Include problem
Posted: Sun Aug 31, 2003 2:13 pm
by Subberke
Hello, I have a login system with 3300 users. With that system I created an admin panel.
The admin panel I made can approve or deny users and edit everything in their account.
Everything worked perfectly until now; the includes sometimes don't respond.
If I click on a link it includes a page. Now sometimes it includes, sometimes it just doesn't and gives the default page I programmed.
Is it because of the database?
Is it because of a bug in the newest PHP version?
I don't know. It can't be my script because it worked fine for 4 months and now it doesn't.
Please help me,
greetz,
Subberke
Posted: Sun Aug 31, 2003 2:24 pm
by JAM
Hard to tell with so little information. Possible to link to the files/paste some code that you think might have the issue?
Posted: Sun Aug 31, 2003 2:29 pm
by Subberke
It's not my code, I'm sure of it. For a week or 2 now, every include I use doesn't always react.
Say I have a link
<a href="index.php?link=test">test</a>
and this code
if ($link == "")
{
include("empty.php");
}
elseif ($link == "test")
{
include("testpage.php");
}
else
{
include("error.php");
}
If I click the link, sometimes it will show the test page, sometimes it will show the error page.
Posted: Sun Aug 31, 2003 2:46 pm
by JAM
Aha!
Posted: Sun Aug 31, 2003 2:47 pm
by JAM
Oops, that wasn't a very good post, was it? Hehe...
Sounds like you're struck by the register_globals syndrome... Read the last link in my signature... (Especially the $_GET part)
Posted: Sun Aug 31, 2003 4:51 pm
by Subberke
OK, I was changing everything but now I'm stuck in my script.
Normally I did this
$query = "SELECT * FROM users WHERE naam = '$user' AND paswoord = '$pass'";
but now...
$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";
This doesn't work.

Posted: Sun Aug 31, 2003 5:31 pm
by JAM
Code:
from
$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";
to
$query = "SELECT * FROM users WHERE naam = '$_REQUEST[user]' AND paswoord = '$_REQUEST[pass]'";
Notice the single quotes in the $_REQUEST vars?
Posted: Sun Aug 31, 2003 5:31 pm
by McGruff
Subberke wrote:
$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";
This doesn't work.

Concatenate:
Code:
<?php
$query = "SELECT * FROM users WHERE naam='" . $_REQUEST['user'] . "' AND paswoord='" . $_REQUEST['pass'] . "'";
?>
It's slightly more secure if you use $_POST or $_COOKIE (wherever it is user and pass come from) rather than $_REQUEST since this at least leaves a single avenue of attack.
Does your script perform any checks on user input?
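Added example, not part of any post in this thread: one way to handle the two inputs discussed above, reading `link` from `$_GET` through a fixed page map and checking the login with a bound parameter instead of string concatenation. The `page_for` and `check_login` helpers, the in-memory SQLite database and the hashed `paswoord` column are assumptions; the thread's script uses MySQL and compares the password inside the query.

```php
<?php
// Added example, not code from the thread. Table/column names (users, naam,
// paswoord) and page file names follow the posts; everything else is assumed.

// Map the ?link= value to a fixed file; the request value never reaches include().
function page_for(array $get): string
{
    $pages = ['' => 'empty.php', 'test' => 'testpage.php'];
    $link = isset($get['link']) && is_string($get['link']) ? $get['link'] : '';
    return $pages[$link] ?? 'error.php';
}

// Look the user up with a bound parameter and verify a stored password hash.
function check_login(PDO $db, array $post): bool
{
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (!is_string($user) || !is_string($pass) || $user === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT paswoord FROM users WHERE naam = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed sample data in an in-memory SQLite database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (naam TEXT PRIMARY KEY, paswoord TEXT)');
$ins = $db->prepare('INSERT INTO users (naam, paswoord) VALUES (?, ?)');
// The apostrophe in the name is stored and matched as plain data.
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// In a real page these would be page_for($_GET) and check_login($db, $_POST).
var_dump(page_for(['link' => 'test']));
var_dump(page_for(['link' => 'missing']));
var_dump(page_for([]));
var_dump(check_login($db, ['user' => "o'brien", 'pass' => 'correct horse']));
var_dump(check_login($db, ['user' => "o'brien", 'pass' => 'wrong']));
```

In the page itself the dispatch becomes `include page_for($_GET);`, which behaves the same whether register_globals is on or off.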
Posted: Sun Aug 31, 2003 5:35 pm
by Subberke
My script goes into the MySQL database,
looks for the row where username and password are correct.
If the row returns 1 then it allows access.
I was solving it by doing this
$username = $_REQUEST[user];
and then SELECT * FROM database WHERE name = '$username' ...
Posted: Sun Aug 31, 2003 5:38 pm
by JAM
McGruff and I had the same answer, but a different path to it, it seems.
$username = $_REQUEST[user];
Doesn't that generate any errors, as you're not using any single quotes? (Ignore if it was just typed for demonstrative purposes)
Posted: Sun Aug 31, 2003 5:42 pm
by Subberke
Was an example.
I use the single quotes in the script.
Thx for the concerns

Posted: Sun Aug 31, 2003 5:44 pm
by JAM
Yah well, you never know.
