Member Avatar for cristian.stilpeanu.1

Hi, i need help, who knows and wants to help me with a problem I would greatly appreciate.

I downloaded a page to my site I instalato and work well only have one problem, anyone can access any without having to login, and must do so to be able to access only after being logged.

The page whit problem:

<!-- content -->
> <div id="content">
> <div class="boxui box-top"></div>
> <div class="boxui box-con">
> <?PHP include("./conectare/slide.php"); ?>      
> <div class="boxui box-end"></div>
> </div
> <br>
> 
> 
> <div class="boxui box-title">
> <span class="title-icon icon-status"></span>
> <h2><b>loguri accesari cont</b></a></h2></div>
> <div class="boxui box-con"><div class="wrap"><p>
> 
>                         <?php
>                       
> echo '<div align="center" style="margin-bottom: 10px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">';
> echo '        <table border="1" bordercolor="FFCC00" style="background-color:FFFFCC" width="400" cellpadding="3" cellspacing="3">
> <thead>
> <td> id cont</td>
> <td> status logare</td>
> <td> ch</td>
> <td> info logare</td>
> <td> info delogare</td>
> <td> id pc</td>
> </thead>
> ';
>                   
>                   $id = $_SESSION['id'];
>                       mysql_select_db("account");
>                       $sql = mysql_query("SELECT * FROM `account` WHERE `login` = '" . $id . "'") or die (mysql_error());
>                       $row2 = mysql_fetch_array($sql);
>                       $idnou = $row2['id'];
>                       mysql_select_db("log");
>    $SQL = mysql_query("SELECT * FROM `loginlog2` WHERE `account_id` = '" . $idnou . "' ORDER BY `login_time` DESC") or die (mysql_error()); //gata merge:) nu ai date inca in baza de date :))
>      $x1 = 0;$afisari = 25;
>      while(($row = mysql_fetch_array($SQL)) && ($afisari > 0))
>                         {
> 
> echo '
> 
>   <tr>
>       <td> '. $row["account_id"]. ' </td>
>       <td> '. $row["type"]. ' </td>
>       <td> '. $row["channel"]. ' </td>
>       <td> '. $row["login_time"]. ' </td>
>       <td> '. $row["logout_time"]. ' </td>
>       <td> '. $row["ip"]. ' </td>
>   </tr>
>   ';
> 
>                             $x1++;$afisari--;
>                         }
>                         if($x1 == 0)
>                         {
>                           echo "<tr><td>Nu avem destule date in baza de date pentru a genera aceasta informatie!</td><td></td></tr>";
>                         }
>                       
>                   echo '  </table>
>                           </div>';
>                       
> 
>                         ?>
>                       <br>
> 
>       <div class="meta"></div></div></div>
>               <div class="boxui box-end"></div>     
>               <!-- news post -->
> 
> 
> </p>
> 
> 
>   
>   <div style="margin-bottom: 10px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">
>    Aici se pot vedea loguri referitoare la ultimele logari in joc.
> <br><br>
> 
> Daca la "<u>Stare</u>" apare <u>"INVALID</u>", inseamna ca logarea a fost esuata sau clientul a fost inchis fara a se face delogare.
> </div>
> 
> 
>             
>       </div>
>       <!-- end content -->

and look at a page that runs on login:

