PHP - Should I Let Users Add Comments Without Logging In?
As long as it's SQL injection proof, would it be alright for me to let non-members add comments to a post and give the Author the ability to delete them?
Similar TutorialsI have this code which logs in a user to my site but it only directs them to the login success page. i need to direct users to 3 different pages depending on their access level eg levels 1,2,4 but i dont know how to do this, can any one help or point me in the right direction?? thanks //Form <form name="form1" method="post" action="checklogin.php"> <strong>Member Login </strong> Username: <input name="UsersID" type="text" id="UsersID" /> Password: <input name="U_Password" type="password" id="U_Password" /> <input type="submit" name="Submit" value="Login" /></form> <?php $host="localhost"; // Host name $username=""; // username $password=""; // password $db_name="test"; // Database name $tbl_name="members"; // Table name // Replace database connect functions depending on database you are using. mysql_connect("$host", "$username", "$password"); mysql_select_db("$db_name"); //submitting query // username and password sent from form //NEVER Remove the mysql_real_escape_string. Else there could be an Sql-Injection! $mUsersIDe=mysql_real_escape_string($_POST['UsersID']); $U_Password=mysql_real_escape_string($_POST['U_Password']); $sql="SELECT * FROM $Users WHERE UsersID='$UsersID' and U_Password='$U_Password'"; $result=mysql_query($sql); //checking results // Replace counting function based on database you are using. $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row //Direct Userbased on result if($count==1){ // Register $UsersID, $U_Password and redirect to file "login_success.php" session_register("UsersID"); session_register("U_Password"); header("location:login_success.php"); } else { echo "Wrong Username or Password"; } CREATE TABLE posts ( postId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, title VARCHAR(255) NOT NULL, author VARCHAR(24) NOT NULL, description TEXT NOT NULL, createdAt TIMESTAMP, PRIMARY KEY (postId) ); CREATE TABLE comments( commentId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, comment TEXT NOT NULL, postId INT(11), userId INT(11), createdAt TIMESTAMP, PRIMARY KEY (commentId), FOREIGN KEY (userId) REFERENCES users(userId), FOREIGN KEY (postId) REFERENCES posts(postId) ); CREATE TABLE replies ( repId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, reply TEXT NOT NULL, userId INT(11), commentId INT(11), createdAt TIMESTAMP, PRIMARY KEY (repId), FOREIGN KEY (userId) REFERENCES users(userId), FOREIGN KEY (commentId) REFERENCES comments(commentId) ); CREATE TABLE users ( userId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, userName VARCHAR(100) NOT NULL,, email VARCHAR(100) NOT NULL, PRIMARY KEY (userId) ); how to retrive userName,comment, and createdAt from users and comments table while I have used userId as a Foreign key on the comment table if it isn't correct, correct me please I have a problem with the "comments count" in the toggle link in my blog: www.albertosotophotography.com
I have this script for show/hide comments in main page:
<script type= "text/javascript"> // Show/Hide Comments jQuery(document).ready(function() { // Get #comments div var uniqueAppend = 1; var tempName = 'comments'; while(jQuery("#comments").length > 0 ){ jQuery("#comments").attr('id',tempName + uniqueAppend++).addClass('commentContainer') } var commentsDiv = jQuery('.commentContainer'); // Only do this work if that div isn't empty if (commentsDiv.length) { // Hide #comments div by default jQuery(commentsDiv).hide(); // Append a link to show/hide jQuery('<a/>') .attr('class', 'toggle-comments') .attr('href', '#') .html('Notes') .insertAfter(commentsDiv); // Encase button in .toggle-comments-container div jQuery('.toggle-comments').wrap(jQuery('<div/>', { class: 'toggle-comments-container' })) // When show/hide is clicked jQuery('.toggle-comments').on('click', function(e) { e.preventDefault(); // Show/hide the div using jQuery's toggle() var commentContainer = jQuery(this).parent('.toggle-comments-container').prev('.commentContainer'); jQuery(commentContainer).slideToggle('slow', function() { // change the text of the anchor var anchor = jQuery(commentContainer).siblings('.toggle-comments-container').children('.toggle-comments'); var anchorText = anchor.text() == 'Notes' ? 'Hide' : 'Notes'; jQuery(anchor).html(anchorText); }); }); } // End of commentsDiv.length }); // End of Show/Hide Comments </script>I use: .html('<?php comments_number( '0 notes', '1 note', '% notes' ); ?>')for name the "comments toggle link" with the count of comments for each single post. The problem is that all posts shows the same count: the comments presents in the first post. Someone can help me? Alberto Hello
I am trying to work out how many regular users I have to my site and how long those users tend to be users..
