Trouble Viewing $_POST data

tizzo

Hi guys I 'm having extreme headaches with a php displaying contents from a $POST or a $COOKIE.

I'm creating a page that allows a user to view information that they've entered in a page on a previous page.

Simple Right ?

I only changed table pointing information when I copied code from my already 'working' page (only difference table and some fields).

testing: the database works.
I ran a separate test for this

i did
= mysql_error(), initially got a dredded vars error at point in code, called host server comp
=print_r for $res ---it returned Resource ID#241 (read manual don't quite understand yet)
=i also echoed $_COOKIE- got back the set cookie

what happens is that the page jump to else statement " bad username..."
doesn't even post form with info for user to view profile

here is the authenication at the post of the form:

outbuffering is set at top of page along with a session_start()

<?php

  include("includes/connectdb_host.php") or die(mysql_error());

  if (!isset($_POST['update'])){

             header('location:login_test.php');
             exit;

        }
  $prod_user=$_POST['prod_user'];
  $prod_pass=$_POST['prod_pass'];
  $authorized=false;


  //echo  " <br> user is". $prod_user. "prod_pass is". $prod_pass";
  //empty pass will show a random profile of empty password when everyone's logged out, so no empty pass variables should be kept
  if($prod_pass=="")
    $prod_pass="xyz";

   // echo" <br> user is $prod_user, prod_pass is $prod_pass";
 //if(!empty($_POST)) //i.e. dont run when no post is sent,

  $query=mysql_query ("SELECT * FROM producer WHERE prod_user='$prod_user'");
  //if(!$query)
    //echo(" <br> cant verify password, db error? <br>");

  	while($res=mysql_fetch_array($query))
  	{
  	 if($res['prod_pass']==$prod_pass)
  	 {
  	 	$authorized=true;
  	 	$id=$res['id'];
        echo $res['id'];
  	 }
  	}


  //if still not authorized, check cookies and try if the user is valid (this is actually giving it a second chance) if user/pass not sent via post then check cookies

  if(!$authorized)
  {
  $query=mysql_query("SELECT * FROM producer WHERE prod_user='".$_COOKIE['prod_user']."' LIMIT 1") ;
	   while($res=mysql_fetch_array($query))
	   {
	   	  if($res['prod_pass']==$_COOKIE['prod_pass'])
	   	  {
	   	  	$authorized=true;
	   	  	$id=$res['id'];

	   	  	//overwrite $user and $pass <<-- these will have data from post, but since we're using the 2nd resort i.e. cookies so update cookies values into these
	   	  	$prod_user=$_COOKIE['prod_user'];
	   	  	$prod_pass=$_COOKIE['prod_pass'];
	   	  }
	   }
  }
  if($authorized)
  {
  	//echo "Congratulations you've logged in<br>";
  	//setcookies now to remember the user
  	setcookie("prod_user",$prod_user);
  	setcookie("prod_pass",$prod_pass);
  	//echo("<br>cookies set<br>");
  	echo "<br><a href=\"logout_test.php\">Log out</a>&nbsp;&nbsp;|&nbsp;&nbsp<a href=\"pEditProfile.php\">Edit your profile</a> &nbsp;&nbsp;<a href=\"search_test.php\">Log IN</a><br> <br>   ";

  	//show the profile data of the the user
  	$query=mysql_query("SELECT * FROM producer WHERE id=$id");
  		while($res=mysql_fetch_array($query))
  		{
  			?>



 	<?php		
  		}

  }
  else
  {
  	echo "<br><br>Bad username or password ||  If you're a producer <a href=\"login2_prod.php\">click here to get to the login page</a><br><br><br>";
  }


  ?>

[/code]

Any feedback would be great. Everything works accept this page

tizzo

 $dbCon=mysql_connect('host','user','pass');
 $selDB=mysql_select_db('db',$dbCon);

 if(!$dbCon)
 {
 	exit("<br> error connecting to db server");
 }
 if(!$selDB)
 {
 	exit("<br> error connecting to database");
 }

