not go to right page after login

P: 6
Hello!!
When I log in as the user it does not go to the user page but goes to the admin page...
Please help me...
```php
if(isset($_POST['submit']))
    {
        if($_POST['reg_empNo']!='' && $_POST['reg_pword']!='')
        {
            //Use the input username and password and check against 'users' table
            // NOTE: $_POST values are concatenated straight into the SQL string (see the replies below)
            $query = mysql_query("SELECT * FROM register WHERE reg_empNo='".$_POST["reg_empNo"]."' AND reg_pword='".$_POST["reg_pword"]."'");

            // This branch is entered for ANY row match, regardless of reg_position,
            // so every valid user lands on the admin page below
            if(mysql_num_rows($query) == true || $_SESSION['reg_position']=="admin")
            {
                $_SESSION["valid_user"] = $_POST["reg_empNo"];
                $_SESSION["valid_time"] = time();
                die("<html><head><meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" /><link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\" /></head><body><div><center><img src=\"source/statschipac logo.ashx.gif\" alt=\"Logo\" /><img src='source/comp_info.bmp'></center></div><p align='right'><SCRIPT TYPE=\"text/javascript\">document.write(new Date());</SCRIPT><ul id='nav'><li><b><font size='3'><a href='' target='middle'>LIST</a></li><li><a href='' target='middle'>UPDATE</a></li><li><a href='' target='middle'>DELETE</a></li><li><a href='index.html' target='middle'>LOGOUT</a></li></ul><br><h3><align=left><font color='blue'>EMPLOYEE NO : " . $_POST["reg_empNo"]."<br>LOGGED IN : " . date("m/d/Y", $_SESSION["valid_time"])."</font></h3><br><br><table border=3 bordercolor='#990066'><tr><td>LOT ID : </td><td><input type=text name=pro_lot_id size=10></td></tr><tr><td colspan='2' align='center' bgcolor=><input type=submit value=SEARCH></td></tr></table></body></html>");
            }
            // Only reached when the query matched no row (die() above already ended the script otherwise)
            if($_SESSION['reg_position'] !=='admin')
            {
                $_SESSION["valid_time"] = time();
                die("<html><head><meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" /><link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\" /></head><body><div><center><img src=\"source/statschipac logo.ashx.gif\" alt=\"Logo\" /><img src='source/comp_info.bmp'></center></div><p align='right'><SCRIPT TYPE=\"text/javascript\">document.write(new Date());</SCRIPT><ul id='nav'><li><b><font size='3'><a href='' target='middle'>INSERT</a></li><li><a href='' target='middle'>DISPLAY</a></li><li><a href='' target='middle'>LIST</a></li><li><a href='index.html' target='middle'>LOGOUT</a></li></ul><br><h5><font color='green'>EMPLOYEE NO : " . $_POST["reg_empNo"]."<br>LOGGED IN : " . date("m/d/Y", $_SESSION["valid_time"])."</font></h5><br><br><table border=3 bordercolor='#990066'><tr><td>LOT ID : </td><td><input type=text name=pro_lot_id size=10></td></tr><tr><td colspan='2' align='center' bgcolor='#CC3399'><input type=submit value=SEARCH></td></tr></table></body></html>");
            }
            else
            {
                $error = 'Your membership was not activated.';
            }
        }
        else
        {
            $error = 'Please use both your username and password to access your account';
        }
    }
```
Feb 22 '10 #1
3 Replies


dlite922
Expert 100+
P: 1,584
@taurus89. No offense, but you have to go back to the drawing board and learn PHP.

To guide you in the right direction, here's what you're doing wrong.

1. No sanitation. Imagine what would happen if I put this for your reg_pword field:

hack'; DROP TABLE register; '

Say goodbye to your register table! This is called SQL Injection, and a hacker could do much worse.

2. You're using die() to do forwarding. Try header("Location: url/file.php").
Examples: http://php.net/manual/en/function.header.php

I'll leave it at those two for now. Fix those, then your code is worthy of logic debugging.

Dan
Feb 22 '10 #2
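A hardened version of the login block from the question, added here as an example and not code from any poster: it binds the employee number with a PDO prepared statement (no string concatenation, so input is treated as data and cannot alter the query), takes the role from the row that was actually authenticated instead of a pre-existing session value, and forwards with header() followed by exit. It assumes a PDO handle $pdo, that reg_pword stores a password_hash() value rather than plaintext, and that admin.php and user.php are the two landing pages (all assumptions, PHP 5.5+ for password_verify()).

```php
<?php
// Added example, not the poster's code. Assumes: $pdo is an open PDO
// connection, `register` has columns reg_empNo, reg_pword (password_hash()
// output) and reg_position, and admin.php / user.php exist.
session_start();

if (isset($_POST['submit'])) {
    $empNo = isset($_POST['reg_empNo']) ? trim($_POST['reg_empNo']) : '';
    $pword = isset($_POST['reg_pword']) ? $_POST['reg_pword'] : '';

    if ($empNo === '' || $pword === '') {
        $error = 'Please use both your username and password to access your account';
    } else {
        // Prepared statement: the value is bound as data, never spliced into
        // the SQL text, so quotes or semicolons in it cannot change the query.
        $stmt = $pdo->prepare(
            'SELECT reg_empNo, reg_pword, reg_position FROM register WHERE reg_empNo = :empNo'
        );
        $stmt->execute(array(':empNo' => $empNo));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Check the password against the stored hash. A missing row and a
        // wrong password take the same branch, so the error does not say which.
        if ($row && password_verify($pword, $row['reg_pword'])) {
            session_regenerate_id(true);            // fresh session id after login
            $_SESSION['valid_user']   = $row['reg_empNo'];
            $_SESSION['valid_time']   = time();
            // The role comes from the authenticated row, not from whatever
            // $_SESSION['reg_position'] held before this request.
            $_SESSION['reg_position'] = $row['reg_position'];

            // Redirect with a header and stop the script, so nothing after the
            // redirect (output or logic) runs for an unauthenticated caller.
            $target = ($row['reg_position'] === 'admin') ? 'admin.php' : 'user.php';
            header('Location: ' . $target);
            exit;
        } else {
            $error = 'Your membership was not activated.';
        }
    }
}
```

Each landing page should itself call session_start() and check $_SESSION['valid_user'] and $_SESSION['reg_position'] before rendering, since the redirect alone does not stop someone from requesting admin.php directly.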

100+
P: 1,059
dlite922 San,
I just get surprised by the intelligence of your observation. This is a huge thing I have learned today.

Thanks.

Best Regards,
Johny
Feb 22 '10 #3

dlite922
Expert 100+
P: 1,584
You're welcome @Johny

BTW: Link to SQL Injection
http://en.wikipedia.org/wiki/SQL_injection

You can google "SQL Injection" for a wealth of more information.

I wish there was one complete source for those trying to learn PHP, to teach them right to begin with and put them on the right path. I.e. to teach them about SQL injection before giving them the functions to do it.

Online tutorials are really dispersed.

Dan
Feb 22 '10 #4
