|
PHP - Stop User A From Being Able To Access User B's Profile Page
Hi guys,
I am trying to put together a little system that allows users to log onto my website and access there own personal page. I am creating each page myself and uploading content specific to them which cannot be viewed by anyone else. I have got the system to work up as far as: 1/ The user logs in 2/ Once logged in they are re-directed to their own page using 'theirusername.php' Thats all good and working how I need it too. The problem I have is this. If I log onto the website using USER A details - I get taken to USER A's page like I should but - If I then go to my browser and type in USERBdetails.php I can then access USER B's page. This cannot happen!! I need for USER A not to be able to access USER B profile - there is obviously no point in the login otherwise! If you are not logged in you obviously cannot access any secure page. That much is working! Please find below the code I am using: LOGIN <?php session_start(); function dbconnect() { $link = mysql_connect("localhost", "username", "password") or die ("Error: ".mysql_error()); } ?> <?php if(isset($_SESSION['loggedin'])) { header("Location:" . strtolower($username) . ".php"); if(isset($_POST['submit'])) { $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $mysql = mysql_query("SELECT * FROM clients WHERE username = '{$username}' AND password = '{$password}'"); if(mysql_num_rows($mysql) < 1) { die("Password or Username incorrect! Please <a href='login.php'>click here</a> to try again"); } $_SESSION['loggedin'] = "YES"; $_SESSION['username'] = $username; $_SESSION['name'] header("Location:" . strtolower($username) . ".php"); } ?> HEADER ON EACH PHP PAGE <?php session_start(); if(!isset($_SESSION['loggedin'])) { die(Access to this page is restricted without a valid username and password); ?> --------------------------------------------------- Am I right in thinking it is something to do with the "loggedin" part? The system I have here is adapted from a normal login system I have been using for years. The original just checks the details and then does a 'session start'. This one obviously has to re-direct to a user specific page. To do this I used the <<header("Location:" . strtolower($username) . ".php");>> line to redirect to a page such as "usera.php" or "userb.php" Any help would be greatly appreciated! Ta Similar TutorialsHi, I have to ask about profile page for each user like facebook and netlog. As u can see in netlog it is like this http://en.netlog.com/ElegantLeo and i have a site http://cyprussaver.com/merchant.php?id=64 and here each merchant profile can be viewed like this but i need to show them like this http://cyprussaver.com/rocksman please guide me what i have to do in order to achieve this result. Thanks, Hanan ALi Hi, I am making a dating site where I have made the user profile edit page visible to the user when they log in, and I think I can get away with not showing the user their "public" profile view. But I definitely need to show other users on the site the "public" non editing profile page view. But I don't know how to do this. I have yet to create the search, search results, thumbnails with optional descriptions of the possible dating results. But I first want to just get 2 versions of the user profile page view. One that the user sees that I have already done. (The editable one). And the other I need to make which is the page the other users will see, (The public profile) Please if anyone has any idea how to do this I would greatly appreciate it, especially if you have any pseudocode ideas. thank you. Hi, I am getting frustrated beyond belief at the moment with trying to get a very simple script to run, I am using PHP 5.3.3 and MySQL 5.1 on a Win2k8 server with IIS7.5. Basically my script is connecting to a local database, running a single select query, returning those rows and building up a string from them. The problem is that I am receiving complete BS responses from PHP that the access is denied for the user being specified. This is complete rubbish since the user can connect via mysql, sqlyog, ASP.NET MVC without issue but for some bizarre reason it is not working via PHP. The code for the script is here : Code: [Select] <?php $mysql = mysql_connect('127.0.0.1:3306', 'myuser', 'mypass', 'mydatabase'); if (!