|
PHP - How Can I Stop The User From Editing The $_get Variable
I have coded a database and I dont like how the user can edit the titles through the get variable. Is there anyway I could stop that? Wouldnt getting each request from the database slow down the site?
<?php include "config.php"; include "functions.php"; $SITEURL = addSlash($SITEURL); $action = $_GET['action']; $state = $_GET['state']; $city = $_GET['city']; $id = $_GET['id']; echo $SITEURL; switch($action) { case 'cities': include 'templates/cities.php'; break; case 'place': include 'templates/place.php'; break; case 'places': include 'templates/places.php'; break; default: include 'templates/home.php'; break; } ?> #places.php <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title><?php echo $siteTitle; ?></title> </head> <body> <h2><?php echo $SITETOPIC." in ".$city.",".getStateName($state); ?></h2> <?php $query = "SELECT DISTINCT biz_name, biz_id FROM animalshelter WHERE city = '".$city."'"; $result = mysql_query($query) or die(mysql_error()); while ($row = mysql_fetch_array($result)) { echo "<a href=http://".$SITEURL."place/".$state."/".urlencode($city)."/".$row['biz_id'].">".$row['biz_name']."</a><br />"; } ?> </body> </html> #.htaccess # .htaccess mod_rewrite # demo.com Options +FollowSymlinks Options +Indexes RewriteEngine On RewriteBase /databaseSite/ ErrorDocument 404 /templates/404.php RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-l RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)$ index.php?action=$1&state=$2 [QSA,NC] RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)$ index.php?action=$1&state=$2&city=$3 [QSA,NC] RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)/([0-9]+)$ index.php?action=$1&state=$2&city=$3&id=$4 [QSA,NC] Similar TutorialsHi guys, I am trying to put together a little system that allows users to log onto my website and access there own personal page. I am creating each page myself and uploading content specific to them which cannot be viewed by anyone else. I have got the system to work up as far as: 1/ The user logs in 2/ Once logged in they are re-directed to their own page using 'theirusername.php' Thats all good and working how I need it too. The problem I have is this. If I log onto the website using USER A details - I get taken to USER A's page like I should but - If I then go to my browser and type in USERBdetails.php I can then access USER B's page. This cannot happen!! I need for USER A not to be able to access USER B profile - there is obviously no point in the login otherwise! If you are not logged in you obviously cannot access any secure page. That much is working! Please find below the code I am using: LOGIN <?php session_start(); function dbconnect() { $link = mysql_connect("localhost", "username", "password") or die ("Error: ".mysql_error()); } ?> <?php if(isset($_SESSION['loggedin'])) { header("Location:" . strtolower($username) . ".php"); if(isset($_POST['submit'])) { $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $mysql = mysql_query("SELECT * FROM clients WHERE username = '{$username}' AND password = '{$password}'"); if(mysql_num_rows($mysql) < 1) { die("Password or Username incorrect! Please <a href='login.php'>click here</a> to try again"); } $_SESSION['loggedin'] = "YES"; $_SESSION['username'] = $username; $_SESSION['name'] header("Location:" . strtolower($username) . ".php"); } ?> HEADER ON EACH PHP PAGE <?php session_start(); if(!isset($_SESSION['loggedin'])) { die(Access to this page is restricted without a valid username and password); ?> --------------------------------------------------- Am I right in thinking it is something to do with the "loggedin" part? The system I have here is adapted from a normal login system I have been using for years. The original just checks the details and then does a 'session start'. This one obviously has to re-direct to a user specific page. To do this I used the <<header("Location:" . strtolower($username) . ".php");>> line to redirect to a page such as "usera.php" or "userb.php" Any help would be greatly appreciated! Ta Hi, Firstly, I am a complete newcomer to PHP though I am enjoying my first tentative steps into learning the language! I have been searching Google for hours now to try and find a simple solution to a problem I