Hi MO_MONEY
The book and the download code are different.
The book is correct.
The book says
Code:
$user = User::getById($_SESSION['userId']);
the download code says
Code:
$user = User::getById(1);
This is a VERY SERIOUS SECURITY ISSUE which I will talk
about near the bottom.
And you tried
$SESSION['USER_ID']
It should be $_SESSION['userId'], not $SESSION['USER_ID'] or 1
(and the 'userId' is case sensitive too)
What happens if you use $_SESSION['USER_ID'] is this.
$_SESSION['USER_ID'] is 0.
So you are calling getById with a userId of 0.
When User::getById queries the database it does this query
SELECT USERNAME, PASSWORD, EMAIL_ADDR, IS_ACTIVE, PERMISSION
FROM USER
WHERE USER_ID = 0
and it returns nothing, as it should, because there is no user_id of 0.
So then there are no rows returned, which makes it
fall through the if block.
Code:
if (mysql_num_rows($result))
{
    $row = mysql_fetch_assoc($result);
    $user->username = $row['USERNAME'];
    $user->password = $row['PASSWORD'];
    $user->emailAddr = $row['EMAIL_ADDR'];
    $user->isActive = $row['IS_ACTIVE'];
    $user->permission = $row['PERMISSION'];
    $user->uid = $user_id;
}
So there is nothing in the user object.
When the program returns to main.php it has no $user->username or
$user->emailAddr.
So in the disabled, read-only text field labeled "Username",
there is nothing to echo; $user->username is empty.
Code:
<tr>
    <td><label>Username</label></td>
    <td><input type="text" name="username" disabled="disabled"
        readonly="readonly" value="<?php echo $user->username; ?>" /></td>
</tr>
Same for the text field labeled "Email Address":
$user->emailAddr is empty.
Code:
<tr>
    <td><label for="email">Email Address</label></td>
    <td><input type="text" name="email" id="email"
        value="<?php echo (isset($_POST['email'])) ? htmlspecialchars(
            $_POST['email']) : $user->emailAddr; ?>" /></td>
</tr>
NOW, about the book download code.
Since you are passing down a user_id of 1, it will return the user
object for userId 1. THIS IS NOT CORRECT and is a SERIOUS SECURITY HOLE.
If your userId were 10, then
you wouldn't be changing your own password and email; you would be
changing them for someone else (userId 1)!!
Two things happen here.
First, user 10 would be annoyed and wouldn't be able to change his password
or email.
Second, this is a VERY SERIOUS security hole. If you have 100 users, any of users 2-100 could steal everything from userId 1.
1. They see the read-only user name in the text field.
2. They change the email to their own.
3. They change the password to their own.
So they have stolen the identity of userId 1.
I am sure this is just an oversight, and the publishing company will
change the download code. I am going to enter an erratum with
WROX right now.
I hope this helps.
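The two behaviours described in the post, side by side, as an added example that is not the book's, WROX's or the poster's code. It replaces the book's mysql_* calls with PDO over an in-memory SQLite database so it runs stand-alone from the PHP CLI (`php example.php`); the USER table and column names follow the query quoted above, while the function names (saveProfileDownload, saveProfileBook, updateAccount), the two sample users and their placeholder password hashes are assumptions constructed for the demonstration. It also shows the third case from the post: a session key that does not exist yields no row, and the code fails closed instead of rendering an empty form.

```php
<?php
// Added example, not code from the book or its download bundle.
// Demonstrates: the account being edited must come from the server-side
// session ($_SESSION['userId']), never from a literal such as 1.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same table/columns as the SELECT quoted in the post.
    $db->exec('CREATE TABLE USER (USER_ID INTEGER PRIMARY KEY, USERNAME TEXT,
               PASSWORD TEXT, EMAIL_ADDR TEXT, IS_ACTIVE INTEGER, PERMISSION INTEGER)');
    $ins = $db->prepare('INSERT INTO USER VALUES (?, ?, ?, ?, 1, 0)');
    // Constructed sample users; the "hashes" are placeholders, not real credentials.
    $ins->execute([1,  'alice',   'hash-alice',   'alice@example.com']);
    $ins->execute([10, 'mallory', 'hash-mallory', 'mallory@example.com']);
    return $db;
}

// Equivalent of User::getById, but returns null when no row matches instead of
// an empty object, so a bad id cannot silently fall through.
function getById(PDO $db, int $userId): ?array {
    $stmt = $db->prepare('SELECT USER_ID, USERNAME, PASSWORD, EMAIL_ADDR
                          FROM USER WHERE USER_ID = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function updateAccount(PDO $db, int $userId, string $newEmail, string $newPasswordHash): void {
    $upd = $db->prepare('UPDATE USER SET EMAIL_ADDR = ?, PASSWORD = ? WHERE USER_ID = ?');
    $upd->execute([$newEmail, $newPasswordHash, $userId]);
}

// Download-code behaviour: the edited account is hard-coded to user 1.
// $session is accepted but ignored, which is exactly the bug.
function saveProfileDownload(PDO $db, array $session, string $newEmail, string $newPasswordHash): int {
    $target = getById($db, 1);
    updateAccount($db, $target['USER_ID'], $newEmail, $newPasswordHash);
    return $target['USER_ID'];
}

// Book behaviour: the edited account is the one this session authenticated as.
// Fails closed if the session has no userId or the id matches no row.
function saveProfileBook(PDO $db, array $session, string $newEmail, string $newPasswordHash): int {
    if (!isset($session['userId'])) {            // key is case sensitive
        throw new RuntimeException('no userId in session: not logged in');
    }
    $target = getById($db, (int) $session['userId']);
    if ($target === null) {
        throw new RuntimeException('session userId matches no account');
    }
    updateAccount($db, $target['USER_ID'], $newEmail, $newPasswordHash);
    return $target['USER_ID'];
}

// Simulated $_SESSION: mallory (userId 10) is the logged-in user.
$session = ['userId' => 10];

// 1. Download code: mallory's form submission overwrites alice's row.
$db = makeDb();
$edited = saveProfileDownload($db, $session, 'mallory@evil.example', 'hash-new');
printf("download code edited user %d; alice is now %s\n",
       $edited, json_encode(getById($db, 1)));

// 2. Book code: only mallory's own row changes, alice is untouched.
$db = makeDb();
$edited = saveProfileBook($db, $session, 'mallory@evil.example', 'hash-new');
printf("book code edited user %d; alice still %s\n",
       $edited, getById($db, 1)['EMAIL_ADDR']);

// 3. Wrong session key ($_SESSION['USER_ID'] instead of 'userId'): rejected
//    instead of loading user 0 and rendering an empty form.
try {
    saveProfileBook($db, ['USER_ID' => 10], 'x@example.com', 'h');
} catch (RuntimeException $e) {
    echo "wrong key rejected: {$e->getMessage()}\n";
}
```

Run it and the first line shows alice's email and password replaced by values mallory submitted; the second shows alice's row unchanged. The design point is that the id in the WHERE clause of the UPDATE is derived from the authenticated session and nothing else: not a literal, and not a value taken from the form, since a hidden field or URL parameter carrying the user id would be just as easy for user 10 to rewrite to 1.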