hi.
im building a site that involves having access authenticated by admin, to achieve this i have used sessions to seperate user types (members, officers & commanders (me)). in commanders is a link to a requests page that recieves requests from users (the requests table) and once submitted sends the info to the (verified) users table so that members can log in. obviously i need this page secure so im using the commander session to limit access.
the proplem is everytime i submit a request to the users table, it submits my username & my password not that of the request(e). the only way i have found to stop this is to remove the session details which means anyone can access which is not an option. im a bit of a newb to php but from my understanding the fields im submiting match that of the session info meaning the session info replaces it, but i need the fields to mact otherwise data wont go into the right fields, hence catch 22...lol
this is my script without the session details
Code: Select all
<?php
$errorMessage = '';
if (isset($_POST['rank']) && isset($_POST['forename']) && isset($_POST['surname']) && isset($_POST['email']) && isset($_POST['username']) && isset($_POST['password']) && isset($_POST['khlink']) && isset($_POST['status']))
{
include '../library/config.php';
$tbl_name="users";
include '../library/opendb.php';
$rank = addslashes ($rank);
$forename = addslashes ($forename);
$surname = addslashes ($surname);
$email = addslashes ($email);
$username = addslashes ($username);
$pass = addslashes ($pass);
$khlink = addslashes ($khlink);
$status = addslashes ($status);
if (!$rank || !$forename || !$surname || !$email || !$username || !$password || !$khlink || !$status )
{
$errorMessage = 'Sorry, you did not enter all the required information.';
}
else
{
if (!get_magic_quotes_gpc())
{
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 != 0)
{
$errorMessage = 'Sorry, the username '.$_POST['username'].' is already in use.';
}
$_POST['password'] = md5($_POST['password']);
if (!get_magic_quotes_gpc())
{
$_POST['password'] = addslashes($_POST['password']);
$_POST['username'] = addslashes($_POST['username']);
}
$query = "INSERT INTO $tbl_name(rank, forename, surname, email, username, password, khlink, status)VALUES('".$rank."', '".$forename."', '".$surname."', '".$email."', '".$username."', '".$password."', '".$khlink."', '".$status."')";
$result = mysql_query($query);
if ($result)
{
$successMessage = 'Complete';
}
else
{
$errorMessage = 'Sorry';
}
}
include '../library/closedb.php';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="keywords" content="~AK~, allheart, knights, knighthood, facebook"/>
<meta name="description" content="~AK~ Knighthood Register Review"/>
<link rel="stylesheet" type="text/css" href="requests/requests.css" title="stylesheet"/>
<title>~AK~ | Requests</title>
</head>
<body>
<div id="banner"></div>
<div id="menu">
<a href="home.php" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">home</a>
<a href="catagories.php" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">forum</a>
<a href="" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">members</a>
<a href="" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">officers</a>
<a href="rules.php" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">rules</a>
<a href="http://apps.new.facebook.com/knighthood/" target="_blank" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">knighthood</a>
<a href="requests.php" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">requests</a>
<a href="../library/signout.php" onmouseover="this.style.color='#832d2d'" onmouseout="this.style.color='#b28989'">sign out</a>
</div> <!-- end menu -->
<div id="content">
<p align="center">
<?php
if ($successMessage != '')
{
?>
<?php echo $successMessage; ?>
<?php
}
?>
<?php
if ($errorMessage != '')
{
?>
<?php echo $errorMessage; ?>
<?php
}
?>
</p>
<?php
include '../library/config.php';
$tbl_name="requests";
include '../library/opendb.php';
$sql="SELECT * FROM $tbl_name ORDER BY forename DESC";
$result=mysql_query($sql);
?>
<?php
while($rows=mysql_fetch_array($result))
{
?>
<form action="" method="post">
<table cellspacing="5">
<tr>
<th>Rank</th>
<th>Forename</th>
<th>Surname</th>
<th>E-mail</th>
</tr>
<tr>
<td><input type="text" name="rank" value="<? echo $rows['rank']; ?>"/></td>
<td><input type="text" name="forename" value="<? echo $rows['forename']; ?>"/></td>
<td><input type="text" name="surname" value="<? echo $rows['surname']; ?>"/></td>
<td><input type="text" name="email" value="<? echo $rows['email']; ?>"/></td>
<tr>
<th>Username</th>
<th>Password</th>
<th>KHlink</th>
<th>Status</th>
</tr>
<tr>
<td><input type="text" name="username" value="<? echo $rows['username']; ?>"/></td>
<td><input type="text" name="password" value="<? echo $rows['password']; ?>"/></td>
<td><input type="text" name="khlink" value="<? echo $rows['khlink']; ?>"/></td>
<td><input type="text" name="status" value="<? echo $rows['status']; ?>"/></td>
</tr>
<tr>
<td colspan="4" height="50px" valign="bottom"><input type="submit" value="Confirm"/></td>
</tr>
</table>
</form>
<?php
}
mysql_close();
?>
</div>
</body>
</html>