Check if entry is available in database - mysql

I have generated a 10 digit number, added it to a database after purchase.
Now I want to make a php page to give users an input box, ask them to enter the 10 digit number, and click submit. After you click submit it should return if the pin is used or has not been used it. (Used if its not available - Not used if its in the table)
I got the following code:
<?php
require_once 'db.php';
function validated_pin($pin)
{
$pin = mysql_real_escape_string($pin); // SECURITY!
$result = mysql_query("SELECT pins FROM pins WHERE pin='$pin' LIMIT 1");
if (mysql_fetch_row($result)) {
return 'This pin has already been used';
} else {
return 'This pin is available for use';
}
}
echo '<html><center>
<form action="' . $_SERVER['SCRIPT_NAME'] . '" method="post">
<table style="border:0px solid black;">
<tr>
<td>PIN*:</td><td><input type="text" name="pin" value="" class="bginput"/></td>
</tr>
<tr>
<td></td><td><input type="submit" id ="submit" name="submit1" value="Check Pin>>" class="button"></td>
</tr>
</table>';
echo validated_pin($pin);
echo '</center></html>';
?>
And PHPmyAdmin looks like this:
http://gyazo.com/67c3df7171c83c677cb221c04d644ed7.png
It's located in _donation and in table name pins
I don't know whats going on tried looking everywhere
The current code will return this error
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in /home/website/public_html/directory/example.php on line 8

Your query is failing to fetch data, resulting in false returned.
Firstly - you should catch this false value and not assume $result has data.
Secondly - var_dump() the query you are running, run that in PhpMyAdmin

Your query is-
$result = mysql_query("SELECT pins FROM pins WHERE pin='$pin' LIMIT 1");
shouldn't it be
$result = mysql_query("SELECT pin FROM pins WHERE pin='$pin' LIMIT 1");
pin is the column name right? not pins
if (mysql_fetch_row($result)) {
if(mysql_num_rows($result)>0)
return 'This pin has already been used';
else
return 'This pin is available for use';
}

This seemed to have solved it:
$pin = $_POST["pin"];
function validated_pin($pin)
{
$pin = mysql_real_escape_string($pin); // SECURITY!
$result = mysql_query("SELECT pin FROM pins WHERE pin='$pin' LIMIT 1");
if(mysql_num_rows($result) == 0) {
return 'This pin has already been used';
} else {
return 'This pin is available for use';
}
}
Still facing the issue of it saying "Already been used" before I execute any code.

Related

MySQL - Using LIKE ? With Multiple Columns Search

I've had a look around Stackoverflow and can't seem to find what I am looking for.
I have a dynamically updating AJAX search form which shows location data from database.
The issue I am having is with this query here:
$sql = "SELECT location FROM location_data WHERE location LIKE ? LIMIT 10";
Let me explain what is happening first. There are 3 different columns in a database table, one called location, one called CRS and one called tiploc.
I would like to display results like the following:
Select location FROM location_data WHERE location(textbox) is LIKE ?(what the person typed in) OR CRS is LIKE ? or TIPLOC is LIKE ?
Now i've only tried it with CRS so far, and ive done the following query:
$sql = "SELECT location FROM location_data WHERE location OR CRS LIKE ? LIMIT 10";
The above only displays the CRS result (exact match) and doesn't provide any suggestions for location, only shows CRS. Does anyone know how I can amend my query, so that it searches both location and CRS and TIPLOC, LIKE on location, but exact match only on CRS and TIPLOC?
if(isset($_REQUEST['term'])){
// Prepare a select statement
$sql = "SELECT location FROM location_data WHERE location LIKE ? LIMIT 10";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_term);
// Set parameters
$param_term = $_REQUEST['term'] . '%';
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
$result = mysqli_stmt_get_result($stmt);
// Check number of rows in the result set
if(mysqli_num_rows($result) > 0){
// Fetch result rows as an associative array
while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)){
echo "<p>" . $row["location"] . "</p>";
}
} else{
echo "<p>No matches found</p>";
}
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// close connection
mysqli_close($link);
Now heres the on page search, the field I am pulling input from is called "location".
--Code for JS AJAX Search--
<script type="text/javascript">
$(document).ready(function(){
$('.search-box input[type="text"]').on("keyup input", function(){
/* Get input value on change */
$(".result").show();
var inputVal = $(this).val();
var resultDropdown = $(this).siblings(".result");
if(inputVal.length >2){
$.get("backend-search.php", {term: inputVal}).done(function(data){
// Display the returned data in browser
resultDropdown.html(data);
});
} else{
resultDropdown.empty();
}
});
// Set search input value on click of result item
$(document).on("click", ".result p", function(){
$(this).parents(".search-box").find('input[type="text"]').val($(this).text());
$(this).parent(".result").empty();
});
});
$(document).click(function(){
$(".result").hide();
});
</script>
You need to repeat the LIKE expression for each column.
$sql = "SELECT location
FROM location_data
WHERE location LIKE ? OR CRS LIKE ? OR TIPLOC LIKE ?
LIMIT 10";
And since there are now 3 placeholders in the query, you need to fill them all in with the binding:
mysqli_stmt_bind_param($stmt, "sss", $param_term, $param_term, $param_term);
For every individual expression in OR, you have to specify their comparison conditions. Note the location LIKE ? instead of LOCATION OR:
$sql = "SELECT location
FROM location_data
WHERE location LIKE ?
OR CRS LIKE ?
OR TIPLOC LIKE ?
LIMIT 10";
Note: LIMIT clause without ORDER BY is non-deterministic in nature, since MySQL stores an unordered dataset. It basically means that, any 10 rows can be returned by MySQL (if not using ORDER BY).