$mysql) { die(mysql_error()); $content = "<nobr></nobr>"; } else { $result = mysql_query('SELECT * FROM tblEventGroup'); $content = "<nobr>"; if ($result) { while($row = mysql_fetch_assoc($result)) { $content .= "<span>"; $content .= $row['GroupName']; $content .= "</span>"; $content .= "<a href=\"../Event/EventSearch?groupid="; $content .= $row['GroupId']; $content .= "\" target=\"_blank\">Book here</a> "; } } mysql_close($mysql); $content .= "</nobr>"; } ?> I cannot for the life of me understand what the problem is, the return error is Access denied for user 'myuser'@'localhost' (using password: YES) Hi, I recently implemented a code to display user profile information. Well, it displays the username and password fine, but the edit function doesn't seem to be working. I edit the information, click submit, get a success message but the username and password didn't change. myprofile.php Code: [Select] <?php session_start(); include('config.php'); $sql = mysql_query( "SELECT * FROM users WHERE id='".$_SESSION['id']."'" ); echo "<h2>Profile</h2> <form method='post' action='editprofile.php'> <table>"; $row = mysql_fetch_array($sql); echo "<tr><th>Name: </th><td>".$row['username']."</td></tr> <tr><th>Password: </th><td><input type='password' value='".$row['password']."' disabled='true' /></td></tr>"; echo "</table><br /> <input type='submit' value='edit profile' /> </form>"; ?> editprofile.php Code: [Select] <?php include('config.php'); if(isset($_POST['btnedit'])){ $username = $_POST['username']; $password = $_POST['password']; $sql = mysql_query( "UPDATE users SET username='".$username."', password='".$password."' WHERE id='".$_SESSION['id']."'" ); if($sql){ echo "<script>alert('profile updated');window.location='myprofile.php'</script>"; }else{ echo "<script>alert('updating profile failed!');</script>"; } } $sql = mysql_query( "SELECT * FROM users WHERE id='".$_SESSION['id']."'" ); $row = mysql_fetch_array($sql); echo "<h2>Edit profile</h2> <form method='post'> <table> <tr><th>registered:</th><td><input type='text' name='username' value='".$row['username']."'/></td></tr> <tr><th>password:</th><td><input type='password' name='password' value='".$row['password']."'/></td></tr> </table><br /> <input type='submit' name='btnedit' value='update' /> </form>"; ?> Hello all, i require some assistance in a bit of PHP/MySql code. I have a website setup with register/login scripts already wrote, i also have a basic members page for now, that has there user ID assigned to it for example members.php?id=$id, which is there ID from the database. I have a members list which shows all members with links to there profiles, now i when i mouse over the link, it will says members.php?id=1 and so on, which is correct but when clicking on any of the members to go to there profile it is my own details that is shown on there profile instead of theres. members.php <?php session_start(); mysql_connect("localhost","root") or die(mysql_error()); mysql_select_db("hireacoder") or die(mysql_error()); $user = $SESSION['username']; $sql = mysql_query("SELECT * FROM users WHERE username='$user'"); $row = mysql_fetch_assoc($sql); echo $row['username']; echo'<br>'; echo $row['fname']; echo'<br>'; echo $row['lname']; echo'<a href="users.php">Users</a>'; ?> users.php <?php session_start(); mysql_connect("localhost","root") or die(mysql_error()); mysql_select_db("hireacoder") or die(mysql_error()); echo "<table border='0'> <tr> <th>UserName</th> </tr>"; $sql = mysql_query("SELECT * FROM users ORDER BY ID"); while($row = mysql_fetch_assoc($sql)) { $id = $row['id']; $username = $row['username']; echo" <tr> <td> <a href='members.php?id=$id'>".$username."</a> </td> </tr>"; } echo "</table>"; ?> Now i know what the problem is, the query is getting the details from the DB with the username = the session user which is me and that is why my details show up on all profiles, but i dont know any other way to do it, any help with be very apprciated thanks you. Good Day PHP world,
I am encountering a problem in php code meant to allow the user to update their profile picture.
I am using jquery.min and jquery.js. The code below runs with no errors reported. The file has been successfully uploaded to upload path using this form.
