Page 1 of 1
Re: Finding ID
Posted: Sun Jun 19, 2011 11:30 am
by jacek
What URL do you get sent to after clicking on one of the links ?
Re: Finding ID
Posted: Sun Jun 19, 2011 3:45 pm
by jacek
If you add
var_dump(fetch_users());
somewhere, do you get the ids from that ?
Re: Finding ID
Posted: Sun Jun 19, 2011 4:47 pm
by jacek
hmm...
can you make sure you have error_reporting set to E_ALL, the problem is most likely a misspelled variable and enabling E_NOTICE level messages will show you that right away instead of trying to guess.
Re: Finding ID
Posted: Sun Jun 19, 2011 7:32 pm
by jacek
the error_reposting() line should be the first thing in the script
Re: Finding ID
Posted: Sun Jun 19, 2011 11:03 pm
by jacek
Well that tells you that you can remove the session_start line
But you are looking in the wrong file, the problem has to be in the "page where you choose an account:" file as the $_GET variable is not set right in the URL you post a few posts ago. Also you can remove the session_start in both pages as it is in the init.inc.php file.
Re: Finding ID
Posted: Mon Jun 20, 2011 6:17 pm
by jacek
Try setting error_reporting to E_ALL for this file.
Re: Finding ID
Posted: Mon Jun 20, 2011 6:19 pm
by Temor
It's probably nothing, but in Line 50
<?php $_GET['$uid'];
Is it supposed to have a $ in it? :S
Re: Finding ID
Posted: Mon Jun 20, 2011 6:34 pm
by Torniquet
nevermind, i think i had the wrong end of the stick lol
Re: Finding ID
Posted: Mon Jun 20, 2011 7:39 pm
by jacek
jacek wrote:Try setting error_reporting to E_ALL for this file.
Please try this.
Re: Finding ID
Posted: Mon Jun 20, 2011 9:23 pm
by jacek
On the page that shows the error, do you have a uid variable in the URL ?
Re: Finding ID
Posted: Mon Jun 20, 2011 11:58 pm
by Torniquet
on the latest pages you have there, you are calling for $user['acc_id'] when you are setting it as $user['id']
That one is straight forward enough.
I have tested your coding on my machine, and it seems to work fine. I have looked for the above error in the origional script, and i cant see anything wrong anywhere.
Re: Finding ID
Posted: Tue Jun 21, 2011 12:07 am
by jacek
uhshosting wrote:no ever since i done the e_all on the one page i had an error on the account page that was trying to fix
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/thailand/public_html/account/core/user.inc.php on line 79
This is a SQL injection vulnerability, essentially, the quotes in the URL are being treated as part of the query, making it's syntax invalid.
uhshosting wrote:so my url is
http:/.com/account/admin/accounts/account.php?uid=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20index:%20%20acc_id%20in%20%3Cb%3E/home/public_html/account/admin/accounts/index.php%3C/b%3E%20on%20line%20%3Cb%3E51%3C/b%3E%3Cbr%20/%3E
the undefined index here means that the link you are clicking uses a variable that is not defined, as the person above this said
Re: Finding ID
Posted: Tue Jun 21, 2011 1:16 am
by jacek
uhshosting wrote:thank you i got it working.
Good news, but you also need to make sure you address
jacek wrote:This is a SQL injection vulnerability
Depending on how this is used in the query somebody may be able to use it to steal all of your data.
Re: Finding ID
Posted: Tue Jun 21, 2011 5:28 pm
by jacek
my SQL injection one should tell you how :