
Include problem

Posted: Sun Aug 31, 2003 2:13 pm
by Subberke
Hello, I have a login system with 3300 users. With that system I created an admin panel.

The admin panel I made can approve or deny users and edit everything of their account.

Everything worked perfectly until now; the includes sometimes don't respond.

If I click on a link it includes a page. Now sometimes it includes, sometimes it just doesn't and gives the default page I programmed.

Is it because of the database?
Is it because of a bug in the newest PHP version?

I don't know. It can't be my script because it worked fine for 4 months and now it doesn't.

please help me,

greetz,

Subberke

Posted: Sun Aug 31, 2003 2:24 pm
by JAM
Hard to tell with so little information. Possible to link to the files/paste some code that you think might have the issue?

Posted: Sun Aug 31, 2003 2:29 pm
by Subberke
It's not my code, I'm sure of it. Since a week or 2, every include I use doesn't always react.

Say I have a link

<a href="index.php?link=test">test</a>

and this code

if ($link == "")
{
    include("empty.php");
}
elseif ($link == "test")
{
    include("testpage.php");
}
else
{
    include("error.php");
}

If I click the link, sometimes it will show the test page, sometimes it will show the error page.

Posted: Sun Aug 31, 2003 2:46 pm
by JAM
Aha!

Posted: Sun Aug 31, 2003 2:47 pm
by JAM
Oops, that wasn't a very good post, was it? Hehe...

Sounds like you're struck by the register_globals syndrome... Read the last link in my signature... (Especially the $_GET part)

Posted: Sun Aug 31, 2003 4:51 pm
by Subberke
OK, I was changing everything but now I'm stuck in my script.

Normally I did this

$query = "SELECT * FROM users WHERE naam = '$user' AND paswoord = '$pass'";

but now...

$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";

This doesn't work :?

Posted: Sun Aug 31, 2003 5:31 pm
by JAM

Code:

from
$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";
to
$query = "SELECT * FROM users WHERE naam = '$_REQUEST[user]' AND paswoord = '$_REQUEST[pass]'";

Notice the single quotes in the $_REQUEST vars?

Posted: Sun Aug 31, 2003 5:31 pm
by McGruff
Subberke wrote:
$query = "SELECT * FROM users WHERE naam = '$_REQUEST['user']' AND paswoord = '$_REQUEST['pass']'";

this doesn't work :?

Concatenate:

Code:

<?php
$query = "SELECT * FROM users WHERE naam='" . $_REQUEST['user'] . "' AND paswoord='" . $_REQUEST['pass'] . "'";
?>
It's slightly more secure if you use $_POST or $_COOKIE (wherever it is user and pass come from) rather than $_REQUEST since this at least leaves a single avenue of attack.

Does your script perform any checks on user input?

Posted: Sun Aug 31, 2003 5:35 pm
by Subberke
My script goes into the MySQL database,

looks for the row where username and password are correct,

and if the row returns 1 then it allows access.

I was solving it by doing this

$username = $_REQUEST[user];

and then SELECT * FROM database WHERE name = '$username' ...

Posted: Sun Aug 31, 2003 5:38 pm
by JAM
McGruff and I had the same answer, but a different path to it, it seems.

$username = $_REQUEST[user];
Doesn't that generate any errors, as you're not using any single quotes? (Ignore if it was just typed for demonstrative purposes)

Posted: Sun Aug 31, 2003 5:42 pm
by Subberke
was an example :-)

I use the single quotes in the script ;)

thx for the concerns ;)

Posted: Sun Aug 31, 2003 5:44 pm
by JAM
Yah well, you never know. :D