After Log in, incorrect ID displays

Question

toad78 0 Newbie Poster

15 Years Ago

I have a login form that works just fine, except when it forwards to the 'menu.php' page. The 'menu.php' page has a list of links that is suppose to be in relationship to the 'mem_id'. For example, there's a link called 'Profile'. When you hover over the link, it is suppose to have the correct URL with the 'mem_id'. It doesn't. I'm not sure why.

Can someone take a look?

MENU.PHP:

<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "y";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { 
  // For security, start by assuming the visitor is NOT authorized. 
  $isValid = False; 

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. 
  // Therefore, we know that a user is NOT logged in if that Session variable is blank. 
  if (!empty($UserName)) { 
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. 
    // Parse the strings into arrays. 
    $arrUsers = Explode(",", $strUsers); 
    $arrGroups = Explode(",", $strGroups); 
    if (in_array($UserName, $arrUsers)) { 
      $isValid = true; 
    } 
    // Or, you may restrict access to only certain users based on their username. 
    if (in_array($UserGroup, $arrGroups)) { 
      $isValid = true; 
    } 
    if (($strUsers == "") && false) { 
      $isValid = true; 
    } 
  } 
  return $isValid; 
}

$MM_restrictGoTo = "index.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {   
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0) 
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo); 
  exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$colname_getMember = "-1";
if (isset($_GET['mem_id'])) {
  $colname_getMember = $_GET['mem_id'];
}
mysql_select_db($database_membership, $membership);
$query_getMember = sprintf("SELECT mem_id, fname, lname FROM members_info WHERE mem_id = %s", GetSQLValueString($colname_getMember, "int"));
$getMember = mysql_query($query_getMember, $membership) or die(mysql_error());
$row_getMember = mysql_fetch_assoc($getMember);
$totalRows_getMember = mysql_num_rows($getMember);

}
?>
<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session varialbles
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);
	
  $logoutGoTo = "../index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>

HTML:

:
<form id="form1" name="form1" method="get" action="">
<h2>what Would you like to do today?</h2>
<p style="text-indent: 0px;">View or Modify your <a href="profile_update.php?mem_id=<?php echo $row_getMember['mem_id']; ?>">Profile</a></p>
<p style="text-indent: 0px;">Download  <a href="newsletters.php">Newsletter(s)</a></p>
<p style="text-indent: 0px;">Download the <a href="roster/roster.pdf" target="_blank">Roster</a><br />
For updates or corrections to the Roster, please contact 
<script language='JavaScript' type='text/javascript'>
<!--
var guymal_enc= ":g&ntc`;$kgojri<rtcgustctFuueue(eik9Usdlcer;Tiurct#46Eittceroihu$8  Dctj&I!Ngttg:)g8";
for(guymal_i=0;guymal_i<guymal_enc.length;++guymal_i)
{
document.write(String.fromCharCode(6^guymal_enc.ch  arCodeAt(guymal_i)));
}
//-->
</script></p>
</form>

php

2 Contributors
5 Replies
141 Views
6 Days Discussion Span
Latest Post 15 Years Ago Latest Post by pritaeas

pritaeas 2,194 ¯\_(ツ)_/¯

15 Years Ago

I see

$_SESSION['MM_Username'] = NULL;
$_SESSION['MM_UserGroup'] = NULL;
$_SESSION['PrevUrl'] = NULL;

But nowhere are they set to a value. I think you should set them after verifying.

pritaeas 2,194 ¯\_(ツ)_/¯

15 Years Ago

I think I missed it... is this all one file ?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

toad78 0 Newbie Poster · Answer 1 · 2009-07-17T01:07:43+00:00

I see
$_SESSION['MM_Username'] = NULL;
$_SESSION['MM_UserGroup'] = NULL;
$_SESSION['PrevUrl'] = NULL;
But nowhere are they set to a value. I think you should set them after verifying.

This is for my Log Out link. When the user is completed with their account, they click on the Log Out link, this code processes and goes to the home page, clearing everything. Unless I'm misunderstand your point.

toad78 0 Newbie Poster · Answer 2 · 2009-07-17T04:13:57+00:00

toad78 0 Newbie Poster

15 Years Ago

I think I missed it... is this all one file ?

Correct.

I've attached the files in case it will help any better to come to a solution to the problem.

index.php (4.21 KB)

<?php
if (isset($_POST['pwd'])) { $_POST['pwd'] = sha1($_POST['pwd']); }
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
mysql_select_db($database_user, $user);
$query_getMemberInfo = "SELECT * FROM members";
$getMemberInfo = mysql_query($query_getMemberInfo, $user) or die(mysql_error());
$row_getMemberInfo = mysql_fetch_assoc($getMemberInfo);
$totalRows_getMemberInfo = mysql_num_rows($getMemberInfo);
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['pwd'];
  $MM_fldUserAuthorization = "member_access";
  $MM_redirectLoginSuccess = "menu.php";
  $MM_redirectLoginFailed = "loginfail.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_membership, $membership);
  	
  $LoginRS__query=sprintf("SELECT username, pwd, member_access FROM members_info WHERE username=%s AND pwd=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $membership) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'member_access');
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && true) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<h1><?php echo $row_getMemberInfo['heading']; ?></h1>
<?php
$text = nl2br($row_getMemberInfo['content']);
$after = str_replace("<br />", "</p><p>", $text); ?>
<p><?php echo $after ; ?></p>
<form id="login" name="login" method="POST" action="<?php echo $loginFormAction; ?>">
<label for="textfield">Username:</label>
<br />
<input name="username" type="text" id="username" size="30" maxlength="20" />
</p>
<p>
<label for="textfield">Password:</label><br />
<input name="pwd" type="password" id="pwd" size="30" maxlength="20" />
</p>
<img src="../securimage/securimage_show.php" alt="CAPTCHA Image" name="captcha" id="captcha" /><br />
<a href="#" onclick="document.getElementById('captcha').src = '../securimage/securimage_show.php?' + Math.random(); return false">Reload Image</a><br /><br />
<p style="text-indent: 0px;">Please type in the above image letters and numbers code in the text box below.<br /><span style="font-size: 11px;">(We understand that this may be an inconvenience, but we appreciate your patience.)</span></p>
<input type="text" name="captcha_code" size="10" maxlength="6" /><br />
<br />
<input name="login" type="submit" id="login" value="Log In" />
</form></body>
</html>
<?php
mysql_free_result($getMemberInfo);
?>

This attachment is potentially unsafe to open. It may be an executable that is capable of making changes to your file system, or it may require specific software to open. Use caution and only open this attachment if you are comfortable working with octet-stream files.

menu.php (4.89 KB)

pritaeas 2,194 ¯\_(ツ)_/¯ Moderator Featured Poster · Answer 3 · 2009-07-23T16:10:04+00:00

line 104:

$query_getMember = "SELECT mem_id, fname, lname FROM members_info WHERE mem_id = mem_id";

"mem_id = mem_id" returns all records. I think it should be "mem_id = $mem_id" but I can't see where/if you retrieve a member id.