10 Replies - 803 Views - Last Post: 13 April 2010 - 10:11 PM

#1 nick1200

If Else

Posted 10 April 2010 - 02:44 PM

I have found a hole in my website

The user can edit my sql results using url's like mysite.com/team.php/username=shadowteamname=whatever


and so on. I am gonna make it check the database before it does the mysql

But I have been looking at if else tut and do not get it

If I don't get something I think it's better to ask


$number_three = 3;

if ( $number_three == 3 ) {
	echo "The if statement evaluated to true";
} else {
	echo "The if statement evaluated to false";
}



Now I want to check $id: if $id = $id then do the mysql,
else don't do it

But I don't know how to replace the 3 with a session variable.
I am posting the $id on top of the page so just got to check it

Any advice?


Replies To: If Else

#2 macosxnerd101

Re: If Else

Posted 10 April 2010 - 02:48 PM

The reason the users can see and edit information from the URL bar is b/c you use GET to send form data. If you use POST instead of GET, it will take care of that problem.

As for comparing variables, you can do so like this:
$a = 3;
$b = 4;

if($a == $b) echo "a == b";



So if you want to use a Session, Post, Get, Cookie, etc. variable, just treat it like a normal variable in the comparison (as I show above). So:
if($a == $_SESSION['id']) echo "a == ID";



#3 nick1200

Re: If Else

Posted 10 April 2010 - 02:53 PM

macosxnerd101, on 10 April 2010 - 01:48 PM, said:

The reason the users can see and edit information from the URL bar is b/c you use GET to send form data. If you use POST instead of GET, it will take care of that problem.

As for comparing variables, you can do so like this:
$a = 3;
$b = 4;

if($a == $b) echo "a == b";



So if you want to use a Session, Post, Get, Cookie, etc. variable, just treat it like a normal variable in the comparison (as I show above). So:
if($a == $_SESSION['id']) echo "a == ID";




This is my code which took me a week to make




<?php
$username = $_POST['username'];
$poke_name = $_POST['poke_name'];
$poke_type = $_POST['poke_type'];
$poke_pic = $_POST['poke_pic'];

$con = mysql_connect("","_","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("pokemont_pokemon", $con);


$sql="INSERT INTO userbox (username, pokemon, pokemonlvl, pokemon_gender, pokemonexp, pokemon_pic)
VALUES
('$username','$poke_name',5,'male',500,'$poke_pic')";
mysql_query($sql);

echo $poke_name."<br>";
/*
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
*/


?> 




It works fine but ppl can edit it, so I'm gonna grab the id of the monster caught and match it up before the my sql is done


And the code you have showed wouldn't work for me. It would work if the monsters all had the same id lol, but they don't. I just wanna do if $id = $id then do my sql ......


So if I change the post to GET then it would be fine?

This post has been edited by nick1200: 10 April 2010 - 02:59 PM


#4 macosxnerd101

Re: If Else

Posted 10 April 2010 - 03:00 PM

If you change GET to POST, it will fix the display of the data in the URL bar.

Quote

And the code you have showed wouldn't work for me. It would work if the monsters all had the same id lol, but they don't. I just wanna do if $id = $id then do my sql ......

I never intended the code I provided to be a copy-paste solution, only to illustrate a concept. Could you clarify what you are trying to compare (i.e., the ID provided by the user against the list of IDs in the database to see if there is a match)? Right now, the expression $id == $id will always return true, as a variable is always equal to itself.

#5 nick1200

Re: If Else

Posted 10 April 2010 - 03:04 PM

macosxnerd101, on 10 April 2010 - 02:00 PM, said:

If you change GET to POST, it will fix the display of the data in the URL bar.

Quote

And the code you have showed wouldn't work for me. It would work if the monsters all had the same id lol, but they don't. I just wanna do if $id = $id then do my sql ......

I never intended the code I provided to be a copy-paste solution, only to illustrate a concept. Could you clarify what you are trying to compare (i.e., the ID provided by the user against the list of IDs in the database to see if there is a match)? Right now, the expression $id == $id will always return true, as a variable is always equal to itself.



If you have a look at my code, I'm using post and not get, so I don't understand where I'm "getting" from lol

$username = $_POST['username'];
$poke_name = $_POST['poke_name'];
$poke_type = $_POST['poke_type'];
$poke_pic = $_POST['poke_pic'];


I'm posting, so this would work?

if ( $id == $id  ) {

echo "my sql will go here";
} else {
	echo "you have tryied to hack !";
}





Wouldn't they try to change the id then ?

#6 macosxnerd101

Re: If Else

Posted 10 April 2010 - 03:09 PM

Without seeing your HTML, I can't explain about the URL bar.

As for your if statement, I think I explained above that $id == $id will always evaluate to true. So even if someone "hacks in and changes $id," the new value for $id will still equal the new value for $id. Again, you are being ambiguous. I do not know what IDs you are comparing (userInput id, database id, local variable id, etc.). I don't know how much more I can help you if you can't better explain to us...

#7 nick1200

Re: If Else

Posted 10 April 2010 - 03:15 PM

macosxnerd101, on 10 April 2010 - 02:09 PM, said:

Without seeing your HTML, I can't explain about the URL bar.

As for your if statement, I think I explained above that $id == $id will always evaluate to true. So even if someone "hacks in and changes $id," the new value for $id will still equal the new value for $id. Again, you are being ambiguous. I do not know what IDs you are comparing (userInput id, database id, local variable id, etc.). I don't know how much more I can help you if you can't better explain to us...



OK, I'll explain. I have a map script


<?php

	
$con = mysql_connect("","_","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("_", $con);

$qry = mysql_query("SELECT * FROM pokemon
WHERE pokemon_map='1'");
$max = mysql_num_rows($qry) - 1; // i.e.: 5 rows would be 0,1,2,3,4
$random_number = mt_rand(0, $max);
$result = mysql_query("SELECT * FROM pokemon
WHERE pokemon_map='1' LIMIT ".$random_number.", 1");

$resultarray = mysql_fetch_array($result);
echo "<br>";
echo "<br>";

mysql_close($con); // unnecessary since connections are closed when the script ends.


?> 
<center>
<br />

	<strong>Pokemon Name :</strong> <?php echo $resultarray['pokemon_name'] ?>
<br />
	<strong>Pokemon Type :</strong> <?php echo $resultarray['pokemon_type'] ?>

<br />
 <?php echo '<img src="'.$resultarray['pokemon_pic'].'" width="80" height="80" />'; ?>



</center>
<center>

<form action="test678.php" method="post">
<input type="hidden" name="username" value="<?php echo $_SESSION['myusername']; ?>" />
<input type="hidden" name="poke_name" value="<?php echo $resultarray['pokemon_name']; ?>"  />
<input type="hidden" name="poke_type" value="<?php echo $resultarray['pokemon_type']; ?>"  />
<input type="hidden" name="poke_pic" value="<?php echo $resultarray['pokemon_pic'] ?>" />
<input type="submit" name="Catch" value="Catch" />
</form>

</center>
<BODY>

<div align="center">
<script LANGUAGE="Javascript">

<!-- Begin
document.write('<form><input type=button value="Keep Looking" onclick="history.go()"></form>')
//  End -->
</script>





Which grabs a random monster from the pokemon table, ok? I haven't added it to get the id yet because I just found out about this hack

Then when they click catch it goes to the test page which adds it to the user_box



<?php
$username = $_POST['username'];
$poke_name = $_POST['poke_name'];
$poke_type = $_POST['poke_type'];
$poke_pic = $_POST['poke_pic'];

$con = mysql_connect("","_","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("pokemont_pokemon", $con);


$sql="INSERT INTO userbox (username, pokemon, pokemonlvl, pokemon_gender, pokemonexp, pokemon_pic)
VALUES
('$username','$poke_name',5,'male',500,'$poke_pic')";
mysql_query($sql);

echo $poke_name."<br>";
/*
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
*/


?> 





So it grabs a random pokemon from a table, shows the image name etc of it, then when they click catch it adds it to their user_box, but they are editing the results lol
and I wanted to know if I got the id with the map script and then posted it over to the mysql after they click catch and check the id that of the pokemon that was on the map script was the same, if you get what I mean: if the id of the pokemon on the map script and the 1 id that has been brought forward to the test page which adds it to their box are the same, then do the mysql

#8 nick1200

Re: If Else

Posted 10 April 2010 - 03:34 PM

Sorry for double posting but now this is my map script,
the part where I make the variables.
Everything else is the same as above, just changed this bit


<form action="test678.php" method="post">
<input type="hidden" name="username" value="<?php echo $_SESSION['myusername']; ?>" />
<input type="hidden" name="id" value="<?php echo $resultarray['id']; ?>"  />
<input type="hidden" name="poke_name" value="<?php echo $resultarray['pokemon_name']; ?>"  />
<input type="hidden" name="poke_type" value="<?php echo $resultarray['pokemon_type']; ?>"  />
<input type="hidden" name="poke_pic" value="<?php echo $resultarray['pokemon_pic'] ?>" />
<input type="submit" name="Catch" value="Catch" />
</form>






Then on the catch / test page after they click catch I'm trying to echo out the id of the pokemon but it isn't working


$username = $_POST['username'];
$id = $_POST['id'];
$poke_name = $_POST['poke_name'];
$poke_type = $_POST['poke_type'];
$poke_pic = $_POST['poke_pic'];

 echo $id['id'];





I've noticed it might not be grabbing the id because of this


$max = mysql_num_rows($qry) - 1; // i.e.: 5 rows would be 0,1,2,3,4




It's grabbing the image name and all though, which is more than 1

This post has been edited by nick1200: 10 April 2010 - 03:48 PM


#9 gregwhitworth

Re: If Else

Posted 11 April 2010 - 03:05 PM

Where is the query that fills the result array?

--

Greg

#10 nick1200

Re: If Else

Posted 13 April 2010 - 10:37 AM

gregwhitworth, on 11 April 2010 - 02:05 PM, said:

Where is the query that fills the result array?

--

Greg



I emailed you both files

#11 JennaPeterson88

Re: If Else

Posted 13 April 2010 - 10:11 PM

I'd like to help but I'm still not seeing where any data is being received through the URL.

Quote

The user can edit my sql results using url's like mysite.com/team.php/username=shadowteamname=whatever

This means that "username" is a GET value, not a POST value. POST is transferred between pages through forms, GET is transferred through variables in the URL like you've shown above.

$_GET is excellent for tasks such as displaying a profile. You have a file called profile.php that receives the value id from the URL (profile.php?id=001 or whatever) and fills in the content using the row of your members table (or whatever you call it) that corresponds with an "id" value of "001".

$_GET is NOT good for passing values that pose a security risk. If a user can modify another user's account/items/etc. by changing the value "username" in the URL then obviously you have a security issue. For this reason, session-type variables should NEVER be passed via GET. (And by session-type variables, I mean the id of the user logged in, or anything else specific to the user that could pose a security risk if someone else got at it.) POST is an excellent and rather simple alternative to GET, but if you're passing username in the URL through every single page to keep your user "logged in" then you'd have to replace all your links with forms. Not practical, and not aesthetically pleasing.

The best and safest way to pass login information (user currently logged in, etc.) from page to page is sessions, as mentioned above. We would be more than happy to help you get on the right track using sessions if you'd like to make the switch.

This post has been edited by JennaPeterson88: 13 April 2010 - 10:13 PM
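
The server-side check this thread circles around, written out as an added example that is not part of any post above: the map step records the encountered monster's id in the session, and the catch step reads the username and monster data from the session and the pokemon table, not from the submitted form. Table, column and `myusername` names follow the posted scripts; the `encounter_id` key, the function names, the in-memory SQLite database standing in for MySQL and the sample rows are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the poster's code. In-memory SQLite stands in for the
// thread's MySQL database so it runs offline; the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pokemon (id INTEGER PRIMARY KEY, pokemon_name TEXT,
    pokemon_type TEXT, pokemon_pic TEXT, pokemon_map TEXT)");
$db->exec("CREATE TABLE userbox (username TEXT, pokemon TEXT, pokemonlvl INT,
    pokemon_gender TEXT, pokemonexp INT, pokemon_pic TEXT)");
$db->exec("INSERT INTO pokemon VALUES (1,'Pidgey','flying','pidgey.png','1'),
    (2,'Rattata','normal','rattata.png','1')");

// Map page: pick the random monster and remember its id on the server.
function encounter(PDO $db, array &$session): array {
    $row = $db->query("SELECT * FROM pokemon WHERE pokemon_map = '1'
        ORDER BY RANDOM() LIMIT 1")->fetch(PDO::FETCH_ASSOC);
    $session['encounter_id'] = (int) $row['id'];   // hypothetical session key
    return $row;                                   // used only for display
}

// Catch page: $post is accepted but never read; every stored value comes
// from the session or from the pokemon table, through prepared statements.
function catchPokemon(PDO $db, array &$session, array $post): ?string {
    if (!isset($session['myusername'], $session['encounter_id'])) {
        return null;                               // no login or no encounter
    }
    $find = $db->prepare("SELECT pokemon_name, pokemon_pic FROM pokemon WHERE id = ?");
    $find->execute([$session['encounter_id']]);
    $mon = $find->fetch(PDO::FETCH_ASSOC);
    unset($session['encounter_id']);               // one catch per encounter
    if ($mon === false) {
        return null;
    }
    $add = $db->prepare("INSERT INTO userbox (username, pokemon, pokemonlvl,
        pokemon_gender, pokemonexp, pokemon_pic) VALUES (?, ?, 5, 'male', 500, ?)");
    $add->execute([$session['myusername'], $mon['pokemon_name'], $mon['pokemon_pic']]);
    return $mon['pokemon_name'];
}

$session = ['myusername' => 'shadow'];             // stands in for $_SESSION
$shown   = encounter($db, $session);
// Constructed tampered form submission: every field differs from what was shown.
$forged  = ['username' => 'someone_else', 'poke_name' => 'Mewtwo', 'poke_pic' => 'x.png'];
$caught  = catchPokemon($db, $session, $forged);
$replay  = catchPokemon($db, $session, $forged);   // same form resubmitted
$box = $db->query("SELECT username, pokemon FROM userbox")->fetchAll(PDO::FETCH_ASSOC);
printf("shown=%s caught=%s replay=%s rows=%d owner=%s\n", $shown['pokemon_name'],
    $caught, var_export($replay, true), count($box), $box[0]['username']);
```

The forged fields never reach a query, so the stored row matches what the map step showed and belongs to the session's user; the resubmitted form returns null because the encounter id was consumed by the first catch.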
