hidden variable not being picked up by php on resubmission

m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

that didn't help.
it's sending me back to the choice page after i choose a user to approve. this doesn't make sense because the hidden input fn should set fn correctly to go back to appnu. on top of that, only two functions seem to be passing an fn in the hidden fields. i don't understand why it's not passing in the others. the fn was passed to bring up the section of the admin panels in question

this is only the relevant functions (everything from the opening through appnu)

note: errors on E_ALL

set in includes: $host, $login2, $pass2, $admins, bgnpg(), bgnmsgpg(), $approvers, $suspenders, $jra, $adm, $wbm, $ok

<?php
include("/home/joshua/includes/fyd.incs.php"); # includes file

/* ***************************************************
   ** set any and all variables that need to be set **
   *************************************************** */

$fn=$_POST['fn']; // what you want to do
$un=$_COOKIE['un']; // who you are
$pw=$_COOKIE['pw']; // verify yourself

# check for access in the db
$db=mysql_connect($host, $login2, $pass2) or die("cannot access mysql"); # connect to the db
$fyd=mysql_select_db('findyourdesire', $db) or die("cannot access db"); # get the db
$accessfind=mysql_query("SELECT site_access FROM users WHERE username='$un' AND password='$pw'", $db);

if(!(mysql_num_rows($accessfind)==0)){ # we found a user

  $accesscheck=mysql_fetch_array($accessfind); $sa=$accesscheck['site_access']; # find out the access level

  if(contains($sa, $admins)){ # if the level is an admin level

    /* *******************************************************
     *** find where we are and call the creation functions ***
     ******************************************************* */

    if(isset($fn)){ // we wanna do something
      if($fn=='appnu'){ bgnpg('New User Approval'); appnu($db); } # approve new user profile
      elseif($fn=='appbio'){ bgnpg('Bio Approval'); appbio($db); } # approve bios
      elseif($fn=='appmain'){ bgnpg('Main Pic Approval'); appmain($db); } # approve main pics
      elseif($fn=='appt1'){ bgnpg('Thumbnail Pic Approval'); appt1($db); } # approve thumb 1
      elseif($fn=='appt2'){ bgnpg('Thumbnail Pic Approval'); appt2($db); } # approve thumb 2
      elseif($fn=='appt3'){ bgnpg('Thumbnail Pic Approval'); appt3($db); } # approve thumb 3
      elseif($fn=='appt4'){ bgnpg('Thumbnail Pic Approval'); appt4($db); } # approve thumb 4
      elseif($fn=='appsalute'){ bgnpg('Salute Pic Approval'); appsalute($db); } # approve salute
      elseif($fn=='susus'){ bgnmsgpg('Member Suspension'); susus($db); } # suspend user
      elseif($fn=='susrev'){ bgnmsgpg('Suspension Review'); susrev($db); } # review suspensions
      elseif($fn=='delu'){ bgnmsgpg('Member Deletion page'); delu(); } # delete user
      elseif($fn=='access'){ bgnmsgpg('Site Access Adjustment'); access($db); } # adjust user's site access
      elseif($fn=='adjfor'){ bgnmsgpg('Forum Adjustment'); adjfor($db); } # adjust forums
      elseif($fn=='misc'){ bgnmsgpg('Josh\'s Special Page'); misc(); } # give miscellaneous commands
      else{ bgnmsgpg('Administration Area (restricted access)'); choice($db); } # something's wrong

    }else{ bgnmsgpg('Administration Area (restricted access)'); choice($db); } # begin this craziness

  }else{ bgnmsgpg('Administration Area (restricted access)'); problem(); } # user shouldn't be this far

}else{ bgnmsgpg('Administration Area (restricted access)'); problem(); } # user shouldn't be this far

function choice($db){ # main admin page

  include("/home/joshua/includes/fyd.altincs.php"); # includes file (precautionary measure)

  $un=$_COOKIE['un']; // who you are
  $pw=$_COOKIE['pw']; // verify
  $options=''; // what can ya do

  /* find access level in db. set appropriately */
  $accessret=mysql_query("SELECT site_access FROM users WHERE username='$un' AND password='$pw'", $db);
  $access=mysql_fetch_array($accessret); // get the access level
  $sa=$access['site_access']; // set the access level

  if(contains($sa, $approvers)){ // you are allowed to approve
    $options.="   <option value=\"appnu\">Approve New Users</option>\n    <option value=\"appbio\">Approve Bios</option>\n   <option value=\"appmain\">Approve Main Pictures</option>\n       <option value=\"appt1\">Approve 1st Thumb</option>\n    <option value=\"appt2\">Approve 2nd Thumb</option>\n        <option value=\"appt3\">Approve 3rd Thumb</option>\n    <option value=\"appt4\">Approve 4th Thumb</option>\n        <option value=\"appsalute\">Approve Salute Picture</option>\n"; } # add the approver options

  if(contains($sa, $suspenders)){ // you're allowed to suspend
    $options.="   <option value=\"susus\">Suspend User</option>\n"; } # add the suspend options

  if(($sa==$jra)||($sa==$adm)||($sa==$wbm)){ // you're more than someone given the ability to suspend and/or approve
    $options=$options."   <option value=\"susrev\">Review Suspended Users</option>\n      <option value=\"access\">Adjust User Access</option>\n"; } # add things for jr/full admins

  if(($sa==$adm)||($sa==$wbm)){ // you're a full admin
    $options.="   <option value=\"delu\">Delete User</option>\n   <option value=\"adjfor\">Adjust Forums</option>\n"; } # full admin options

  if($sa==$wbm){ // you're the webmaster
    $options.="   <option value=\"misc\">Misc Commands</option>"; } # only the webmaster, since the other full admins might not have a grasp of how to use dbs
    
    echo <<<END
      <h3>Welcome to the Admin Choice Page. If you link a non-admin to any admin page, they will see nothing, except for the an error message letting them to know to report it. (security)</h3>
      <p>
        <!-- php checks access level in form creation & makes select choices based on it -->
        <form action="$_SERVER[PHP_SELF]" target="_blank" method="POST" >
        <select name="fn" size="1">
$options
        </select>
        <input type="submit" value="Administrate!">
        </form>
      </p>
    </center>
  </body>
</html>
END;
}

function appnu($db){ # approve a new user

  include("/home/joshua/includes/fyd.altincs.php"); # includes file (precautionary measure)

  $un=$_COOKIE['un']; // who you are
  $pw=$_COOKIE['pw']; // verify
  $options=''; // what can ya do

  /* find access level (site_access) in db. set appropriately */
  $accessret=mysql_query("SELECT site_access FROM users WHERE username='$un' AND password='$pw'", $db);
  $access=mysql_fetch_array($accessret); // get access level
  $sa=$access['site_access']; // set access level

  if(!(contains($sa, $approvers))){ error(); } # double check on access

  else{ # we're gonna find and approve someone

    if($_POST['action']==='APPROVED'){ # approve

      $ruin=$_POST['ruin']; // id # being approved
      $run=$_POST['run']; // name being approved

      $update=mysql_query("UPDATE users SET approved='$ok' WHERE uid='$ruin'", $db); // approve profile

      foreach($pics as $pic){ // for each picture you have
        $img=getcwd().'/unapproved/'.$pic.'.'.$run.'.jpg'; $to=getcwd().'/userpics/'.$pic.'.'.$run.'.jpg';
        if(is_file($img)){ rename($img, $to); } # move to approved
      } // pictures should now show up

      if(mysql_affected_rows($db)==1){ $result="$run's profile successfully approved"; } // worked (mysql_affected_rows takes the link, not the query result)

      else{ // something went wrong
        $errno=mysql_errno($db); // error number
        $error=mysql_error($db); // error message
        $result="Error approving $run's profile<br />$errno: $error"; } // set error message

      echo "      <p>$result</p>\n"; // report what happened

    }elseif($_POST['action']==='REJECT'){ # reject

      $ruin=$_POST['ruin']; // id number
      $run=$_POST['run']; // username
      $reason=$_POST['reason']; // reason for rejection

      $findemail=mysql_query("SELECT email FROM users WHERE uid='$ruin'", $db); # find user's email
      $getemail=mysql_fetch_array($findemail); // get email
      $to=$getemail['email']; // set email
      unapproveMessage('Profile', $reason, $run, $to); // let the user know why

    }elseif($_POST['action']==='review'){ # review

      # get the info
      $ui=explode(',', $_POST['ui']); // array info
      $ruin=$ui[0]; // set id number
      $run=$ui[1]; // set username

      # make the approval form
      echo <<<END
      <h1>Do NOT link to the pictures in the forum. It will defeat the purpose of the obscuring done in the profiles. You are linked to the originals for approval only</h1>
      <form action="$_SERVER[PHP_SELF]">
        <input type="hidden" name="fn" value="appnu"><input type="hidden" name="ruin" value="$ruin">
        $tsnw
            <tr><td>user:<input type="text" size="15" readonly name="run" value="$run"> </td><td>APPROVING: PROFILE</td></tr>
            <tr><td colspan="2"><iframe frameborder="0" name="bio" scrolling="auto" src="bio.php?un=$run&uin=$ruin&show=yes">if you see this upgrade to <a href="http://www.mozilla.org/">Mozilla</a> 1.3.1 or later</iframe></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/main.$run.jpg" target="pic">Main</a></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/t1.$run.jpg" target="pic">Thumb 1</a></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/t2.$run.jpg" target="pic">Thumb 2</a></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/t3.$run.jpg" target="pic">Thumb 3</a></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/t4.$run.jpg" target="pic">Thumb 4</a></td></tr>
            <tr><td colspan="2" align="center"><a href="uapproved/salute.$run.jpg" target="pic">Salute</a></td></tr>
            <tr>
              <td><input type="text" name="reason" size="21"></td>
              <td>
                <select name="action">
                  <option value="REJECT">REJECT</option>
                  <option value="APPROVED">APPROVE</option>
                </select>
                <input type="submit" value="Done">
              </td>
            </tr>
        </table>
      </form>
    </center>
  </body>
</html>
END;
    }

    if($_POST['action']!=='review'){ # if we're not reviewing

      $newmems=''; // who needs to be approved (options)
      $users=array(); // who needs to be approved (raw db retrieval)

      # who needs to be approved
      $newbs=mysql_query("SELECT uid,username FROM users WHERE approved='$nuv'", $db); # find newbs
      $found=mysql_num_rows($newbs); // how many newbs
      for($i=0;$i<$found;$i++){ $users[]=mysql_fetch_array($newbs); } # for each newb, get the info

      foreach($users as $user){ # for each newb
        $id=$user['uid']; // find id number
        $name=$user['username']; // find name
        $newmems=$newmems."<option value=\"$id,$name\">$name</option>"; # make them an option
      } #so we can place it in the form

      # find out who they want to approve
      echo <<<END
      $poserr
      <form action="$_SERVER[PHP_SELF]">
        <input type="hidden" name="fn" value="appnu">
        <input type="hidden" name="action" value="review">
        <select name="ui" size="1">
          $newmems
        </select>
        <input type="submit" value="Review Profile!">
      </form>
    </center>
  </body>
</html>
END;
    }
  }
}
jmarcv
Forum Contributor
Posts: 131
Joined: Tue Jul 29, 2003 7:17 pm
Location: Colorado

Post by jmarcv »

You might want to add METHOD=POST to the 2 form tags that resubmit, and do NOT have it. I believe it defaults to GET if not specified, which would explain why you don't see it if you expect it to be in POST.
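
Added example, not from the thread: the receiving side of the approval form, refusing anything that is not a POST and validating the hidden fields before they are used. The function names and the username pattern are assumptions; the field names fn, action, ruin and run are the ones in the post. Assumes PHP 7.1 or later.

```php
<?php
// Added example; function names and the username pattern are assumptions.

// Read the approve/reject submission of the appnu form.
// Returns [fields, errors]; fields is null when the request is refused.
function read_approval_post(string $method, array $post): array
{
    // A <form> without method="POST" is sent as GET, so $_POST is empty and
    // the hidden fn sits in the query string. Refuse rather than fall through.
    if (strtoupper($method) !== 'POST') {
        return [null, ['approval must be submitted with POST']];
    }
    $errors = [];
    if (($post['fn'] ?? '') !== 'appnu') { $errors[] = 'fn is not appnu'; }

    // Hidden and readonly inputs are still client-controlled: validate them
    // before they reach a query or a file path.
    $ruin = $post['ruin'] ?? '';
    if (!is_string($ruin) || !ctype_digit($ruin)) { $errors[] = 'ruin is not a numeric id'; }
    $run = $post['run'] ?? '';
    if (!is_string($run) || !preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $run)) {
        $errors[] = 'run is not a plain username';
    }
    $action = $post['action'] ?? '';
    if (!in_array($action, ['APPROVED', 'REJECT'], true)) { $errors[] = 'unknown action'; }

    return $errors ? [null, $errors]
                   : [['fn' => 'appnu', 'ruin' => (int)$ruin, 'run' => $run, 'action' => $action], []];
}

/** Build a hidden input with the value HTML-escaped. */
function hidden_input(string $name, string $value): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['GET',  []], // what the form in the post sends: nothing in $_POST
    ['POST', ['fn' => 'appnu', 'action' => 'APPROVED', 'ruin' => '42', 'run' => 'newuser']],
    ['POST', ['fn' => 'appnu', 'action' => 'APPROVED', 'ruin' => '42abc', 'run' => 'bad name!']],
];
foreach ($samples as [$method, $post]) {
    [$fields, $errors] = read_approval_post($method, $post);
    $verdict = $fields ? 'accepted ' . json_encode($fields) : 'refused: ' . implode('; ', $errors);
    echo "$method $verdict\n";
}
```

In a live page the call would be read_approval_post($_SERVER['REQUEST_METHOD'], $_POST), with the values for the next form written through hidden_input().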
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

lol. i wasn't expecting it in the html so i've been looking at the php yesterday trying to find a problem there. once again the issue is that i expected the error in the wrong place. i've done that for all the really frustrating things.. ie: the login issue i had for a week and this one that i was looking at for a day and a half and two others before the login
jmarcv
Forum Contributor
Posts: 131
Joined: Tue Jul 29, 2003 7:17 pm
Location: Colorado

Post by jmarcv »

Been there, done that. That's what these forums are for. A fresh look.

P.S. hw boute tht 4kin BenColon?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

i saw the first post, saw bech's response and thought "ok. the script kiddie'll leave".

saw his response and figured he needs something more direct to show his follies.

he should go to phpbuilders.com forums. i was there for a week. got no help. recreated a thread, and decided to look actively.

first two posts were like his, only ppl gave scripts. so i pointed out they're breeding script kiddies, made an example of a better response, and posed the question why they were doing the other way. went on to some other threads. most were like that and given answers. the ones that weren't i had some insight.
one i went back the next day the person thanked me but the thread had died and was brought back up and let me know it had already been worked out but thanked me because what i said gave a second option, a second fix that was viable and was good.
the day after i went to see if there was anything on my thread and after logging in it simply had a screen (no way of logging out) that said "you are banned from these forums"

i got around that to look and saw no one responded and several more script kiddie stuff.

simply put he's at the wrong boards. i laughed and never looked back. phpbuilders is a script kiddie place. this is where to go if you want to learn or help people learn.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

m3rajk wrote: simply put he's at the wrong boards. i laughed and never looked back. phpbuilders is a script kiddie place. this is where to go if you want to learn or help people learn.
He probably thinks he's a 133t h4xor lol. Apparently some kids in the UK have even written exams in that gobbledygook :? . Oh well, maybe he'll get bored and go surf warez soon.

Mac