Wrox Programmer Forums
BOOK: PHP and MySQL: Create-Modify-Reuse ISBN: 978-0-470-19242-9
This is the forum to discuss the Wrox book PHP and MySQL: Create-Modify-Reuse by Timothy Boronczyk, Martin E. Psinas; ISBN: 9780470192429
You are currently viewing the BOOK: PHP and MySQL: Create-Modify-Reuse ISBN: 978-0-470-19242-9 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
May 22nd, 2009, 10:46 PM
(Ch. 1 Conflicting Info) This should be the Greatest PHP & mySQL Book - EVER

When I read through this book I thought - YES!!!! this is the one....
but there seem to be a few issues, like as if the book was rushed out...

I want to stick with this book (but don't want to move on until CH1 is working) which I have most of this stuff working, but my issue is with login and IN PARTICULAR - Figure 1-6 - showing part-data - MINE is BLANK - but only logs in if values are correct and stored

for "main.php" (near top)

//this hard-codes USER_ID (direct from table - BUT - if "1" deleted... - NOTHING)
$user = User::getById(1);

//nothing regardless
$user = User::getById($_SESSION['USER_ID']);

I have tried this second option from the downloads many many times with every variation...

Any help would be great -
October 9th, 2009, 01:37 PM


The book and the download code are different.
The book is correct.
The book says
$user = User::getById($_SESSION['userId']);
the download code says
     $user = User::getById(1);
This is a VERY SERIOUS SECURITY ISSUE which I will talk
about near the bottom.

and you tried

It should be $_SESSION['userId'], not $_SESSION['USER_ID'] or 1
(and the 'userId' is case sensitive too)

What happens if you use $_SESSION['USER_ID'] is this.
$_SESSION['USER_ID'] is 0.
So you are calling getById with a userId of 0.
When User::getById queries the database it does this query


and it returns nothing, as it should, because there is no user_id of 0.
so then there are no rows returned, which makes it
fall through the if block
   if (mysql_num_rows($result))
   {
            // only runs when the query returned a row
            $row = mysql_fetch_assoc($result);
            $user->username = $row['USERNAME'];
            $user->password = $row['PASSWORD'];
            $user->emailAddr = $row['EMAIL_ADDR'];
            $user->isActive = $row['IS_ACTIVE'];
            $user->permission = $row['PERMISSION'];
            $user->uid = $user_id;
   }
So there is nothing in the user object.

When the program returns to main.php it has no $user->username or
So in the disabled, readonly, textfield labeled "Username",
there is nothing to echo, $user->username is empty.
         <td><input type="text" name="username" disabled="disabled"
         readonly="readonly" value="<?php echo $user->username; ?>" /></td>
Same for the textfield labeled "Email Address";
$user->emailAddr is empty
            <td><label for="email">Email Address</label></td>
            <td><input type="text" name="email" id="email"
              value="<?php echo (isset($_POST['email']))? htmlspecialchars(
              $_POST['email']) : $user->emailAddr;  ?>" /></td>
NOW, about the book download code.

Since you are passing down a user_id of 1, it will return the user

If your userId was 10 then
You wouldn't be changing your own password and email you would be
changing it for someone else!! (userId 1)
Two things happen here
First, User 10 would be annoyed and wouldn't be able to change his password
or email.
Second, This is a VERY SERIOUS security hole. If you have 100 users, any of those users 2-100 could steal everything from userId 1.
1. They see the readonly user name in the textfield.
2. They change the email to their own.
4. They change password to their own.
So they have stolen the identity of userId 1.

I am sure this is just an oversight, and the publishing company will
change the download code. I am going to enter an errata with
WROX right now.

I hope this helps.
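
Added example (not part of the original post or the book's download code): the hard-coded lookup next to a session-bound one, run for the three cases discussed in this thread. UserStore, accountHardCoded() and accountFromSession() are hypothetical names, and the in-memory rows are constructed stand-ins for the book's User class and its table.

```php
<?php
// Added illustration, not the book's code. UserStore is a constructed
// in-memory stand-in for the book's User class and its database table.
final class UserStore
{
    private static array $rows = [
        1  => ['username' => 'admin',  'emailAddr' => 'admin@example.test'],
        10 => ['username' => 'reader', 'emailAddr' => 'reader@example.test'],
    ];

    public static function getById($id): ?array
    {
        // Only a positive integer can match a row; 0, null or '' never do.
        $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return ($id !== false && isset(self::$rows[$id]))
            ? self::$rows[$id] + ['uid' => $id]
            : null;
    }
}

// Download-code behaviour: the account is fixed, whoever is logged in.
function accountHardCoded(array $session): ?array
{
    return UserStore::getById(1);
}

// Session-bound lookup: the id comes only from the server-side session.
// A missing key or unknown id yields null, so the caller can fail closed
// (redirect to the login page) instead of rendering an empty form.
function accountFromSession(array $session): ?array
{
    if (!isset($session['userId'])) {
        return null;
    }
    return UserStore::getById($session['userId']);
}

$cases = [
    'user 10, key userId'  => ['userId' => 10],
    'user 10, key USER_ID' => ['USER_ID' => 10],
    'not logged in'        => [],
];
foreach ($cases as $label => $session) {
    $a = accountHardCoded($session);
    $b = accountFromSession($session);
    printf("%-22s hard-coded: %-7s session-bound: %s\n", $label,
        $a['username'] ?? '(none)', $b['username'] ?? '(none)');
}
```

The hard-coded variant hands back userId 1's record in every case, including for a visitor with no session at all; the session-bound variant returns only the logged-in user's own record and returns nothing when the key is missing or misspelled.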