upload.php
<form id="imageform" method="post" enctype="multipart/form-data" action='ajaximage.php'> <input type="file" name="photoimg" id="photoimg" class="stylesmall"/> </form>ajaximage.php
$path = "uploads/";
$valid_formats = array("jpg", "png", "gif", "bmp","jpeg");
if(isset($_POST) and $_SERVER['REQUEST_METHOD'] == "POST")
{
$name = $_FILES['photoimg']['name'];
$size = $_FILES['photoimg']['size'];
if(strlen($name))
{
list($txt, $ext) = explode(".", $name);
if(in_array($ext,$valid_formats))
{
if($size<(1024*1024)) // Image size max 1 MB
{
$actual_image_name = $name.".".$ext;
$tmp = $_FILES['photoimg']['tmp_name'];
if(move_uploaded_file($tmp, $path.$actual_image_name))
{
$query = "UPDATE users SET profile_image='$actual_image_name' WHERE student_id='{$_SESSION['user_id']}'";
$result = mysqli_query($link_id, $query);
echo "<img src='uploads/".$actual_image_name."' class='preview'>";
}
The problem is the image being uploaded does not display on the
Student_home.php
<div id="about-img">
<img class="profile-photo" align="middle" src='uploads/".$actual_image_name."' />
</div>
But the image uploaded will display when i write directly its filename example
<div id="about-img">
<img class="profile-photo" align="middle" src="uploads/107.jpg" />
</div>
My problem is i wanted to display the uploaded picture of the specific student on Student_Home.php
Right ive got a user profile that i want a add friend button but i coded a little something what i fort wud work but no luck <?php session_start(); include "includes/db_connect.php"; include "includes/functions.php"; include"includes/smile.php"; logincheck(); $username=$_SESSION['username']; $viewuser=$_GET['viewuser']; $fetch=mysql_fetch_object(mysql_query("SELECT * FROM users WHERE username='$viewuser'")); if (!$fetch){ echo "No such user"; $totalf = mysql_num_rows(mysql_query("SELECT * FROM friends WHERE username = '$viewuser' AND active='1'")); $invite_text="<div>$username Has Sent You A Friend Request<br> <input name=Yes_Accept type=submit id=yes value=Accept Invite class=abutton> <input name=No_accept type=submit value=Decline Invite class=abutton></div><input type=hidden name=invite_id value=$bar2>"; if (($_GET['fri'])){ $exicst=mysql_query("SELECT * FROM users WHERE username='$viewuser'"); $nums=mysql_num_rows($exicst); $adding=mysql_fetch_object($exicst); $already=mysql_num_rows(mysql_query("SELECT * FROM friends WHERE type='Friend' AND person='$viewuser' AND username='$username'")); if ($already != "0"){ echo "<center><font color=orange><b><br>This user is already your friend.<br><br></font>"; }elseif ($already == "0"){ mysql_query("INSERT INTO `friends` ( `id` , `username` , `person` , `type` , `active`) VALUES ( '', '$username', '$viewuser', 'Friend' , '0' )"); mysql_query("INSERT INTO `friends` ( `id` , `username` , `person` , `type` , `active`) VALUES ( '', '$viewuser', '$username', 'Friend' , '0' )"); mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `subject` , `date` , `read`) VALUES ( '', '$viewuser', '$username', '$invite_text' , 'Friend Request' , '$date' , '0' )"); $bar2=mysql_insert_id(); echo "<center><font color=orange><br>Your Friend Invitation Was Sent To $viewuser<br><br></font>"; exit(); } }} ?> <a href=?fri=Yes>Add Friend +</a> It just adds a blank person and comes back with No Such User and Your Friend Invitation Was Sent To I think ive put some things in the wrong place to be honest but as im not a pro i easily miss things Hi All, I am currently struggling with the my user info function which is supposed to display an image on my profile page along with the following parts of information taken from my database. The error is a mysql error stating that the $info = mysql_fetch_assoc($result); is not a valid arguement. Code: [Select] function fetch_user_info($uid) { $uid=(int)$uid; $sql = "SELECT `user_id AS `id` `user_username` AS `username`, `user_firstname` AS `firstname`, `user_lastname` AS `lastname`, `user_email` AS `email`, `user_location` AS `location`, `user_about` AS `about`, `user_gender` AS `gender` FROM `users` WHERE `user_id` = {$uid}"; $result = mysql_query($sql); $info = mysql_fetch_assoc($result); $info['avatar'] = "core/user_avatars/{$info['id']}.jpg"; return $info; } I have looked through the code a few times, but I can tell what is wrong. I have included below the profile page code in case it may be an issue there. Code: [Select] <?php include('core/init.inc.php'); $userinfo = fetch_user_info($_GET['uid']); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title><?php echo $userinfo ['username']; ?>'s Profile</title> </head> <body> <div> <?php if($userinfo == false) { echo 'Sorry, the user does not exist.'; } else { ?> <h1><?php echo $userinfo ['firstname']; ?> <?php echo $userinfo ['lastname']; ?></h1> <img src="<?php echo $userinfo['avatar'];?>" alt="avatar"/> <p>Username: <?php echo $userinfo ['username']; ?></p> <p>First Name: <?php echo $userinfo ['firstname']; ?