  1. #1 cpeat (SitePoint Enthusiast, joined Sep 2001, England (UK), 28 posts)

    !!! Script needing to be cut down. !!!

    Hey everyone. I have this user manager script, but I want to cut it down so only users can edit their own records or information, e.g. name, password, profile desc, AIM, picture.

    But the only problem is I need to cut down this script below to do it. Can anyone help me out and correct this for me? Thanks - Chris

    =======================
    User Manager Script
    =======================
    PHP Code:
    <?php
    //userman.php
    // The script relies on PHP 4 register_globals: $action, $userid, $new_userid
    // and the other form fields arrive as plain globals, and the functions below
    // interpolate them unescaped into SQL and HTML.

    include "../common_db.inc.php";

    $link_id = db_connect();
    mysql_select_db("sample_db");
    mysql_close($link_id);


    // Shows a JavaScript alert, then goes back or redirects to $url.
    function user_message($msg, $url='') {
      html_header();
      if(empty($url))
           echo "<SCRIPT>alert(\"$msg\");history.go(-1)</SCRIPT>";
      else echo "<SCRIPT>alert(\"$msg\");self.location.href='$url'</SCRIPT>";
      html_footer();
      exit;
    }

    // Lists users in a sortable, paged table. The beginning of this function
    // (the SELECT that sets $result and the paging variables $page_num,
    // $cur_page, $total_num_page, $sort_order, $org_sort_order and $order_by)
    // was not included in the post.
    function list_records() {
    ?>
    <DIV ALIGN="CENTER">
    <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2">
       <TR>
          <TH WIDTH="25%" NOWRAP>
             <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=usernumber"?>">
             User Number
             </A>
          </TH>
          <TH WIDTH="25%" NOWRAP>
             <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=userid"?>">
             User ID
             </A>
          </TH>
          <TH WIDTH="25%" NOWRAP>
             <A HREF="<?php echo "$PHP_SELF?action=list_records&sort_order=$sort_order&order_by=username"?>">
                User Name
             </A>
          </TH>
          <TH WIDTH="25%" NOWRAP>Action</TH>
       </TR>
    <?php
       while($query_data = mysql_fetch_array($result)) {
          $usernumber = $query_data["usernumber"];
          $userid = $query_data["userid"];
          $username = $query_data["username"];
          echo "<TR>\n";
          echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$usernumber</TD>\n";
          echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$userid</TD>\n";
          echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">$username</TD>\n";
          echo "<TD WIDTH=\"25%\" ALIGN=\"CENTER\">
                <A HREF=\"javascript:open_window('$PHP_SELF?action=view_record&userid=$userid');\">View</A>
                <A HREF=\"$PHP_SELF?action=delete_record&userid=$userid\" onClick=\"return confirm('Are you sure?');\">Delete</A></TD>\n";
          echo "</TR>\n";
       }
    ?>
    </TABLE>
    </DIV>
    <?php
       echo "<BR>\n";
       echo "<STRONG><CENTER>";
       // Paging links: [Top]/[Prev] when not on the first page, [Next]/[Bottom] when not on the last.
       if($page_num > 1) {
          $prev_page = $cur_page - 1;

          echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=0\">[Top]</A>";

          echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$prev_page\">[Prev]</A>";
       }
       if($page_num < $total_num_page) {
          $next_page = $cur_page + 1;
          $last_page = $total_num_page - 1;

          echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$next_page\">[Next]</A>";

          echo "<A HREF=\"$PHP_SELF?action=list_records&sort_order=$org_sort_order&order_by=$order_by&cur_page=$last_page\">[Bottom]</A>";
       }

       echo "</STRONG></CENTER>";
       html_footer();
    }

    // Deletes a user and its access-log rows. $userid comes straight from the
    // request: nothing ties it to the logged-in user, and it is not escaped.
    function delete_record() {
      global $default_dbname, $user_tablename, $access_log_tablename;
      global $userid;

      if(empty($userid)) error_message('Empty User ID!');

      $link_id = db_connect($default_dbname);
      if(!$link_id) error_message(sql_error());

      $query = "DELETE FROM $user_tablename WHERE userid = '$userid'";
      $result = mysql_query($query);
      if(!$result) error_message(sql_error());

      $num_rows = mysql_affected_rows($link_id);
      if($num_rows != 1) error_message("No such user: $userid");

      $query = "DELETE FROM $access_log_tablename WHERE userid = '$userid'";
      $result = mysql_query($query);

      user_message("All records regarding $userid have been trashed!");
    }

    // Updates every field of the user record from the submitted form. Any caller
    // who knows a userid can change that user's record (and rename it).
    function edit_record() {
      global $default_dbname, $user_tablename, $access_log_tablename;
      global $userid, $new_userid, $username, $userpassword,
             $useremail, $useraim, $userphoto, $userprofile, $registerdate,
             $lastaccesstime, $PHP_SELF;   // $PHP_SELF is used in the redirect URL below

      if(empty($userid)) error_message('Empty User ID!');

      $link_id = db_connect($default_dbname);
      if(!$link_id) error_message(sql_error());

      $field_str = '';
      if($userid != $new_userid) $field_str = " userid = '$new_userid', ";
      if(!empty($userpassword)) {
        $field_str .= " userpassword = password('$userpassword'), ";
      }
      if (!empty($useraim)) {
        $field_str .= " useraim = '$useraim', ";
      }
      if (!empty($userphoto)) {
        $field_str .= "userphoto = '$userphoto', ";
      }
      $field_str .= " username = '$username', ";
      $field_str .= " useremail = '$useremail', ";
      $field_str .= " userprofile = '$userprofile', ";
      $field_str .= " registerdate = '$registerdate', ";
      $field_str .= " lastaccesstime = '$lastaccesstime' ";

      $query = "UPDATE $user_tablename SET $field_str WHERE userid = '$userid'";

      $result = mysql_query($query);
      if(!$result) error_message(sql_error());

      $num_rows = mysql_affected_rows($link_id);
      if(!$num_rows) error_message("Nothing changed!");
      if($userid != $new_userid) {
        // Keep the access log in step with the renamed user.
        $query = "UPDATE $access_log_tablename SET userid = '$new_userid'
                                               WHERE userid = '$userid'";
        $result = mysql_query($query);
        if(!$result) error_message(sql_error());

        user_message("All records regarding $userid have been changed!",
                     "$PHP_SELF?action=view_record&userid=$new_userid");
      }
      else {
        user_message("All records regarding $userid have been changed!");
      }
    }

    // Updates one access-log row, identified by userid and the original page.
    function edit_log_record() {
      global $default_dbname, $access_log_tablename;
      global $userid, $org_page, $new_page, $visitcount, $accessdate;

      if(empty($userid)) error_message('Empty User ID!');

      $link_id = db_connect($default_dbname);
      if(!$link_id) error_message(sql_error());

      $field_str = '';

      $field_str .= " page = '$new_page', ";
      $field_str .= " visitcount = $visitcount, ";
      $field_str .= " accessdate = '$accessdate' ";

      $query = "UPDATE $access_log_tablename SET $field_str
                                             WHERE userid = '$userid'
                                             AND page = '$org_page'";
      $result = mysql_query($query);
      if(!$result) error_message(sql_error());

      $num_rows = mysql_affected_rows($link_id);
      if(!$num_rows) error_message("Nothing changed!");

      user_message("All records regarding $userid have been changed!");
    }

    // Shows the edit form for one user plus that user's access-log rows.
    function view_record() {

      global $default_dbname, $user_tablename, $access_log_tablename;
      global $userid;
      global $PHP_SELF;

      if(empty($userid)) error_message('Empty User ID!');

      $link_id = db_connect($default_dbname);

      if(!$link_id) error_message(sql_error());

      $query = "SELECT usernumber, userid, username,
                       useremail, useraim, userphoto, userprofile, registerdate,
                       date_format(registerdate, '%M, %e, %Y')
                         as formatted_registerdate,
                       lastaccesstime, date_format(lastaccesstime, '%M, %e, %Y')
                         as formatted_lastaccesstime
                       FROM $user_tablename WHERE userid = '$userid'";
      $result = mysql_query($query);

      if(!$result) error_message(sql_error());

      $query_data = mysql_fetch_array($result);
      $usernumber = $query_data["usernumber"];
      $userid = $query_data["userid"];
      $username = $query_data["username"];
      $useremail = $query_data["useremail"];
      $useraim = $query_data["useraim"];
      $userphoto = $query_data["userphoto"];
      $userprofile = $query_data["userprofile"];
      $registerdate = $query_data["registerdate"];
      $formatted_registerdate = $query_data["formatted_registerdate"];
      $lastaccesstime = $query_data["lastaccesstime"];
      $formatted_lastaccesstime = $query_data["formatted_lastaccesstime"];

      html_header();
      echo "<CENTER><H3>
            Record for User No. $usernumber - $userid($username)
            </H3></CENTER>";
    ?>

    <FORM METHOD="POST" ACTION="<?php echo $PHP_SELF?>">
    <INPUT TYPE="HIDDEN" NAME="action" VALUE="edit_record">
    <INPUT TYPE="HIDDEN" NAME="userid" VALUE="<?php echo $userid?>">
    <DIV ALIGN="CENTER"><CENTER>
    <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2">
        <TR>
          <TH WIDTH="30%" NOWRAP>User ID</TH>
          <TD WIDTH="70%">
          <INPUT TYPE="TEXT" NAME="new_userid"
                             VALUE="<?php echo $userid?>"
                             SIZE="8" MAXLENGTH="8"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>User Password</TH>
          <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="userpassword" SIZE="15"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>Full Name</TH>
          <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="username" 
                                 VALUE="<?php echo $username?>" SIZE="20"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>Email</TH>
          <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="useremail" SIZE="20"
                                 VALUE="<?php echo $useremail?>"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>AIM Handle</TH>
          <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="useraim" SIZE="30"
                                 VALUE="<?php echo $useraim?>"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>Photo URL</TH>
          <TD WIDTH="70%"><INPUT TYPE="TEXT" NAME="userphoto" SIZE="50"
                                 VALUE="<?php echo $userphoto?>"></TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>Profile</TH>
          <TD WIDTH="70%">
            <TEXTAREA ROWS="5" COLS="40" NAME="userprofile">
              <?php echo htmlspecialchars($userprofile); ?>
            </TEXTAREA>
          </TD>
        </TR>
        <TR>
          <TH WIDTH="30%" NOWRAP>Register Date</TH>
          <TD WIDTH="70%">
            <INPUT TYPE="TEXT" NAME="registerdate" SIZE="10" MAXLENGTH="10" 
                               VALUE="<?php echo $registerdate?>">
            <?php echo $formatted_registerdate;?>
          </TD>
        </TR>    
        <TR>
          <TH WIDTH="30%" NOWRAP>Last Access Time</TH>
          <TD WIDTH="70%">
            <INPUT TYPE="TEXT" NAME="lastaccesstime" SIZE="14" MAXLENGTH="14" 
                   VALUE="<?php echo $lastaccesstime?>">
            <?php echo $formatted_lastaccesstime?>
          </TD>
        </TR>    
        <TR>
          <TH WIDTH="100%" COLSPAN="2" NOWRAP>
            <INPUT TYPE="SUBMIT" VALUE="Change User Record">
            <INPUT TYPE="RESET" VALUE="Reset">
          </TH>
        </TR>
      </TABLE>
      </CENTER></DIV>
    </FORM>
    <?php
      echo "<HR SIZE=\"2\" WIDTH=\"90%\">\n";

      $query = "SELECT page, visitcount, accessdate,
                date_format(accessdate, '%M, %e, %Y') as formatted_accessdate
                FROM $access_log_tablename WHERE userid = '$userid'";
      $result = mysql_query($query);

      if(!$result) error_message(sql_error());
      if(!mysql_num_rows($result))
        echo "<CENTER>No access log record for $userid ($username).</CENTER>";
      else {
        echo "<CENTER>Access log record(s) for $userid ($username).</CENTER>";
    ?>
    <DIV ALIGN="CENTER"><CENTER>
    <TABLE BORDER="1" WIDTH="90%" CELLPADDING="2">
      <TR>
        <TH WIDTH="20%" NOWRAP>Page</TH>
        <TH WIDTH="20%" NOWRAP>Hits</TH>
        <TH WIDTH="30%" NOWRAP>Last Access</TH>
        <TH WIDTH="30%" NOWRAP>Action</TH>
      </TR>
    <?php
        // One small form per access-log row, each posting back to edit_log_record.
        while($query_data = mysql_fetch_array($result)) {
          $page = $query_data["page"];
          $visitcount = $query_data["visitcount"];
          $accessdate = $query_data["accessdate"];
          $formatted_accessdate = $query_data["formatted_accessdate"];

          echo "<FORM METHOD=\"POST\" ACTION=\"$PHP_SELF\">";
          echo "<INPUT TYPE=\"HIDDEN\" NAME=\"action\"
                                       VALUE=\"edit_log_record\">";
          echo "<INPUT TYPE=\"HIDDEN\" NAME=\"userid\" VALUE=\"$userid\">";
          echo "<INPUT TYPE=\"HIDDEN\" NAME=\"org_page\" VALUE=\"$page\">";
          echo "<TR>\n";
          echo "<TD WIDTH=\"20%\"><INPUT TYPE=\"TEXT\"
                    NAME=\"new_page\" SIZE=\"30\" VALUE=\"$page\"></TD>\n";
          echo "<TD WIDTH=\"20%\" ALIGN=\"CENTER\">
                  <INPUT TYPE=\"TEXT\" NAME=\"visitcount\" SIZE=\"3\"
                                       VALUE=\"$visitcount\"></TD>\n";
          echo "<TD WIDTH=\"30%\" ALIGN=\"CENTER\">
                  <INPUT TYPE=\"TEXT\" NAME=\"accessdate\" SIZE=\"14\"
                         MAXLENGTH=\"14\" VALUE=\"$accessdate\">
                <BR>$formatted_accessdate</TD>\n";
          echo "<TD WIDTH=\"30%\" ALIGN=\"CENTER\">
                  <INPUT TYPE=\"SUBMIT\" VALUE=\"Change\">
                  <INPUT TYPE=\"RESET\" VALUE=\"Reset\"></TD>\n";
          echo "</TR>\n";
          echo "</FORM>\n";
        }
    ?>
    </TABLE>
    </CENTER></DIV>
    <?php
      }
      html_footer();
    }

    // Dispatch on the action name sent in the query string or form.
    switch($action) {
      case "edit_record":
        edit_record();
      break;
      case "edit_log_record":
        edit_log_record();
      break;
      case "delete_record":
        delete_record();
      break;
      case "view_record":
        view_record();
      break;
      default:
        list_records();
      break;

    }
    ?>
    Last edited by freakysid; Dec 14, 2001 at 14:45.

  2. #2 cpeat (SitePoint Enthusiast, joined Sep 2001, England (UK), 28 posts)

    Help !! please

    If anyone can help me please, as I don't get any major feedback on anything I post.

    Everyone here is meant to help out people who do not have much of a clue or who are stuck with projects, so please help me out with this until I can get time to learn more PHP and get to grips with everything possible.

    Thanks - Chris

  3. #3 freakysid (joined Jun 2000, Sydney, Australia, 3,798 posts)

    Hi, wow - that's a long script. I do think it looks better with the vBulletin PHP tags (I edited your post to add them - see my sig about formatting code in the forums).

    I know you have to get this script working now - but the problem is that it's a lot of work to write and test and debug the changes you want for you!

    I think the simplest thing to do is this:

    Add a field to the form the user fills in which asks them for their current password (I say current because they may also be wanting to modify their password too).

    Something like:
    PHP Code:
    <?php
    echo '<input type="text" name="currentpword">';
    ?>
    Then in those functions where you edit/delete records, and you only want the member to have access to their own, you have to add onto the SQL to check the password as well as the userid.

    For example, in function delete_record() you would modify it to this:
    PHP Code:
    <?php

    function delete_record() {
      global $default_dbname, $user_tablename, $access_log_tablename;
      # note my addition of $currentpword below
      global $userid, $currentpword;

      if(empty($userid)) error_message('Empty User ID!');

      $link_id = db_connect($default_dbname);
      if(!$link_id) error_message(sql_error());

      # the row is only deleted when the supplied current password matches
      $query = "DELETE FROM $user_tablename
                WHERE userid = '$userid'
                AND userpassword=password('$currentpword')";
      $result = mysql_query($query);
      if(!$result) error_message(sql_error());

      $num_rows = mysql_affected_rows($link_id);
      if($num_rows != 1) error_message("No such user: $userid");

      # note my additions to the query below
      $query = "DELETE FROM $access_log_tablename
                WHERE userid = '$userid'
                AND userpassword=password('$currentpword')";
      $result = mysql_query($query);

      user_message("All records regarding $userid have been trashed!");
    }

    ?>
    Now with that modified function above, assuming that the value $currentpword is coming from the text input field in your form, the query will only update the record if the user has supplied the correct password for that userid.

    I should also point out that I am assuming that the tables $user_tablename and $access_log_tablename have a field userpassword - that is something you would have to work out and modify if need be.

    I hope that gives you a pointer of where to go. The next thing you should do is read Kevin Yank's tutorial (see my signature and the link to Skunk's thread on php/mysql resources - the link to the article is in that thread). If you work through that tutorial this weekend, you should be much closer to getting on top of this particular script!

    Good luck
    Last edited by freakysid; Dec 14, 2001 at 15:05.

  4. #4 cpeat (SitePoint Enthusiast, joined Sep 2001, England (UK), 28 posts)

    Thanks

    I will try this out and if I can't get it to work I will post what went wrong, even though what I really need to do is remove a lot of the crap that is not needed. Maybe I can do this after I have the script doing what I want it to do.

    - - - - - - - -

    I did try this out but I found out that people can hack the script and still get to all the information and such without even having to try.

    Removing all the non-needed parts of the script would stop this, but I am not up to scratch with all of this right now so I can't figure out how to do the following edits. The access logger and access log table are not needed; I don't know why they are even in the script. I would also like to remove these parts from my script but, again, I don't have anyone or anything to help me out as I am busy.

    If you could help me rip this script apart, or someone else write the script from scratch, this would help me out so much as this script is a major part of my web site.

    I will read through on this sort of problem but it's hard to use php.net anymore as I do not have the newest version of PHP installed on my server as of yet. I will keep trying to figure this out, so please help me out for a while and I will help you out in return when you have problems.

    Thanks - Chris
    Last edited by cpeat; Dec 14, 2001 at 18:04.
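freakysid's current-password check, and Chris's follow-up that members could still reach everyone else's data, both come back to one point: the record being changed has to be tied to the logged-in user, not to a userid field the form sends. The following is an added example, not code from the thread; it is modern PHP that swaps in PDO prepared statements and password_verify() for the mysql_* calls and MySQL's password() used above, and the users table layout, the $_SESSION['userid'] set at login, and the DSN/credentials are assumptions.

```php
<?php
// Added example, not code from the thread. The edited record is tied to the
// session user set at login (assumed: $_SESSION['userid']), the current
// password is checked with password_verify() rather than MySQL's password(),
// and every query is a PDO prepared statement, so form values never become
// part of the SQL text. Assumed table: users(userid, userpassword, username,
// useremail, useraim, userphoto, userprofile), userpassword = password_hash().
session_start();

function require_login(): string {
    // "Who is asking?" comes from the login session, never from a form field.
    if (empty($_SESSION['userid'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    return $_SESSION['userid'];
}

function current_password_ok(PDO $db, string $userid, string $currentpword): bool {
    $st = $db->prepare('SELECT userpassword FROM users WHERE userid = ?');
    $st->execute([$userid]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($currentpword, $hash);
}

// Only the columns a member may change; whitelisting the column names is what
// makes it safe to build the SET clause from them.
const EDITABLE = ['username', 'useremail', 'useraim', 'userphoto', 'userprofile'];

// Returns the number of rows changed (0 when the current password is wrong).
function edit_own_record(PDO $db, string $userid, array $post): int {
    if (!current_password_ok($db, $userid, $post['currentpword'] ?? '')) {
        return 0;
    }
    $sets = [];
    $vals = [];
    foreach (EDITABLE as $col) {
        if (isset($post[$col])) {
            $sets[] = "$col = ?";
            $vals[] = $post[$col];
        }
    }
    if (!empty($post['userpassword'])) {          // optional new password
        $sets[] = 'userpassword = ?';
        $vals[] = password_hash($post['userpassword'], PASSWORD_DEFAULT);
    }
    if (!$sets) {
        return 0;
    }
    $vals[] = $userid;   // WHERE clause is the session user, never a form field
    $st = $db->prepare('UPDATE users SET ' . implode(', ', $sets) . ' WHERE userid = ?');
    $st->execute($vals);
    return $st->rowCount();
}

// Placeholder DSN and credentials; replace with the site's own.
$db = new PDO('mysql:host=localhost;dbname=sample_db', 'DB_USER', 'DB_PASS',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$changed = edit_own_record($db, require_login(), $_POST);
echo $changed ? 'Record updated' : 'Nothing changed (wrong current password?)';
```

Because the userid in the WHERE clause is the session user, a userid or new_userid field in the submitted form is simply ignored, which is what closes the hole Chris describes.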

