My News Script [No errors] - Just wont work!

codefreek · 07-03-2008, 10:16 AM

The problem is that when i try to visit edit?=1 or addnews.php
it redirects me to index.php and it should only do that if i am not logged in which i am.. so what is the problem :S?

THIS IS THE SQL Tables
PasteBin.be

Index.php

PHP Code:


			
<?php

    // Turn on error reporting and start the session
    error_reporting(E_ALL);
    session_start(); 

    include('lib_class/db_class_connect.php');
    $database_connection = new db_connect();

    //Look for our logged status, if not found redirect the user
    if($_SESSION['logged'] != 1)
    {
        //header("Location: users.php");
        exit();
    }

    define('DEBUG', 1);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<style type="text/css">
h1 {
    font-size: 2em;
}

h2 {
    margin-bottom: 1em;
    font-size: 1.6em;
    color: #FF9900;
    font-weight: bold;
}

table, td {
    border: none;
    border-collapse: collapse;
}
</style>

<title>Codefreek's Page</title>
</head>

<body>

<h1>This is the main page!</h1>


<?php

    if (isset($_GET['cat']))
    {

        $category = (int) $_GET['cat'];

        $q      = sprintf("SELECT des, rest FROM `news` WHERE valid = 1 AND cat_id = %d", $category);
        $result = mysql_query($q);

        if( ! $result)
        {

            if (defined('DEBUG'))
            {
                echo $q; // so we can verify the query was properly formatted. Not really necessary here, but useful when you
                         // you're using dyanmically created query strings (such as those using $_GET variables)
                echo mysql_error(); // Useful for debugging, but for a live site this will give useful information to a potential hacker, just so you know.
            }
            else
            {
                echo "Category ID not found.";
            }

        }
        else
        {

            while($row = mysql_fetch_assoc($result))
            {
                echo '<h2>'.$row['des'].'</h2>'; 
                echo '<table><tr><th>NEWS:</th><td>'.$row['rest'].'</td></tr></table>';
            }


         }

        // Add some whitespace
        echo "<br /><br />";

    }

    // You had a second query on the 'news' table here, but it wasn't doing anything, so I just removed it?
    // In addition you were checking $cat_result in your if statement, when $cat_result had yet to be assigned.

    $q = "SELECT id, name FROM `cat`";
    $result = mysql_query($q);

    if( ! $result)
    {
        echo mysql_error();
    }
    else
    {

        while($row = mysql_fetch_assoc($result))
        {

            echo '<a href="index.php?cat='.$row['id'].'">'.$row['name'].'</a><br />';

        }

    }

        echo '<br /><a href="logout.php">Logout</a>';

?>

</body>
</html>

ADD NEWS

PHP Code:


			
<?php
error_reporting(E_ALL & ~E_NOTICE);
include("login_config.php");
include("lib_class/db_class_connect.php");
$database_connection = new db_connect();
if(!isset($_POST['add_news'])) 
    { 
echo" 
<form action='addnews.php' name='addnews' method='post'> 
<table> 
    <tr> 
        <td> 
        Author 
        </td> 
    </tr> 
    <tr> 
        <td> 
        <input type='text' name='name'> 
        </td> 
    </tr> 

        <tr> 
        <td> 
        Title 
        </td> 
    </tr> 
    <tr> 
        <td> 
        <input type='text' name='des'> 
        </td> 
    </tr> 
    <tr> 
        <td> 
        News 
        </td> 
    </tr> 
    <tr> 
        <td> 
        <textarea cols='50' name='rest' rows='20'></textarea> 
        </td> 
    </tr> 
    <tr> 
        <td> 
        <input type='submit' name='add_news' value='submit news topic'> 
        </td> 
    </tr> 
</table> 
</form>";     
} 
if(isset($_POST['add_news'])) 
{
    $name = mysql_real_escape_string(strip_tags($_POST['name']));
    $des = mysql_real_escape_string($_POST['des']);
    $rest = $_POST['rest'];
    $tim = date("y.m.d");
    $errors = array();

    if(empty($name)) {
        $errors[] = "Please enter your name";
    }

    if(empty($des)) {
        $errors[] = "Enter a News topic title!";
    }

    if(empty($rest)) {
        $errors[] = "Enter some News text please"; 
    }

    if(count($error) > 0) {
        echo"<font size='3' color='CC0000'><strong>ERROR:</strong></font>";
        foreach($errors as $error) {
            echo $error;
        }
    } else {
        $sql = "INSERT INTO news(id, name, des, rest, tim, valid) VALUES(NULL, '$name', '$des', '$rest', '$tim', '0')";
        mysql_query($sql) or die(mysql_error());
        echo"News successfully added to the database.";
    }