Perl, SQL, DBI: Why doesn't my UPDATE function work? Code and things I've tried inside

UPDATE 2: I never found the solution to this. Since the instructor's code is readily available for us to use and hack together with our own, and I'd already wasted weeks trying to debug, I just created a new table and started from his code, made changes and tested as I went, until I ended up with that I wanted in functionality. If anyone every comes across a reason for the odd behavior, I'd sincerely appreciate knowing what caused this.
Almost everyone who suggested anything offered up ideas I had already tried, and listed as already tried, in my original post. Thank you to everyone offering their insight, but please do read posts completely before making suggestions.
UPDATE: to present my main question more clearly. The original post is below that with all code, as well as what I've tried.
I designed my updateData() function to update a record. Instead, it returns its error code.
sub updateData {
# and this returns "Update Failed!" for me. I can't figure out why.
$sql = "UPDATE friendface SET first_name = '$first_name',
last_name = '$last_name',
email_address = '$email_address',
password = '$password'
WHERE user_id = $user_id;";
$rc = $dbh->do($sql);
if ($rc != 1) {
print "Update Failed!";
}
}
Ninja editing as I reread through this mess 3:
Code at the bottom. Sorry if the formatting is awful or I'm not descriptive enough. I really tried. Ask if I can provide anything else that is helpful.
Hi everyone,
School assignment here, print a table with records you can edit and delete.
I've got an HTML page with forms for inserting data, then a perl script that displays the table with buttons to update and delete. Delete works fine. The whole script works fine (EXCEPT the link from the block of text you get when you access the .pl directly, but I don't care about that at the moment) without the contents of my UPDATE function. The code for the UPDATE function works fine line by line in MySQL. But I can't get the updateData function with the UPDATE query to work in my .pl file.
We're allowed full access to the instructor's example code. I COULD start with his page, then modify it into my own page. I'd rather be able to write my own page without relying on that crutch. I am, however, comparing my code to his and I don't see where I'm going wrong. Syntax looks good, as far as I know / can find docs for.
I played with varying syntax anyway just in case. Put a comma after the final record before my WHERE clause because it looked wrong without, but apparently without is the way to go. Everything I read says the current syntax is correct.
I thought maybe it was trying to edit a user_id that didn't exist, but printing the user_id showed it was using the correct one.
I think my DBI->connect is working because it doesn't return Connection Failed.
The correct function, updateData(), is running because the final output is the Update Failed return code, unique to that function.
I can trace the code through Edit button > Edit form > Confirm Edit function > updateData function > $dbh authenticates successfully, do($sql), which is my UPDATE query, which looks syntactically correct. But for some reason, $dbh->do($sql); doesn't come out true.
In the updateData function, I thought I'd make sure the problem wasn't that I was only updating 4 of the 6 fields. Well, 5, since the key isn't ever going to be updated. Anyway, I thought that might be tripping it up somehow, but adding a line to update username didn't help, so I took it out again.
I've really been trying to figure this out on my own and I'm pulling my hair out. It's always some dumb little thing. Is it spacing? It usually doesn't matter, but I know ENDFORM had to be the first, and only, thing on the line in order to work for me. But I don't know of any spacing rules for this particular code. Please. Point me in the right direction.
Just to be explicit, printEditButton() and printDeleteButton() are the code for the edit and delete buttons...
DESC table, code for the html page, and the pl script follows:
*********************
*********************
***DESC friendface***
*********************
*********************
Field Type Null Key Default Extra
user_id int(11) NO PRI NULL auto_increment
username char(50) YES NULL
first_name char(20) YES NULL
last_name char(20) YES NULL
email_address char(50) YES NULL
password char(50) YES NULL
*********************
*********************
*friendFaceForm.html*
*********************
*********************
<table bgcolor='antiquewhite' align=center cellpadding=2>
<form action='friendFaceForm.pl' method=GET>
<tr>
<td align=right>Username</td>
<td><input type=text name=username></td>
</tr>
<tr>
<td align=right>First Name</td>
<td><input type=text name=first_name></td>
</tr>
<tr>
<td align=right>Last Name</td>
<td><input type=text name=last_name></td>
</tr>
<tr>
<td align=right>Email Address</td>
<td><input type=text name=email_address></td>
</tr>
<tr>
<td align=right>Password</td>
<td><input type=text name=password></td>
</tr>
<tr>
<td align=center colspan=2> <input type=submit name=action value='Insert Data'></td>
</tr>
</form>
</table>
*********************
*********************
**friendFaceForm.pl**
*********************
*********************
#!/usr/bin/perl
use CGI qw(:standard);
use DBI;
use warnings;
print "Content-type: text/html\n\n";
$dbh = DBI->connect("DBI:mysql:jwiard1:localhost", "jwiard1", "jwiard1")
