PHP Gurus HELP!@#!!
Got a page where users can edit their account details ie: useredit.php
That page posts to "do-useredit.php". User must be logged in. Here's some code:
useredit.php PHP Code:
do-useredit.php PHP Code: |
No idea
Bump for you though |
$_GET['mn'];
what's that all about? |
session_start() creates a session or resumes the current one. So it wouldn't update anything, every time the script runs it resumes. It doesn't really belong in there without a check, or some more complicated single-entry point stuff.
Explain your "can't pass value into query" problem, it's not clear. |
Never mind... I see it's a post, not a get. |
And for passing sessions: http://fr3.php.net/manual/en/ref.ses...sion.idpassing |
Put a var_dump($bill_fname); in there to make sure it's getting set. If not, you probably need to: extract($_POST); You also need some error checking and input validation... that is very insecure. |
hmm, why would the 2nd query be ->
WHERE member_name = 'admin'" ? It would probably make more sense if it was WHERE member_name='$mn' and it should probably be within the "if" statement, since outside of the if statement $mn isn't even set... |
Few tips:
- How are you using sessions? If by session id (i.e. not in a cookie) you probably need to add a hidden field with its value to your form so it gets passed to the next page, otherwise you are creating a fresh session where ['ID'] wouldn't be assigned.
- What is this line for, as someone above asked: $_GET['mn'];
- Why have this a second time in your IF when it's already included above? require_once('../mysql_connect.php');
- Use $_POST['bill_fname'] instead of $bill_fname for more security and better compatibility if your code is used on a server with register_globals off.
- A personal recommendation is to use the AdoDB database abstraction layer to make cleaner, more portable apps; you can also do simple stuff to help you debug like $db->debug = true; etc... :) |
what is it all about??
Never mind........ |
If you haven't figured this one out yet, in code snippet #2, where do you set the variable $bill_fname? I see it in code snippet #1, but you didn't mention if you have 'register_globals' turned off or on in the php.ini. If register_globals is off, then you'll need to use $_POST, $_GET, or $_REQUEST (as varius has mentioned) depending on how you receive your data. You may also want to read up on SQL code injection. You'll want to avoid end users putting extra data into your tables to screw them up, or gain extra privileges, etc. For instance: mysql_query("UPDATE shoppingmembers SET bill_fname = '$bill_fname' WHERE member_name = 'admin'")or die(mysql_error()); your form could become UPDATE shoppingmembers SET bill_fname='firstname',admin_access='1' where member_name='admin' (by entering ',admin_access='1 in the form field). Also, you may wish to drop out of your SQL query with strings and concatenate them in. mysql_query("blah='" . $variable . "' rest of sql statement"); Hope this helps. |
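A hardened version of the update step discussed in this thread, written as an added example (not code from the thread or any poster): it checks the session, reads bill_fname explicitly from $_POST, and binds the value in a prepared statement so the payload quoted above is stored as a plain string. It assumes PDO with the sqlite driver for the offline self-test, the $_SESSION['ID'] key mentioned in the thread, and the column names member_name, bill_fname and admin_access from the posts.

```php
<?php
// Added example: prepared-statement version of the UPDATE from do-useredit.php.
// Runs against an in-memory SQLite database (assumes the pdo_sqlite extension).
declare(strict_types=1);

session_start();

// Only a logged-in user may run the update; the session key 'ID' is taken from the thread.
function require_login(): string {
    if (empty($_SESSION['ID'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    return (string) $_SESSION['ID'];
}

// Read the field from $_POST explicitly (works with register_globals off) and validate it.
function read_first_name(array $post): string {
    $name = trim((string) ($post['bill_fname'] ?? ''));
    if ($name === '' || strlen($name) > 50) {
        throw new InvalidArgumentException('bill_fname must be 1..50 characters');
    }
    return $name;
}

// Bind the values instead of interpolating them: the SQL shape is fixed, so input
// such as  ',admin_access='1  can only ever become the stored first name.
// The row is selected by the logged-in member, not a hard-coded 'admin'.
function update_first_name(PDO $db, string $memberName, string $firstName): int {
    $stmt = $db->prepare(
        'UPDATE shoppingmembers SET bill_fname = :fname WHERE member_name = :mn'
    );
    $stmt->execute([':fname' => $firstName, ':mn' => $memberName]);
    return $stmt->rowCount();
}

// --- self-test with constructed data ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE shoppingmembers (member_name TEXT PRIMARY KEY, bill_fname TEXT, admin_access INTEGER DEFAULT 0)');
$db->exec("INSERT INTO shoppingmembers VALUES ('admin', 'old', 0)");

$_SESSION['ID'] = 'admin';                      // simulated logged-in user
$_POST['bill_fname'] = "',admin_access='1";     // the hostile input quoted in the thread
update_first_name($db, require_login(), read_first_name($_POST));

$row = $db->query("SELECT bill_fname, admin_access FROM shoppingmembers WHERE member_name = 'admin'")
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row);   // bill_fname holds the literal string; admin_access is unchanged
```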
MANY thanks! Sorry I lost this thread over the weekend doing stuff with the kids.
Here is my new code. useredit.php: PHP Code:
PHP Code:
1. How secure is the code? Tips appreciated. 2. See #1. ;) Thanks again! Was pulling my hair out on this one for a while. |
You only want to be able for authorized users to update the info from a query result to the db. So all you need is.....verify user is logged in by session...then post the form to self. verify data and execute update query and return result.... The whole second part is obsolete......unless I've missed something :winkwink: |
SG: Heh, yep. You are right, BUT I did it that way to help me understand the process better. Originally I had it as one file posting to SELF but as the whole code didn't work at the time, nothing happened. I plan on cleaning it up and using 1 file.
Anything look scary to ya other than that? Thanks in advance! :thumbsup |
It's easy to see where things go wrong without splitting things up, which makes me check double the amount of code. If you print a simple comment after a step is completed you can find problems a lot faster. I'll look at your code later if you want; right now I looked at it for 2 seconds just to see what you're trying to do..... As mentioned earlier, you can improve the way you run the queries to avoid vulnerabilities like MySQL injection, which currently is one of the most popular methods to exploit scripts/servers... and you can also add some better error checks to avoid problems that can happen by users fucking with the data they enter in the fields..... I'll check back later to see if I see something I think could be improved in case nobody else suggested it before me......... The first thing I'd do is get rid of all the double stuff that's not needed........ and post your latest result so people can help you and don't tell you things about things you already changed :-) |