Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

How do i improve on this code? How do i make it more secure? <?php // Variable t

ID: 3889779 • Letter: H

Question

How do i improve on this code? How do i make it more secure?

<?php

// Variable to store errors as script processes

$err = '';

// Database Access Information

$hostname="db.petsales.com";

$username="petsales";

$password="password";

$dbname="petsales";

$con = mysql_connect($hostname,$username, $password) or die ("<html><script language='JavaScript'>alert('Unable to connect to database! Please try again later.'),history.go(-1)</script></html>");

mysql_select_db($dbname);

// Navigation Management Variables

$def = true;

$mynav = '';

$mycontent = '';

$mylogin = false;

// Administrative Variables

$adm_pg = '';

$adm_un = 'admin'; // Username for administrator

$adm_pw = 'password'; // Password for administrator

// Check session information from form - email, session, fname lookup -

// Returns user type ('U' is default for active user, '0' means unregistered)

$mytype = '0';

$exp = false;

// This tests to see if the user is logged into the system successfully

// If so, $mylogin is set to TRUE

// If not, an error is generated into $err

if ((time() < intval($_POST['session']))) {

if ((($_POST['fname'] != '')&&($_POST['email'] != ''))&&($_POST['session'] != '')) {

$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . $_POST['email'] . "'"); // Email address is used directly.

$row = mysql_fetch_array($result);

if (!$result) {

$err = $err . "Your session is no longer valid. Please login again.<br>";

} else if ($row[0] == $_POST['email']) {

$email = $row[0];

$pw = $row[1];

$fname = $row[2];

$sess = time() + (60*60);

$exp = true;

// if successful, reset session expiration

$result = mysql_query("UPDATE sessions SET id = '" . $sess . "' WHERE email = '" . $email . "' AND pw = '" . $pw . "'");

$mylogin = true;

} else {

$err .= "Data did not return correctly. Please try your request again.<br>";

}

}

}

// This script processes the main request of the system

// Options are: register, login, logout

switch ($_POST['tokenid']) {

case "logout": // Logout from system

//kill session parameter in form

$_POST['session'] = '-1';

$_POST['email'] = '';

$_POST['fname'] = '';

$email = '';

$fname = '';

$sess = -1;

$email = '';

$mytype = '0';

$mylogin = false;

$exp = false;

break;

case "login": // Login to system

// verify login

// perform tests on values used

if (($_POST['us'] == $adm_un)&&($_POST['pw'] == $adm_pw)) { // Display Admin Results

//admin verification

$email = 'Admin';

$pw = $_POST['pw'];

$fname = $adm_un;

$mytype = 'A';

$sess = time() + (10*60);

$def = false;

$adm_pg = '';

$adm_result = mysql_query("SELECT email,fname,lname,pw FROM sessions");

if (!$adm_result) {

$err = $err . "The results from the database could not be returned.<br>&nbsp;<br>";

$def = true;

} else {

$adm_i = 0;

$adm_j = 0;

$adm_pg = $adm_pg . '<table cellpadding=2 cellspacing=0 border=0><tr><td><i>Email</i></td><td><i>Name</i></td><td><i>Password</i></td></tr>';

while ( $adm_row = mysql_fetch_array($adm_result) ) {

$adm_pg = $adm_pg . '<tr><td>' . $adm_row[0] . '</td><td>' . $adm_row[1] . ' ' . $adm_row[2] . '</td><td>' . $adm_row[3] . '</td></tr>';

}

$adm_pg = $adm_pg . '</table>';

}

} else { // Test for regular login

$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . ($_POST['us']) . "' AND pw = '" . $_POST['pw'] . "'");

if (!$result) {

// false return; do not change default

$err = $err . "Login information did not match existing records.<br>";

} else {

$row = mysql_fetch_array($result);

if (($row[0] == $_POST['us'])&&($row[1] == $_POST['pw'])) { // Password is used directly with no modification

$email = $row[0];

$fname = $row[2];

$sess = $row[3];

$exp = true;

$err = $err . "Login successful! Welcome, " . $fname . "!";

//update session time

$sess = time() + (60*60);

$result = mysql_query("UPDATE sessions SET id = '" . $sess . "' WHERE email = '" . $_POST['email'] . "' AND pw = '" . $_POST['pw'] . "'");

