user login directing to restrictGoTo = "../denied.php WHAT AM I DOING WRONG?

Report · Apr 13, 2012

i have followed the same process i also do, user signs up then should go to there landing page. but it is sending them to the failed page

the input page code is here

<?php require_once('../Connections/hostprop.php'); ?>

<?php

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

if (PHP_VERSION < 6) {

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

}

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

$editFormAction = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);

}

foreach($_FILES as $files => $_file){

$_POST[$files]="";

if($_file['name']!=""){

$pathinfo=pathinfo($_file['name']);

$file_name_array = explode(".", basename($_file['name']));

$filename = $file_name_array[count($file_name_array)-2];

$_POST[$files]=$file_prefix.$filename.$file_suffix.$date_stamp.".".$pathinfo['extension'];

}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form4"))

{

if($_POST['password'] == $_POST['password2'] && $_POST['email'] == $_POST['email2'])

$insertSQL = sprintf("INSERT INTO think_signup (FirstName, Surname, userid, password, email, ContactMethod, TeleNumber, SalaryReq, PositionReq, skills_offered, cv, needCV, otherComments, location) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",

GetSQLValueString($_POST['FirstName'], "text"),

GetSQLValueString($_POST['Surname'], "text"),

GetSQLValueString($_POST['userid'], "text"),

GetSQLValueString($_POST['password'], "text"),

GetSQLValueString($_POST['email'], "text"),

GetSQLValueString($_POST['ContactMethod'], "text"),

GetSQLValueString($_POST['TeleNumber'], "text"),

GetSQLValueString($_POST['SalaryReq'], "text"),

GetSQLValueString($_POST['PositionReq'], "text"),

GetSQLValueString($_POST['skills_offered'], "text"),

GetSQLValueString($_POST['cv'], "text"),

GetSQLValueString(isset($_POST['needCV']) ? "true" : "", "defined","'Y'","'N'"),

GetSQLValueString($_POST['otherComments'], "text"),

GetSQLValueString($_POST['location'], "text"));

mysql_select_db($database_hostprop, $hostprop);

$Result1 = mysql_query($insertSQL, $hostprop) or die(mysql_error());

$insertGoTo = "php.php";

if (isset($_SERVER['QUERY_STRING'])) {

$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";

$insertGoTo .= $_SERVER['QUERY_STRING'];

}

header(sprintf("Location: %s", $insertGoTo));

}

$colname_rsReg = "-1";

if (isset($_SESSION['MM_Username'])) {

$colname_rsReg = $_SESSION['MM_Username'];

}

mysql_select_db($database_hostprop, $hostprop);

$query_rsReg = sprintf("SELECT * FROM think_signup WHERE userid = %s", GetSQLValueString($colname_rsReg, "text"));

$rsReg = mysql_query($query_rsReg, $hostprop) or die(mysql_error());

$row_rsReg = mysql_fetch_assoc($rsReg);

$totalRows_rsReg = mysql_num_rows($rsReg);mysql_select_db($database_hostprop, $hostprop);

$query_rsReg = "SELECT * FROM think_signup";

$rsReg = mysql_query($query_rsReg, $hostprop) or die(mysql_error());

$row_rsReg = mysql_fetch_assoc($rsReg);

$totalRows_rsReg = mysql_num_rows($rsReg);

?>

form attributes

<form action="<?php echo $editFormAction; ?>" method="post" name="form4" enctype="multipart/form-data">

</form>

and the landing page is here

<?php require_once('../Connections/hostprop.php'); ?>

<?php

//initialize the session

if (!isset($_SESSION)) {

session_start();

}

// ** Logout the current user. **

$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";

if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){

$logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);

}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){

//to fully log out a visitor we need to clear the session varialbles

$_SESSION['MM_Username'] = NULL;

$_SESSION['MM_UserGroup'] = NULL;

$_SESSION['PrevUrl'] = NULL;

unset($_SESSION['MM_Username']);

unset($_SESSION['MM_UserGroup']);

unset($_SESSION['PrevUrl']);

$logoutGoTo = "../index.php";

if ($logoutGoTo) {

header("Location: $logoutGoTo");

exit;

}

?>

<?php

if (!isset($_SESSION)) {

session_start();

}

$MM_authorizedUsers = "";

$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page

function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {

// For security, start by assuming the visitor is NOT authorized.

$isValid = False;

// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.

// Therefore, we know that a user is NOT logged in if that Session variable is blank.

if (!empty($UserName)) {

// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.

// Parse the strings into arrays.

$arrUsers = Explode(",", $strUsers);

$arrGroups = Explode(",", $strGroups);

if (in_array($UserName, $arrUsers)) {

$isValid = true;

}

// Or, you may restrict access to only certain users based on their username.

if (in_array($UserGroup, $arrGroups)) {

$isValid = true;

}

if (($strUsers == "") && true) {

$isValid = true;

}

return $isValid;

}

$MM_restrictGoTo = "../denied.php";

if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {

$MM_qsChar = "?";

$MM_referrer = $_SERVER['PHP_SELF'];

if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";

if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)

$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];

$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);

header("Location: ". $MM_restrictGoTo);

exit;

}

?>

<?php

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

if (PHP_VERSION < 6) {

$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

}

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {

case "text":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "long":

case "int":

$theValue = ($theValue != "") ? intval($theValue) : "NULL";

break;

case "double":

$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";

break;

case "date":

$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

break;

case "defined":

$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

break;

}

return $theValue;

}

$colname_Recordset1 = "-1";

if (isset($_SESSION['MM_Username'])) {

$colname_Recordset1 = $_SESSION['MM_Username'];

}

mysql_select_db($database_hostprop, $hostprop);

$query_Recordset1 = sprintf("SELECT * FROM think_signup WHERE email = %s", GetSQLValueString($colname_Recordset1, "text"));

$Recordset1 = mysql_query($query_Recordset1, $hostprop) or die(mysql_error());

$row_Recordset1 = mysql_fetch_assoc($Recordset1);

$totalRows_Recordset1 = mysql_num_rows($Recordset1);

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

<title>Untitled Document</title>

</head>

<body>

</p>

</body>

</html>

<?php

mysql_free_result($Recordset1);

?>

Report · Apr 13, 2012

You are checking if the email fields match - but I don't see them in the form.

Is the data actually getting inserted into the DB? I would think not

Why are you using multipart/form-data when there is no file field in the form?

If the email and password fields don't match, you end up executing most of the code anyway. Why?

Lots of other errors too.

In Response To bregent · Apr 13, 2012

i have scrap it and doing something else...as you say too many errors

im using multipart/form-data because the is a uploader aswell