	 //check if cookie's prod_user/pass are valid, then show this prod_user his profile in the fields below
	 $authorized=false;
	 $prod_user=$_COOKIE['prod_user'];
	 $prod_pass=$_COOKIE['prod_pass'];


	 if(isset($_POST['update']))
  	{$authorized=true;

 //get all the data from the POST
      		$prod_fname=$_POST['prod_fname'];
      		$prod_lname=$_POST['prod_lname'];
		    $prod_comp=$_POST['prod_comp'];
      		$prod_address=$_POST['prod_address'];
      		$prod_city=$_POST['prod_city'];
      		$prod_state=$_POST['prod_state'];
      		$prod_zip=$_POST['prod_zip'];
            $prod_user=$_POST['prod_user'];
            $prod_pass=$_POST['prod_pass'];
      	   	$prod_email=$_POST['prod_email'];
      		$prod_phone=$_POST['prod_phone'];
		    $prod_phone2=$_POST['prod_phone2'];
		    $prod_fax=$_POST['prod_fax'];
      		$prod_website=$_POST['prod_website'];
      		$fprod_name=$_POST['fprod_name'];
      		$fprod_city=$_POST['fprod_city'];
      		$fprod_state=$_POST['fprod_state'];

  		$id=$_POST['id'];
  		//take care "user" isn't changed. username shall remain unchagned.
  		$query=mysql_query ("UPDATE producer SET

                prod_user='$prod_user',
                prod_pass='$prod_pass',
		        prod_fname='$prod_fname',
  	        	prod_lname='$prod_lname',
	            prod_comp='$prod_comp',
  		        prod_address='$prod_address',
  		        prod_city='$prod_city',
  		        prod_state='$prod_state',
  		        prod_zip='$prod_zip',
    	   	    prod_email='$prod_email',
    	    	prod_phone='$prod_phone',
	            prod_phone2='$prod_phone2',
	            prod_fax='$prod_fax',
  		        prod_website='$prod_website',
  		        fprod_name='$fprod_name',
  		        fprod_city='$fprod_city',
  		        fprod_state='$fprod_state'
                WHERE prod_user='$prod_user'")or die(mysql_error());


	 		 if(!$query)
	  			echo "<br> problem updating the profile, please hit the BACK button and try again !! <br>".mysql_error();
	  		 else
	 		 {
	  			echo "Your profile has been updated successfully<br>";

	  			//SET cookies to keep the prod_user logged in (setting cookies again caz need to refresh the new prod_user and  password (changed after updated)
	   		  setcookie("prod_user",$prod_user);
	  		  setcookie("prod_pass",$prod_pass);
	   		 //echo("cookies created yo!<br>");
	 		 }
	   	  }

	 $query=mysql_query("SELECT * FROM producer WHERE prod_user='".$_COOKIE['prod_user']."' LIMIT 1");
	   while($res=mysql_fetch_array($query))
	   {
	   	  if($res['prod_user']==$_COOKIE['prod_user'])
	   	  {
	   	  	$authorized=true;
	   	  	//$prod_user_id=$res['id'];
	   	  	echo "<br><a href=\"logout.php\">Log out</a>&nbsp;|&nbsp;<a href=\"prod_done.php\">View your profile</a>&nbsp;|&nbsp;<a href=\"search_rebuildpt2.php\"> Back to Search</a>&nbsp;";
	   	  	//echo "<br> logged in prod_user is $prod_user and prod_pass is $prod_pass <br><br>";
	   	  	// popular all variables from database for that prod_user who's logged in

		$prod_fname=$res['prod_fname'];
  		$prod_lname=$res['prod_lname'];
	    $prod_comp=$res['prod_comp'];
  		$prod_address=$res['prod_address'];
  		$prod_city=$res['prod_city'];
  		$prod_state=$res['prod_state'];
  		$prod_zip=$res['prod_zip'];
        $prod_user=$res['prod_user'];
        $prod_pass=$res['prod_pass'];
  	   	$prod_email=$res['prod_email'];
  		$prod_phone=$res['prod_phone'];
	    $prod_phone2=$res['prod_phone2'];
	    $prod_fax=$res['prod_fax'];
  		$prod_website=$res['prod_website'];
  		$fprod_name=$res['fprod_name'];
  		$fprod_city=$res['fprod_city'];
  		$fprod_state=$res['fprod_state'];