}  

?>
<a href="index.php"> home </a>

Login_config

PHP Code:


			
<?php

//i can include this on pages i want to be secure
session_start(); // Starts the session.

if ($_SESSION[&#8216;logged’] != 1) { // There was no session found!

        header("Location: users.php"); // Goes to login page.

        exit(); // Stops the rest of the script.

}

echo "This is the main page!";
echo '</br>';
print "Welcome";
?>

Logout.php

PHP Code:


			
<?php
session_start();
      session_unset(); // Destroys the session.

      header("Location: users.php"); // Goes back to login.


?>

Edit.php

PHP Code:


			
<?php
error_reporting(E_ALL & ~E_NOTICE);
include('lib_class/db_class_connect.php');
include('login_config.php');
$database_connection = new db_connect();

    $id = (int) $_REQUEST['id'];
if($id <= 0) header('Location: index.php');

if(isset($id) && !empty($id)) {


                $sql = "SELECT * FROM `news` WHERE `id` = '".$id."'";
                $query = mysql_query($sql) or die(mysql_error());
                $news = mysql_fetch_array($query, MYSQL_ASSOC);

        
        
                if(!isset($_POST['edit_news'])) {

                                echo '<form action="edit.php?id='.$id.'" name="edit" method="post">

<table>
                <tr>
                                <td>
                                Author
                                </td>
                </tr>
                <tr>
                                <td>
                                <input type="text" name="name" value="'.$news['name'].'">
                                </td>
                </tr>

                                <tr>
                                <td>
                                Title
                                </td>
                </tr>
                <tr>
                                <td>
                                <input type="text" name="des" value="'.$news['des'].'">
                                </td>
                </tr>
                <tr>
                                <td>
                                News
                                </td>
                </tr>
                <tr>
                                <td>
                                <textarea cols="50" name="rest" rows="20">'.$news['rest'].'</textarea>
                                </td>
                </tr>
                <tr>
                                <td>
                                <input type="submit" name="edit_news" value="edit news">
                                </td>
                </tr>
</table>
</form>';

               
        
        } else {

                $name = mysql_real_escape_string(strip_tags($_POST['name']));
                $des = mysql_real_escape_string($_POST['des']);
                $rest = mysql_real_escape_string($_POST['rest']);
                $errors = array();

                if(empty($name)) {
                                $errors[] = "Please enter your name";
                }

                if(empty($des)) {
                                $errors[] = "Enter a News topic title!";
                }

                if(empty($rest)) {
                                $errors[] = "Enter some News text please";
                }

                if(count($error) > 0) {
                                echo"<font size='3' color='CC0000'><strong>ERROR:</strong></font>";
                                foreach($errors as $error) {
                                                echo $error;
                                }

                } else {

                        $sql = "UPDATE `news` SET `name` = '".$name."', `des` = '".$des."', `rest` = '".$rest."' WHERE `id` = '".$id."'";
                        mysql_query($sql) or die(mysql_error());
                        echo 'News successfully updated.';

                }

        }

}



?>

users.php

PHP Code:


			
<?php
session_start(); // Starts the session.
error_reporting(E_ALL & ~E_NOTICE);
include("lib_class/db_class_connect.php");

$database_connection = new db_connect();

if ($_SESSION['logged'] == 1) { // User is already logged in.

        header("Location: index.php"); // Goes to main page.

        exit(); // Stops the rest of the script.

