Author: stdio | Member | Posts: 375 | Location: omnipresent | Joined: 06.04.08 | Rank: God
PHP Fusion question
I'm currently helping to modify a PHP Fusion site for a friend, but running into a bit of PHP/SQL trouble. My PHP is a bit weak.
I'm trying to script an automatic account upgrade from a registered member to an actual member (2 different permission user groups). I created a custom page and can get it to identify the correct password, but I do not know how to identify the user that entered the password so that I can make the SQL line affect only his account.
Here is the custom page code
<center>
<form name="input" action="" method="post">
Password:
<input type="text" name="pass">
<input type="submit" value="Submit" class="button">
</form>
<?php
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
    echo 'Your Account has been upgraded';
    //Some code here get uid and modify the table to upgrade permissions
}
else
    echo 'Wrong Password, please try again.';
?>
</center>
Any suggestions / ideas?
I'm sorry, I cant hear you over the sound of how awesome I am!
Edited by stdio on 15-10-08 16:28

Author: spyware | Member | Posts: 4190 | Location: The Netherlands | Joined: 14.04.07 | Rank: God | Warn Level: 90
RE: PHP Fusion question
Look for SELECT FROM statements on W3schools.
Hint: your question has nothing to do with PHP, rather, you should have been asking about SQL statements. This means that besides your weak PHP, your SQL skills also could use an upgrade. And -this- means you shouldn't even try to help your friends in the first place, since your web programming skills are weak.
Anyway, SELECT FROM, go from there.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert

Author: Zephyr_Pure | Member | Posts: 2402 | Joined: 15.09.06 | Rank: God
RE: PHP Fusion question
The current user / userID is probably stored in a $_SESSION variable. Throw this into a PHP page and see what output you get:
<?php
foreach ($_SESSION as $k=>$v) { echo "Session variable $k = $v\n"; }
?>
I still check PMs from time to time.


Our responses were moronic, why shouldn't he follow suit? - Futility
Edited by Zephyr_Pure on 15-10-08 16:43

Author: spyware | Member | Posts: 4190 | Location: The Netherlands | Joined: 14.04.07 | Rank: God | Warn Level: 90
RE: PHP Fusion question
Zephyr_Pure wrote:
The current user / userID is probably stored in a $_SESSION variable.
Be warned though, OP. Only use this variable if you're sure it's IP bound. Cookie stealing is -very- easy on PHP-fusion, and people -will- be able to exploit code that checks stuff by $_SESSION.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert

Author: stdio | Member | Posts: 375 | Location: omnipresent | Joined: 06.04.08 | Rank: God
RE: PHP Fusion question
Solved -- albeit sloppy and insecure. But,...
A) Not my website
B) Probably not the most insecure thing about the website
C) It works.
Anyways here's the code I used. If any better ideas jump in your head feel free to post them.
<center>
<form name="input" action="" method="post">
Password:
<input type="text" name="pass">
<input type="submit" value="Submit" class="button">
</form>
<?php
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
    $uid = floor($fusion_user);
    $result = mysql_query("SELECT * FROM fusion_users WHERE user_id='$uid'");
    while ($row = mysql_fetch_array($result))
    {
        if ($row['user_groups']=='.1')
        {
            echo 'Account already Upgraded';
        }
        elseif ($row['user_groups']!='.1')
        {
            mysql_query("UPDATE fusion_users SET user_groups = '.1' WHERE user_id = '$uid'");
            echo 'Upgraded Account';
        }
    }
}
else
    echo 'Wrong Password, please try again.';
?>
</center>
I'm sorry, I cant hear you over the sound of how awesome I am!
Edited by stdio on 15-10-08 22:12
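As an added example that is not code from the thread or from PHP-Fusion itself: the same upgrade page with the current user taken from PHP-Fusion's already validated $userdata array instead of parsed out of the raw cookie, the upgrade code compared as a hash in a single conditional (the point Zephyr_Pure raises about the extra NULL branch), and an integer-cast user_id in the UPDATE. It assumes a PHP-Fusion install that provides maincore.php, $userdata, iMEMBER, DB_USERS and dbquery(); the include path is an assumption, and the '.1' target group string and the "password" placeholder come from the thread.

```php
<?php
// Added example (not the thread's or PHP-Fusion's own code). Assumes a PHP-Fusion
// custom page where maincore.php has run, so $userdata (the server-side validated
// current user), iMEMBER, DB_USERS and dbquery() exist. Include path is an assumption.
require_once "../maincore.php";

// Store only a hash of the upgrade code; "password" is the thread's placeholder,
// replace it with hash('sha256', 'your-real-code') generated offline.
define('UPGRADE_CODE_HASH', hash('sha256', 'password'));
define('TARGET_GROUPS', '.1');   // member group string used in the thread

function upgrade_message($submitted, $user) {
    // Single decision point: not logged in, empty code and wrong code all fail the same way.
    if (!iMEMBER || empty($user['user_id'])) {
        return 'You must be logged in to use this page.';
    }
    if ($submitted === '' || !hash_equals(UPGRADE_CODE_HASH, hash('sha256', $submitted))) {
        return 'Wrong Password, please try again.';
    }
    if ($user['user_groups'] === TARGET_GROUPS) {
        return 'Account already Upgraded';
    }
    // Identity comes from $userdata, which maincore.php has already checked against the
    // users table; casting to int means nothing typed by the visitor reaches the query.
    $uid = (int) $user['user_id'];
    dbquery("UPDATE " . DB_USERS . " SET user_groups='" . TARGET_GROUPS . "' WHERE user_id='" . $uid . "'");
    return 'Upgraded Account';
}
?>
<form name="input" action="" method="post">
Password: <input type="password" name="pass">
<input type="submit" value="Submit" class="button">
</form>
<?php
// Only evaluate on a POST, so a plain page load shows the form and no message.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    echo upgrade_message($submitted, $userdata);
}
?>
```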

Author: Zephyr_Pure | Member | Posts: 2402 | Joined: 15.09.06 | Rank: God
RE: PHP Fusion question
stdio wrote:
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
... Why? You're only acting on one conditional.
I still check PMs from time to time.


Our responses were moronic, why shouldn't he follow suit? - Futility

Author: stdio | Member | Posts: 375 | Location: omnipresent | Joined: 06.04.08 | Rank: God
RE: PHP Fusion question
Zephyr_Pure wrote:
stdio wrote:
if ($_POST["pass"]==NULL)
{}
elseif ($_POST["pass"]=="password")
{
... Why? You're only acting on one conditional.
I'm confused by your question/statement, please elaborate.
If you are referring to the if, elseif, else: it does nothing if left blank (if), moves on if the password is correct (elseif), and displays an error message if wrong (else).
I'm sorry, I cant hear you over the sound of how awesome I am!
Edited by stdio on 15-10-08 22:22

Author: Zephyr_Pure | Member | Posts: 2402 | Joined: 15.09.06 | Rank: God
RE: PHP Fusion question
stdio wrote:
If you are referring to the if, elseif, else. It does nothing if left blank (if),.. moves on if password correct (elseif)... and displays error message if wrong (else)
You're only gauging success on one conditional (password is correct), or you're either throwing an error or doing nothing. Why do "nothing" if it's null? The pass is wrong whether it's null or "wrong". Just seems like an unnecessary extra conditional at the top.
I still check PMs from time to time.


Our responses were moronic, why shouldn't he follow suit? - Futility

Author: spyware | Member | Posts: 4190 | Location: The Netherlands | Joined: 14.04.07 | Rank: God | Warn Level: 90
RE: PHP Fusion question
stdio wrote:
Solved -- albeit sloppy and insecure. But,...
A) Not my website
B) Probably not the most insecure thing about the website
C) It works.
A: it's your friend's website, right? Grow some morals.
B: Fix the other things too.
C: Like Space Shuttle Columbia worked.
Now, don't get me wrong. I love lousy excuses just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
Go code.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert

Author: stdio | Member | Posts: 375 | Location: omnipresent | Joined: 06.04.08 | Rank: God
RE: PHP Fusion question
spyware wrote:
A: it's your friend's website, right? Grow some morals.
B: Fix the other things too.
C: Like Space Shuttle Columbia worked.
Now, don't get me wrong. I love lousy excuses just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
Go code.
Not my website has nothing to do with my morals, it has to do with time. He asked me as a favor to help him with something that would do exactly what it does... keep him from having to manually change every user that he needs to (about 50 total people). I gladly spent a few hours looking into how to do it and finding a way to do it. I flat out don't have the time to dedicate more to just a simple task.
Secondly, just because he's my friend doesn't mean he doesn't have the same resources that I do in terms of using the internet. Again, time is the major factor here. It would take a really long time to try and go through PHP Fusion and try to fix everything. Let me use this website as an example... Developers here spent many hours coding/fixing this website. It's a PHP Fusion website. Now with 1000's of users and 1000's of hours in total of people on it (specifically people looking to learn/teach/practice all sorts of tasks related to computer security)... there are STILL flaws in it.
Thirdly, bad comparison to the Columbia shuttle. There are SQL backups, so if someone were to hack it, the worst that would happen is a loss of a few hours, not people dying. Quantify your risk vs rewards better imo.
Now, don't get me wrong. I love lousy criticism just as much as the next guy, but yours are just very, very wrong. Bad. Negative. Useless. Bullshit.
I'm sorry, I cant hear you over the sound of how awesome I am!

Author: spyware | Member | Posts: 4190 | Location: The Netherlands | Joined: 14.04.07 | Rank: God | Warn Level: 90
RE: PHP Fusion question
Apparently, you have enough time on your hands to write lousy rebuttals.
Your cosy refute did not impress me at all.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert

Author: Zephyr_Pure | Member | Posts: 2402 | Joined: 15.09.06 | Rank: God
RE: PHP Fusion question
spyware wrote:
C: Like Space Shuttle Columbia worked.
stdio wrote:
Thirdly, bad comparison to the Columbia shuttle. There are SQL backups, so if someone were to hack it, the worst that would happen is a loss of a few hours, not people dying. Quantify your risk vs rewards better imo.
Well, the rest of it was pleasant to read except for this one. Now, I know a lot of people like to take things rather literally at times but, in this case, the comparison was just dealing with the functional adequacy of the two. Really, it wouldn't have mattered if there was just a barrel of grapefruit on Columbia at the time of that incident... a functional failure is still a failure. Don't quantify adequacy or stability by what's at stake but, rather, by an educated success rate estimate and vulnerability assessment.
Other than that, carry on... your friend's site's security is of no concern to me, anyways.
I still check PMs from time to time.


Our responses were moronic, why shouldn't he follow suit? - Futility
Edited by Zephyr_Pure on 16-10-08 13:01