just can't seem to figure out, though I thought would be easy to find? I have found a lot of very informative solutions to other questions on this forum so figured it was the best one to join? My question is: I have built and can interact with a simple database and now populate a page with usernames in a list. Each one is a link which, when clicked sends the username to another page. On this page I use the $_GET function and see the username displayed ok. What I can't figure out is how to then display other information about them from the fields in the database identified with that user? Any help would be greatly appreciated as this is driving me nuts! Also can anyone suggest a good book for learning PHP? There are lots out there but the reviews on Amazon seem to always talk about coding errors in print etc. so I really don't know which one to buy? FF Hello all, I am terribly confused about the following code, for some reason $tourn keeps going back to 0 for no reason! This code: <?php include 'header.php'; $tourn = $_GET['extourn']; echo "first ".$tourn."<br />"; if($tourn=0){ echo "tourn1 is ".$tourn."<br />"; } else{ echo "tourn2 is ".$tourn."<br />"; } ?> returns this: Quote first 4 tourn2 is 0 While tourn2 should return 4 as well. I have tried a million different versions, including switches and everything and just can't understand it. Please help! Hello! I was wondering if this could be done... I want to take a variable, and insert it into a URL for a $_GET on a different page? Basically Its a member website, and I want the admin to be able to "accept" or "deny" the application... So i have a page that displays all the applications, and I want it to take him to a different page with all the user's information in detail. Right now it only displays their name, but when the admin presses the link, it takes them to a more detailed page about the applicant, where they can then "accept" or "deny" the application.... Here is what i got so far... Code: [Select] $character_name = "Nightmareinhell"; <a href="admin_evaluate.php?name=$character_name">$character_name</a> Here is the error I get from the code above Quote Parse error: syntax error, unexpected T_STRING in C:\wamp\www\admin_acceptapply.php Thanks to any help!!!! having a problem using get variables to include certain pages. I have a management script for a news feed that uses get variables to display certain parts of the script. here is the template/ main part of the script <?php session_start(); require_once("vars.php"); $username = $_SESSION['username']; $is_admin = $_SESSION['is_admin']; $referer = $_SERVER['HTTP_REFERER']; //check to see if user is logged in and is an administrator if((isset($_SESSION['username'])) && ($_SESSION['is_admin'] == 1)){ //if all session variables are set, display admin panel ?> <html> <head> <title>Administration</title> <link rel="stylesheet" type="text/css" href="/cameo/css/admin.css" media="screen" /> </head> <body> <table cellspacing="0" cellpadding="3" class="layout"> <tr> <td colspan="2"><h3>Administration</h3></td> </tr> <tr> <td valign="top"> <a href="index.php?pg=news">Manage News Feed</a> </td> <td> <?php $id = $_GET['pg']; switch($id){ case news: include("manage_news.php"); case editpost: include('edit_post.php'); break; } ?> </td> </tr> </table> </body> </html> <?php } else { echo("You do not have permission to view this page. <br />"); echo("<a href=\"".$referer."\">Go Back</a>"); } ?> and heres the edit post page that the script refers to <?php require_once("vars.php"); $id = $_GET['id']; $query = "SELECT * FROM news_feed WHERE id=".$id; $result = mysqli_query($dbc,$query); $row = mysqli_fetch_array($result); ?> <form method="post" action="update.php"> <textarea><?php echo $row['post_body']; ?