></p> <p>Last Name: <?php echo $userinfo ['lastname']; ?></p> <p>Gender: <?php echo ($userinfo ['gender'] == 1) ? 'Male' : 'Female'; ?></p> <p>Email: <?php echo $userinfo ['email']; ?></p> <p>Location: <?php echo $userinfo ['location']; ?></p> <p>About: <?php echo $userinfo ['about']; ?></p> </div> <?php } ?> </body> </html> Thanks Jamie I am trying to upload files to a user profile system. here is the profile page Code: [Select] <?php include('core/init.inc.php'); if (isset($_POST['email'], $_POST['location'], $_POST['about'])) { $errors = array(); if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = "The email address you entered is not valid"; } if(preg_match('#^[a-z0-9 ]+$#i',$_POST['location'])===0) { $errors[] = 'Your location must only contain A-Z 0-9 and spaces.'; } if (empty($_FILES['avatar']['tmp_name']) === false) { $file_ext = end(explode('.', $_FILES['avatar']['name'])); if(in_array(strtolower($file_ext), array('jpg', 'jpeg', 'gif', 'png')) === false) { $errors[] = 'Your avatar must be an image.'; } } if(empty($errors)) { print_r($_FILES); set_profile_info($_POST['email'],$_POST['location'],$_POST['about'], (empty($_FILES['avatar']['tmp_name'])) ? false : $_FILES['avatar']['tmp_name']); } $userinfo = array( 'email' => htmlentities($_POST['email']), 'location' => htmlentities($_POST['location']), 'about' => htmlentities($_POST['about']) ); } else { $userinfo = fetch_user_info($_SESSION['uid']); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Edit your Profile</title> </head> <body> <div> <?php if(isset($errors) == false) { echo 'Click update to edit your profile.'; } else if(empty($errors)) { echo 'Your profile has been updated.'; } else { echo '<ul><li>', implode('</li><li>', $errors), '</li></ul>'; } ?> </div> <form action="" method="post" enctype="multipart/form-data"> <div> <label for="email">Email: </label> <input type="text" name="email" id="email" value="<?php echo $userinfo['email']; ?>" /> </div> <div> <label for="location">Location: </label> <input type="text" name="location" id="location" value="<?php echo $userinfo['location']; ?>" /> </div> <div> <label for="about">About Me: </label> <textarea name="about" id="about" rows="14" cols="50"><?php echo strip_tags($userinfo['about']); ?></textarea> </div> <div> <label for="avatar">Avatar: </label> <input type="file" name="avatar" id="avatar"/> </div> <div> <input type="submit" value="Update" /> </div> </form> </body> </html> here is the function taken from an external file Code: [Select] function set_profile_info($email, $location,$about,$avatar) { $email = mysql_escape_string(htmlentities($email)); $about = mysql_escape_string(nl2br(htmlentities($about))); $location = mysql_escape_string($location); if (file_exists($avatar)) { $src_size = getimagesize($avatar); if ($src_size['mime'] === 'image/jpeg') { $src_img = imagecreatefromjpeg($avatar); } else if ($src_size['mime'] === 'image/png') { $src_img = imagecreatefrompng($avatar); } else if ($src_size['mime'] === 'image/gif') { $src_img = imagecreatefromgif($avatar); } else { $src_img = false; } if ($src_img !== false) { $thumb_width= 200; if($src_size[0] <= $thumb_width) { $thumb = $src_img; } else { $new_size[0] = $thumb_width; $new_size[1] = ($src_size[1] / $src_size[0]) * $thumb_width; $thumb = imagecreatetruecolor($new_size[0], $new_size[1]); imagecopyresampled($thumb, $src_img, 0, 0, 0, 0, $new_size[0], $new_size[1], $src_size[0], $src_size[1]); } imagejpeg($thumb, "{$GLOBALS['path']}/user_avatars/{$_SESSION['uid']}.jpg"); } } $sql = "UPDATE `users` SET `user_email` = '{$email}', `user_about` = '{$about}', `user_location` = '{$location}' WHERE `user_id` = {$_SESSION['uid']}"; mysql_query($sql); } Below I have returned the array of files to check if its been uploaded correctly. Array ( [avatar] => Array ( [name] => Sonic.jpg [type] => image/jpeg [tmp_name] => /var/tmp/php.waq8n [error] => 0 [size] => 48477 ) ) But I get this error message. Warning: imagecreatefromjpeg() [function.imagecreatefromjpeg]: '/var/tmp/php.waq8n' is not a valid JPEG file in /web/stud/u0963643/userprofilesection/finaluserprofile/core/inc/user.inc.php on line 71 If someone could point out where in this code I have made an error I would be very grateful Thanks Jamie Hello users: I am exploring the delightful world of PHP for web applications. I am in the stage where I need to use SESSIONS and COOKIES and MYSQL for a user/membership/profile structure. I understand most of the grammar behind PHP and am excited to apply this in application. I am searching for recommendations and comments about using: 1. COOKIES 2. SESSIONS 3. MYSQL/SQL Almost every website has an authentication mechanism, profile, and use information. My website required this similar structure, but I have been having some problems completing all of the technical steps for production. If anyone has code samples or places where I can review code