Sorry, I sent that last email directly to someone... Here it is again. Here is my index file, it's the smallest of the set. This would be a huge post if I would submit one of those. Config.php has config options, time.php is basically getting the system time and then manipulating it, instead of in each file.

I tried what you mentioned, almost exactly, missing the register id, but I was using the $_SESSION for all my variables, and that's where I ran into not being able to change them unless I would close the browser and start over. And yes, I was using session_start() at the beginning of all my files.

If the person puts in username: admin, then it basically dumps the entire database onto the screen, with some manipulation of course, otherwise, it only shows the individual employee's data. I also know I have to change the way people log in, I need to hash the password and compare the two instead of all plain text.

Thanks,
Jake

<?
include("config.php");
include("time.php");

if (($SuBmIt) && ($inout) && ($username) && ($password)) {
  // Look up the user row for the submitted username
  $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE '$username'");
  $row = mysql_fetch_array($result);
  $id = $row[0];
  $funame = $row[1];
  $fpasswd = $row[2];
  $fullname = $row[3];

  // $ip = GetHostByName($REMOTE_ADDR);
  // Record the client address: proxy header first, then REMOTE_ADDR
  if (getenv("HTTP_X_FORWARDED_FOR")) {
    $ip = getenv("HTTP_X_FORWARDED_FOR");
  } else {
    $ip = getenv("REMOTE_ADDR");
  }
  mysql_query("UPDATE `users` SET `lastip`='$ip' WHERE `uname` LIKE '$username' LIMIT 1");

  if ($password == $fpasswd) {
    // Count entries in this user's table that have no clock-out time yet
    $error = 0;
    $result = mysql_query("SELECT * FROM $username");
    while ($row = mysql_fetch_array($result)) {
      $cotime = $row["cotime"];
      if ($cotime == "00:00:00") {
        $error = $error + 1;
      }
    }

    if ($inout == "in") {
      if ($error == 0) {
        $sql = "INSERT INTO $username (ymd,citime,ciampm) VALUES ('".addslashes("$Year-$MonthNumber-$DayNumber")."','".addslashes("$LogInOutTime")."','".addslashes("$LogInOutAmPm")."')";
        $result = mysql_query($sql);
        if ($result == 1) {
          Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
        } else {
          echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Database Error: Not Logged In, please try again</font></p>";
        }
      } else {
        echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: You are already clocked in!</font></p>";
      }
    } else if ($inout == "out") {
      if ($error != 0) {
        $sql = "UPDATE $username SET `cotime`='$LogInOutTime', `coampm`='$LogInOutAmPm' WHERE `ymd` LIKE '$Year-$MonthNumber-$DayNumber' AND `cotime` LIKE '00:00:00' LIMIT 1";
        $result = mysql_query($sql);
        if ($result == 1) {
          Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
        } else {
          echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Database Error: Not Logged Out, please try again</font></p>";
        }
      } else {
        echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: You are not clocked in!</font></p>";
      }
    } else if ($inout == "timeoff") {
      Header("Location: timeoff.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
    } else {
      Header("Location: userpage.php?uname=$username&fullname=$fullname&inout=$inout\n\n");
    }
  } else {
    echo "<p align=\"center\"><font face=\"$fontface\" size=\"$fontsize\">Error: invalid password!</font></p>";
  }
}
echo <<<EndHTML

Jake McHenry
Nittany Travel MIS Coordinator
http://www.nittanytravel.com

> -----Original Message-----
> From: Chris Hubbard [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
>
>
> Jake,
> it would be helpful if we could see your code.
>
> That said...
>
> first you need to identify what information you need to track
> in the sessions, and whether you're going to use php sessions
> (the $_SESSIONS array) or build your own mysql based session tracker.
>
> to use php sessions:
> you will need some place where you set up/create the
> sessions. typically this is the login page. let's assume
> you'll use the login page. The logic for the login page goes
> something like this:
> 1. present a form for logging in (usually username/password)
> 2. on post, clean the posted data (remove html, special characters, etc)
> 3. check the cleaned username/password against the data in the database
> 4. if the username/password is valid, create your session and
>    assign variables to it like this:
>       session_start();  //create the session
>       $id = session_id();  // create a unique session id
>       session_register("id");  // register id as a session variable
>       session_register("name");  // register name as a session variable
>       session_register("email");  // register email as a session variable
>       $_SESSION["id"] = $id;  // assign the unique session id to session array
>       $_SESSION["name"] = $data["name"];  // assign the username to session array
>       $_SESSION["email"] = $data["email"];  // assign additional values (after registering them) to session array
>
> 5. now either redirect to your main application page, or
> create another page with links to that main application page.
> In either case every page where you want to use sessions has
> to start with:
>       session_start();
>
> for example:
> <?php
> session_start();
> the rest of your code.
>
> 6. I recommend that you add a check to your pages to make
> sure that the session is still the right one and it's intact,
> something like this:
> if (!$_SESSION["id"])  // if no session id, return to the login page
> {
>       header ("Refresh: 0; url=login.php");  //or
>       // header ("location:http://www.mydomain.com/login.php");
> }else{
>       // the body of your code goes here.
> }
>
> 7. so with all that the pages you want to access session in
> should have a structure similar to:
> <?php
> session_start();
> if (!$_SESSION["id"])
> {
>       header ("Refresh: 0; url=login.php");
> }else{
>       // do all kinds of nifty time card things here
> }
> ?>
>
>
> Hope this is helpful.
>
> Chris
>
> -----Original Message-----
> From: Jake McHenry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 4:00 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions Question
>
>
> Hi everyone,
>
> I've been trying to set up sessions, but have been having
> problems. I created an online time clock for my company using
> php and a mysql database. It's everything that my boss
> wanted. The only problem is, he told me today that he is
> planning on selling it to our partners. The actual software
> and database will reside on my server, but I will give them
> their own database.
>
> I started designing it about 2 years ago, and the machine
> that I was working on at the time had register_globals=on, so
> I built my scripting around that. I didn't know much about
> php at the time, but have learned an immense amount since then.
>
> Since people are now going to be accessing the time clock
> from outside my company, I need to turn register_globals off,
> and turn sessions on. My problem is that all my variables are
> declared locally in the individual files, and are being
> passed by forms to $PHP_SELF, and all of the variables and
> their values can be seen in the address bar.
>
> This never concerned me while being inside my firewall, since
> it was only my employees and I. I knew what was going on.
>
> I've read a lot of documents on the net concerning sessions,
> but still can't get it to work right. Whenever I try to go to
> another page, or submit a time, it either doesn't work at
> all, or it works, but the value that's in the variable is
> stuck there, and I can't change it without closing the
> browser and starting over.
>
> Can someone point me in the right direction here?
>
> Thanks,
> Jake McHenry
> Nittany Travel MIS Coordinator
> http://www.nittanytravel.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
> -----Original Message-----
> From: Chris W. Parker [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 8:27 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
>
>
> Jake McHenry <mailto:[EMAIL PROTECTED]>
>     on Tuesday, October 14, 2003 5:00 PM said:
>
> [snip]
>
> > Can someone point me in the right direction here?
>
> I'd love to help you but you did not provide enough information.
>
>
> What exactly are you trying to do and what is it failing? Try
> showing us the code in question.
>
> Are you receiving any error messages?
>
> Are you making sure to start the session with
> 'session_start();' on each page the session needs to be accessed?
>
>
>
> HTH,
> Chris.
>
> --
> Don't like reformatting your Outlook replies? Now there's
> relief! http://home.in.tum.de/~jain/software/outlook-quotefix/
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
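
A login handler and page guard along the lines discussed in this thread, as an added example that is not code from any of the posters. It assumes register_globals is off, PHP 7 or later with PDO, a hypothetical `pwhash` column in `users` holding password_hash() output, and an in-memory SQLite database with constructed sample data standing in for MySQL.

```php
<?php
// Added example, not code from the thread. Assumptions: register_globals off,
// PHP 7+, PDO; `pwhash` is a hypothetical column holding password_hash() output.

// Constructed sample data in an in-memory SQLite database (stands in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE,
                               pwhash TEXT, fullname TEXT)');
$db->prepare('INSERT INTO users (uname, pwhash, fullname) VALUES (?, ?, ?)')
   ->execute(['jdoe', password_hash('sample-pass', PASSWORD_DEFAULT), 'J. Doe']);

function login(PDO $db, $uname, $password): bool
{
    if (!is_string($uname) || !is_string($password)) return false;
    // Bound parameter and exact match instead of LIKE, so quotes and wildcard
    // characters in the input have no special meaning to the database.
    $stmt = $db->prepare('SELECT id, uname, pwhash, fullname FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the submitted password against the stored hash.
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id once authenticated
    $_SESSION['uid']      = (int) $row['id'];
    $_SESSION['uname']    = $row['uname'];
    $_SESSION['fullname'] = $row['fullname'];
    return true;
}

function require_login(): void
{
    // Guard for every protected page, called right after session_start().
    if (empty($_SESSION['uid'])) {
        header('Location: login.php');
        exit;                             // stop so the page body never runs
    }
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: userpage.php'); // identity travels in the session
        exit;
    }
    echo 'Error: invalid username or password!';
}
```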