	   	  } //terminate iff
	   } //terminate authorized prod_user


	   if($authorized==true)
	   {
	   	 //show the form where the prod_user can change and update values of his profile

	   	?>
	   	<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">


<!-- summary of table-->

        <tr>
        	<td><div align="right">Website (if any)</div></td>
            <td><input type="text" name="prod_website" id="prod_website" value="<?php echo $prod_website; ?>" /></td>
        </tr>
        <tr>
        	<td><div align="right">Current Production Name</div></td>
            <td><input type="text" name="fprod_name" id="fprod_name" value="<?php echo $fprod_name; ?>" /></td>
        </tr>
                    <tr>
        	<td><div align="right">Production City</div></td>
            <td><input type="text" name="fprod_city" id="fprod_city" value="<?php echo $fprod_city; ?>" /></td>


           <tr>
          <tr>
          <td><div align="right"></div></td>
          <td><div align="left">
           <input type="hidden" name="id" value="<?php echo $id; ?>" />
           <input type="hidden" name="prod_user" value="<?php echo $prod_user; ?>" />
            <input type="submit" name="update" id="update" value="Update My Profile" />
          </div></td>
        </tr>
      </table>
      <p>&nbsp;</p>
      </form>

 <?php

	   }


	  if($authorized==false)
	  {
	  	echo "You're not logged in, please <a href=\"login_test.php\">click here</a> to go to the login page for producers";
	  }

bradgrafelman

For one thing, you're doing the authentication bit in pretty much the worst way possible. If I register just now, and you have 1000 users already, your code has to loop through 1000 rows in the SQL database, checking the password of each row.

Why don't you just include the password in the WHERE clause of the query? You wouldn't need any looping at all then.

Also, this:

            $prod_fname=$res['prod_fname'];
              $prod_lname=$res['prod_lname'];
            $prod_comp=$res['prod_comp'];
              $prod_address=$res['prod_address'];
             $prod_city=$res['prod_city'];
              $prod_state=$res['prod_state'];
              $prod_zip=$res['prod_zip'];
            $prod_user=$res['prod_user'];
            $prod_pass=$res['prod_pass'];
                 $prod_email=$res['prod_email'];
              $prod_phone=$res['prod_phone'];
            $prod_phone2=$res['prod_phone2'];
            $prod_fax=$res['prod_fax'];
              $prod_website=$res['prod_website'];
              $fprod_name=$res['fprod_name'];
              $fprod_city=$res['fprod_city'];
              $fprod_state=$res['fprod_state'];

could be replaced with this:

extract($res);

provided that you only SELECT the columns you need.

In addition, your code is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query string. Instead, you should first sanitize it with a function such as [man]mysql_real_escape_string/man.

EDIT: Another security concern:

         if(isset($_POST['update']))
          {$authorized=true;

So in other words, if I POST'ed a field called 'update', then you automatically assume I'm an authorized entity and will allow me to change your data to whatever I like?

Weedpacket

bradgrafelman wrote:
For one thing, you're doing the authentication bit in pretty much the worst way possible. If I register just now, and you have 1000 users already, your code has to loop through 1000 rows in the SQL database, checking the password of each row.

Not to mention the fact that the loops continue to run through all the rest of the records even after the record being searched for is found, effectively doubling the time they take to run.

tizzo

Thanks Brad! I look into the the extract and escaping stings
so these changes show allow me not to keep hitting my error msg?

bradgrafelman

Well I don't know if it'll prevent the error, but it should at least help you condense the code and clean up the logic quite a bit. Once you make those changes, if you still have problems, explain exactly what's going on and show us a new copy of your code.