or endProgram("Connection Failed!");
$action = param('action');
$user_id = param('user_id');
$username = param('username');
$first_name = param('first_name');
$last_name = param('last_name');
$email_address = param('email_address');
$password = param('password');
if ($action eq 'Insert Data') {
#$action holds this value coming from the html page
#this happens first
insertData();
printTable();
}
elsif ($action eq 'Edit') {
#prints the edit form
printEditForm();
}
elsif ($action eq 'Confirm Edit') {
#then updateData() runs
updateData();
printTable();
}
elsif ($action eq 'Delete') {
deleteData();
printTable();
}
elsif ($action eq 'Print Table') {
printTable();
}
else {
print "Either you are accessing this file directly or \$action has an unaccounted for value.<br><br>
If it's the former, get out of here!<br><br>
If it's the latter... you're getting sleepy. You're getting verrrry sleepy. When you reach the end of this sentence, you'll wake up with no memory of this page and a strong feeling that Joe Wiard's code is perfect.<br><br>
...or did you just want to see the table?";
print "<input type=submit name=action value='Print Table'>";
}
####
#Functions! Yay!
####
sub endProgram {
my ($msg) = #_;
print $msg;
die();
}
sub insertData {
#after inserting data, the user is left to click Edit or Delete
#making $action hold the value of 'Edit' or 'Delete' Go to elsif($action eq 'Edit'
print "Your data has been saved.";
$sql = "INSERT INTO friendface SET user_id='$user_id',
username='$username',
first_name='$first_name',
last_name='$last_name',
email_address='$email_address',
password='$password' ;";
$rc = $dbh->do($sql);
if ($rc != 1) {
print "Insert failed!";
}
}
sub printEditButton {
print "<form>";
print "<input type=hidden name=user_id value='$href->{user_id}'>";
print "<input type=submit name=action value='Edit'>";
print "</form>";
}
sub printDeleteButton {
print "<form>";
print "<input type=hidden name=user_id value='$href->{user_id}'>";
print "<input type=submit name=action value='Delete'>";
print "</form>";
}
sub confirmEdit {
}
sub lookUpRow {
$sql = "SELECT * FROM friendface WHERE user_id=$user_id;";
$sth = $dbh->prepare($sql);
$rc = $sth->execute();
$href = $sth->fetchrow_hashref();
}
sub printEditForm {
#prints fields for 4 of the values in a record. I don't want the user to be able to
#change their username. They can only edit first and last names, email and password.
#after this, $action either holds 'Confirm Edit' or 'Cancel'. Go to elsif
#($action'Confirm Edit')
lookUpRow();
print <<ENDOFFORM;
<form>
First Name: <input type=text name=first_name value='$href->{first_name}'> <br>
Last Name: <input type=text name=last_name value='$href->{last_name}'> <br>
Email Address: <input type=text name=email_address value='$href->{email_address}'> <br>
Password: <input type=text name=password value='$href->{password}'> <br>
<input type=hidden name=user_id value=$href->{user_id}'> <br>
<input type=submit value="Confirm Edit" name=action>
<input type=submit value="Cancel" name=action>
</form>
ENDOFFORM
#It seems that ENDOFFORM *MUST* be at the beginning of the line. No TABS or SPACES
#preceeding, and NOTHING after. Half an hour of debugging lead me to discovery this
#tidbit that I should have just remembered from class. Or Googled. :P
}
sub updateData {
#and this returns "Update Failed!" for me. I can't figure out why.
$sql = "UPDATE friendface SET first_name = '$first_name',
last_name = '$last_name',
email_address = '$email_address',
password = '$password'
WHERE user_id = $user_id ;";
$rc = $dbh->do($sql);
if ($rc != 1) {
print "Update Failed!";
}
}
sub deleteData {
$sql = "DELETE FROM friendface WHERE user_id = $user_id;";
$rc = $dbh->do($sql);
}
sub printTable {
$sql = "SELECT * FROM friendface;";
$sth = $dbh->prepare($sql);
$rc = $sth->execute();
$count = 0;
print "<table>";
#print header
while ($href = $sth->fetchrow_hashref() ) {
$count ++;
if ($count % 2 == 0) {
print "<tr bgcolor=lightblue>";
}
else {
print "<tr bgcolor=lightgray>";
}
print "<td>";
print $href->{'user_id'};
print "</td>";
print "<td>";
print $href->{'username'};
print "</td>";
print "<td>";
print $href->{'first_name'};
print "</td>";
print "<td>";
print $href->{'last_name'};
print "</td>";
print "<td>";
print $href->{'email_address'};
print "</td>";
print "<td>";
print $href->{'password'};
print "</td>";
print "<td>";
printEditButton();
print "</td>";
print "<td>";
printDeleteButton();
print "</td>";
print "</tr>";
}
print "</table>";
From the DBI documentation, it seems that the "do" method does some magic with the return value:
do
If you're doing an UPDATE, INSERT, or DELETE there is no data that
comes back from the database, so there is a short cut. You can say
$dbh->do('DELETE FROM people WHERE age > 65'); for example, and DBI
will prepare the statement, execute it, and finish it. do returns a
true value if it succeeded, and a false value if it failed. Actually,
if it succeeds it returns the number of affected rows. In the example
it would return the number of rows that were actually deleted. (DBI
plays a magic trick so that the value it turns is true even when it is
0. This is bizarre, because 0 is usually false in Perl. But it's convenient because you can use it either as a number or as a
true-or-false success code, and it works both ways.)
Are you sure the update didn't work? Perform a select afterward to double-check. It could just be that you're misinterpreting the return code.

