I'm trying to set up a PHP/MySQL/Flash interaction...

I want to test if the php is working or if the problem is within flash... Is there a way to test if this is working w/o the appropriate interface? I.e. adding certain variables to the URL or something like that...

Code:

<?
require_once('conf.inc.php');
require_once('functions.php');
// ---
// register new user
// ---
function register($username,$pass,$email,$question,$answer)
{
GLOBAL $db, $table;
$username = trim($username);
$pass = trim($pass);
$email = trim($email);
$question = addslashes(trim($question));
$answer = addslashes(trim($answer));
$validEmail = valid_email($email);
$validName = valid_userName($username);
$validPass = valid_password($pass);
if(!$validName) return "error=invalid name";
if(!$validPass) return "error=invalid password";
if(!$validEmail) return "error=invalid email";
$pass = md5(trim($pass));
// all checks ok
$query = @mysql_query("INSERT INTO $table (userName,userPassword,userMail,userQuestion,userAnswer) VALUES "
."('$username','$pass','$email','$question','$answer')");
if(!$query)
{
return "error=" . mysql_error();
} else {
return "user=ok";
}
}

// ---
// login, check user
// ---
function login($username,$pass)
{
GLOBAL $db,$table;
$username = trim($username);
$pass = md5(trim($pass));
$query = mysql_query("SELECT * FROM $table WHERE userName = '$username' AND userPassword = '$pass'");
return mysql_num_rows($query);
}

// ---
// forget password
// ---
function forget($email)
{
GLOBAL $db,$table;
$email = trim($email);
$query = mysql_query("SELECT userName, userQuestion from $table WHERE userMail = '$email'");
if(mysql_num_rows($query)<1)
{
return "error=email not present into database";
}
$row = mysql_fetch_array($query);
return "userName=$row[userName]&userQuestion=" . stripslashes($row['userQuestion']);
}

// ---
// generate new password
// ---
function new_password($username,$email,$answer)
{
GLOBAL $db,$table;
$username = trim($username);
$email = trim($email);
$answer = addslashes(trim($answer));
$query = mysql_query("SELECT * FROM $table WHERE userName = '$username' AND userMail = '$email' AND userAnswer = '$answer'");
if(mysql_num_rows($query) < 1)
{
return "error=wrong answer";
}
$rand_string = '';
// ---
// generating a random 8 chars lenght password
// ---
for($a=0;$a<7;$a++)
{
do
{
$newrand = chr(rand(0,256));
} while(!eregi("^[a-z0-9]$",$newrand));
$rand_string .= $newrand;
}
$pwd_to_insert = md5($rand_string);
$new_query = mysql_query("UPDATE $table SET userPassword = '$pwd_to_insert' WHERE userName = '$username' AND userMail = '$email'");
if(!$new_query)
{
return "error=unable to update value";
}
return "userName=$username&new_pass=$rand_string";
}

// ---
// decisional switch
// ---
if(isset($HTTP_POST_VARS["action"]))
{
switch($HTTP_POST_VARS["action"])
{
case "register":
$result = register($HTTP_POST_VARS['username'],$HTTP_POST_VARS['pass'],$HTTP_POST_VARS['email'],$HTTP_POST_VARS['question'],$HTTP_POST_VARS['answer']);
print $result;
break;
case "login":
$result = login($HTTP_POST_VARS['username'],$HTTP_POST_VARS['pass']);
print "user=" . $result;
break;
case "forget":
$result = forget($HTTP_POST_VARS['email']);
print $result;
break;
case "new_password":
$result = new_password($HTTP_POST_VARS['username'],$HTTP_POST_VARS['email'],$HTTP_POST_VARS['answer']);
print $result;
break;
}
}
?>

when I run it..nothing comes on the page, which I assume is a good sign that it worked but I'd like to see if it there is a way to manually check in the database if an entry comes up.



Note: This is not my own script, obviously. It belongs to Alessandro Crugnola @ sephiroth.it.

You can make an HTML form like so:



<form action="test.php" method="POST">
<input type="hidden" name="action" value="register">
Username: <input type="text" name="username"> <br>
Password: <input type="text" name="pass"> <br>
Email: <input type="text" name="email"> <br>
Question: <input type="text" name="question"> <br>
Answer: <input type="text" name="answer"> <br>
<input type="submit" value="Test Script">
</form>


That will test the register function of the script, other than that you will not be able to place anything in the url (because the PHP script request POST variables).

Hope this helps.

Watch yourself with that script. You processing page specifically register() function call is not inspecting client input. I would say you'd be open to SQLInjection attack and someone could force an unauthenticated login.

I would look at mysql_real_escape_string() (http://us.php.net/manual/en/function.mysql-real-escape-string.php).

hanji

Watch yourself with that script. You processing page specifically register() function call is not inspecting client input. I would say you'd be open to SQLInjection attack and someone could force an unauthenticated login.

I would look at mysql_real_escape_string() (http://us.php.net/manual/en/function.mysql-real-escape-string.php).

hanji


Thanks for the warning. I did notice that earlier and have fixed it since.

I might be missing something - but why don't you just load your phpinfo.php file. Every system I've seen has one and if they don't - just create a text file with

<? phpinfo();?>
in it. It will give you the status of your server and the dbase

I might be missing something - but why don't you just load your phpinfo.php file. Every system I've seen has one and if they don't - just create a text file with

<? phpinfo();?>
in it. It will give you the status of your server and the dbase

I thought he wanted to know if his specific PHP script was working vs if PHP itself was working on the server. Sorry if I'm jumping to conclusions.

hanji

I thought he wanted to know if his specific PHP script was working vs if PHP itself was working on the server. Sorry if I'm jumping to conclusions.

hanji

You were right. I was indeed asking for the status of this particular script.

Good point. I missunderstood.