></textarea> </form> now, for some reason, the edit post form is showing up under the main news feed listing, even though the get id does not match the one in the switch statement. thanks in advance for any help The code below works echo '<script language="javascript">'; echo 'top.location.href = "/breaking-news/bsnewsstorygoeshere/";'; echo '</script>'; this also works echo '<script language="javascript">'; echo 'top.location.href = "http://anywebsite.com";'; echo '</script>'; the problem, is I have a URL listed in a url variable that can be retreived via $_GET['url'] my question is how to get that variable into the above code? I've tried echo '<script language="javascript">'; echo "top.location.href = \"$_GET['url']\";"; echo '</script>'; but that doesnt seem to work, can anyone advise? User clicks on a url, ie: example.com/AEQ438J When I perform this in the code below: Code: [Select] $referrer = $_GET['_url']; // echo $referrer displays the referrer ID contents correctly as "AEQ438J" if ( ! empty($referrer)) { $mysqli->query("UPDATE coming_soon_emails SET clicks = clicks + 1 WHERE code='" . $referrer ."'"); } // this also updates the database correctly as it should if (!empty($_POST['email'])){ // echo $referrer displays the referrer ID contents as BLANK. It should display "AEQ438J"! ..... $referrer displays correctly BEFORE if($_POST['form']), however during the if($_POST['form']) $referrer is empty. How can I fix my code so that $referrer is not empty during the time the user posts their email address in the form? Thank you! Complete PHP and HTML Code: [Select] <?php require "includes/connect.php"; //var_dump($_GET);die; function gen_code($codeLen = 7) { $code = ''; for ($i=0; $i<$codeLen; $i++) { $d=rand(1,30)%2; $code .= $d ? chr(rand(65,90)) : chr(rand(48,57)); } return $code; } function add_code($email_id) { global $mysqli; $code = gen_code(7); $mysqli->query("UPDATE coming_soon_emails SET code='" . $code ."' WHERE email_id='" . $email_id . "'"); if($mysqli->affected_rows != 1) { add_code($email_id); } else return $code; } $msg = ''; $referrer = $_GET['_url']; // echo $referrer displays the referrer ID contents correctly if ( ! empty($referrer)) { $mysqli->query("UPDATE coming_soon_emails SET clicks = clicks + 1 WHERE code='" . $referrer ."'"); } if (!empty($_POST['email'])){ // echo $referrer displays the referrer ID contents as BLANK // Requested with AJAX: $ajax = ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'); try{ if(!filter_input(INPUT_POST,'email',FILTER_VALIDATE_EMAIL)){ throw new Exception('Invalid Email!'); } $mysqli->query("INSERT INTO coming_soon_emails SET email='".$mysqli->real_escape_string($_POST['email'])."'"); if($mysqli->affected_rows != 1){ throw new Exception('This email already exists in the database.'); } else { $email_code = add_code($mysqli->insert_id); } $msg = "http://www.example.com/" . $email_code; //the following doesn't work as referrer is now empty :( if ( ! empty($referrer)) { $mysqli->query("UPDATE coming_soon_emails SET signup = signup + 1 WHERE code='" . $referrer ."'"); } if($ajax){ die(json_encode(array('msg' => $msg))); } } catch (Exception $e){ if($ajax){ die(json_encode(array('error'=>$e->getMessage()))); } $msg = $e->getMessage(); } } ?> <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title></title> <link rel="stylesheet" type="text/css" href="css/styles.css" /> </head> <body> <div id="launch"> <form id="form" method="post" action=""> <input type="text" id="email" name="email" value="<?php echo $msg;?>" /> <input type="submit" value="Submit" id="submitButton" /> </form> <div id="invite"> <p style="margin-top:20px;">The ID of who referred you: <?php echo $referrer; //this displays correctly?>)</p> <p style="margin-top:20px;"><span id="code" style="font-weight:bold;"> </span></p> </div> </div> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.min.js"></script> <script src="js/script.js"></script> </body> </html> script.js Code: [Select] $(document).ready(function(){ // Binding event listeners for the form on document ready $('#email').defaultText('Your Email Address'); // 'working' prevents multiple submissions var working = false; $('#form').submit(function(){ if(working){ return false; } working = true; $.post("./index.php",{email:$('#email').val()},function(r){ if(r.error){ $('#email').val(r.error); } else { $('#email').val(r.msg); // not needed but gets hidden anyways... $('#launch form').hide(); $("#code").html(r.msg); $("#invite").fadeIn('slow'); } working = false; },'json'); return false; }); }); // A custom jQuery method for placeholder text: $.fn.defaultText = function(value){ var element = this.eq(0); element.data('defaultText',value); element.focus(function(){ if(element.val() == value){ element.val('').removeClass('defaultText'); } }).blur(function(){ if(element.val() == '' || element.val() == value){ element.addClass('defaultText').val(value); } }); return element.blur(); } htaccess Code: [Select] RewriteEngine on RewriteCond %{HTTP_HOST} ^my-url.com RewriteRule (.