
Author Topic: ?var = $var  (Read 5638 times)


guest4485 (Guest)
?var = $var
« on: April 24, 2009, 09:45:44 pm »
Hi, I am currently developing a turn-based game using PHP & MySQL and have a decent start with it, however I am having one problem and that is with the profile pages. I have the site set up so that when you view your profile (say your id was 1) it would display http://www.websitename.com/profile.php?u=1, however if I switch to http://www.websitename.com/profile.php?u=2 (the account of my graphics guy) it displays the same information as the ?u=1 page.

Here is the profile.php page:
Code:
<?php
// Program File: Home.php
// Program Description: The page that contains all the news, and events, along with welcoming the user.
// Start Session
session_start();
// Redirect User If They Are Not Authorized
if($_SESSION['auth'] != 'y')
{
header("Location: index.php");
exit; // stop rendering the rest of the page after the redirect header
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Acacian Adventures | Alpha Testing</title>
<meta name="keywords" content="" />
<meta name="description" content="" />
<link href="styles.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<body>
<div id="content">
<!-- header begins -->


<!-- header ends -->
<!-- content begins -->
 <div id="main">
<div id="right">
<div id="header">
<div id="logo">
<h1><a href="http://acacianadventures.freehostia.com">Acacian Adventures</a></h1>
<h2><a href="http://acacianadventures.freehostia.com" id="metamorph">The Adventure Has Begun... ...Which Side Will You Choose?</a></h2>
</div>
<div id="menu">
<ul>
<li><a href="index.php"  title="">Home</a></li>
<li><a href="/forums" title="">Forums</a></li>
</ul>
</div>
</div>
    <div class="box">
<h2>
<?php
include "profile_includes.php";
$head_stmt = "SELECT * FROM users WHERE userid='$u_id'";
$head_query = mysql_query($head_stmt) or die( mysql_error() );
$head_fetch = mysql_fetch_array($head_query) or die( mysql_error() );

$header = $head_fetch['username'];
print $header;
?>

</h2><br />
<h4>Biography</h4><br />
<?php
include "profile_includes.php";
print $u_bio;
?>

<h4>User Statistics</h4>
<?php
include "profile_includes.php";
print "
<table border='0' width='150px'>
<tr><td>Version:</td><td>$version</td></tr>
</table>";
?>

</div>
</div>
  <div id="left">
        <div id="top"></div>
<div id="left_back">
<h3>Player Information</h3>
<div class="title_back">
<ul>
<ul>
<?php
include("./menus/playerinfo.php");
?>

</ul>
</ul>
</div>
<br />
<div id="left_back">
<h3>Personal Space</h3>
<div class="title_back">
<ul>
<ul>
<?php
include("./menus/personal.php");
?>

</ul>
</ul>
</div>
<br />
<h3>Explore</h3>
<div class="title_back">
<ul>
<ul>
<?php
include("./menus/explore.php");
?>

</ul>
</ul>
</div>
<br />
<h3>Staff List</h3>
<div class="title_back">
<ul>
<?php
include("./menus/stafflist.php");
?>

</ul>
</div>
</div>
<br />
<h3>Game News</h3>
<div class="title_back">
<ul>
<?php
include("./menus/gamenews.php");
?>

</ul>
  </div>
</div>
<div id="bottom"></div>
</div>
<!--content ends -->
<!--footer begins -->
<div style="clear: both"></div>
</div>
</div>
<div id="footer">
<p>Copyright &copy; 2009. <a href="#">Privacy Policy</a> | <a href="#">Terms of Use</a> | <a href="http://validator.w3.org/check/referer" title="This page validates as XHTML 1.0 Transitional"><abbr title="eXtensible HyperText Markup Language">XHTML</abbr></a> | <a href="http://jigsaw.w3.org/css-validator/check/referer" title="This page validates as CSS"><abbr title="Cascading Style Sheets">CSS</abbr></a></p>
<p>Design by <a href="http://www.metamorphozis.com/" title="Free Web Templates">Free Web Templates</a></p>
</div>

<!-- footer ends-->
</body>
</html>

Here is the profile_includes.php page:
Code:
<?php
// Connect To Database
$host = '***';
$user = '***';
$pass = '***';
$data = '***';
mysql_connect($host, $user, $pass) or die( 'There was an error connecting to MySQL: ' . mysql_error() );
mysql_select_db($data) or die( 'MySQL Couldn\'t Select The Database: ' . mysql_error() );

// Starter Variables
$un = $_SESSION['id'];

// User Table
$u_stmt = "SELECT * FROM users WHERE userid = '$un'";
$u_query = mysql_query($u_stmt) or die( mysql_error() );
$u_fetch = mysql_fetch_array($u_query) or die( mysql_error() );

$u_id = $u_fetch['userid'];
$u_age = $u_fetch['age'];
$u_bio = $u_fetch['bio'];
$u_name = $u_fetch['username'];
$u_email = $u_fetch['email'];
$u_r_name = $u_fetch['f_name'] . ' ' . $u_fetch['l_name'];
$u_staff_notes = $u_fetch['staff_notes'];
$version = $u_fetch['version'];
$access_level = $u_fetch['access_level'];
?>


I realize that the $un variable is $_SESSION, but when I switch it to $_GET to attempt to grab it from the URL it doesn't work (I've read this in tutorials but it doesn't seem to work) and I get the error message of

Notice: Undefined index: userid in C:\wamp\www\testing\profile_includes.php on line 11

Any help would be greatly appreciated.

Colette Brunel
Re: ?var = $var
« Reply #1 on: June 23, 2009, 05:22:17 pm »
$_GET can only be grabbed when the actual parameter is in the URL. $_POST should be used if it is sent through a form.

I would use $_REQUEST to do this, and you aren't cleaning your information at all or checking anything, which is very bad.

Example:

$un = (isset($_REQUEST['id']) ? (integer) $_REQUEST['id'] : 0);

Colette Brunel
Re: ?var = $var
« Reply #2 on: June 23, 2009, 05:26:41 pm »
A second look, and I see this:

Code:
if($_SESSION['auth'] != 'y')
{
header("Location: index.php");
}

If session is not given, you would get an undefined issue. Make sure $_SESSION['auth'] exists before putting it in a conditional statement. Likewise, the headers sent (location) won't work properly on other browsers (like Chrome and Safari) without a "status" being sent first.

When you're grabbing your information from the db, you should loop it all into an assoc array and then clear the db request using mysql_free_result(), and then use the array to build your data in a foreach() loop for every member as the array will be filled properly by request.

You should use require_once() on your file calls as using include(), on fail, would cause the script to continue running when I'm pretty sure you don't intend or want that to happen.

If you need assistance, I can help you rewrite some portions.
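Pulling the two replies together, here is what profile_includes.php could look like with the u parameter validated, the session key checked before use, and the lookup done as a parameterised query. This is an added example, not code from the thread: it swaps the mysql_* calls for mysqli prepared statements (the get_result() call assumes the mysqlnd driver), keeps the same users table columns, and uses placeholder credentials.

```php
<?php
// Added example (not from the thread): hardened profile_includes.php.
// Uses mysqli prepared statements instead of the mysql_* extension.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Check the session key exists before comparing it (Reply #2's point).
if (!isset($_SESSION['auth']) || $_SESSION['auth'] !== 'y') {
    header('Location: index.php', true, 303);
    exit;
}

// Placeholder credentials; real values belong in a config file outside the web root.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('There was an error connecting to MySQL.'); // log connect_error, do not show it to users
}

// Profile to show: ?u=N when present and a positive integer, else the logged-in user.
// FILTER_VALIDATE_INT rejects values such as "1abc" or "1 OR 1=1" instead of truncating them.
$u_id = filter_input(INPUT_GET, 'u', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($u_id === null || $u_id === false) {
    $u_id = isset($_SESSION['id']) ? (int) $_SESSION['id'] : 0;
}

// Parameterised query: $u_id is bound as an integer, never interpolated into the SQL string.
// Select only what the public profile shows; email and staff_notes stay out of it.
$stmt = $db->prepare('SELECT userid, username, age, bio, version FROM users WHERE userid = ?');
$stmt->bind_param('i', $u_id);
$stmt->execute();
$u_fetch = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($u_fetch === null) {
    http_response_code(404);
    die('No such user.');
}

// Escape on output so a bio containing HTML cannot inject markup or script into the page.
$u_name  = htmlspecialchars($u_fetch['username'], ENT_QUOTES, 'UTF-8');
$u_bio   = htmlspecialchars($u_fetch['bio'], ENT_QUOTES, 'UTF-8');
$version = htmlspecialchars($u_fetch['version'], ENT_QUOTES, 'UTF-8');
$u_age   = (int) $u_fetch['age'];
```

With this include, profile.php no longer needs its own second SELECT for the username; it can print $u_name, $u_bio and $version directly.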