As I said in one of my posts, I'm not encrypting my passwords as of yet, because it was all internal, and all employees use their own computers. My company is very relaxed. But since my boss wants to start selling a time clock database to our partners, I have to fix everything. I started this when I was just learning PHP, and have been changing things as I go.
I'll mess around with what you gave me so far, as I've been doing. Last week I had sessions in place, and from what I read on phpbuilder, everything was right. But as soon as I turn register_globals off, nothing works. All of the variables in index.php and all the other script files are passed from either forms or the URL. I'm doing pretty much a complete overhaul of my app; I know this is going to take some time, but it needs to be done.

Thanks,
Jake

Config.php:

<?php
$companyname = "Nittany Travel";
$adminpass = "xxxxxxxxx";
$dbhost = "localhost";
$dbuser = "nittany";
$dbpass = "xxxxxxxxxxx";
$dbname = "timesheet";
$updated = "Sept 25, 2003";
$version = "v4.8";
$avginterval = "365";

mysql_connect($dbhost, $dbuser, $dbpass) OR die("Can't connect to database");
mysql_select_db($dbname) or die("Unable to select database");

$fontface = "Verdana,Arial,Helvetica";
$fontsize = "2";
$creditfontface = "Verdana,Arial,Helvetica";
$creditfontsize = "1";
$examplesize = "1";
$bgcolor = "#999999";
$linkcolor = "#FFFFFF";
$vlinkcolor = "#FFFFFF";
$tablebgcolor = "#AAA999";
$titlebarbgcolor = "#555999";
$titlebarfontcolor = "#FFFFFF";
$bodybarfontcolor = "#000000";
$availabletimeoffbgcolor = "#AAA777";
$availabletimeofffontcolor = "#000000";
$week1bgcolor = "#CCC777";
$week2bgcolor = "#CCC777";
$twoweekbgcolor = "#FFF777";
$inputfieldbgcolor = "#BBB999";
$inputfontface = "Verdana,Arial,Helvetica";
$inputfontsize = "10pt";
$inputfontcolor = "#FFFFFF";
$style = "background:$inputfieldbgcolor; font-family:$inputfontface; font-size:$inputfontsize; color:$inputfontcolor; border:none;";

$maincredit = "<table border=\"1\" cellpadding=\"3\" cellspacing=\"0\" bordercolor=\"$bgcolor\" bordercolorlight=\"$inputfieldbgcolor\" bordercolordark=\"$bgcolor\" style=\"right:5px; bottom:5px; position:absolute;\">\n <tr>\n <td><font face=\"$creditfontface\" size=\"$creditfontsize\"><a href=\"admin.php\">JMTimeSheet $version © 2002-2003 JMM</a> - <a href=\"mailto:[EMAIL PROTECTED]\">mchenry@nittanytravel.com</a> - Last revision: $updated</font></td>\n </tr>\n</table>";
$topcredit = "<!-- The following source code is owned and copyrighted by Jake McHenry, 2002-2003 $updated -->";
$credit = "<!-- JMTimeSheet $version Copyright 2002-2003 JMM - [EMAIL PROTECTED] $updated -->";
?>

Time.php:

<?php
$CurDate = getdate();
$LogInOutHour = $CurDate['hours'];
$LogInOutMinute = $CurDate['minutes'];
$LogInOutSecond = $CurDate['seconds'];
$LogInOutAmPm = "AM";

// 12-hour display: 0 -> 12, 13..23 -> 1..11
$LogInOutHourShow = $LogInOutHour;
if ($LogInOutHour > 12) {
    $LogInOutHourShow = $LogInOutHour - 12;
}
if ($LogInOutHour == 0) {
    $LogInOutHourShow = $LogInOutHour + 12;
}
if ($LogInOutHour >= 12) {
    $LogInOutAmPm = "PM";
}

// zero-pad minutes and seconds to two digits
$LogInOutMinute = sprintf("%02d", $LogInOutMinute);
$LogInOutSecond = sprintf("%02d", $LogInOutSecond);

$YearToShow = $CurDate['year'];
$MonthToShow = $CurDate['mon'];
$DayToShow = $CurDate['mday'];
$NumberOfDays = date('t');   // days in the current month; date(t,$CurDate) passed a bareword and an array instead of a format and a timestamp
$DayOfWeek = $CurDate['weekday'];

// zero-padded month and day numbers
$MonthNumber = sprintf("%02d", $MonthToShow);
$DayNumber = sprintf("%02d", $DayToShow);

$MonthNames = array(1=>'January','February','March','April','May','June','July','August','September','October','November','December');
$MonthID = array(1=>'01','02','03','04','05','06','07','08','09','10','11','12');
$Years = range($YearToShow - 5, $YearToShow + 5);
?>

Jake McHenry
Nittany Travel
MIS Coordinator
http://www.nittanytravel.com

> -----Original Message-----
> From: Chris Hubbard [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 14, 2003 11:37 PM
> To: Jake McHenry; [EMAIL PROTECTED]
> Subject: RE: [PHP] Sessions Question
>
>
> Jake,
> given that I can't see what is in config.php or time.php, I'll
> focus on your
> index.php. I assume that the issues I point out will be applicable to
> config and time also.
>
> this:
> <?
> should be:
> <?php
>
> include("config.php");
> include("time.php");
>
> assuming that $SuBmIt and inout and username and password all come from
> your login form, it should read something like:
> <START>
> $error = array();
> if ($_POST["SuBmIt"]) {
>     // make sure posted variables are clean and are the kind you expect
>     if ($_POST["inout"] != "") {
>         // add other validation here
>     } else {
>         $error[] = "inout not set";
>     }
>     if ($_POST["username"] != "") {
>         // add other validation here
>     } else {
>         $error[] = "username not entered";
>     }
>     if ($_POST["password"] != "") {
>         // add other validation here
>     } else {
>         $error[] = "password not entered";
>     }
>     if (count($error) == 0) {
>         $sql = "SELECT * FROM `users` WHERE `uname` LIKE '%" . $_POST["username"] . "%'";
>         // insert code to strip out < and > signs and ;
>         // like this:
>         $sql = str_replace("<", "", $sql);
>         $sql = str_replace(">", "", $sql);
>         $sql = str_replace(";", "", $sql);
>         // when we know that $sql is clean do the query
>         $result = mysql_query($sql);
>         $row = mysql_fetch_array($result);
> </END>
> The preceding should do roughly the same as your following code. Note
> the sql query should not use LIKE (which you're using), and you should
> use both the username and the password, so something like this would
> be better:
> $sql = "SELECT * FROM `users` WHERE (`uname` = '" . $_POST["username"] . "') AND (`password` = '" . md5($_POST["password"]) . "')";
> You are encrypting your password, correct?
>
> <START>
> if (($SuBmIt) && ($inout) && ($username) && ($password))
> {
>     $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE '$username'");
>     $row = mysql_fetch_array($result);
> </END>
>
> This should get you firmly on the road. NOTE: I have not run the above
> code, so it might work, and it might not. Either way it's on you to
> sort out.
>
> Hope this is helpful,
> chris
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
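An added example, not code from Jake's application or from Chris's reply, showing the shape a register_globals=off login handler takes in current PHP: every field is read explicitly from $_POST and checked against an allow-list, the user lookup is an exact match with a bound parameter instead of LIKE and string concatenation (stripping <, > and ; with str_replace() as suggested above does not stop SQL injection; a bound parameter does), and passwords are stored with password_hash() and checked with password_verify() rather than md5(). The table and column names users, uname and password come from the thread; the allowed inout values, the username pattern, the sample accounts and the PDO/SQLite in-memory database are assumptions made so it runs offline (with a mysql: DSN the same code runs against the timesheet database).

```php
<?php
// Added example (not code from the thread). Login handling for a
// register_globals=off setup, written for current PHP (PDO, password_hash).
// Assumptions: table `users` with columns uname/password as in the thread;
// inout is "in" or "out"; usernames are short alphanumerics; SQLite in-memory
// is used so this runs offline (swap the DSN for mysql:host=...;dbname=timesheet).
declare(strict_types=1);

// Verified against when no such user exists, so a lookup miss takes roughly
// as long as a wrong password (no username enumeration via timing).
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Read each expected field from $_POST explicitly and allow-list its shape;
// nothing else from the request reaches the rest of the script.
function validate_login(array $post): array
{
    $errors = [];
    if (!in_array($post['inout'] ?? '', ['in', 'out'], true)) {   // assumed values
        $errors[] = 'inout must be "in" or "out"';
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}\z/', $post['username'] ?? '')) {
        $errors[] = 'username not entered or contains unexpected characters';
    }
    $password = $post['password'] ?? '';
    if ($password === '' || strlen($password) > 1024) {
        $errors[] = 'password not entered';
    }
    return $errors;
}

// Exact match with a bound parameter: the username is sent as data, never
// spliced into the SQL text, so quotes and keywords in it are inert.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, uname, password FROM users WHERE uname = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = ($row === false) ? DUMMY_HASH : $row['password'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;   // same answer for unknown user and bad password
    }
    unset($row['password']);
    return $row;
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
$db->prepare('INSERT INTO users (uname, password) VALUES (:u, :p)')
   ->execute([':u' => 'jake', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$requests = [   // constructed stand-ins for $_POST
    ['inout' => 'in',  'username' => 'jake',        'password' => 'correct horse'],
    ['inout' => 'in',  'username' => 'jake',        'password' => 'wrong'],
    ['inout' => 'out', 'username' => "' OR '1'='1", 'password' => 'x'],   // rejected by validation
];
foreach ($requests as $post) {
    $errors = validate_login($post);
    if ($errors !== []) {
        echo 'rejected: ' . implode('; ', $errors) . "\n";
        continue;
    }
    $user = authenticate($db, $post['username'], $post['password']);
    echo $user === null ? "login failed\n" : "login ok for {$user['uname']}\n";
}
// Even with validation bypassed, the bound parameter keeps the injection inert.
var_dump(authenticate($db, "' OR '1'='1", 'x'));
```

The two layers are deliberate: validation rejects input that does not look like a username at all, and the prepared statement makes the query safe even for input that gets past validation, so neither layer has to be perfect. The md5() column in the thread's schema would need a migration to password_hash() values (rehash on next successful login is the usual route), and mysql_* calls have no prepared-statement support, which is the practical reason to move to PDO or mysqli.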