*) http://www.my-url.com/$1 [R=301,L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([a-z0-9]+)$ /index.php?_url=$1 [NC,L,QSA] table.sql Code: [Select] CREATE TABLE IF NOT EXISTS `coming_soon_emails` ( `email_id` int(11) NOT NULL auto_increment, `email` varchar(64) collate utf8_unicode_ci NOT NULL, `code` char(7) collate utf8_unicode_ci DEFAULT NULL, `clicks` int(64) collate utf8_unicode_ci DEFAULT 0, `signup` int(64) collate utf8_unicode_ci DEFAULT 0, `ts` timestamp NOT NULL default CURRENT_TIMESTAMP, PRIMARY KEY (`email_id`), UNIQUE KEY `email` (`email`), UNIQUE KEY `code` (`code`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; I am trying to allow the user to update a variable he chooses by radio buttons, which they will then input text into a box, and submit, to change some attributes. I really need some help here. It works just fine until I add the second layer of variables on top of it, and I can't find the answer to this question anywhere. <?PHP require('connect.php'); ?> <form action ='' method='post'> <select name="id"> <?php $extract = mysql_query("SELECT * FROM cars"); while($row=mysql_fetch_assoc($extract)){ $id = $row['id']; $make= $row['make']; $model= $row['model']; $year= $row['year']; $color= $row['color']; echo "<option value=$id>$color $year $make $model</option> ";}?> </select> Which attribute would you like to change?<br /> <input type="radio" name="getchanged" value="make"/>Make<br /> <input type="radio" name="getchanged" value="model"/>Model<br /> <input type="radio" name="getchanged" value="year" />Year<br /> <input type="radio" name="getchanged" value="color" />Color<br /><br /> <br /><input type='text' value='' name='tochange'> <input type='submit' value='Change' name='submit'> </form> //This is where I need help... <?PHP if(isset($_POST['submit'])&&($_POST['tochange'])){ mysql_query(" UPDATE cars SET '$_POST[getchanged]'='$_POST[tochange]' where id = '$_POST[id]' ");}?> Hi, I think this is probably a logical error rather than a syntax one I have a function that displays the first image in a photo album in large and all the photos in it as thumbnails. I have a next and previous button that allows you to scroll through them (in large) and by clicking a specific thumbnail you can load that picture in large. My problem is that the pictures are stored in an array and the one to be shown large is selected by $keyid. My problem is that selecting a thumbnail resets the $keyid so that clicking next doesn't load the next image but the second. i.e. if you press the next arrow then click the 4th thumbnail and then click the next arrow again it loads the 2nd picture rather than the 5th as it should. How can I avoid this happening? This is my code: generateThumbnails(); $act = 0; $keyid = (isset($_GET['keyid']) ? $_GET['keyid']:'0'); $Picturecount = (count(glob("" . $dir . "*.jpg")))/2; $thumb_selected = (isset($_GET['thumb']) ? $_GET['thumb']:''); $picture_array = glob("$dir*"); if ($thumb_selected !==""){ $dirName = substr($thumb_selected,0,strpos($thumb_selected,basename($thumb_selected))); $thumbName = basename($thumb_selected); $thumbFile = $dirName.$thumbName; $selected = str_replace('_th.jpg','.jpg',$thumbFile); foreach ($picture_array as $search){ $keyid = array_search($selected,$picture_array); $large = $picture_array[$keyid]; }} else{ if($keyid > (2*$Picturecount-1)){ $keyid = ($keyid - (2*$Picturecount));} if($keyid < 0){ $keyid = (2*$Picturecount+$keyid);} $large = $picture_array[$keyid];} echo " <tr><td><a href='?album=$album&keyid=" . ($_GET['keyid']-2) . "'>Previous</a></td><td></td><td align='right'><a href='?album=$album&keyid=" . ($_GET['keyid']+2) . "'>Next</a></td></tr> <tr><td colspan='3' height='300' width='400' align='center'><img src='$large' alt=''></td></tr><tr><td height='50'></td></tr>"; Any help would be massively appreciated. Thanks very much! Hi, i need to run this past you guy's. I need a way to effectivly check if a user has entered correct "real" details in my registeration form and check if email is already in my database to prevent the user from registering