Hey,

I have created a test membership site and am having a little bit of difficulty. Check this link:

http://www.gallaghermail.com/phptest...join_form.html

You can login there and it will register the user okay to the mysql database. Originally, the "activation" was set to "null". For some reason, when the user gets the welcome email, they click the link but it does not change the activate membership on the mysql side. It remains null. So just for a test, I set the default to "1" which will activate the account.

If you could - try to register as a new user, then go and login. You should be able to get that far. From there, 3 newsletters should be available but check out the parse error on this location:
http://www.gallaghermail.com/phptest...newsletter.php

Not sure where it's hanging up..

2nd thing real quick

I have on http://www.gallaghermail.com/phptest/logon/

click on "signup.html" and it lets you create an account just fine. If you go to "login.html" it will let you login and gives the message just fine as well. The problem is when you don't enter your credentials correctly it just sits at a blank page. Here is the code:
__________
$username = $_POST["username"];
$password = $_POST["password"];

$result = MYSQL_QUERY("SELECT * from users WHERE username='$username'and password='$password'")
or die ("Name and password not found or not matched");

$worked = mysql_fetch_array($result);

$username = $worked[username];
$password = $worked[password];
$email = $worked[email];

if($worked)
echo "Welcome $user! Your e-mail address is $email";
?>

What do you think it's messing up on?

A few things. First off, about the parse error. Without seeing code I can't help too much about the problem. Most common parse errors are caused by a missing semi-colon or quotations. Check on the lines above the line the parse error provides you.

As for the blank page. What I would do personnaly is rather than using the die statement, I would check to see if results were returned.

One thing I noticed about your script, you have SQL injections in the queries. This can cause major security situations via the database depending on how exactly PHP is configured. What I mean exactly is the query you're using. You should use addslashes. What that funciton will do is escape the quotes in your post vairables. Let me show you an example of something someone can do:

If someone puts their username as:
admin' AND password <>
And their password as:
AND email <> '

Your query will turn out like this after php parses the query and when MySQL attempts to execute the query:
SELECT * from users WHERE username='admin' AND password <> ' and password=' AND email <> ''
There should be a space before the above line.

So basically the way you have wrote that. All I would have to do is place those two entries above in the username and password field. It will give me access as long as there is a user with the username as admin and it's password does not equal ' and password=' (without the quotes) and that same user's email is not empty.

That would grant me access and actually give me full admin access as long as that was the correct username.

That's just a little help! ;)

Let me know if you have any other questions.

EDIT: I actually tested it and it appears your server has PHP configured to automatically escape post variables, which is good, but you should always addslashes to variables and or intval the variables using intval.

Any way to send you my getin.php file and have you insert what you just said so I can see it directly? I'm having a bit of a hard time...

Thanks,

Gallagher

What you can do is post a reply using the "Go Advanced" button.

Under where you can type click on the "Manage Attachments" button and then upload that file here in order for me to be able to download the file and take a look at it. Once I read through it and modify it I'll attach my version.

:D

Thanks man..

Attached Files

getin.php (542 Bytes, 212 views)

Here you go. This should work fine, but it's untested. Let me know how it works out!

Attached Files

getin.php (612 Bytes, 236 views)

Works great - Thanks for the improvement it fixed what I needed.

Thanks!

Gallagher

No problem! :)