

The whole second part is obsolete......unless I've missed something

__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |

dirtysouth

SG: Heh, yep. You are right, BUT I did it that way to help me understand the process better. Originally I had it as one file posting to SELF but as the whole code didn't work at the time, nothing happened. I plan on cleaning it up and using 1 file.

Anything look scary to ya other than that? Thanks in advance!

__________________
no sig

ServerGenius

I always echo some text at each step of the program....that makes it very
easy to see where things go wrong without splitting things up and make
me to check double the amount of code to look at. If you print a simple comment after a step is completed you can find problems a lot faster.

I'll look to your code later if you want as right now I looked at it 2 seconds
just to see what you're trying todo.....as mentioned earlier you can improve
the way you run the queries to avoid vulnerbilities like mysql injections which
currently is 1 of the most popular methods to exploit scripts/servers...

and you can also add some better error checks to avoid problems that
can happen by users fucking with the data to enter in the fields.....
I'll check back later to see if I see something I think could be improved
in case nobody else suggested it before me.........the first thing I'd do
is get rid of all the double stuff that's not needed........and post your
latest result so people can help you don't tell you things about things
you already changed :-)

__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |