!!! Script needing to be cut down. !!!

Hey everyone. I have this user manager script but i want to cut it down so only users can edit there own records or information eg. name, password, profiles dec, aim, picture.

But the only problem is i need to cut down this script below to do it. Can anyone help me out and correct this for me thanks - Chris

=======================
User Manager Script
=======================

PHP Code:

<?php //userman.php include "../common_db.inc.php"; $link_id = db_connect(); mysql_select_db("sample_db"); mysql_close($link_id); function user_message($msg, $url='') { html_header(); if(empty($url)) echo "<SCRIPT>alert(\"$msg\");history.go(-1)</SCRIPT>"; else echo "<SCRIPT>alert(\"$msg\");self.location.href='$url'</SCRIPT>"; html_footer(); exit; } ?> <DIV ALIGN="CENTER"> <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2"> <TR> <TH WIDTH="25%" NOWRAP> <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=usernumber"; ?>"> User Number </A> </TH> <TH WIDTH="25%" NOWRAP> <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=userid"; ?>"> User ID </A> </TH> <TH WIDTH="25%" NOWRAP> <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=username"; ?>"> User Name </A> </TH> <TH WIDTH="25%" NOWRAP>Action</TH> </TR> <?php while($query_data = mysql_fetch_array($result)) { $usernumber = $query_data["usernumber"]; $userid = $query_data["userid"]; $username = $query_data["username"]; echo "<TR>\n"; echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$usernumber</TD>\n"; echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$userid</TD>\n"; echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$username</TD>\n"; echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\"> <A HREF=\"javascript:open_window('$PHP_SELF?action=view_record&userid=$userid');\">View</A> <A HREF=\"$PHP_SELF?action=delete_record&userid=$userid\" onClick=\"return confirm('Are you sure?');\">Delete</A></TD>\n"; echo "</TR>\n"; } ?> </TABLE> </DIV> <?php echo "<BR>\n"; echo "<STRONG><CENTER>"; if($page_num > 1) { $prev_page = $cur_page - 1; echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=0\">[Top]</A>"; echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$prev_page\">[Prev]</A>"; } if($page_num < $total_num_page) { $next_page = $cur_page + 1; $last_page = $total_num_page - 1; echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$next_page\">[Next]</A>"; echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$last_page\">[Bottom]</A>"; } echo "</STRONG></CENTER>"; html_footer(); } function delete_record() { global $default_dbname, $user_tablename, $access_log_tablename; global $userid; if(empty($userid)) error_message('Empty User ID!'); $link_id = db_connect($default_dbname); if(!$link_id) error_message(sql_error()); $query = "DELETE FROM $user_tablename WHERE userid = '$userid'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); $num_rows = mysql_affected_rows($link_id); if($num_rows != 1) error_message("No such user: $userid"); $query = "DELETE FROM $access_log_tablename WHERE userid = '$userid'"; $result = mysql_query($query); user_message("All records regarding $userid have been trashed!"); } function edit_record() { global $default_dbname, $user_tablename, $access_log_tablename; global $userid, $new_userid, $userid, $username, $userpassword, $useremail, $useraim, $userphoto, $userprofile, $registerdate, $lastaccesstime; if(empty($userid)) error_message('Empty User ID!'); $link_id = db_connect($default_dbname); if(!$link_id) error_message(sql_error()); $field_str = ''; if($userid != $new_userid) $field_str = " userid = '$new_userid', "; if(!empty($userpassword)) { $field_str .= " userpassword = password('$userpassword'), "; } if (!empty($useraim)) { $field_str .= " useraim = '$useraim', "; } if (!empty($userphoto)) { $field_str .= "userphoto = '$userphoto', "; } $field_str .= " username = '$username', "; $field_str .= " useremail = '$useremail', "; $field_str .= " userprofile = '$userprofile', "; $field_str .= " registerdate = '$registerdate', "; $field_str .= " lastaccesstime = '$lastaccesstime' "; $query = "UPDATE $user_tablename SET $field_str WHERE userid = '$userid'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); $num_rows = mysql_affected_rows($link_id); if(!$num_rows) error_message("Nothing changed!"); if($userid != $new_userid) { $query = "UPDATE $access_log_tablename SET userid = '$new_userid' WHERE userid = '$userid'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); user_message("All records regarding $userid have been changed!", "$PHP_SELF?action=view_record&userid=$new_userid"); } else { user_message("All records regarding $userid have been changed!"); } } function edit_log_record() { global $default_dbname, $access_log_tablename; global $userid, $org_page, $new_page, $visitcount, $accessdate; if(empty($userid)) error_message('Empty User ID!'); $link_id = db_connect($default_dbname); if(!$link_id) error_message(sql_error()); $field_str = ''; $field_str .= " page = '$new_page', "; $field_str .= " visitcount = $visitcount, "; $field_str .= " accessdate = '$accessdate' "; $query = "UPDATE $access_log_tablename SET $field_str WHERE userid = '$userid' AND page = '$org_page'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); $num_rows = mysql_affected_rows($link_id); if(!$num_rows) error_message("Nothing changed!"); user_message("All records regarding $userid have been changed!"); } function view_record() { global $default_dbname, $user_tablename, $access_log_tablename; global $userid; global $PHP_SELF; if(empty($userid)) error_message('Empty User ID!'); $link_id = db_connect($default_dbname); if(!$link_id) error_message(sql_error()); $query = "SELECT usernumber, userid, username, useremail, useraim, userphoto, userprofile, registerdate, date_format(registerdate, '%M, %e, %Y') as formatted_registerdate, lastaccesstime, date_format(lastaccesstime, '%M, %e, %Y') as formatted_lastaccesstime FROM $user_tablename WHERE userid = '$userid'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); $query_data = mysql_fetch_array($result); $usernumber = $query_data["usernumber"]; $userid = $query_data["userid"]; $username = $query_data["username"]; $useremail = $query_data["useremail"]; $useraim = $query_data["useraim"]; $userphoto = $query_data["userphoto"]; $userprofile = $query_data["userprofile"]; $registerdate = $query_data["registerdate"]; $formatted_registerdate = $query_data["formatted_registerdate"]; $lastaccesstime = $query_data["lastaccesstime"]; $formatted_lastaccesstime = $query_data["formatted_lastaccesstime"]; html_header(); echo "<CENTER><H3> Record for User No.$usernumber - $userid($username) </H3></CENTER>"; ?> <FORM METHOD="POST" ACTION="<?php echo $PHP_SELF; ?>"> <INPUT TYPE="HIDDEN" NAME="action" VALUE="edit_record"> <INPUT TYPE="HIDDEN" NAME="userid" VALUE="<? echo $userid; ?>"> <DIV ALIGN="CENTER"><CENTER> <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2"> <TR> <TH WIDTH="30%" NOWRAP>User ID</TH> <TD WIDTH="70%"> <INPUT TYPE="TEXT" NAME="new_userid" VALUE="<?php echo $userid; ?>" SIZE="8" MAXLENGTH="8"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>User Password</TH> <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="userpassword" SIZE="15"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Full Name</TH> <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="username" VALUE="<?php echo $username; ?>" SIZE="20"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Email</TH> <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="useremail" SIZE="20" VALUE="<?php echo $useremail; ?>"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>AIM Handle</TH> <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="useraim" SIZE="30" VALUE="<?php echo $useraim; ?>"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Photo URL</TH> <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="userphoto" SIZE="50" VALUE="<?php echo $userphoto; ?>"></TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Profile</TH> <TD WIDTH="70%"> <TEXTAREA ROWS="5" COLS="40" NAME="userprofile"> <?php echo htmlspecialchars($userprofile); ?> </TEXTAREA> </TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Register Date</TH> <TD WIDTH="70%"> <INPUT TYPE="TEXT" NAME="registerdate" SIZE="10" MAXLENGTH="10" VALUE="<?php echo $registerdate; ?>"> <?php echo $formatted_registerdate;?> </TD> </TR> <TR> <TH WIDTH="30%" NOWRAP>Last Access Time</TH> <TD WIDTH="70%"> <INPUT TYPE="TEXT" NAME="lastaccesstime" SIZE="14" MAXLENGTH="14" VALUE="<?php echo $lastaccesstime; ?>"> <?php echo $formatted_lastaccesstime; ?> </TD> </TR> <TR> <TH WIDTH="100%" COLSPAN="2" NOWRAP> <INPUT TYPE="SUBMIT" VALUE="Change User Record"> <INPUT TYPE="RESET" VALUE="Reset"> </TH> </TR> </TABLE> </CENTER></DIV> </FORM> <?php echo "<HR SIZE=\"2\" WIDTH=\"90%\">\n"; $query = "SELECT page, visitcount, accessdate, date_format(accessdate, '%M, %e, %Y') as formatted_accessdate FROM $access_log_tablename WHERE userid = '$userid'"; $result = mysql_query($query); if(!$result) error_message(sql_error()); if(!mysql_num_rows($result)) echo "<CENTER>No access log record for $userid ($username).</CENTER>"; else { echo "<CENTER>Access log record(s) for $userid ($username).</CENTER>"; ?> <DIV ALIGN="CENTER"><CENTER> <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2"> <TR> <TH WIDTH="20%" NOWRAP>Page</TH> <TH WIDTH="20%" NOWRAP>Hits</TH> <TH WIDTH="30%" NOWRAP>Last Access</TH> <TH WIDTH="30%" NOWRAP>Action</TH> </TR> <?php while($query_data = mysql_fetch_array($result)) { $page = $query_data["page"]; $visitcount = $query_data["visitcount"]; $accessdate = $query_data["accessdate"]; $formatted_accessdate = $query_data["formatted_accessdate"]; echo "<FORM METHOD=\"POST\" ACTION=\$PHP_SELF\">"; echo "<INPUT TYPE=\"HIDDEN\" NAME=\"action\" VALUE=\"edit_log_record\">"; echo "<INPUT TYPE=\"HIDDEN\" NAME=\"userid\" VALUE=\"$userid\">"; echo "<INPUT TYPE=\"HIDDEN\" NAME=\"org_page\" VALUE=\"$page\">"; echo "<TR>\n"; echo "<TD WIDTH=\"20%\"><INPUT TYPE=\"TEXT\" NAME=\"new_page\" SIZE=\"30\" VALUE=\"$page\"></TD>\n"; echo "<TD WIDTH=\"20%\" ALIGN=\"CENTER\"> <INPUT TYPE=\"TEXT\" NAME=\"visitcount\" SIZE=\"3\" VALUE=\"$visitcount\"></TD>\n"; echo "<TD WIDTH=\"30%\" ALIGN=\"CENTER\"> <INPUT TYPE=\"TEXT\" NAME=\"accessdate\" SIZE=\"14\" MAXLENGTH=\"14\" VALUE=\"$accessdate\"> <BR>$formatted_accessdate</TD>\n"; echo "<TD WIDTH=\"30%\" ALIGN=\"CENTER\"> <INPUT TYPE=\"SUBMIT\" VALUE=\"Change\"> <INPUT TYPE=\"RESET\" VALUE=\"Reset\"></TD>\n"; echo "</TR>\n"; echo "</FORM>\n"; } ?> </TR> </TABLE> </CENTER></DIV> <?php } html_footer(); } switch($action) { case "edit_record": edit_record(); break; case "edit_log_record": edit_log_record(); break; case "delete_record": delete_record(); break; case "view_record": view_record(); break; default: list_records(); break; } ?>

Help !! please

If anyone can help me please as i don't get any major feed back on anything i post.

Everyone here is ment to help out people who do not have much of a clur or who are stuck with projects so please help me out with this untill i can get time to learn more php and get to grips with everything possible.

Thanks - Chris

Hi, wow - that's a long script :p I do think it looks better with the vBulletin PHP tags ;) (I edited your post to ad them - see my sig about formatting code in the forums).

I know you have to get this script working now - but the problem is that its a lot of work to write and test and debug the changes you want for you!

I think the simplest thing to do is this:

Add a field to the form the user fills in which asks them for their current password (I say current because they may also be wanting to modify their password too).

something like:

PHP Code:

<?php echo '<input type="text" name="currentpword">'; ?>

Then in those functions where you edit/delete records, and you only want the member to have access to their you have to add onto the sql to check the password as well as the userid.

for example, in function delete_record() you would modify it to this:

PHP Code:

<?php function delete_record() { global $default_dbname, $user_tablename, $access_log_tablename; # note my addition of $currentpword below global $userid, $currentpword; if(empty($userid)) error_message('Empty User ID!'); $link_id = db_connect($default_dbname); if(!$link_id) error_message(sql_error()); $query = "DELETE FROM $user_tablename WHERE userid = '$userid' AND userpassword=password('$currentpword')"; $result = mysql_query($query); if(!$result) error_message(sql_error()); $num_rows = mysql_affected_rows($link_id); if($num_rows != 1) error_message("No such user: $userid"); # note my additions to the query below $query = "DELETE FROM $access_log_tablename WHERE userid = '$userid' AND userpassword=password('$currentpword')"; $result = mysql_query($query); user_message("All records regarding $userid have been trashed!"); } ?>

Now with that modified function above, assuming that the value $currentpword is coming from the text input field in your form, the query will only update the record if the user has supplied the correct password for that userid.

I should also point out that I am assuming that the tables $user_tablename and $access_log_tablename have a field userpassword - that is something you would have to work out and modify if need be.

I hope that gives you a pointer of where to go. The next thing you should do is read Kevin Yank's tutorial (see my signature and the link to Skunk's thread on php/mysql resources - the link to the article is in that thread). If you work through that tutorial this weekend, you should be much closer to getting ontop of this particular script!

Good luck :)

Thanks

I will try this out and if i cant get it to work i will post what went wrong even tho what i really need to do is remove alot of the crap that is not needed maybe i can do this after i have the script doing what i want it to do.

- - - - - - - -

I did try this out but i found out that people can hack the script and still get to all the information and such without even having to try.

removing all the non needed parts of the script would stop this but i am not up to scratch with all of this right now so i can't figure out how to do the following edits. The access logger and access log table are not needed I don't know why they are even in the script i would also like to remove these parts from my script but like again i dont have anyone or anything to help me out as of being busy.

If you could help me rip this script apart or some one else write the script from scratch this would help me out so much as this script is a major part of my web site.

I will read through on this sort of problem but its hard to use php.net anymore as i do not have the newist version of php installed on my server as of yet. I will keep trying to figure this out so please help me out for a while and i will help you out in return when you have problems,

Thanks - Chris