So, I have a table that logs every time a user visits my site and logs in, it stores the date / time as a unix timestamp and it logs their user id.
I started by getting the id's of any user who logs in more than 5 times in a specified period, but now I want to extend that...
SELECT userID as user, count(userID) as logins FROM login_history where timestamp > UNIX_TIMESTAMP('2014-06-01 00:00:00') and timestamp < UNIX_TIMESTAMP('2014-07-01 00:00:00') group by user having logins > 5; I just discovered that I have a major security flaw with my website. Anyone who logs in to the website can easily access other users information as well as delete and edit other users information just by changing the ID variable in the address bar. I have user ID Session started on these pages but still people can do anything they like with other users information just by editing the address bar. For example if your logged in in the address bar of www.mywebsite.com/delete_mystuff.php?id=5 and change the "5" say to a "9" then you will have access to user#9 information. Every important page that I have has this code: Code: [Select] session_start(); if (!isset($_SESSION['user_id'])) { // Start defining the URL. $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); // Check for a trailing slash. if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr ($url, 0, -1); // Chop off the slash. } // Add the page. $url .= '/index.php'; ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. } else { //Else If Logged In Run The Script if((isset($_GET['id'])) && (is_numeric($_GET['id']))) { $id = (int) $_GET['id']; } elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) { $id = (int) $_POST['id']; } else { echo ' No valid ID found, passed in url or form element'; exit(); } What am I doing wrong? Please help if you know how to correct this. Many thanks in advance. I can seem to login it tells me to check my password and username but i dont know the username and password are correct
here is my whole code
<?php //start the sessoin session_start(); //connect to db require "scripts/connect.php"; $username = $_POST['username']; $password = $_POST['password']; $username = mysqli_real_escape_string($db,$username); $password = mysqli_real_escape_string($db,$password); if(isset($_POST['loginbtn'])){ if(!empty($username) && !empty($password)){ //sql command $getstaff = "SELECT * FROM `users` WHERE `username` = '$username'"; //execute the query $query = mysqli_query($db,$getstaff); //get the number of rows $num_rows = mysqli_num_rows($query); if($num_rows != 0){ //get the info $rows = mysqli_fetch_assoc($query); //setting the data in indivaul variables $dbusername = $rows['username']; $dbpassword = $rows['password']; //getting the password the user enter and making it hash //in order for it to match in the database $password = md5($password); if($dbusername === $username && $dbpassword === $password){ //create the session $_SESSION['username'] = $username; //redircet them to the control panel header("location: controlpanel.php"); }else $msg = "Please check your username or password"; }else $msg = "User does not exist"; }else $msg = "Please enter your username and password"; } ?>This is where it is giving me a hard time if($dbusername === $username && $dbpassword === $password){ //create the session $_SESSION['username'] = $username; //redircet them to the control panel header("location: controlpanel.php"); }else $msg = "Please check your username or password";Any ideas why its not letting me enter will the following code work to log any php errors i may have on the page this code is included? Code: [Select] ini_set('error_reporting', E_ALL); error_reporting(E_ALL); ini_set('log_errors',TRUE); ini_set('html_errors',FALSE); ini_set('error_log','./error_log.txt'); ini_set('display_errors',FALSE); After getting my site hacked, I'm not really up for learning PhP, so I'm trying to use uMScript.
