Php help



dobbin
14-09-2008, 09:15 AM
Can any of you see a problem with this script?

<?php

$user_name = $_POST["user_name"];
$password = $_POST["password"];
$admin = $_POST["admin"];

// The checkbox arrives as 'on' when ticked; store it as 1/0 for the admin column.
if( $admin == 'on' ) {
    $admin = 1;
} else {
    $admin = 0;
}

echo $user_name.','.$password.','.$admin;

//echo $user_name;

// header() on its own does not stop the script; execution continues to the insert below.
if( $user_name == '' or $password == '' ) {
    header( 'location: create_user.html' );
}

// Note: this reassigns $password, so the posted password is replaced by '' before the insert.
$user = 'temp_admin';
$password = '';
$host = 'localhost';
$database = 'security';

$cxn = mysqli_connect( $host, $user, $password, $database )
    or die( 'Could not connect to database' );

$sql = "insert into user ( user_name, password, admin )
    values ( '" .$user_name. "', '" .$password. "', " .$admin. " )";

$result = mysqli_query( $cxn, $sql );

echo "Created user ".$user_name;

?>

Calon
14-09-2008, 09:17 AM
echo $user_name;
echo $password;
echo $admin;

Jxhn
14-09-2008, 10:25 AM
It would help if you told us what's going wrong.

dobbin
14-09-2008, 11:54 AM
Ok, you can sign normal people up, but when you want to sign an admin up it doesn't work.

Decode
14-09-2008, 11:56 AM
Are you sure you are posting $_POST['admin'] as "on"?

Invent
14-09-2008, 06:24 PM
<?php

$user_name = $_POST[ 'user_name' ];
$password = $_POST[ 'password' ];
$admin = $_POST[ 'admin' ];

// Checkbox value 'on' becomes '1', anything else (including absent) becomes '0'.
if( $admin == 'on' )
{
    $admin = '1';
}
else
{
    $admin = '0';
}

echo $user_name . ',' . $password . ',' . $admin;

//echo $user_name;

if( $user_name == '' || $password == '' )
{
    header( 'Location: create_user.html' );
    die; // stop here, otherwise the insert still runs after the redirect header
}

// Database credentials kept in their own variable so the posted $password is not overwritten.
$user = 'temp_admin';
$db_password = '';
$host = 'localhost';
$database = 'security';

$cxn = mysqli_connect( $host, $user, $db_password, $database ) or die( 'Could not connect to database' );

$sql = "INSERT INTO `user` ( `user_name`, `password`, `admin` ) VALUES ( '" . $user_name . "', '" . $password . "', '" . $admin . "' )";

$result = mysqli_query( $cxn, $sql );

echo 'Created user ' . $user_name;

?>


That should work... if not, please tell me/us the error.

Calon
14-09-2008, 06:37 PM
I hate it when people capitalize the first letter of php and leave the rest in lowercase :(

Sorry, but your explanation really didn't help me. Simon's code looks like it should work; I haven't seen it, but yeah..

Hypertext
14-09-2008, 07:17 PM
I hope you're not basing administrator abilities on a post; FYI, this could easily be spoofed.

Kyle!
15-09-2008, 12:51 PM
I hope you're not basing administrator abilities on a post; FYI, this could easily be spoofed.

Ah... Looks like he is. :(

Source
15-09-2008, 01:00 PM
It shouldn't be a problem, as this looks like it's in an admin control area... it's for making users and not logging in etc...

Hypertext
15-09-2008, 01:07 PM
If it is, an $admin variable wouldn't be needed, as we'd already know it was in the admin control area.

Source
15-09-2008, 01:27 PM
This is for making users, Charlie... am I being thick or something? At the moment it seems to be you...

This is for making users; the admin variable is to determine if that user would have admin rights, and it then stores the details in the database. $admin relates to the admin column.

Dentafrice
15-09-2008, 08:44 PM
I hope you're not basing administrator abilities on a post; FYI, this could easily be spoofed.


If it is, an $admin variable wouldn't be needed, as we'd already know it was in the admin control area.

Can you really not interpret something as easy as that?

It's a checkbox.. on/off? If the checkbox is on, do you not get that?

I mean.. you're a professional coder.. you should understand that?

It's not posting permissions?! That would be stupid.

http://www.tehupload.com/uploads/app-56547322428369983.png (http://www.tehupload.com/share/6534)

Hypertext
15-09-2008, 09:20 PM
In which case, I'll change my point. Somebody could easily navigate to this page and send a spoofed $_POST array, thus adding themselves a user, which is dangerous, regardless of whether the page with the form is secure.

Source
15-09-2008, 09:23 PM
And the chances of that person knowing what the structure of the site is, and what the file name would be?

Dentafrice
15-09-2008, 09:23 PM
I'm pretty damn sure, that isn't all of his code.



<?php
include "config.php";

$core->user->requireLogin();
$core->user->requireAdmin();

$action = $_GET["action"];

switch($action) {

}
?>

Couldn't spoof that.

Plus he isn't asking for if it is secure or not, he's asking what's the matter with it.
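
The point made in the two posts above, as an added example that is not code from anyone in this thread: the create-user handler refuses to run unless the caller's own session says they are a logged-in admin (a forged $_POST array never reaches $_SESSION), the checkbox is reduced to a 0/1 integer on the server, and the insert is done with a prepared statement. The session keys 'user_id' and 'is_admin', the table layout user(user_name, password, admin) and the credentials are assumptions taken from or added to the thread.

```php
<?php
// Added example, not the thread's code. Assumes $_SESSION['user_id'] and
// $_SESSION['is_admin'] are set by the login code, and the table user(user_name, password, admin).
declare(strict_types=1);
session_start();

// Gate on the server-side session, not on anything the client posts.
function require_admin(): void {
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function create_user(mysqli $cxn, string $user_name, string $password, bool $admin): bool {
    // The checkbox is only a hint from the form; the stored value is decided here as 0 or 1.
    $admin_flag = $admin ? 1 : 0;
    // Store a hash, never the plaintext password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: user input is bound, never concatenated into the SQL string.
    $stmt = $cxn->prepare('INSERT INTO `user` (`user_name`, `password`, `admin`) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $user_name, $hash, $admin_flag);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

require_admin();

$user_name = trim($_POST['user_name'] ?? '');
$password  = $_POST['password'] ?? '';
$admin     = ($_POST['admin'] ?? '') === 'on'; // an unticked checkbox is not sent at all

if ($user_name === '' || $password === '') {
    header('Location: create_user.html');
    exit; // stop here; without this the script would continue past the redirect
}

// Separate variable for the DB password so it cannot clobber the posted one.
$db_password = '';
$cxn = mysqli_connect('localhost', 'temp_admin', $db_password, 'security')
    or die('Could not connect to database');

if (create_user($cxn, $user_name, $password, $admin)) {
    echo 'Created user ' . htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8');
}
```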

Hypertext
15-09-2008, 09:54 PM
I'm pretty damn sure, that isn't all of his code.



<?php
include "config.php";

$core->user->requireLogin();
$core->user->requireAdmin();

$action = $_GET["action"];

switch($action) {

}
?>

Couldn't spoof that.

Plus he isn't asking for if it is secure or not, he's asking what's the matter with it.

Where did that code come from?

And we're inferring that. You could easily have made bad functions of requireLogin() and requireAdmin().

Dentafrice
15-09-2008, 09:58 PM
It was an example..?

of course I could have.. but I didn't.. :rolleyes:

Source
15-09-2008, 10:52 PM
Twinkies.