} else {

if ( ! isset($username))
{
    $username = '';
}

if ( ! isset($password))
{
    $password = '';
}

$szForm = <<<FORM
<form action="users.php" name="login" method="post"> 
<table> 
    <tr><td>username</td>
        <td><input type="text" name="username" value="{$username}" /></td>
    </tr> 

    <tr><td>password</td>
        <td><input type="password" name="password" value="{$password}" /></td>
    </tr>

    <tr><td colspan="2"><input type='submit' name='login' value='login' /></td></tr> 
</table> 
</form>
FORM;

echo $szForm;  
   
    


               $password = mysql_real_escape_string($_POST['password']);
           $username = mysql_real_escape_string($_POST['username']);




               

                $q = mysql_query("SELECT * FROM users WHERE username = '$username'
                 AND password = '$password'") or die (mysql_error()); // mySQL query

                $r = mysql_num_rows($q); // Checks to see if anything is in the db.

               

                if ($r == 1) { // There is something in the db. The username/password match up.

                        $_SESSION['logged'] = 1; // Sets the session.

                        header("Location: index.php"); // Goes to main page.

                        exit(); // Stops the rest of the script.

                } else { // Invalid username/password.

                        exit("Incorrect username/password!"); // Stops the script with an error message.

                }

        }



?>

in a folder-><lib_class>"db_class_connect.php"

PHP Code:


			
<?php
error_reporting(E_ALL & ~E_NOTICE);

class db_connect 
{
 
    private $dbn;
    private $user;
    private $pass;
    private $db_selected;
    private $dbtestcon;

    
    public function db_connect()
    {

        
        $this->specs('localhost', 'orb', '123123');
        $this->showConnectionDetails('zone');
    
    
    }
 
    public function specs ($dbn, $user, $pass) 
    {
        
        $this->dbn = $dbn;
        $this->user = $user;
        $this->pass = $pass;

        
        $this->dbtestcon = mysql_connect($dbn, $user, $pass);

        if ( ! $this->dbtestcon) 
     {
              die('Could not connect: ' . mysql_error());
      }  

        echo 'Connected successfully';
    } 


    // Now this function will work
    function showConnectionDetails($db_selected)
    {
    $this->db_selected = $db_selected;
    
    $db_selected = mysql_select_db($this->db_selected, $this->dbtestcon) or die(mysql_error());
            if (!$db_selected)
        {
            die ('Can\'t use workspace : ' . mysql_error());
        }
        echo 'db_selected';
    }
 
}

?>

THIS IS THE SQL Tables
PasteBin.be

codefreek · 07-03-2008, 05:11 PM

do anyone have a clue, on whats wrong :S?

delayedinsanity · 07-03-2008, 08:28 PM

First thing I noticed is that on most of the pages you're checking $_SESSION['logged'] and then suddenly on the edit page you're checking $_REQUEST['id'], as well as there being no session started on those pages.

You should probably go back over your scripts and create some kind of uniform check to see if the user is logged in, and redirect them if they're not. Perhaps a function inside one of your common includes? isLoggedIn()? Or however you want to do it.
-m

codefreek · 07-03-2008, 08:40 PM

thank you ;)

EDIT:

like this ?

PHP Code:


			
function isLoggedIn()

{



    if (session_is_registered('loginid') && session_is_registered('username'))

    {

        return true; 

    } else

    {

        return false;

    }



    return false;



}

delayedinsanity · 07-03-2008, 09:06 PM

Something like that yes, have you tried it to see if it works?

It appears to me that the only session variable you're setting when a user logs in is "logged" so unless you're making sure to set those new variables (loginid and username), that'll return false everytime.

Also, since the if->else block will return either true or false, you'll never get to the third return so it becomes unnecessary. Here's three random ways you could write the same function, just to give you an idea of how flexible PHP can be with nearly everything;

PHP Code:


			
function isLoggedIn()
{
    $bLoggedIn = false;

    if (isset($_SESSION['logged']) && $_SESSION['logged'] == 1)
    {
        $bLoggedIn = true;
    }

    return $bLoggedIn;

}

function isLoggedIn()
{
    if (isset($_SESSION['logged']) && $_SESSION['logged'] == 1)
    {
        return true;
    }

    return false;

}

function isLoggedIn()
{
    if (isset($_SESSION['logged']) && $_SESSION['logged'] == 1) return true;
        return false;
}

-m

codefreek · 07-03-2008, 09:25 PM

Lol i fixed the problem ;)
Ty..

it was ´this in session` and '' that is right -.-
all ways the same bug in the end -.- ;)