Dynamically created checkboxes using ajax from sql result set

I am looking to use ajax to dynamically create checkboxes each time you change your selection from a <select> tag, see the below screenshot for a section of the form that is relevant:
NOTE: The checkboxes under "Queues" should be dynamic.
At the moment, when you change the value for Team it grabs the team name (in this case "Test"), then using ajax (POST) it returns the Manager name for that team.
What I want it to do is look up another table that has a list of the "queues" associated with each team; I am going to add an "onchange" attribute in the tags for the "Manager Name" field.
Below is the code I'm currently using to accomplish the Team => Manager Name dynamic filling:
<script>
window.onload = function() {
getManager($("#team").val());
}
function getManager(team) {
$.ajax({
type: "POST",
url: "getManager.php",
data: {team:team}
}).done(function( manager ) {
$("#manager_name").val(manager);
});
}
</script>
And here is the getManager.php file that it uses:
<?php
require("../../database/db.php");
$mysqli = new db("nab_reporting");
if ($mysqli->connect_errno) {
printf("Connect failed: %s\n", $mysqli->connect_error);
exit();
}
$team=$mysqli->real_escape_string($_POST['team']);
$result = $mysqli->query("SELECT manager_name FROM team WHERE teamname = '".$team."'");
$row = $result->fetch_assoc();
echo $row['manager_name'];
mysqli_close($mysqli);
?>
Keeping in mind that the above works; I now need a way to use the onchange attribute of the Manager Name field that will use ajax (similar to above), passing another php page the value that is currently in the field (in this case Kane Charles) and will return a result set (array or JSON maybe?) containing a list of all queues in the database that match up with that Team name.
Below is the html code for each of the different bits:
TEAM
<select name="team" id="team" required="required" onchange="getManager(this.value)">
<?php
include(__DIR__ . "/../../database/db.php");
$db = new db("nab_reporting");
$result = $db->query("SELECT teamname FROM team");
while ($row = $result->fetch_assoc()) {
echo "
<option value=\"" . $row['teamname'] . "\">" . $row['teamname'] . "</option>
";
}
$db->close();
?>
</select>
MANAGER NAME
<input type="text" name="manager_name" id="manager_name" required="required" onchange="getQueues(this.value)">
QUEUES
<label>
Queues
</label>
<div id="queue_options">
<!-- queues dynamically created here -->
</div>
I need the contents of queue-options to be erased and reset to only the queues associated with the current team; I haven't done a great deal with ajax, hence why I'm posting on here.
This revision should match what you are asking about
PHP
// make an array to hold the queues
$data = Array();
// Fetch the rows of all the queues
$res = $mysqli->query("SELECT * FROM the_queue_table WHERE manager='" . $_GET["manager"] . "'");
// loop through all the rows and push the queues into the data array
while(($row = mysql_fetch_object($res)) !== false)
{
array_push($data, $row->queue);
}
// return the data array as a json object
echo json_encode($data);
JavaScript
// get the page and send the manager name to filter with
$.get("file.php?manager=" + managerName, function(page)
{
// parse the json into an object
var data = $.parseJSON(page);
// remove existing checkboxes
$("#queue_options").children().remove();
// add checkboxes to the div
for (var item in data){
$("#queue_options").append("<input type=\"checkbox\" value=\"" + item + "\" />" + item + "<br />");
}
});