$mylogin = true;

} else {

$err = $err . "Login information did not match existing records.<br>";

}

}

}

break;

case "register": // Register new user

$err_ct = 0;

// validate form data

//test for empties

//make sure passwords match

//test length of variables

//test for existing email registration

// perform registration

if ($err_ct == 0) {

$result = mysql_query("INSERT INTO sessions (email, pw, fname, lname, id) VALUES ('" . $_POST['email'] . "', '" . $_POST['pw'] ."','" . $_POST['fname'] . "','" . $_POST['lname'] . "','" . (time()+(60*60)) . "'");

}

if (!$result) {

$err = $err . "No data has been stored.";

} else {

$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . $_POST['email'] . "' AND pw = '" . $_POST['pw'] . "'");

$row = mysql_fetch_array($result);

if (!$result) {

// false return; do not change default

$err = $err . "Data storage unsuccessful. Please try again.<br>";

} else {

if (($row[0] == $_POST['email'])&&($row[1] == hash('md5',$_POST['pw']))) {

$email = $row[0];

$fname = $row[2];

$sess = $row[3];

$exp = true;

$err = $err . "Registration successful! Welcome, " . $fname . "!<br>";

$mylogin = true;

} else {

$err = $err . "Data storage unsuccessful. Please try again.<br>";

}

}

}

break;

// The following cases are for navigation only - Do not edit!

case "reg": // Register new user

$def = false;

echo 'document.getElementById("thispage").innerHTML = displayfile("' . $_POST['pagereq'] . '");' . PHP_EOL;

break;

case "navigate":

// select navigation parameters

if ($mylogin) {

echo 'document.getElementById("thispage").innerHTML = displayfile("' . $_POST['pagereq'] . '");' . PHP_EOL;

} else {

echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;

}

$def = false;

break;

case "request":

// request restricted item

// return or deny

if ($mylogin) {

echo 'document.getElementById("thispage").innerHTML = displayfile("./' . $_POST['pagereq'] . '");' . PHP_EOL;

} else {

echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;

}

$def = false;

break;

case "js":

if ($mylogin) {

echo $_POST['pagereq'] . PHP_EOL;

} else {

echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;

}

$def = false;

break;

default:

$def = true;

break;

}

//session type sets navigation options - Do not edit!

$mynav = "'";

if ($mylogin) { // Test for login before displaying option

$mynav .= "<a href="#" class="la">View Pet Inventory</a>";

}

$mynav .= "';";

if ($exp) {

if (($fname == '')&&($_POST['fname'] != '')) {

$fname = $_POST['fname'];

}

echo 'this.document.getElementById("mylogin").innerHTML = "Welcome, ' . $fname . '! (<a href="#" class="la">Logout</a>)<br><a href="#" class="la">Change Password</a>";'. PHP_EOL;;

}

if ($def) {

if ($err == '') {

echo 'document.getElementById("thispage").innerHTML = displayfile("include/desc.html");'. PHP_EOL;

} else {

echo 'document.getElementById("thispage").innerHTML = "<br><b><i>Message: ' . $err . '</i></b><br>&nbsp;<br>" + displayfile("include/desc.html");'. PHP_EOL;

}

} else if ($mycontent != '') {

echo "document.getElementById("thispage").innerHTML = '" . $mycontent . "';" . PHP_EOL;

}

if ($adm_pg <> '') {

echo "document.getElementById("thispage").innerHTML = '" . $adm_pg . "';" . PHP_EOL;

}

echo 'document.getElementById("thisnav").innerHTML = ' . $mynav . PHP_EOL;

?>

Explanation / Answer

<?php
// Variable to store errors as script processes
$err = '';
// Database Access Information
class Database {
private static $con;
public static function connect() {
  $username = "petsales";
  $password = "password";
  $dsn='mysql:host=db.petsales.com;dbname=petsales';
  global $con;
  if (isset ( $con )) {
   return $con;
  } else {
   try {
    $con = new PDO ( $dsn, $username, $password );
    // set the PDO error mode to exception
setAttribute ( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    //echo "connection successfull...<br>";
   } catch ( PDOException $e ) {
    echo "<br>" . $e->getMessage ();
    die ( "could not create connection" );
   }
  }
  return $conn;
}
public static function disconnect() {
  global $con;
  if (isset ( $con )) {
   $con = null;
   //echo "connection closed..";
  }
}
}
// Navigation Management Variables

