Hi, I need help; if anyone knows and wants to help me with a problem, I would greatly appreciate it.

I downloaded a page to my site, I installed it and it works well. I only have one problem: anyone can access it without having to log in, and it must be accessible only after being logged in.

The page with the problem:

> <!-- content -->
> <div id="content">
> <div class="boxui box-top"></div>
> <div class="boxui box-con">
> <?PHP include("./conectare/slide.php"); ?>      
> <div class="boxui box-end"></div>
> </div>
> <br>
> 
> 
> <div class="boxui box-title">
> <span class="title-icon icon-status"></span>
> <h2><b>loguri accesari cont</b></h2></div>
> <div class="boxui box-con"><div class="wrap"><p>
> 
>                         <?php
>                       
> echo '<div align="center" style="margin-bottom: 10px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">';
> echo '        <table border="1" bordercolor="FFCC00" style="background-color:FFFFCC" width="400" cellpadding="3" cellspacing="3">
> <thead>
> <td> id cont</td>
> <td> status logare</td>
> <td> ch</td>
> <td> info logare</td>
> <td> info delogare</td>
> <td> id pc</td>
> </thead>
> ';
>                   
>                   $id = $_SESSION['id'];
>                       mysql_select_db("account");
>                       $sql = mysql_query("SELECT * FROM `account` WHERE `login` = '" . $id . "'") or die (mysql_error());
>                       $row2 = mysql_fetch_array($sql);
>                       $idnou = $row2['id'];
>                       mysql_select_db("log");
>    $SQL = mysql_query("SELECT * FROM `loginlog2` WHERE `account_id` = '" . $idnou . "' ORDER BY `login_time` DESC") or die (mysql_error()); // done, it works :) you don't have data in the database yet :))
>      $x1 = 0;$afisari = 25;
>      while(($row = mysql_fetch_array($SQL)) && ($afisari > 0))
>                         {
> 
> echo '
> 
>   <tr>
>       <td> '. $row["account_id"]. ' </td>
>       <td> '. $row["type"]. ' </td>
>       <td> '. $row["channel"]. ' </td>
>       <td> '. $row["login_time"]. ' </td>
>       <td> '. $row["logout_time"]. ' </td>
>       <td> '. $row["ip"]. ' </td>
>   </tr>
>   ';
> 
>                             $x1++;$afisari--;
>                         }
>                         if($x1 == 0)
>                         {
>                           echo "<tr><td>Nu avem destule date in baza de date pentru a genera aceasta informatie!</td><td></td></tr>";
>                         }
>                       
>                   echo '  </table>
>                           </div>';
>                       
> 
>                         ?>
>                       <br>
> 
>       <div class="meta"></div></div></div>
>               <div class="boxui box-end"></div>     
>               <!-- news post -->
> 
> 
> </p>
> 
> 
>   
>   <div style="margin-bottom: 10px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">
>    Aici se pot vedea loguri referitoare la ultimele logari in joc.
> <br><br>
> 
> Daca la "<u>Stare</u>" apare <u>"INVALID</u>", inseamna ca logarea a fost esuata sau clientul a fost inchis fara a se face delogare.
> </div>
> 
> 
>             
>       </div>
>       <!-- end content -->

and look at a page that runs on login:

> <div id="content">
> <div class="boxui box-top"></div>
> <div class="boxui box-con">
> <?PHP include("./conectare/slide.php"); ?>      
> <div class="boxui box-end"></div></div>
>   
> <div class="boxui box-title"><span class="title-icon icon-status"></span>
> <h2>listarea caracterelor</h2>
> </div><div class="boxui box-con"><div class="wrap"><p><span class="news-content">
> 
> <div style="margin-bottom: 0px; background: #FFF; padding: 6px; height:auto; border: 1px solid #c8c8c8; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px;">
> 
> <?PHP
> 
> if(isset($_SESSION['user_id']) && checkInt($_SESSION['user_id']) && $_SESSION['user_id']>=0) {
>  
> echo"<br/>";
> $cmdChars = "SELECT player.id,player.name,player.job,player.level,player.playtime,guild.name AS guild_name
> FROM player.player
> LEFT JOIN player.guild_member 
> ON guild_member.pid=player.id 
> LEFT JOIN player.guild 
> ON guild.id=guild_member.guild_id
> WHERE player.account_id='".$_SESSION['user_id']."'";
> $qryChars = mysql_query($cmdChars,$sqlServ);
> $x=0;
> echo'<table>
> 
> <tr>
> <th class="topLine">    Caracter               </th>
> <th class="topLine">Rasă            </th>
> <th class="topLine">Nivel          </th>
> <th class="topLine">Timp joc             </th>
> <th class="topLine">Breaslă          </th>
> <th class="topLine">   </th></tr>';
> 
> while($getChars = mysql_fetch_object($qryChars)) {
> $zF = ($x%2==0) ? "tdunkel" : "thell";
> echo'<tr>
> <td class="'.$zF.'">     <a href="?s=debugare&char='.$getChars->id.'" title="Deblocare caracter">'.$getChars->name.'</a></td>
> <td class="'.$zF.'"> '.$aRassen[$getChars->job].'</td>
> <td class="'.$zF.'"> '.$getChars->level.'</td>
> <td class="'.$zF.'"> '.$getChars->playtime.' Minute</td>
> <td class="'.$zF.'"> '.$getChars->guild_name.'</td>
> 
> </tr>';
> $x++;
> }
> echo'</table>';
> echo" <br/><br/>";
> }
>   else {
>     echo' <center><p class="meldung">You must be logged in to access this page</p></center>';
>   }
>   
> ?>
> 
> </div><br>
> <div class="meta"></div></div></div>
> <div class="boxui box-end"></div></div>

What needs to be added so that it cannot be accessed without login?
Or if someone could kindly modify my code. Thank you!

LastMitch

@cristian.stilpeanu.1

What needs to be added so that it cannot be accessed without login? Or if someone could kindly modify my code.

What error appears when you run this code? Since you are using JOIN in your query, there must be at least an error?

here, did not intend to advertise

<urls snipped>

Thank you!

diafol

Add session protection. If user logged in - search for $_SESSION['user_id'] or whatever you're using.
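
The session check suggested above, written out as an added example that is not part of the original thread. It assumes the site's login script stores the account id in `$_SESSION['user_id']`, as the working page does; `is_logged_in()` is a hypothetical helper standing in for the site's own `checkInt()`, which the thread does not show.

```php
<?php
// Added example, not code from the thread.
// Assumption: the login script sets $_SESSION['user_id'] on successful login,
// which is the key the working "listarea caracterelor" page tests.

// Hypothetical helper: true only when the session holds a non-negative integer id.
function is_logged_in(array $session)
{
    if (!isset($session['user_id'])) {
        return false;
    }
    // Stand-in for the site's checkInt(): accept integers >= 0, reject anything else.
    $id = filter_var(
        $session['user_id'],
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0))
    );
    return $id !== false;
}

// The session must be started before any HTML is sent. If the site's front
// controller already called session_start(), this block is skipped.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

if (is_logged_in($_SESSION)) {
    // Logged in: the existing queries and the table output of the
    // login-log page belong inside this branch, and nowhere else.
    echo '<p>log table for account ' . (int) $_SESSION['user_id'] . '</p>';
} else {
    // Not logged in: no query runs and no account data is rendered.
    echo '<center><p class="meldung">You must be logged in to access this page</p></center>';
}
```

The check has to wrap the database queries as well as the HTML, so that an anonymous request never reaches `mysql_query()`.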

LastMitch

@cristian.stilpeanu.1

I downloaded a page to my site, I installed it and it works well. I only have one problem: anyone can access it without having to log in, and it must be accessible only after being logged in.

Try to include this PEAR package:

http://pear.php.net/package/LiveUser/redirected

It comes with a code so you really need to take time adding this.

What diafol mentioned is about protecting your session:

http://phpsec.org/projects/guide/4.html

diafol

Ok, solved?

I apologize for any inconvenience, but can someone delete my php code posted by me?

diafol

Why?

This discussion appears in Google searches for words from my pages and I don't want people to see my code, please. Thank you!

LastMitch

@cristian.stilpeanu.1

This discussion appears in Google searches for words from my pages and I don't want people to see my code, please. Thank you!

The question you ask is weird. I mean, you have to understand that when you post anything on the web it will appear sooner or later on Google. You can't prevent that from happening.

diafol

DW has a general policy not to delete posts, especially when there have been replies to it. If you want to PM me with further info and a reason why this needs to happen, feel free, perhaps I could advise you further.

diafol

.... sad

I'm afraid that's the size of it. If you could outline the issue in a PM perhaps?