twice? I need this as some unknown person is using the form and entering there details like this: Username: 1 Password: 1 email: 1 It's really annoying as they are doing this several times so i have around 13 rows of just "1" in my table now! grr!! so far ive got: Form: <input name="upassword" type="password" class="style7" id="upassword"> <span class="style7">Email</span> <span class="style7">:</span> <input name="email" type="text" class="style7" id="email"> <span class="style7"></span> <span class="style7"></span> <input name="Submit" type="submit" class="style7" value="Register" /> </form> Script: Code: [Select] <?php if ($db_found) { $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')"; $result = mysql_query($SQL); header( 'Location: http://www.removalspace.com/index.php' ); exit(); } else { print "Database NOT Found "; mysql_close($db_handle); } ?> But i need it to perform the checks aswell as drop the "real" data in to MySQL? Any ideas please? So i have this CMS that is used by lots of users and generally they do have rights to edit each others article. So now i'm thinking how can i at least warn them that somebody else is already editing it. Just that. maybe with sessions? but what happens when a user just closes the windows, will it destroy it. i taught about storing the value to mySQL but again what if the user closes the windows and so on. i never did this and i could use a boost. thanks guys A few months ago, and a good amount of time before that, I had people telling me to use isset() instead of performing to see if the variable is empty, such as: !$_GET[''] I know the differences in the function and what they do, but when could isset() be used in a situation where it's better/more efficient then: !$_GET[''] I do use isset(), though. Well this may sound confusing. I tried to findways to allow users to input an integer value and then assign it to a variable called $quantity, but all I could find from the internet was the usage of forms. Do I have to use forms, or can I just try this this simple syntax: $quantity = "<input name='quantity' type='text' id='quantity' size='3' maxlength='3'>"; If I do have to use forms, then how can I ever assign user's input value to a variable? Please help. Quote Hi guys, I have a question, I have a fairly large site wich we have resellers for, but in certain circumstances for admin purposes, we need to be able to login under the same credentials EG: I might be doing something on one machine and i need to log in on another machine to do something else but with my user name and pass At the moment when i try to to this It will log out the session already logged in when i try to log in from the other machine Is there away around this,, i suspect that when i log in from the other machine its ending the first session Any Idears Guys and Gals..... really stuck so the user is reading a story, to finish reading he has to click a link that redirects them to the signup page. Code: [Select] <?php session_start(); $beginurl = $_SERVER['HTTP_REFERER']; $_SESSION['beginurl'] = $beginurl; echo $_SESSION['beginurl']; ?> <html> <head> </head> <body> <script type="text/javascript"><!-- location.replace("http://www.mysite.com/members/"); //--></script> </body> </html> When they get to the second page, they have to click a link that opens up a modal. this is the code that runs when they hit the register button Code: [Select] session_start(); $beginurl = $_SESSION['beginurl']; $beginurl= (isset($_SESSION['beginurl'])) ? $_SESSION['beginurl'] : 'Error'; if( $_SESSION['status'] ='authorized') $_SESSION['$makemodal'] = 0; //sends the user to the page upon successful password credential if(!isset($_SESSION['SESS_USERID'])||(trim($_SESSION['SESS_USERID']=='admin'))) { echo '<script language="javascript">'; echo "top.location.href = $beginurl"; echo '</script>'; exit(); } Am I passing this variable correctly? and I'm not sure if the top.location.href towards the bottom is correct either, right now after I hit the register button I'm redirected to a blank page where the url is, "http://www.mysite.com/function Error() { [native code]}" Unless buffer overflows or breaking out of code to perform a new command are problems that have been solved.... I am trying to figure out the proper PHP method for setting