on this topic, that would be wonderful. I am specifically searching for more advanced topics in these area for general robustness. Please kindly send me a message or respond to this post. Regards, Diamond Edited by Diamond, 30 December 2014 - 04:27 PM. Okay, I am going to try to explain this the best I can, I appreciate and thank you for your help in advance! Okay, this is what I am wanting to do. I want to create a user area on my website. I don't need a common page that every user see's but each user to have there own unique page that they are brought to once they log-in, where they will have there own content that I will change and update often. As for the usernames and passwords, I will be creating these when needed and giving them to the corresponding user, so I am not in need of a registration option. I am needing assistance on how to setup the MySQL database and the PHP coding for this. Remember, I am going to need to be able to add new users w/ passwords when needed. Thanks for your help! I have just set up MAMP on my new MacBook Pro and I am having trouble getting my MySQL connection working. When I use the following code: Code: [Select] $mysqli = new mysqli('localhost', 'application', 'application', 'dorset'); if ($mysqli->connect_errno) { echo "Failed to connect to MySQL: (".$mysqli-errno.") ".$mysqli->connect_error; } I get this error: Failed to connect to MySQL: () Access denied for user 'application'@'localhost' (using password: YES) However if I use the old mysql_connect() function, it doesnt throw back any errors?! Any ideas? I have coded a database and I dont like how the user can edit the titles through the get variable. Is there anyway I could stop that? Wouldnt getting each request from the database slow down the site? <?php include "config.php"; include "functions.php"; $SITEURL = addSlash($SITEURL); $action = $_GET['action']; $state = $_GET['state']; $city = $_GET['city']; $id = $_GET['id']; echo $SITEURL; switch($action) { case 'cities': include 'templates/cities.php'; break; case 'place': include 'templates/place.php'; break; case 'places': include 'templates/places.php'; break; default: include 'templates/home.php'; break; } ?> #places.php <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title><?php echo $siteTitle; ?></title> </head> <body> <h2><?php echo $SITETOPIC." in ".$city.",".getStateName($state); ?></h2> <?php $query = "SELECT DISTINCT biz_name, biz_id FROM animalshelter WHERE city = '".$city."'"; $result = mysql_query($query) or die(mysql_error()); while ($row = mysql_fetch_array($result)) { echo "<a href=http://".$SITEURL."place/".$state."/".urlencode($city)."/".$row['biz_id'].">".$row['biz_name']."</a><br />"; } ?> </body> </html> #.htaccess # .htaccess mod_rewrite # demo.com Options +FollowSymlinks Options +Indexes RewriteEngine On RewriteBase /databaseSite/ ErrorDocument 404 /templates/404.php RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-l RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)$ index.php?action=$1&state=$2 [QSA,NC] RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)$ index.php?action=$1&state=$2&city=$3 [QSA,NC] RewriteRule ^([a-zA-Z]+)/([a-zA-Z]+)/([a-zA-Z\+\_\-]+)/([0-9]+)$ index.php?action=$1&state=$2&city=$3&id=$4 [QSA,NC] Im using the script to let users login in to our site from 9.00 am to 6.00 pm from Monday To friday, timing is working fine but the day part don't, any ideas why, here is the top of the script is on the login.php page Code: [Select] <? $hour = date('H');//hour 1-24 $dayofweek = date('N');//numeric day of week 1=mon, 7=sun if($hour < 6 || $hour > 15 || $dayofweek > 5) { header( "Location:Messages.php?msg=12" ); }else { //login code session_start(); if(isset($_GET['reg'])){ $reg=$_GET['reg']; }else{ $reg=""; } if($reg==1){ $msg1="<font color=\"#FF6600\">Your details have been added, please login</font>"; }elseif($reg==2){ $msg1="<font color=\"#FF6600\">You have been successfully logged out.</font>"; } if(isset($_POST['submit'])){ if( empty($_POST['uname']) && (empty($_POST['upass']))){ header( "Location:Messages.php?msg=1" ); exit(); } //transfer to shorter var $n=$_POST['uname']; $p=$_POST['upass']; //connect to db include('config.php'); $query="SELECT * FROM user WHERE uname = '".$_POST['uname']."' AND pw = PASSWORD('".$_POST[upass]."')"; $result=mysql_query($query); $num=mysql_num_rows($result); if($num>0 ){ //put in session vars $mytime=time(); $mytime=date("H:i:s A",$mytime); $_SESSION['time'] = $mytime; $_SESSION['status'] = 'logged'; $_SESSION['username'] = $n; //goto next page header("location:Welcome.php"); exit; }else{ $_SESSION['status'] = 'not logged'; header( "Location:Messages.php?msg=2" ); exit(); } } } ?> I am working on an application and part of the requirements is to restrict the number of users that can log in based on a license. So on install, I will provide a license that allows for 10 user accounts to be created.