> <div id="content">
> <div class="boxui box-top"></div>
> <div class="boxui box-con">
> <?PHP include("./conectare/slide.php"); ?>      
> <div class="boxui box-end"></div></div>
>   
> <div class="boxui box-title"><span class="title-icon icon-status"></span>
> <h2>listarea caracterelor</a></h2>
> </div><div class="boxui box-con"><div class="wrap"><p><span class="news-content">
> 
> <div style="margin-bottom: 0px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">
> 
> <?PHP
> 
> if(isset($_SESSION['user_id']) && checkInt($_SESSION['user_id']) && $_SESSION['user_id']>=0) {
>  
> echo"<br/>";
> $cmdChars = "SELECT player.id,player.name,player.job,player.level,player.playtime,guild.name AS guild_name
> FROM player.player
> LEFT JOIN player.guild_member 
> ON guild_member.pid=player.id 
> LEFT JOIN player.guild 
> ON guild.id=guild_member.guild_id
> WHERE player.account_id='".$_SESSION['user_id']."'";
> $qryChars = mysql_query($cmdChars,$sqlServ);
> $x=0;
> echo'<table>
> 
> <tr>
> <th class="topLine">    Caracter               </th>
> <th class="topLine">Rasă            </th>
> <th class="topLine">Nivel          </th>
> <th class="topLine">Timp joc             </th>
> <th class="topLine">Breaslă          </th>
> <th class="topLine">   </th></tr>';
> 
> while($getChars = mysql_fetch_object($qryChars)) {
> $zF = ($x%2==0) ? "tdunkel" : "thell";
> echo'<tr>
> <td class="'.$zF.'">     <a href="?s=debugare&char='.$getChars->id.'" title="Deblocare caracter">'.$getChars->name.'</a></td>
> <td class="'.$zF.'"> '.$aRassen[$getChars->job].'</td>
> <td class="'.$zF.'"> '.$getChars->level.'</td>
> <td class="'.$zF.'"> '.$getChars->playtime.' Minute</td>
> <td class="'.$zF.'"> '.$getChars->guild_name.'</td>
> 
> </td>
> </tr>';
> $x++;
> }
> echo'</table>';
> echo" <br/><br/>";
> }
>   else {
>     echo' <center><p class="meldung">You must be logged in to access this page</p></center>';
>   }
>   
> ?>
> 
> </div><br>
> <div class="meta"></div></div></div>
> <div class="boxui box-end"></div></div>

What all you need to add that it can not be accessed whitout login.
or if someone kindly modify my code it.Thank you!

  • 3 Contributors
  • 14 Replies
  • 541 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for LastMitch

@cristian.stilpeanu.1

What all you need to add that it can not be accessed whitout login. or if someone kindly modify my code it.

What error appear when you ran this code, since you are using JOIN in your query then must have be at least an error?

Member Avatar for cristian.stilpeanu.1

here, did not intend to advertise

<urls snipped>

Thank you!

Edited by diafol because: snipped urls
Member Avatar for diafol

Add session protection. If user logged in - search for $_SESSION['user_id'] or whatever you're using.

Member Avatar for LastMitch

@cristian.stilpeanu.1

I downloaded a page to my site I instalato and work well only have one problem, anyone can access any without having to login, and must do so to be able to access only after being logged.

Try to included this Pear Package:

http://pear.php.net/package/LiveUser/redirected

It comes with a code so you really need to take time adding this.

What daifol mention is about protecting your session:

http://phpsec.org/projects/guide/4.html

Member Avatar for diafol

Ok, solved?

Member Avatar for cristian.stilpeanu.1

I apologize for any inconvenience, but can someone delete my php code posted by me?

Member Avatar for diafol

Why?

Member Avatar for cristian.stilpeanu.1

this discussion appears in google search words of my pages and i don't want to see the people my code, please. Thank you!

Edited by cristian.stilpeanu.1
Member Avatar for LastMitch

@cristian.stilpeanu.1

this discussion appears in google search words of my pages and i don't want to see the people my code, please. Thank you!

The question you ask is weird. I mean you have to understand when you post anything on the web it will appear sooner or later on google. You can't prevent that from happening.

Member Avatar for diafol

DW has a general policy not to delete posts, especially when there have been replies to it. If you want to PM me with further info and a reason why this needs to happen, feel free, perhaps I could advise you further.

Edited by diafol
Member Avatar for diafol

.... sad

I'm afraid that's the size of it. If you could outline the issue in a PM perhaps?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.