On the demo site, and when I just load up the files on my server, it will redirect upon log in. But when I then use my styling, for some reason the login_submit.php gives me a blank page and does not redirect, nor does it log the user in. I don't change anything except the positioning of the forum and the container around it, no PhP or JS changes, weird? I can not seem to get a hold of the creator, nor can I find a user script that matches what I'm looking for. Heck, I'm so close to going mad, I'm even willing to pay someone to do the user PhP for me haha Has anyone used this script successfully? You can try it out he http://mod-universe.com/index.php Demo: http://www.ventureha.../demo/index.php (I couldn't get the demo credentials to log in, created a new user = Okriani, kieran09) Hi guys, I got a little bit of an issue. I have a register page, which works fine and submits to itsself, however i also have a login page which currently has no errors but doesnt allow any1 to log in. If some1 can see why that will be great, as this is causing so many issues. This is the last step i cant get past. Here is the code Code: [Select] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Forensics E-learning Package</title> <script type="text/javascript" src="start.js"></script> <link rel="stylesheet" type="text/css" href="style.css" /> </head> <body> <div id="wrapper"> <div id="header"> <div id="toplinks"> </div> </div> <div id="menu"> <ul> <li><a class="selected" href="index.html">Home</a></li> <li><a href="index.php">Initial Quiz</a></li> <li><a href="about.php">About</a></li> <li><a href="member.php">Member Section</a></li> </ul> </div> <div id="content"> <div id="main"> <h1>Forensics E-Learning Package</h1><BR /></head> Login to the User Profiled E-Learning Course which is specifically aimed to raise awareness in computer forensics. <?php $submit =&$_POST['submit']; if(isset($submit)) { if($username && sha1($password)) { $username =&$_POST['username']; $password =&$_POST['password']; $_SESSION['$username'] = $username; $_SESSION['$password'] = sha1($password); $connect = mysql_connect("localhost","root", "") or die ("Couldn't Connect!"); mysql_select_db("userlogin", $connect) or die("Couldn't find db"); //$con = mysql_connect('userscores.db.7767668.hostedresource.com','userscores','L3tt3r09'); //mysql_select_db('userscores', $con); $query = mysql_query("SELECT * FROM users WHERE username=' $username'"); $numrows = mysql_num_rows($query); if ($numrows!=0) { //code to login while ($row = mysql_fetch_assoc($query)) { $dbusername = $row['username']; $dbpassword = $row['password']; $dbscore = $row['score']; $dbdclty = $row['dclty']; $dbid = $row['id']; $dbnewdclty = $row['newdclty']; } $_SESSION['id'] = $dbid; $_SESSION['PreviousScore'] = $dbscore; $_SESSION['dclty'] = $dbdclty; $_SESSION['newdclty'] = $dbnewdclty; if ($username==$dbusername&&sha1($password)==$dbpassword) { $username==$dbusername; } else { echo ("Incorrect Password!"); } } else { echo("That user doesn't exist!"); } } else { echo("Please enter a username and password!"); } echo ("You Successfully Logged In!"); } else { ?><BR /><BR /><?php echo("Please Log In!"); } if ($submit) echo "Logged In Successfully!"; ?> <BR /><BR /> <form action='index.php' method='POST'> Username: <input type='text' name='username'><BR /> Password: <input type='password' name='password'><BR /> <input type='submit' value='Log In'> </form> <p><BR /><BR /> <a class="button" href='register.php'><span><button class="button" id="save">Register</button></span></a> </div> <div id="right"> <h2>Right Menu</h2> <div class="rightitem"> <ul> <li><a class="selected" href="index.html">Home</a></li> <li><a href="index.php">Initial Quiz</a></li> <li><a href="about.php">About</a></li> <li><a href="member.php">Members Area</a></li> <li><a href="contact.php">Leave Feedback</a></li> </ul> </div> </div> </div> <div class="clearbottom"></div> <div id="footer"></div></div> </body> </html> Thanks for any help Lance First time poster so please bear with me. Is there a script that will show me the process of my php program as it runs, maybe log it to a log file each step so I can see what is happening. Fairly new to php so there maybe something that I can set there. I can read the code and follow it there but I'd like to see it in a log after each step or after each process completes. I have done this in the old days of dbase and it really helps with the errors that can develop. Thanks in advance and what a great forum. I have built a simple website to share photos with people at work. And it is based on code - known to work - from a larger website that I built a few years ago. When you land on the site, you have a login screen, and if the username/password match what is hardcoded, then I set $_SESSION['loggedIn'] = TRUE; and I redirect to the menu.php page. If your credentials do not match, then I redirect the user to an access-denied.php (403) page. Here is the problem... Occasionally, when you try to log in you will get routed to the access-denied page. But then if you try a second time you end on on the menu page. I uploaded my otherwise working code to my hosted webserver, and now I can never seem to log in. It seems to me that something is getting screwed up with the session variable? Any ideas what could be causing this strange behavior? Hi, I've been semi-teaching myself curl, and I decided to try logging into Facebook with it. This is what I have so far... <?PHP $Email = strip_tags(str_replace(' ', '', $_POST['email'])); $Password = strip_tags(str_replace(' ', '', $_POST['password'])); $FBlogin = 'https://www.facebook.com/login.php?login_attempt=1'; $MoreData = "charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=u2nsf&locale=en_US&email=".urlencode($Email)."&pass=".urlencode($Password)."