If the client requires 50, a different license will be provided that allows 50.
Regards Hi, I found a tutorial in building a poll, however it detects IP, so people can't vote multiple times, so I dissected the code into sections while removing the IP blocking, while still inserting the IP address into the database, the problem is that I get: Access denied for user 'ODBC'@'localhost' for the second page, I don't know where I went wrong, could anyone help me? I also attached the code and .sql file so that people can hack it and check where it got wrong. Thanks here is the original poll code <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" /> <?php //database settings $hostname = 'localhost'; $username = 'root'; $password = ''; $dbname = 'poll1'; $connect = mysql_connect($hostname, $username, $password); mysql_select_db($dbname); //Validation to check if the user has voted or not. If not yet voted, then insert the data to the database, otherwise //tell the user they voted if(isset($_POST['vote']) && isset($_POST['questions'])){ $query = mysql_query("SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND responses.ip='".$_SERVER['REMOTE_ADDR']."' AND pid=(SELECT pid FROM questions WHERE id='".$_POST['questions']."' LIMIT 1)"); if(mysql_num_rows($query) == 0){ $query = mysql_query("INSERT INTO responses (qid, ip) VALUES ('".$_POST['questions']."', '".$_SERVER['REMOTE_ADDR']."')"); } else { $error = 'You Already Voted'; } } else if(!isset($_POST['questions']) && isset($_POST['vote'])){ $error = 'Please select a response'; } ?> <?php //The poll script $query = mysql_query("SELECT * FROM poll ORDER BY id DESC LIMIT 1"); $rows = mysql_num_rows($query); if($rows > 0){ $poll = mysql_fetch_array($query); $title = $poll['name']; } else { $title = 'No Poll Yet'; } $me=array(); $query = mysql_query("SELECT COUNT(id) as hits FROM responses GROUP BY qid"); while($row = mysql_fetch_array($query)){ $me[] = $row['hits']; } $max = max($me); //echo "SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND responses.ip='".$_SERVER['REMOTE_ADDR']."' AND pid='".$poll['id']."'"; $query = mysql_query("SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND responses.ip='".$_SERVER['REMOTE_ADDR']."' AND pid='".$poll['id']."'"); if(mysql_num_rows($query) > 0){ $total = mysql_query("SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND pid='".$poll['id']."'"); $total = mysql_num_rows($total); ?> <table width="300" cellpadding="0" cellspacing="0" border="0" class="maintable" align="center"> <tr> <td valign="top" align="center" class="title"><h1><?php echo $title; ?></h1></td> </tr> <?php $query = mysql_query("SELECT * FROM questions WHERE pid='".$poll['id']."' ORDER BY id"); $questions = mysql_num_rows($query); if($questions > 0){ ?> <tr> <td valign="top" style="padding: 5px;"> <table width="100%" cellpadding="0" cellspacing="0" border="0" class="question"> <?php while($question = mysql_fetch_array($query)){ $responses = mysql_query("SELECT count(id) as total FROM responses WHERE qid='".$question['id']."'"); $responses = mysql_fetch_array($responses); if($total > 0 && $responses['total'] > 0){ $percentage = round(($responses['total'] / $max) * 100); } else { $percentage = 0; } $percentage2 = 100 - $percentage; ?> <tr> <td valign="top" nowrap="nowrap"><?php echo $question['question']; ?></td> <td valign="top" height="10" width="100%" style="padding: 0px 10px;"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr> <td valign="top" width="<?php echo $percentage ; ?>%" <?php if($percentage > 0){?>style="background: url('images/bar.jpg') repeat-x;"<?php } ?>><img src="images/dot.gif" width="1" height="19" /></td> <td valign="top" width="<?php echo $percentage2; ?>%"></td> </tr> </table> </td> <td valign="top"><?php echo $responses['total']; ?></td> </tr> <?php } ?> <tr> <td valign="top" colspan="3" align="center" style="padding: 10px 0px 0px 0px;">Total Votes: <?php echo $total; ?></td> </tr> </table> </td> </tr> <?php } ?> </table> <?php } else { ?