Form with data already populated



oxygenproject
02-15-2010, 12:18 PM
Hey guys!

I am currently working on a password changing form for my website. When a user is logged in they would go to the form, the "username" and "type" would already be populated.

Here is my code, check it out.. I am almost there, I can get the data to show up but when I press submit it doesn't amend the data in SQL:


<form id="form1" name="form1" method="post" action="#">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td><td width="290">
<label><input name="username" type="text" disabled="disabled" id="username"
intvalue="<?php echo $_SESSION['user']['username'];?>" size="35" /></label></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><input name="type" type="text" disabled="disabled" id="type" intvalue="<?php echo $_SESSION['user']['type'];?>" size="35" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "******", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}
?>

Would appreciate some help with this one.. Cheers, Aaron!

mlseim
02-15-2010, 02:33 PM
I guess I'm not sure what "extract" does, but try grabbing your POST variables as shown, and sanitize them first:



if($_POST["username"]) {
$connection = db_connect();
// extract($_POST);
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$type=mysql_real_escape_string($_POST['type']);
$password = AESEncryptCtr($password, "******", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}

SSJ
02-15-2010, 02:43 PM
I guess I'm not sure what "extract" does, but try grabbing your POST variables as shown, and sanitize them first:



if($_POST["username"]) {
$connection = db_connect();
// extract($_POST);
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$type=mysql_real_escape_string($_POST['type']);
$password = AESEncryptCtr($password, "******", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}

@mlseim: The extract() function imports variables into the local symbol table from an array.

@oxygenproject: I think you should store the post data into one array and then try to extract it. I think that will work well.

MattF
02-15-2010, 10:12 PM
intvalue?

Inigoesdr
02-15-2010, 10:26 PM
Hey guys!
...
Would appreciate some help with this one.. Cheers, Aaron!
Please remember to read the stickies for this forum. In particular the one about using
tags (http://www.codingforums.com/showthread.php?t=68462) when posting code.

@mlseim: The extract() function imports variables into the local symbol table from an array.
Which is normally a bad idea (http://php.net/extract#function.extract.notes), and not really needed.

@oxygenproject: I think you should store the post data into one array and then try to extract it. I think that will work well.
That does.. nothing different.

intvalue?
What?

MattF
02-15-2010, 10:35 PM
What?

Look at the code. :) What is an intvalue? Last time I checked, that should be value.

mlseim
02-15-2010, 10:48 PM
What's wrong with my example in post #2 ?

MattF
02-15-2010, 10:50 PM
What's wrong with my example in post #2 ?

Whom is that question for? :D

oxygenproject
02-15-2010, 11:49 PM
intvalue is supposed to be value.. ignore that.. I balls up some comments I was adding to them.. this doesn't have anything to do with it not working :P

that revised code that you provided mlseim doesn't work either..

MattF
02-16-2010, 12:00 AM
What exactly isn't working? Are $type, $password and $username set where you try updating the DB? Have you tried echoing them to make sure they're set? Is the DB query throwing an error? Your description of what is happening, (or not, as the case may be), is vague.

oxygenproject
02-16-2010, 12:03 AM
Okay sorry MattF about being vague..

The 'username' and 'type' fields are working correctly, when I load the form it displays the username I am logged in as likewise the type of account I am running.

When I submit the password changes, it doesn't make any modifications to the SQL data as per the purpose of the form.

Here is a complete extract of the code from go to woe:



<form id="form1" name="form1" method="post" action="#">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td><td width="290">
<label><input name="username" type="text" disabled="disabled" id="username"
value="<?php echo $_SESSION['user']['username'];?>" size="35" /></label></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><input name="type" type="text" disabled="disabled" id="type" value="<?php echo $_SESSION['user']['type'];?>" size="35" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
// extract($_POST);
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$type=mysql_real_escape_string($_POST['type']);
$password = AESEncryptCtr($password, "school786a", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}
?>

MattF
02-16-2010, 12:10 AM
Adding the print() line as below displays the username and type?



if($_POST["username"]) {
$connection = db_connect();
// extract($_POST);
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$type=mysql_real_escape_string($_POST['type']);

print('Username: '.htmlspecialchars($_POST['username']).' Type: '.htmlspecialchars($_POST['type']));

$password = AESEncryptCtr($password, "school786a", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}

oxygenproject
02-16-2010, 01:40 AM
Still not having much luck..

When I submit the page it takes me back to the home page (index.php).. and does not make any amendments to the SQL data.

mlseim
02-16-2010, 01:57 AM
If your form is calling itself, remove this: action="#"

You should use a separate script to process the form anyhow, it's easier to troubleshoot.

oxygenproject
02-16-2010, 02:06 AM
No problems, I have removed it, thanks for your help.

Working through a few different things with the post script, as it's still not amending the SQL data in the password field.

mlseim
02-16-2010, 02:09 AM
Add the lines in red and tell us what shows-up for those three variables ...

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "******", 256);

echo "
Type: $type <br>
Pass: $password <br>
User: $username
";
exit;

mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}

oxygenproject
02-16-2010, 07:19 AM
Nothing shows up..

For some reason when you press submit, it ends the session and returns back to the home page.. thus not resulting in showing anything.

The page is accessed using switches.. but I am not sure why it does this.

mlseim
02-16-2010, 02:40 PM
Well, now you know that it doesn't go into the database because it never executes.
That's the answer to post #1. Now, you have to figure out why it doesn't execute.

The script you showed us in post #1. Is that the whole script?
Or did you only show us part of it?

And what do you mean by "switches"?

oxygenproject
02-16-2010, 10:21 PM
The website I am playing with is open-source, with that there is hardly any documentation and the code is inconsistent.

What you saw is the complete page and that I just need to play with it,

I appreciate your help.. Thanks a lot.

mlseim
02-16-2010, 11:00 PM
hmmm ....

I wonder if the reason it goes back to your main page is because there
is a PHP script failure and your PHP config (or .htaccess) has some sort
of error redirect.

If what you have in post #1 is a stand-alone script, I can't see how it would
work ... as there's no way it is connected to a database. There must be more
stuff involved that you either didn't show us, or you don't know about.

Is this thing part of a larger script? Like something you installed on your website?

oxygenproject
02-16-2010, 11:06 PM
Sorry, what I meant to say is that the form itself is standalone but it is a part of my website I am working on.

When you log in, it creates a session thus the script above can pull down the details of the username/password and type.

With the last code you posted, I can view the source of the page and it will display the information.. just won't submit when I use the form

mlseim
02-17-2010, 01:00 AM
Let's try a different approach ...

Use this script instead (see below). It's basically the same, but we'll comment-out
parts of it and test it ... adding in parts later on. Just to make sure it works little by little ... Test it just like it is (with commented-out lines).
Process the form and see if it comes back with the correct values ...



<?php
session_start();

if(isset($_POST['username'])) {

// Sanitize variables from form.
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$type=mysql_real_escape_string($_POST['type']);

// Test the values of the variables.
echo "
User: $username <br>
Pass: $password <br>
Type: $type
";
exit;

// $connection = db_connect();
// extract($_POST);
// $password = AESEncryptCtr($password, "******", 256);
// mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());

// Return to main page after writing change to database.
// header ("location: index.php");
}
?>

<form id="form1" name="form1" method="post">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td><td width="290">
<label><input name="username" type="text" disabled="disabled" id="username"
intvalue="<?php echo $_SESSION['user']['username'];?>" size="35" /></label></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><input name="type" type="text" disabled="disabled" id="type" intvalue="<?php echo $_SESSION['user']['type'];?>" size="35" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

oxygenproject
02-17-2010, 01:09 AM
Okay, well this script isn't bringing up any text in the text boxes.. Do I need to add ' ' to the echo $_Session.. ?

mlseim
02-17-2010, 01:15 AM
Try adding the line in red to the very top of your script ...

<?php
session_start();

oxygenproject
02-17-2010, 01:46 AM
Still no luck mate?

oxygenproject
02-17-2010, 01:48 AM
This is my other script which works. The only difference is that the user can manually input the name, password and type.. And this works. I just want to make it so that the user cannot just input another person's username to change their password :)

Here is the page:



<form id="form1" name="form1" method="post" action="#">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><input name="username" type="text" id="username" size="35" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><select name="type" id="type">
<option value="admins" selected="selected">Web Administrator</option>
<option value="teachers">Teacher</option>
<option value="students">Student</option>
<option value="parents">Parents</option>
</select></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "school786a", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}
?>
</div>

mlseim
02-17-2010, 01:58 AM
I have no way to test anything, as I don't have your database ...
so I guess you'll have to figure it out somehow.

I'm stumped why it doesn't work.
Something is fishy with your sessions.

MattF
02-17-2010, 02:39 AM
The website I am playing with is open-source, with that there is hardly any documentation and the code is inconsistent.

Are the scripts you're playing with part of the standard distribution? If so, what is the name of software?

oxygenproject
02-17-2010, 03:08 AM
I am running a customised version of Open School (www.open-school.org)

MattF
02-17-2010, 03:48 AM
I am running a customised version of Open School (www.open-school.org)


Are the scripts you're playing with part of the standard distribution?

If yes, which specific script are you having problems with? Btw, please be precise with answers and provide all the info requested. Having to ask several times or mastering mind reading doesn't make things any easier.


Edit: How customised a version are you running, btw? Just had a quick look at that site and the general release is still Alpha status? It's not generally a good idea to run anything less than R.C status, (minimum), software on a production site unless you know exactly what you're doing and have the abilities to sort any possible problems. You might as well put up a sign saying 'Rodger Me' otherwise.

oxygenproject
02-17-2010, 03:56 AM
I apologise for not being specific, but I would imagine it would be too hard to explain to someone to get help on a package.

At this stage.. thanks for your help, I will not worry about it as I don't want to be wasting anyone's time.

Cheers and thanks again, Aaron.

oxygenproject
02-17-2010, 04:05 AM
My own addition.. If the website were live I would show you exactly what I am talking about.. But I have it sitting locally using a WAMP server.

MattF
02-17-2010, 04:07 AM
My own addition.. If the website were live I would show you exactly what I am talking about.. But I have it sitting locally using a WAMP server.

You've followed the general layout and done all of the general includes or suchlike within your script which are evident in the official source files? A step or two appears to be missing somewhere.

oxygenproject
02-17-2010, 04:08 AM
Correct.. I may be slightly noobish but not a full blown noob.

I have followed the coding conventions and utilised the same framework within the web application

MattF
02-17-2010, 06:21 AM
Correct.. I may be slightly noobish but not a full blown noob.

Fairly new to programming or an old hand, it doesn't matter. Anyone can miss the obvious on occasion. :)

oxygenproject
02-17-2010, 11:16 AM
Thanks MattF, if you have the time to check out the code and see how the foundations are put together on that software package.. then you better understand what I am trying to do.

Furthermore I would love for someone to take a look, explain to me how to develop modules for this web app too.. I am at the point where I am prepared to paypal someone :P

DaiWelsh
02-17-2010, 11:43 AM
There may well be several issues but I think the key ones are:


The username and type fields are set to disabled, this does not just prevent user input it also prevents them being submitted with the form (IIRC and it would explain your issue)
You are taking the username from the form, this is insecure irrespective of hiding or disabling the field as a hacker can easily bypass that. It looks like there is a session variable with current user info in it, just use the username (or far better a unique id if there is one) to update the record


So what I would suggest is to put the username not in a text field but just as text, likewise the type. Then in the query do something like


mysql_query("UPDATE ".$_SESSION['user']['type']." SET password = '$password' WHERE username = '".$_SESSION['user']['username']."' LIMIT 1") or die(mysql_error());

or assuming there is an id field something like


mysql_query("UPDATE ".$_SESSION['user']['type']." SET password = '$password' WHERE id = '".$_SESSION['user']['id']."' LIMIT 1") or die(mysql_error());

I would also sanitise my inputs left right and center, but I am guessing you just want functionality resolved right now.

HTH,

Dai

oxygenproject
02-17-2010, 10:55 PM
I tried both of those lines that you supplied DaiWelsh, but to no avail..

DaiWelsh
02-18-2010, 01:15 PM
So what happens - nothing? error message? Reload the form? Goes somewhere else entirely?

I suspect there is a problem with the generic open school code - possibly the fieldnames are causing it to try a log-in. Did you say you had another similar form working? - if so have you got the code?

My next step would be to put in a couple of debug statements, firstly to see if your code is even being reached when the form submits. If it isn't then you need to try to find what is happening to the form submission instead.

oxygenproject
02-18-2010, 10:50 PM
When I press submit, nothing at all happens.. it simply takes me back to the home page.

I have a form that DOES work, the code for this is as such:




<form id="form1" name="form1" method="post" action="#">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><input name="username" type="text" id="username" size="35" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><select name="type" id="type">
<option value="admins" selected="selected">Web Administrator</option>
<option value="teachers">Teacher</option>
<option value="students">Student</option>
<option value="parents">Parents</option>
</select></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "******", 256);
mysql_query("UPDATE $type SET password = '$password' WHERE username = '$username' LIMIT 1") or die(mysql_error());
}
?>

_Aerospace_Eng_
02-19-2010, 12:20 AM
And you still have the # in the action? Leave it blank to submit to allow it to submit to itself. Clearly it's not working if you aren't getting any updates.

oxygenproject
02-19-2010, 03:46 AM
This is the form I use to create accounts, I would have thought by removing "INSERT" and replacing with "REPLACE" I wouldn't have any dramas. Here is the page:



<form id="form1" name="form1" method="post" action="#">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Creation Tool</strong></p>
<p><em>This allows you to add more users to your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><input name="username" type="text" id="username" size="35" /></td>
</tr>
<tr>
<td>First Name:</td>
<td><input name="first_name" type="text" id="first_name" size="35" /></td>
</tr>
<tr>
<td>Last Name:</td>
<td><input name="last_name" type="text" id="last_name" size="35" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td><label>Email Address:</label></td>
<td><input name="email" type="text" id="email" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><select name="type" id="type">
<option value="admins" selected="selected">Web Administrator</option>
<option value="teachers">Teacher</option>
<option value="students">Student</option>
<option value="parents">parents</option>
</select></td>
</tr>
<tr>
<td>Subjects (<strong><em>teachers Only</em></strong>)</td>
<td><label>
<textarea name="subjects" cols="35" rows="5" id="subjects">ie. SUB1A,SUB1B</textarea>
</label></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "school786a", 256);
mysql_query("INSERT INTO $type(username, first_name, last_name, password, email, subjects) VALUES('$username', '$first_name','$last_name', '$password', '$email', '$subjects')") or die(mysql_error());
}
?>

_Aerospace_Eng_
02-19-2010, 04:01 AM
Does the form above work?

oxygenproject
02-19-2010, 04:45 AM
It certainly does, when you are logged in :)

DaiWelsh
02-19-2010, 09:09 AM
Can you post the latest non-functioning update page please, the last one I can see still had the fields disabled. Comparing that to the working code above should allow us to establish whether there is still a problem in the code. If not then I suspect it may be to do with the URLs you access them each on, so can you post that too:

The URL of the working form and of the non-working form.

Thanks,

Dai

oxygenproject
02-19-2010, 01:18 PM
The URLs are as follows:

The page creating accounts is: http://localhost/website/index.php?module=pages&view=modify

I use this to add new accounts and manually remove the old one.

The code for this page is as follows..



<form id="form1" name="form1" method="post" action="#">
<p>
<label>username
<input type="text" name="username" id="username" />
</label>
</p>
<p>
<label>pass
<input type="password" name="password" id="password" />
</label>
</p>
<p>
<label>
<input type="submit" name="submit" id="submit" value="Submit" />
</label>
</p>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
$password = AESEncryptCtr($password, "school786a", 256);
mysql_query("INSERT INTO admins(username, password) VALUES('$username', '$password')") or die(mysql_error());
}
?>



The password changing form which doesn't work: http://localhost/website/index.php?module=pages&view=modifyv2



<form id="form1" name="form1" method="post">

<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><label><input name="username" type="text"
disabled="disabled" id="username" value="<?php echo $_SESSION['user']['username']?>" size="35" /></label></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><input name="type" type="text" disabled="disabled" id="type" value="<?php echo $_SESSION['user']['type']?>" size="35" /></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

<?php

if($_POST["username"]) {
$connection = db_connect();
extract($_POST);
//$password = AESEncryptCtr($password, "school786a", 256);
//mysql_query("UPDATE INTO ".$_SESSION['user']['type']."( SET password = '$password' WHERE username = '".$_SESSION['user']['username']."' LIMIT 1") or
//die(mysql_error());
mysql_query("UPDATE $type(password) VALUES('$password') WHERE ('$username')") or die(mysql_error());
}
?>


As you can see, I have tried to get the modifyv2 to grab the data without having to input it.. I thought I had a form working but after looking this is what I use at the moment.

Cheers, Aaron

DaiWelsh
02-19-2010, 01:49 PM
Ok, still a few problems I can see at first glance:


The username field is still disabled (disabled="disabled"), which will prevent username value being passed through
The SQL update syntax is wrong, should be UPDATE table SET field=value WHERE condition
The username field is still being taken from the form, which is insecure. The type is also being taken from the form and appears to be used as the table name, this is massively insecure as the user can update any table they like in theory using this form
The update is done after the form is displayed, in this particular case this should not matter, but as a rule I would do it before


Try this



<?php
if($_POST["username"]) {
$connection = db_connect();
$sql = "UPDATE ".$_SESSION['user']['type']." SET password = '".$_POST['password']."' WHERE username = '".$_SESSION['user']['username']."'";
echo("[$sql]<br/>");
mysql_query($sql) or die(mysql_error());
}
?>
<form id="form1" name="form1" method="post">
<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><?php echo $_SESSION['user']['username'] ?></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><?php echo $_SESSION['user']['type']?></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>


And report the output (if any).

Regards,

Dai

_Aerospace_Eng_
02-19-2010, 04:58 PM
You won't get any output from the above. This

<?php
if($_POST["username"]) {
$connection = db_connect();
$sql = "UPDATE ".$_SESSION['user']['type']." SET password = '".$_POST['password']."' WHERE username = '".$_SESSION['user']['username']."'";
echo("[$sql]<br/>");
mysql_query($sql) or die(mysql_error());
}
?>
should be

<?php
if(isset($_SESSION['user']['username'])) {
$connection = db_connect();
$sql = "UPDATE ".$_SESSION['user']['type']." SET password = '".$_POST['password']."' WHERE username = '".$_SESSION['user']['username']."'";
echo("[$sql]<br/>");
mysql_query($sql) or die(mysql_error());
}
?>
If you are concerned about security issues then passing a direct post without escaping it is also very insecure as the user would use sql injection.

DaiWelsh
02-19-2010, 05:10 PM
You won't get any output from the above.

Good spot, didn't change that line, but it needs to, however I disagree with your alternative: $_SESSION['user']['username'] will be set all the time IIUC so you need something else from the form to decide whether it has been submitted or not.

I would suggest


if($_POST["submit"]) {

or even


if($_POST["password"]) {

which would double as validation that they had entered a password (though really they should get a message for that).


If you are concerned about security issues then passing a direct post without escaping it is also very insecure as the user would use sql injection.

Agreed, but as with most posts on this forum if you started explaining best practice for everything they have used then they would have difficulty picking out the answer they actually wanted.

Escaping user input is a must, but even with escaped input allowing type and username to be user specified would be a no-no as you don't require any hacker knowledge or sql skill to enter a different username and hence change someone else's password :)

oxygenproject
02-20-2010, 01:24 AM
Awesome!

Well I have the script working and it is echoing the SQL query..
[UPDATE admins SET password = 'password' WHERE username = 'aaron']

I just need to implement my AES Encryption back to the script :)

oxygenproject
02-20-2010, 01:25 AM
Oh how rude of me..

THANKS HEAPS GUYS!! I really appreciate your help with this project, I am sure there are many more questions to come.. brace yourselves for more headaches ;P

oxygenproject
02-20-2010, 02:51 AM
Okay guys, got it all working now!

The final code is:



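<?php
// Run only when a non-empty password was posted (avoids an undefined-index notice on first load).
if(!empty($_POST["password"])) {
$connection = db_connect();
$password = AESEncryptCtr($_POST['password'], "school786a", 256);
// Escape the encrypted value before it goes into the query string.
$password = mysql_real_escape_string($password);
// Username and type come from the session, not from the form.
$sql = "UPDATE ".$_SESSION['user']['type']." SET password = '".$password."' WHERE username = '".$_SESSION['user']['username']."'";
mysql_query($sql) or die(mysql_error());
}
?>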
<form id="form1" name="form1" method="post">
<table width="465" border="0" align="center">
<tr>
<td colspan="2"><p><strong>Administration Modification Tool</strong></p>
<p><em>This allows you to reset a user's password for your website.</em></p>
<p>&nbsp;</p></td>
</tr>
<tr>
<td width="165"><label>Username:</label></td>
<td width="290"><?php echo $_SESSION['user']['username']?></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="35" /></td>
</tr>
<tr>
<td>Account Type:</td>
<td><?php echo $_SESSION['user']['type']?></td>
</tr>
<tr>
<td colspan="2"><br><?php if(isset($sql)) { echo htmlspecialchars("[$sql]"); } ?> </td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" id="submit" value="Submit" />
</div></td>
</tr>
</table>
</form>

DaiWelsh
02-20-2010, 04:09 PM
Great, glad we got there in the end :)

oxygenproject
02-20-2010, 11:38 PM
I really, really.. REALLY appreciate all of your help.. you have been extremely helpful and I hope to have some more problems for us to fix soon :P
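
The two points DaiWelsh raises above (disabled inputs are not submitted, and username and type must come from the session rather than the form), as an added example that is not part of the original thread. It assumes PHP 7+ with PDO and pdo_sqlite; the function name, the in-memory SQLite tables and the sample rows are constructed, and password_hash() is swapped in for the thread's AESEncryptCtr().

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the SQLite database, sample rows and function name are constructed.

// Account types double as table names in the thread's schema, so the only
// safe way to put one into SQL is to pick it from a fixed allow-list.
const ACCOUNT_TABLES = ['admins', 'teachers', 'students', 'parents'];

/**
 * Change the password of the logged-in user.
 * Identity (username, type) comes from the session only; $post is consulted
 * for the new password and nothing else.
 */
function change_own_password(PDO $db, array $session, array $post): string
{
    $user = $session['user'] ?? null;
    if (!is_array($user) || !isset($user['username'], $user['type'])) {
        return 'not logged in';
    }
    // Strict comparison against the allow-list; the matched constant, not
    // the session string, is what reaches the SQL text.
    $idx = array_search($user['type'], ACCOUNT_TABLES, true);
    if ($idx === false) {
        return 'unknown account type';
    }
    $table = ACCOUNT_TABLES[$idx];

    $new = $post['password'] ?? '';
    if (!is_string($new) || strlen($new) < 8) {
        return 'password too short';
    }

    // One-way hash instead of reversible encryption with a key in the source.
    $hash = password_hash($new, PASSWORD_DEFAULT);

    // Identifiers cannot be bound as parameters, hence the allow-list above;
    // every value is bound.
    $stmt = $db->prepare("UPDATE $table SET password = :hash WHERE username = :username");
    $stmt->execute([':hash' => $hash, ':username' => $user['username']]);

    return $stmt->rowCount() === 1 ? 'updated' : 'no such user';
}

// --- Constructed demo data: in-memory SQLite stands in for the MySQL schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (ACCOUNT_TABLES as $t) {
    $db->exec("CREATE TABLE $t (username TEXT PRIMARY KEY, password TEXT)");
}
$db->exec("INSERT INTO admins VALUES ('aaron', 'old'), ('root', 'old')");
$db->exec("INSERT INTO students VALUES ('sam', 'old')");

// Session as the login code in the thread would have populated it.
$session = ['user' => ['username' => 'sam', 'type' => 'students']];

// 1. What a browser sends for the thread's form: disabled inputs are left
//    out of the request, so only password and submit arrive.
$browserPost = ['password' => 'correct horse', 'submit' => 'Submit'];
echo change_own_password($db, $session, $browserPost), "\n";

// 2. A hand-built request that also carries username and type. Both are
//    ignored, so the update still lands on the session user's own row.
$extraFieldsPost = ['username' => 'root', 'type' => 'admins', 'password' => 'another passphrase'];
echo change_own_password($db, $session, $extraFieldsPost), "\n";

// The other account's row must be unchanged, and the session user's row
// must verify against the newest password.
$rootPw = $db->query("SELECT password FROM admins WHERE username = 'root'")->fetchColumn();
$samPw  = $db->query("SELECT password FROM students WHERE username = 'sam'")->fetchColumn();
var_dump($rootPw === 'old');
var_dump(password_verify('another passphrase', $samPw));
```

At login, check the stored hash with password_verify() rather than decrypting and comparing.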