&default_persistent=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=u2nsf"; $Cookie = "cookie.txt"; $fp = fopen($Cookie,'wb'); $agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"; //login to facebook $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$FBlogin); curl_setopt($ch, CURLOPT_USERAGENT, $agent); curl_setopt($ch, CURLOPT_COOKIEFILE, $Cookie); curl_setopt($ch, CURLOPT_COOKIEJAR, $Cookie); curl_setopt($ch, CURLOPT_REFERER, $FBlogin); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_POSTFIELDS, $MoreData); $Excecute = curl_exec($ch); echo $Excecute; ?> Right now I have it echo'ing out to see what's going wrong. I'm getting cookie errors from facebook saying that "I must have cookies enabled". What could be wrong in my script that would trip such an error? Thanks. i am trying to log out a user after account deletion by re-directing them. for some reason, the directories are not being removed, and i am not being redirected after that. I am looking for some help or direction or maybe someone can point me to a tutorial some where. I am looking at adding a program to my website but it requires the user to also be logged in to use it. I would like to know how I can set it up so my users only have to log into my website once and it will automatically log them into this program using the same log in credentials. I am sure this is common and simple but I am a newbie programmer. Thank You for any advice. I am in the middle of creating an E-Commerce website in PHP (using EasyPHP) and I have run into some problems I have a file called Logout.php which is designed to log registered database users out of a session. However when I go to view the page, I get this ASP.NET IIS7 message: HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode. This is obviously a php file I have developed, but I do not understand why it is doing this. I have attached the entire project to the message (once unzipped, look for "logout.php") to demonstrate what I am doing, help would be very appreciated please. Hi all, My session is not destroy even after I have click 'log out' The user will only log out only when I have closed the browser. May I know what could have caused the problem? Below is my code My admin.php page Code: [Select] <?php // For logging out if (isset($_SESSION['username'])) { echo '<a href="admin_logout.php">Log Out (' . $_SESSION['username'] . ')</a>'; // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the user data from MySQL $query = "SELECT tutor_id, name FROM tutor_profile ORDER BY name ASC"; $data = mysqli_query($dbc, $query); // Loop through the array of user data, formatting it as HTML echo '<h4>Latest members:</h4>'; echo '<table>'; while ($row = mysqli_fetch_array($data)) { echo '<td><a href="viewprofile.php?tutor_id=' . $row['tutor_id'] . '">' . $row['name'] . '</a></td></tr>'; } echo '</table>'; mysqli_close($dbc); } else { echo '<a href="admin_login.php">Log In</a>'; } ?> My logout.php page Code: [Select] <?php // If the user is logged in, delete the session vars to log them out session_start(); if (isset($_SESSION['admin_id'])) { // Delete the session vars by clearing the $_SESSION array $_SESSION = array(); // Delete the session cookie by setting its expiration to an hour ago (3600) if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time() - 3600); } // Destroy the session session_destroy(); } // Delete the user ID and username cookies by setting their expirations to an hour ago (3600) setcookie('admin_id', '', time() - 3600); setcookie('username', '', time() - 3600); // Redirect to the home page $home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/admin_login.php'; header('Location: ' . $home_url); ?> Hi guys, have a little problem here, when you login first it seems to work fine, and redirects back to index.php showing your username etc, but then when I click on another page which checks if session is set, it asks me to login again, so I do that, get redirected back to index.php again and click on the same page and then it works.. but almost every time it asks me to login twice.. and not sure why? Logging in / creating the session : Code: [Select] <?php // Login session_start(); $_SESSION['username'] = htmlspecialchars($username); // htmlspecialchars() sanitises XSS header( 'Location: index.php' ) ; ?> then on index.php: Code: [Select] <?php include 'connect.php'; session_start(); $username = $_SESSION['username']; ?> And on another page: Code: [Select] <?php include 'connect.php'; include_once "markdown.php"; session_start(); if(!isset($_SESSION['username'])) { //code } ?> I would like to create a script that can login to my account on xbox.com, check my messages, and store messages into my database (only messages that have not been stored yet). The purpose for this is: I want my users to register their accounts using their Xbox Live Username. To make them verify their Username they send a message to my Xbox Account with a message saying 'Verify" or something. My script will check my xbox account's messages for new messages with the body saying 'Verify' to verify the username, and store it in a database that it has been successfully verified. How do I go about doing this? Hey, i have a small problem with the logout part of my account system. When i click the logout link, it directs me to the index page with an error (custom error stuff i made). Heres my logout code <?php echo 'Behandler ...<br />'; if(isset($_SESSION['logged']) && isset($_SESSION['email']) && $_SESSION['logged'] == 1) { echo 'Logger ud, vent venligst...'; unset($_SESSION['logged']); unset($_SESSION['email']); header('location: index.php?p=success&ploca=login&pid=1'); exit(); } else { header('location: index.php?p=error&ploca=login&pid=5'); // This is where it jumps to directly. exit(); } ?> The weird thing is, that the sessions email and logged is set, as you can see here; //Printed with print_r($_SESSION); Array ( [psite] => index [logged] => 1 [email] => a@b.c ) Anyone sees my problem? This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=353007.0 |