Wrox Programmer Forums

BOOK: PHP and MySQL: Create-Modify-Reuse ISBN: 978-0-470-19242-9
This is the forum to discuss the Wrox book PHP and MySQL: Create-Modify-Reuse by Timothy Boronczyk, Martin E. Psinas; ISBN: 9780470192429
#1
Old May 22nd, 2009, 10:46 PM
(Ch. 1 Conflicting Info) This should be the Greatest PHP & mySQL Book - EVER

When I read through this book I thought - YES!!!! this is the one....
but there seem to be a few issues, like as if the book was rushed out...

I want to stick with this book (but don't want to move on until Ch. 1 is working) - I have most of this stuff working, but my issue is with login and IN PARTICULAR - Figure 1-6 - showing part-data - MINE is BLANK - but it only logs in if values are correct and stored

for "main.php" (near top)

//this hard-codes USER_ID (direct from table - BUT - if "1" deleted... - NOTHING)
$user = User::getById(1);


or
//nothing regardless
$user = User::getById($_SESSION['USER_ID']);

I have tried this second option from the downloads many many times with every variation...

Any help would be great -
#2
Old October 9th, 2009, 01:37 PM

Hi MO_MONEY

The book and the download code are different.
The book is correct.
The book says
Code:
$user = User::getById($_SESSION['userId']);
the download code says
Code:
$user = User::getById(1);
This is a VERY SERIOUS SECURITY ISSUE which I will talk
about near the bottom.

and you tried
$SESSION['USER_ID']

It should be $_SESSION['userId'], not $SESSION['USER_ID'] or 1
(and the 'userId' is case sensitive too)


What happens if you use $_SESSION['USER_ID'] is this.
$_SESSION['USER_ID'] is 0.
So you are calling getById with a userId of 0.
When User::getById queries the database it does this query

SELECT USERNAME, PASSWORD, EMAIL_ADDR, IS_ACTIVE, PERMISSION
FROM USER
WHERE USER_ID = 0

and it returns nothing, as it should, because there is no user_id of 0.
so then there are no rows returned, which makes it
fall through the if block
Code:
if (mysql_num_rows($result))
{
    $row = mysql_fetch_assoc($result);
    $user->username = $row['USERNAME'];
    $user->password = $row['PASSWORD'];
    $user->emailAddr = $row['EMAIL_ADDR'];
    $user->isActive = $row['IS_ACTIVE'];
    $user->permission = $row['PERMISSION'];
    $user->uid = $user_id;
}
So there is nothing in the user object.

When the program returns to main.php it has no $user->username or
$user->emailAddr.
So in the disabled, readonly, textfield labeled "Username",
there is nothing to echo, $user->username is empty.
Code:
<tr>
    <td><label>Username</label></td>
    <td><input type="text" name="username" disabled="disabled"
        readonly="readonly" value="<?php echo $user->username; ?>" /></td>
</tr>
Same for the textfield labeled "Email Address";
$user->emailAddr is empty
Code:
<tr>
    <td><label for="email">Email Address</label></td>
    <td><input type="text" name="email" id="email"
        value="<?php echo (isset($_POST['email'])) ? htmlspecialchars(
        $_POST['email']) : $user->emailAddr; ?>" /></td>
</tr>
NOW, about the book download code.

Since you are passing down a user_id of 1, it will return the user
object for userId 1. THIS IS NOT CORRECT and a SERIOUS SECURITY HOLE.

If your userId was 10 then
You wouldn't be changing your own password and email you would be
changing it for someone else!! (userId 1)
Two things happen here
First, User 10 would be annoyed and wouldn't be able to change his password
or email.
Second, This is a VERY SERIOUS security hole. If you have 100 users, any of those users 2-100 could steal everything from userId 1.
1. They see the readonly user name in the textfield.
2. They change the email to their own.
3. They change the password to their own.
So they have stolen the identity of userId 1.

I am sure this is just an oversight, and the publishing company will
change the download code. I am going to enter an errata with
WROX right now.


I hope this helps.
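One way to write the top of main.php so it does what the answer above describes, as an added example that is not the book's or the download's code: the user id comes only from the session, a missing or stale id sends the visitor back to login instead of falling back to a fixed row, and any profile update is scoped to that same id. It assumes a PDO connection `$db` to the book's USER table and the book's `User::getById()`; the helper names `currentUserId` and `updateEmail` are made up here.

```php
<?php
// Added example (not the book's or the download's code): a replacement for the
// top of main.php that derives the user from the session instead of a constant.
// Assumes a PDO connection $db to the book's USER table and a User class with a
// static getById(int $id) method, as described in the thread; helper names are assumed.
declare(strict_types=1);
session_start();

// Vulnerable form from the download code: every visitor edits USER_ID 1.
// $user = User::getById(1);

function currentUserId(array $session): ?int
{
    // Only a positive integer stored at login counts as an authenticated user.
    if (!isset($session['userId']) || filter_var($session['userId'], FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $id = (int) $session['userId'];
    return $id > 0 ? $id : null;
}

$uid = currentUserId($_SESSION);
if ($uid === null) {
    // No login in this session: do not fall back to any fixed row.
    header('Location: login.php');
    exit;
}

// Hardened form: the row is selected by the caller's own session id.
$user = User::getById($uid);
if ($user === null || empty($user->username)) {
    // The session points at a row that no longer exists (e.g. the account was
    // deleted), so invalidate it rather than rendering an empty form.
    session_destroy();
    header('Location: login.php');
    exit;
}

// Any profile change must be scoped to the same id, never to an id taken from
// the request, so one user cannot overwrite another user's email or password.
function updateEmail(PDO $db, int $uid, string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare('UPDATE USER SET EMAIL_ADDR = :email WHERE USER_ID = :id');
    return $stmt->execute([':email' => $email, ':id' => $uid]);
}
```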