Weborum Webmaster Forum > Web Page Design > PHP > FORMS
franches
I badly need help. I have this code. I'm doing a status log form. Before the user can go to the form, he/she has to log in.

QUOTE
<!doctype html public "-//W3C//DTD HTML 4.0 //EN">
<html>
<head>
</head>
<body>
  <form action="validationtest.php" method="post">
  <table align="center" style="font-family:arial; font-size:12px; border:1px solid #000000;">
  <tr><td colspan="2" align="center" bgcolor="#123dd4">LOGIN</td></tr>
  <tr><td align="right">Username: </td><td><input type="text" name="username" size="15"></td></tr>
  <tr><td align="right">Password: </td><td><input type="password" name="password" size="15"></td></tr>
  <tr><td align="center" colspan="2"><input type="submit" value="Login"></td></tr>
  </table>
  </form>
</body>
</html>


Then I have validationtest.php:
QUOTE
<?php
session_start();

// Read the credentials from the POST body (the original relied on register_globals).
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if ($username == "" || $password == "")
{
    echo "You have to enter your username and password";
    include ('login.php');
}
else
{
    include ('db.php');

    // $username is spliced straight into the SQL string (see the replies below).
    $result = mysql_query("select * from StaffTable where PIN='$username'")
        or die ("cant do it");

    $row = mysql_fetch_array($result);   // at most one staff row per PIN

    if ($row && $row["Password"] == $password)
    {
        $name = $row["Name"];
        $_SESSION['Name'] = $name;       // session_register() is obsolete; $_SESSION is enough

        include('tutor.php');
    }
    else
    {
        print("Please enter your valid Username and Password!");
        include ('login.php');
    }
}
?>


After the person is validated, he/she is directed to tutor.php, and this is where my problem started. The problem is that after I press "Add hours" it goes directly to the login form again. What I really want to happen is that after pressing "Add hours" it stays on the same page, so that the user is able to log his/her other activities. I hope someone can help me with the code. I'm doing this for the first time.

Thank you very much!!!

QUOTE
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head>
        <title>Workhours form</title>
        <script type="text/javascript">

        // running total carried over from the previous submit
        var total = <?php echo (isset($_POST['work_hours_total']) ? $_POST['work_hours_total'] : "0"); ?>;

            function update1()
            {
                document.getElementById("work_hours_total").value = total + Number(document.getElementById("work_hours").value);
                document.getElementById("remaining_hours").value = 7.5 - Number(document.getElementById("work_hours_total").value);
            }

    </script>
    </head>
    <body>
        <?php
        // note: session_start() runs here, after HTML output has already begun
        session_start();

        mysql_connect("localhost", "root")
        or die( "Unable to connect\n". mysql_error() );

        mysql_select_db("TEST")
        or die("Unable to select db ".mysql_error()."\n");

        // insert the submitted activity; the POST values go into the SQL unescaped
        if (isset($_POST['pin']))
        {
        $sql= "insert into StatusTable (PIN, Activity,RegHours) values ('" . $_POST['pin'] . "','" . $_POST['activity'] . "','" . $_POST['work_hours'] . "')";
        mysql_query($sql) or die('error making query: ' . mysql_error());
        }

        ?>

        <form action="<?php echo $_SERVER["PHP_SELF"] ?>"  method="post">
                <fieldset>
                <div>
                    <label for="pin">PIN :</label> <?php echo $username ?><br>
                    <label for="name">Name : </label><?php echo $name ?> <br>
                    <!-- the insert above checks $_POST['pin'], so the PIN has to be posted back -->
                    <input type="hidden" name="pin" value="<?php echo $username ?>">
                </div>
                <div>
                    <label for="activity">Activity</label>
                    <input id="activity" name="activity" type="text" size="20">
                </div>
                <div>
                    <label for="work_hours">Work Hours</label>
                    <input id="work_hours" name="work_hours" type="text" size="5" onchange="update1()">
                </div>
                <div>
                    <label for="work_hours_total">Total Work Hours</label>
                    <input id="work_hours_total" name="work_hours_total" type="text" size="5" value="<?php echo (isset($_POST['work_hours_total']) ? $_POST['work_hours_total'] : ""); ?>" readonly>
                </div>
                <div>
                    <label for="remaining_hours">Hours Remaining</label>
                    <input id="remaining_hours" name="remaining_hours" type="text" size="5" value="<?php echo (isset($_POST['work_hours_total']) ? (7.5 - $_POST['work_hours_total']) : "7.5"); ?>" readonly>
                </div>
                <div>
                    <input type="submit" value="Add hours" name="Add">
                </div>
            </fieldset>
        </form>
    </body>
</html>
Joe
Your session_start() tag must be placed directly at the top of the page, before any other code.

Like so
CODE
<?php session_start(); ?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <title>Workhours form</title>
       <script type="text/javascript">

       var total = <?php echo (isset($_POST['work_hours_total']) ? $_POST['work_hours_total'] : "0"); ?>;

           function update1()
           {
               document.getElementById("work_hours_total").value = total + Number(document.getElementById("work_hours").value);
               document.getElementById("remaining_hours").value = 7.5 - Number(document.getElementById("work_hours_total").value);
           }
blah blah blah
Timo
I also highly suggest you strip certain characters* from your input before you put them in a query. That code looks extremely easy to hack.

*The normal stuff: single quotes, double quotes.
franches
What do you mean by this? Could you explain it further?
QUOTE
I also highly suggest you strip certain characters* from your input before you put them in a query. That code looks extremely easy to hack.

*The normal stuff: single quotes, double quotes.



I've tried this one, but still, after I press "Add hours" it automatically goes to my login form, where I have to log in again. What should really happen is that after pressing "Add hours" it still opens tutor.php, so that I can input my other activities.
QUOTE
Your session_start() tag must be placed directly at the top of the page before any other code



Joe
You should add the session code to all pages.

After you log in and it forwards you to the new page, you should have an IF statement that checks the session to see whether the user really is logged in.

Kind of like the code on this site.
Timo
Run any input you put into your database through a function to strip it of potentially dangerous input... Most of the stuff newbie hackers can do is blocked through this.


function dbInsans($text) {
$text = strip_tags ($text, "");                  // drop any HTML tags
$text = str_replace(chr(10),"",$text);           // remove line feeds
$text = str_replace(chr(13), "<br />", $text);   // carriage returns become <br />
$text = str_replace("\"","&quot;",$text);        // encode double quotes as an HTML entity
$text = str_replace("'","&#39;",$text);          // encode single quotes as an HTML entity
$text = addslashes($text);                       // backslash-escape backslashes and NUL bytes (quotes are already gone)
return($text);
}


Is what I generally use.
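An added example, not code from this thread, showing concretely what "extremely easy to hack" means for the login query posted above and why binding parameters is the stronger fix than stripping quotes. It is a stand-alone CLI script using PDO with an in-memory SQLite database so it runs without MySQL (the same PDO calls work unchanged against a MySQL DSN). Table and column names follow the thread (StaffTable, PIN, Password, Name); the staff row, the password and the attacker's input are constructed for the demonstration, and password_hash()/password_verify() replace the thread's plaintext password column.

```php
<?php
// Added example: SQL injection in the thread's login query vs. a prepared statement.
// Run from the CLI: php login_demo.php   (needs PDO with the sqlite driver)

// How the thread builds the query: user input spliced straight into the SQL text.
function vulnerableLoginSql(string $pin, string $password): string
{
    return "SELECT PIN, Password, Name FROM StaffTable "
         . "WHERE PIN = '$pin' AND Password = '$password'";
}

// Hardened lookup: the PIN travels as a bound parameter and can never change the
// shape of the statement; the password is checked against a stored hash.
function checkLogin(PDO $db, string $pin, string $password): ?array
{
    $stmt = $db->prepare('SELECT PIN, Password, Name FROM StaffTable WHERE PIN = :pin');
    $stmt->execute([':pin' => $pin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;   // unknown PIN or wrong password: same answer for both
    }
    return ['PIN' => $row['PIN'], 'Name' => $row['Name']];
}

// Constructed sample data (one staff member, hashed password).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE StaffTable (PIN TEXT PRIMARY KEY, Password TEXT, Name TEXT)');
$seed = $db->prepare('INSERT INTO StaffTable (PIN, Password, Name) VALUES (?, ?, ?)');
$seed->execute(['1001', password_hash('correct-horse', PASSWORD_DEFAULT), 'R. Tutor']);

// Constructed attacker input: closes the quoted PIN, makes the WHERE clause always
// true, and comments out the password check ("-- " is a comment in MySQL and SQLite).
$attackerPin = "' OR 1=1 -- ";

$sql = vulnerableLoginSql($attackerPin, 'anything');
echo "Vulnerable query becomes:\n  $sql\n";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "  rows returned: " . count($rows)
   . "  (mysql_num_rows() would be non-zero, so the thread's code sets loggedin)\n";

echo "Prepared statement, same input: "
   . json_encode(checkLogin($db, $attackerPin, 'anything')) . "\n";      // null
echo "Prepared statement, real login:  "
   . json_encode(checkLogin($db, '1001', 'correct-horse')) . "\n";      // PIN and Name
```

Stripping the quote, as suggested in the thread, would stop this particular string, but escaping has to be applied correctly to every value in every query and addslashes() is not aware of the connection character set; a bound parameter removes the whole class of problem because the database never parses the input as SQL.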
franches
QUOTE
Run any input you put into your database through a function to strip it of potentially dangerous input... Most of the stuff newbie hackers can do is blocked through this.

function dbInsans($text) {
$text = strip_tags ($text, "");
$text = str_replace(chr(10),"",$text);
$text = str_replace(chr(13), "<br />", $text);
$text = str_replace("\"","&quot;",$text);
$text = str_replace("'","&#39;",$text);
$text = addslashes($text);
return($text);
}

Is what I generally use.


Do you have any sample code that shows how you used it? I really can't imagine how I am going to do it.

By the way, could you please examine my code again?
QUOTE
<?php
session_start();
$dbHost = "localhost"; // Database Connection Details - host
$dbUser = "root"; // Database Connection Details - username
$dbname = "TEST"; // Database Connection Details - database name

// Stores our inputted data in these variable names
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$db = mysql_connect($dbHost,$dbUser); // Connection Code
mysql_select_db($dbname, $db);        // Connects to database

// Both values go into the SQL string unescaped (see the replies above).
$query = "SELECT PIN, Password, Name FROM StaffTable WHERE PIN = '$username' AND Password = '$password'";
$result = mysql_query($query) or die(mysql_error());

if(mysql_num_rows($result)) {
  $_SESSION['loggedin'] = 1;
  header('Location: http://copernicus/rhodora/statuslog/trial/admin.php');
  exit(); }
else {
  header('Location: http://copernicus/rhodora/statuslog/trial/...?error=1');
  exit(); }
?>


And this is my page after a successful login. My problem is that I am not able to display the username (which is the ID number of the user) and his/her name. I think I used the wrong code in calling the PIN and Name.

Thank you in advance. I'll be looking forward to your response.

QUOTE
<?php
session_start();

if(!isset($_SESSION['loggedin'])) {
  header('Location: http://copernicus/rhodora/statuslog/trial/...?error=1');
  exit();
}
?>
blah blah blah

      <?php
        mysql_connect("localhost", "root")
        or die( "Unable to connect\n". mysql_error() );

        mysql_select_db("TEST")
        or die("Unable to select db ".mysql_error()."\n");
      ?>

        <form action="<?php echo $_SERVER["PHP_SELF"] ?>"  method="post">

              <fieldset>
                <div>
                    <?php // $username and $name are never assigned on this page ?>
                    <label for="pin">PIN :</label> <?php echo $username ?><br>
                    <label for="name">Name : </label><?php echo $name ?> <br>
                </div>

          blah blah blah

        </form>


    </body>
</html>
Joe
CODE
function dbInsans($text) {
$text = strip_tags ($text, "");
$text = str_replace(chr(10),"",$text);
$text = str_replace(chr(13), "<br />", $text);
$text = str_replace("\"","&quot;",$text);
$text = str_replace("'","&#39;",$text);
$text = addslashes($text);
return($text);
}

$username = dbInsans($username);


Like this
franches
Could you please tell me where, and in what part of my code, I should put this one?

And also, my other problem is that the username and name of the user did not appear on my 2nd page.

I have attached my code so that you may be able to examine it and make some corrections. Thank you very much. I would still be looking forward to your response.
Joe
I have made some changes to 'process.php'. I can't even see what you are trying to do inside admin.php, so I have left that as it is.

To retrieve the sessions you need the code;

<?php echo $_SESSION['username']; ?>
<?php echo $_SESSION['password']; ?>

I'm sure you will be able to figure the rest out for yourself
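An added example (not Joe's process.php or franches' admin.php) of how the protected page can be written so that both problems in the thread go away: the session is started before any output, the page bounces to the login form when the session is missing, and the PIN and name are read from the session instead of from variables that were never set on this page. It assumes the login script stores `$_SESSION['pin']` and `$_SESSION['name']` (assumed names; the thread only sets `$_SESSION['loggedin']`) right after its successful check, ideally followed by `session_regenerate_id(true)`. The connection details and the StatusTable (PIN, Activity, RegHours) columns come from the thread; because that table has no date column on the page, the running total here sums all rows for the PIN. The 7.5-hour day is the thread's figure.

```php
<?php
// Added example of admin.php: session check first, identity from the session,
// prepared INSERT, running total computed server-side, all output escaped.
session_start();

if (!isset($_SESSION['pin'])) {            // not logged in: back to the login form
    header('Location: login.php?error=1');
    exit();
}
$pin  = $_SESSION['pin'];                  // never taken from $_POST: a logged-in
$name = $_SESSION['name'] ?? '';           // user could otherwise log hours under another PIN

// Connection details as used in the thread; a real deployment uses a dedicated,
// least-privilege database account rather than root.
$db = new PDO('mysql:host=localhost;dbname=TEST;charset=utf8mb4', 'root', '');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// HTML-escape everything that is echoed into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The total comes from the database, not from a readonly field the browser can edit.
function hoursLogged(PDO $db, string $pin): float
{
    $stmt = $db->prepare('SELECT COALESCE(SUM(RegHours), 0) FROM StatusTable WHERE PIN = ?');
    $stmt->execute([$pin]);
    return (float) $stmt->fetchColumn();
}

$error = null;
$total = hoursLogged($db, $pin);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $activity = trim($_POST['activity'] ?? '');
    $hours    = filter_var($_POST['work_hours'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($activity === '' || $hours === false || $hours <= 0 || $total + $hours > 7.5) {
        $error = 'Enter an activity and a number of hours that fits within the 7.5-hour day.';
    } else {
        $stmt = $db->prepare('INSERT INTO StatusTable (PIN, Activity, RegHours) VALUES (?, ?, ?)');
        $stmt->execute([$pin, $activity, $hours]);   // bound values, no string splicing
        $total = hoursLogged($db, $pin);
    }
}
$remaining = 7.5 - $total;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head><title>Workhours form</title></head>
<body>
<?php if ($error !== null): ?><p><?php echo h($error); ?></p><?php endif; ?>
<form action="admin.php" method="post">
  <fieldset>
    <div>PIN : <?php echo h($pin); ?><br>Name : <?php echo h($name); ?></div>
    <div><label for="activity">Activity</label>
         <input id="activity" name="activity" type="text" size="20"></div>
    <div><label for="work_hours">Work Hours</label>
         <input id="work_hours" name="work_hours" type="text" size="5"></div>
    <div>Total Work Hours: <?php echo h(number_format($total, 2)); ?></div>
    <div>Hours Remaining: <?php echo h(number_format($remaining, 2)); ?></div>
    <div><input type="submit" value="Add hours" name="Add"></div>
  </fieldset>
</form>
</body>
</html>
```

The form posts back to a fixed `admin.php` rather than to `$_SERVER['PHP_SELF']`, which echoes part of the request URL into the page unescaped, and the page no longer trusts `work_hours_total` from the browser, so the total cannot be edited or used to inject into the inline script.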
franches
Thanks! :D
Invision Power Board © 2001-2010 Invision Power Services, Inc.