$def = true;
$mynav = '';
$mycontent = '';
$mylogin = false;

// Administrative Variables

$adm_pg = '';
$adm_un = 'admin'; // Username for administrator
$adm_pw = 'password'; // Password for administrator

// Check session information from form - email, session, fname lookup -
// Returns user type ('U' is default for active user, '0' means unregistered)
$mytype = '0';
$exp = false;
$err = $adm_un = "";
// This tests to see if the user is logged into the system successfully
// If so, $mylogin is set to TRUE
// If not, an error is generated into $err

if ((time() < intval($_POST['session']))) {
if ((($_POST['fname'] != '')&&($_POST['email'] != ''))&&($_POST['session'] != '')) {
$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . $_POST['email'] . "'"); // Email address is used directly.
$row = mysql_fetch_array($result);
if (!$result) {
$err = $err . "Your session is no longer valid. Please login again.<br>";
} else if ($row[0] == $_POST['email']) {
$email = $row[0];
$pw = $row[1];
$fname = $row[2];
$sess = time() + (60*60);
$exp = true;

// if successful, reset session expiration

$result = mysql_query("UPDATE sessions SET id = '" . $sess . "' WHERE email = '" . $email . "' AND pw = '" . $pw . "'");
$mylogin = true;
} else {
$err .= "Data did not return correctly. Please try your request again.<br>";
}
}
}

// This script processes the main request of the system
// Options are: register, login, logout
switch ($_POST['tokenid']) {
case "logout": // Logout from system
//kill session parameter in form
$_POST['session'] = '-1';
$_POST['email'] = '';
$_POST['fname'] = '';
$email = '';
$fname = '';
$sess = -1;
$email = '';
$mytype = '0';
$mylogin = false;
$exp = false;
break;
case "login": // Login to system
// verify login
// perform tests on values used
if (($_POST['us'] == $adm_un)&&($_POST['pw'] == $adm_pw)) { // Display Admin Results
//admin verification
$email = 'Admin';
$pw = $_POST['pw'];
$fname = $adm_un;
$mytype = 'A';
$sess = time() + (10*60);
$def = false;
$adm_pg = '';
$adm_result = mysql_query("SELECT email,fname,lname,pw FROM sessions");
if (!$adm_result) {
$err = $err . "The results from the database could not be returned.<br>&nbsp;<br>";
$def = true;
} else {
$adm_i = 0;
$adm_j = 0;
$adm_pg = $adm_pg . '<table cellpadding=2 cellspacing=0 border=0><tr><td><i>Email</i></td><td><i>Name</i></td><td><i>Password</i></td></tr>';
while ( $adm_row = mysql_fetch_array($adm_result) ) {
$adm_pg = $adm_pg . '<tr><td>' . $adm_row[0] . '</td><td>' . $adm_row[1] . ' ' . $adm_row[2] . '</td><td>' . $adm_row[3] . '</td></tr>';
}
$adm_pg = $adm_pg . '</table>';
}
} else { // Test for regular login
$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . ($_POST['us']) . "' AND pw = '" . $_POST['pw'] . "'");
if (!$result) {
// false return; do not change default
$err = $err . "Login information did not match existing records.<br>";
} else {
$row = mysql_fetch_array($result);
if (($row[0] == $_POST['us'])&&($row[1] == $_POST['pw'])) { // Password is used directly with no modification
$email = $row[0];
$fname = $row[2];
$sess = $row[3];
$exp = true;
$err = $err . "Login successful! Welcome, " . $fname . "!";
//update session time
$sess = time() + (60*60);
$result = mysql_query("UPDATE sessions SET id = '" . $sess . "' WHERE email = '" . $_POST['email'] . "' AND pw = '" . $_POST['pw'] . "'");
$mylogin = true;
} else {
$err = $err . "Login information did not match existing records.<br>";
}
}
}
break;
case "register": // Register new user
$err_ct = 0;
// validate form data
//test for empties
//make sure passwords match
//test length of variables
//test for existing email registration
// perform registration
if ($err_ct == 0) {
$result = mysql_query("INSERT INTO sessions (email, pw, fname, lname, id) VALUES ('" . $_POST['email'] . "', '" . $_POST['pw'] ."','" . $_POST['fname'] . "','" . $_POST['lname'] . "','" . (time()+(60*60)) . "'");
}
if (!$result) {
$err = $err . "No data has been stored.";
} else {
$result = mysql_query("SELECT email,pw,fname,id FROM sessions WHERE email = '" . $_POST['email'] . "' AND pw = '" . $_POST['pw'] . "'");
$row = mysql_fetch_array($result);
if (!$result) {
// false return; do not change default
$err = $err . "Data storage unsuccessful. Please try again.<br>";
} else {
if (($row[0] == $_POST['email'])&&($row[1] == hash('md5',$_POST['pw']))) {
$email = $row[0];
$fname = $row[2];
$sess = $row[3];
$exp = true;
$err = $err . "Registration successful! Welcome, " . $fname . "!<br>";
$mylogin = true;
} else {
$err = $err . "Data storage unsuccessful. Please try again.<br>";
}
}
}
break;
// The following cases are for navigation only - Do not edit!
case "reg": // Register new user
$def = false;
echo 'document.getElementById("thispage").innerHTML = displayfile("' . $_POST['pagereq'] . '");' . PHP_EOL;
break;
case "navigate":
// select navigation parameters
if ($mylogin) {
echo 'document.getElementById("thispage").innerHTML = displayfile("' . $_POST['pagereq'] . '");' . PHP_EOL;
} else {
echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;
}
$def = false;
break;
case "request":
// request restricted item
// return or deny