> <table width="400" cellpadding="0" cellspacing="0" border="0" class="maintable" align="center"> <th>Declaration of Faith</th> <tr> <td valign="top" align="center" class="title"><?php echo $title; ?></td> </tr> <?php $query = mysql_query("SELECT * FROM questions WHERE pid='".$poll['id']."' ORDER BY id"); $questions = mysql_num_rows($query); if($questions > 0){ ?> <tr> <td valign="top" style="padding: 5px;"> <form name="poll" method="post" action=""> <table width="100%" cellpadding="0" cellspacing="0" border="0" class="question"> <?php if(isset($error)){ ?> <tr> <td valign="top" colspan="2" align="center" style="padding: 0px 0px 10px 0px;"><?php echo $error; ?></td> </tr> <?php } ?> <?php $x=0; while($question = mysql_fetch_array($query)){ ?> <tr> <?php if ($x==0){ ?> <td width="43%" rowspan=2 align="center"><span style="padding: 10px 0px 0px 0px;"> <input type="submit" id="submit" name="vote" value="Declare" /> </span></td> <?php }//if statement closing ?> <td valign="top" width="56%"><input type="radio" name="questions" value="<?php echo $question['id']; ?>" /><?php echo $question['question']; ?></td> </tr> <?php $x=$x+1; } ?> <tr> <td valign="top" align="center" style="padding: 10px 0px 0px 0px;"><br /></td> <td width="1%"> </td> </tr> <tr> <td colspan="2" align="center" id="note">Please answer only once per person</td> </tr> </table> </form> </td> </tr> <?php } ?> </table> <?php } ?> Here are the sectioned codes insert.php <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" /> <?php include('config.php'); //Validation to check if the user has voted or not. If not yet voted, then insert the data to the database, otherwise //tell the user they voted if(isset($_POST['vote']) && isset($_POST['questions'])) { //insert the vote to the database $query = mysql_query("INSERT INTO responses (qid, ip) VALUES ('".$_POST['questions']."', '".$_SERVER['REMOTE_ADDR']."')"); } else if(!isset($_POST['questions']) && isset($_POST['vote'])) { echo 'Please select a response'; } include('results.php'); ?> results.php <?php //The poll script $query = mysql_query("SELECT * FROM poll ORDER BY id DESC LIMIT 1"); $rows = mysql_num_rows($query); if($rows > 0){ $poll = mysql_fetch_array($query); $title = $poll['name']; } else { $title = 'No Poll Yet'; } $me=array(); $query = mysql_query("SELECT COUNT(id) as hits FROM responses GROUP BY qid"); while($row = mysql_fetch_array($query)){ $me[] = $row['hits']; } $max = max($me); $query = mysql_query("SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND responses.ip='".$_SERVER['REMOTE_ADDR']."' AND pid='".$poll['id']."'"); if(mysql_num_rows($query) > 0){ $total = mysql_query("SELECT questions.pid FROM responses, questions WHERE responses.qid=questions.id AND pid='".$poll['id']."'"); $total = mysql_num_rows($total); ?> <table width="300" cellpadding="0" cellspacing="0" border="0" class="maintable" align="center"> <tr> <td valign="top" align="center" class="title"><h1><?php echo $title; ?></h1></td> </tr> <?php $query = mysql_query("SELECT * FROM questions WHERE pid='".$poll['id']."' ORDER BY id"); $questions = mysql_num_rows($query); //vote results ?> <tr> <td valign="top" style="padding: 5px;"> <table width="100%" cellpadding="0" cellspacing="0" border="0" class="question"> <?php while($question = mysql_fetch_array($query)){ $responses = mysql_query("SELECT count(id) as total FROM responses WHERE qid='".$question['id']."'"); $responses = mysql_fetch_array($responses); if($total > 0 && $responses['total'] > 0){ $percentage = round(($responses['total'] / $max) * 100); } else { $percentage = 0; } $percentage2 = 100 - $percentage; ?> <tr> <td valign="top" nowrap="nowrap"><?php echo $question['question']; ?></td> <td valign="top" height="10" width="100%" style="padding: 0px 10px;"> <table width="100%" cellpadding="0" cellspacing="0" border="0"> <tr> <td valign="top" width="<?php echo $percentage ; ?>%" <?php if($percentage > 0){?>style="background: url('images/bar.jpg') repeat-x;"<?php } ?>><img src="images/dot.gif" width="1" height="19" /></td> <td valign="top" width="<?php echo $percentage2; ?