a boundary on a variable within a script. I have this variable $name which is fed a value from $_POST['name'] from a form field. Now this form field is limited in the HTML to accept only 20 characters, but someone could easily edit the form or outgoing post data. So I want to know how to limit the variable size in the script. In other languages it could be something like this: var name(20). So how do I do that in PHP? I would appreciate your assistance, there are tons of login scripts and they work just fine. However I need my operators to login and then list their activities for the other operators who are logged in to see and if desired send their clients on the desired activity. I have the login working like a charm and the activities are listed just beautifully. How do I combine the two tables in the MySQL with PHP so the operator Logged in can only make changes to his listing but see the others. FIRST THE ONE script the member logges in here to the one table in MSQL: <?php session_start(); require_once('config.php'); $errmsg_arr = array(); $errflag = false; $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } $login = clean($_POST['login']); $password = clean($_POST['password']); if($login == '') { $errmsg_arr[] = 'Login ID missing'; $errflag = true; } if($password == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: login-form.php"); exit(); } $qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'"; $result=mysql_query($qry); if($result) { if(mysql_num_rows($result) == 1) { session_regenerate_id(); $member = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $member['member_id']; $_SESSION['SESS_FIRST_NAME'] = $member['firstname']; $_SESSION['SESS_LAST_NAME'] = $member['lastname']; session_write_close(); header("location: member-index.php"); exit(); }else { header("location: login-failed.php"); exit(); } }else { die("Query failed"); } ?> ................................................. ................................ Now I need the person who logged in to the table above to be able to make multiple entries to the table below <? $ID=$_POST['ID']; $title=$_POST['title']; $cost=$_POST['cost']; $activity=$_POST['activity']; $ayear=$_POST['aday']; $aday=$_POST['ayear']; $seats=$_POST['special']; $special=$_POST['seats']; mysql_connect("xxxxxx", "xxx350234427", "========") or die(mysql_error()); mysql_select_db("xxxx") or die(mysql_error()); mysql_query("INSERT INTO `activity` VALUES ('ID','$title', '$cost','$activity', '$aday', '$ayear', '$special', '$seats')"); Print "Your information has been successfully added to the database!" ?> Click <a href="member-profile.php">HERE</a> to return to the main menu <?php ?> hi, i have made a website where people resgister their details of them and products. they have to enter the following details in form Name of company name of the product company address email id password mobile number contact and brief details about their company
user can then login with email id and pwd. now after login ..user will get a page where he can upload the photos of products images and their price, so now my question is that when he finishes uploading (|by clicking on upload button) the product images and price text box ..then on final uploaded webspage it should show all other things which he registerd before (company name , mobile number etc) along with images and price...hence the main question that user does not need to enter mobile and address while uploading images and filling proce ..but on the final page it should show mobile and address along with price and images..as user is not going to enter mobile and address again and again as he will have multiple products to upload.
Hi, so far I have managed to set up a somewhat basic login website with a mysql database backend. Once they have logged on they go to a "main menu" page. What I need to define is that user A sees button A but only that button, etc. (Then of course that same rule would have to apply if they tried to directly go to the page, but I am guessing I can do that in the same way that I currently do to force a login). If anyone has any tutorials or sample code I would much appreciate it. Thanks, Actually, what i want to do is to use the email to fetch the $email,$password and $randomnumber from database after |
|||||||