if ($mylogin) {
echo 'document.getElementById("thispage").innerHTML = displayfile("./' . $_POST['pagereq'] . '");' . PHP_EOL;
} else {
echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;
}
$def = false;
break;
case "js":
if ($mylogin) {
echo $_POST['pagereq'] . PHP_EOL;
} else {
echo 'document.getElementById("thispage").innerHTML = "You do not have the correct permissions to view this content.";' . PHP_EOL;
}
$def = false;
break;
default:
$def = true;
break;
}

//session type sets navigation options - Do not edit!

$mynav = "'";
if ($mylogin) { // Test for login before displaying option
$mynav .= "<a href="#" class="la">View Pet Inventory</a>";
}
$mynav .= "';";
if ($exp) {
if (($fname == '')&&($_POST['fname'] != '')) {
$fname = $_POST['fname'];
}
echo 'this.document.getElementById("mylogin").innerHTML = "Welcome, ' . $fname . '! (<a href="#" class="la">Logout</a>)<br><a href="#" class="la">Change Password</a>";'. PHP_EOL;;
}
if ($def) {
if ($err == '') {
echo 'document.getElementById("thispage").innerHTML = displayfile("include/desc.html");'. PHP_EOL;
} else {
echo 'document.getElementById("thispage").innerHTML = "<br><b><i>Message: ' . $err . '</i></b><br>&nbsp;<br>" + displayfile("include/desc.html");'. PHP_EOL;
}
} else if ($mycontent != '') {
echo "document.getElementById("thispage").innerHTML = '" . $mycontent . "';" . PHP_EOL;
}
if ($adm_pg <> '') {
echo "document.getElementById("thispage").innerHTML = '" . $adm_pg . "';" . PHP_EOL;
}
echo 'document.getElementById("thisnav").innerHTML = ' . $mynav . PHP_EOL;
?>

Its my advise to create a different file for each phase like login, database connection, checking of validation etc,. because it will make you to write your code more effectively and more readable.

Related Questions

How do genetics and environment affect people at different stages of development
Question #3493452
How do germ-line mutations differ from somatic mutations? (a) Germ-line mutation
Question #73382
How do germ-line mutations differ from somatic mutations? (a) Germ-line mutation
Question #315527
How do get JavaFX to read a text file? I want to be able to enter a name and pas
Question #3859960
How do glasses help a FARSIGHTED person to see more clearly? A. diverging lens b
Question #306944
How do goals and objectives at NUCOR relate to the planning facet of the Plannin
Question #428641
How do government policies and/or regulations factor into changes in economic ac
Question #1199597
How do government policies and/or regulations factor into changes in economic ac
Question #1204566
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
How do i implement the class smartArray, as a class template elemtype to accept
Next
How do i journalize these? 2006 Feb 3 purchased equipment for 10,000, signing a

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.