>%"></td> </tr> </table> </td> <td valign="top"><?php echo $responses['total']; ?></td> </tr> <?php } ?> <tr> <td valign="top" colspan="3" align="center" style="padding: 10px 0px 0px 0px;">Total Votes: <?php echo $total; ?></td> </tr> </table> </td> </tr> <?php } ?> </table> vote.php <?php include('config.php'); //vote starts here ?> <table width="400" cellpadding="0" cellspacing="0" border="0" class="maintable" align="center"> <th>Declaration of Faith</th> <tr> <td valign="top" align="center" class="title"><?php echo $title; ?></td> </tr> <?php $query = mysql_query("SELECT * FROM questions WHERE pid='".$poll['id']."' ORDER BY id"); $questions = mysql_num_rows($query); ?> <tr> <td valign="top" style="padding: 5px;"> <form name="poll" method="post" action="results.php"> <table width="100%" cellpadding="0" cellspacing="0" border="0" class="question"> <?php $x=0; while($question = mysql_fetch_array($query)){ ?> <tr> <?php if ($x==0){ ?> <td width="43%" rowspan=2 align="center"><span style="padding: 10px 0px 0px 0px;"> <input type="submit" id="submit" name="vote" value="Declare" /> </span></td> <?php }//if statement closing ?> <td valign="top" width="56%"><input type="radio" name="questions" value="<?php echo $question['id']; ?>" /><?php echo $question['question']; ?></td> </tr> <?php $x=$x+1; } ?> <tr> <td valign="top" align="center" style="padding: 10px 0px 0px 0px;"><br /></td> <td width="1%"> </td> </tr> <tr> <td colspan="2" align="center" id="note">Please answer only once per person</td> </tr> </table> </form> </td> </tr> </table> config.php <link rel="stylesheet" href="css/style.css" type="text/css" media="screen" /> <?php //database settings $hostname = 'localhost'; $username = 'root'; $password = ''; $dbname = 'poll1'; $connect = mysql_connect($hostname, $username, $password); mysql_select_db($dbname); $query = mysql_query("SELECT * FROM poll ORDER BY id DESC LIMIT 1"); $rows = mysql_num_rows($query); $poll = mysql_fetch_array($query); $title = $poll['name']; ?> is this a good way of doing a simple admin different rights e.g if secret word then go to adminpage.php Code: [Select] session_start(); $captcha = $_POST["captcha"] ; $secretword = $_SESSION["secretword"] ; if (strcmp( $captcha, $secretword )) { // it's a bot } else { // matched -- it's a human } Hi guys, in my database i have the table called users, where i have 5 fields (id, username, email, password, user_level) - for the user_level field i have 2 options administrator and editor.
What i want to do is that when the user who is logged in have administrator in the user_level field to see all the pages from backend, and the user who have in the user_level field editor to see only some of the pages from the backend such as newsletter, or messages.
I hope you understand what i'm asking if not fell free to ask me if you need more specific details.
I tried to make a php page called access.php wher i put the following code, but not working
<?php
session_start();
$sql = $mysqli->query("SELECT user_level FROM imobiliare_users WHERE id=$id");
$user_level = $mysqli->query($sql);
echo $user_level;
if ($user_level !="administrator") {
echo "You are not the proper user type to view this page";
die();
}
?>
Hope you can help me. Thx in advance for help.
Hi everyone! I'm getting the error "Access denied for user ''@'localhost' to database 'crystalair'" (crystalair is the name of my database) whenever I submit my form which inserts a new row to the database table "order". The same happens when I try to retrieve data from the table using select query. However, I can successfully perform operations (select, insert) in my other pages which involves another database table "user". If this is a connection error, how can I successfully perform operations with another table? Also, my connection query does not return an error. I have also checked to make sure my user has been granted "All Privileges" in the phpmyadmin. I've run out of ideas. Can you please help? Thanks a lot. |
|||||||