PHP login issues

I am creating a login which links to a database, when entering information the login then runs a blank page and does nothing, below is my code:
include "conn.php";
session_start();
$email_address = $_POST['email_address'];
$password = $_POST['password'];
if ($email_address && $password)
{
$connect = mysql_connect("computing","i7906890","password") or die ("couldn't connect!");
mysql_select_db("i7906890") or die ("couldn't find database");
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
if ($numrows!=0) {
//code to login
while ($row = mysql_fetch_assoc($query)) //Password Check
{
$dbemail_address = $row['email_address']
$dbpassword = $row['password']
}
//Check if they match
if ($email_address==$dbemail_address&&$password==$dbpassword)
{
echo "You're in! <a href='user_page.php'>click</a> here to enter the members page";
$_SESSION['user']==$dbemail_address;
}
else
echo "Incorrect Password!";
}
else
die("That user doesn't exist!");
}
else
die("Please enter an email address and password!");
?>
Also here is my form
<form action = "login2.php" method ="POST">
<p><img src="images/space.gif" width="70px" height="1px"/><strong>Log in</strong> or <strong>Register</strong><br>
Email:<img src="images/space.gif" width="34px" height="1px"/><input type="text" name="user" size="33"> <br>
Password:<img src="images/space.gif" width="10px" height="1px"/><input type="password" name="password" size="33"> <br>
<div align="center">
<input type="submit" value="Log in" class="button">
</div>
</p>
</form>
Please help! SOS
You're missing a few ; in your code which is causing the script to crap out and not display anything. (Specifically in the while loop but check elsewhere as well.)
Edit: You may also want to consider losing that while loop all together and putting the password criteria in the SQL statement for better performance. And like the other poster said, watch out for SQL injection.
Please help! SOS Yep, you're in deep sh... But not for what you'd expect...
Even if your code was operating well, you are the 5th or 6th who asks roughly the same question, riddled with SQL injection in a PHP login form using the deprecated mysql_ functions...
And also, $guery is not the same as $query... Check for the q and g letters...
This line:
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
Should be at least
$query = mysql_query("SELECT * FROM UserAccount WHERE email_address = '".mysql_real_escape($email_address)."'");
to both be correct, and avoid injection...
But you should really be using prepared statements through PDO, like this:
try {
//open connection, this is different than in the old functions
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
//***running query
//**step1: create statement
$stmt = $dbh->prepare('SELECT * FROM UserAccount WHERE email_address = :email'); //notice parameter prefixed with ':'
//**step2: bind values (be sure to also check out the bindParameter() function too!)
$stmt->bindValue(':email', $email_address);
//**step3: exexcute statement
$stmt->execute();
//**step4: process results
$result = $stmt->fetch(PDO::FETCH_OBJ);
if($result->PASSWORD==$password) {
//logged in, do whatever reuqired
}
$dbh = null; //don't let it slip out of our hands
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
Also, another word of caution: don't store plaintext passwords. Even storing MD5 hashes is out of scope these days, and SHA1 is also declared to be weak...

mysql_affected_rows sometimes returns 0 instead of 1

I have a strange problem with php scripts - mysql_affected_rows() sometimes returns "0" for no reason.
There is a similar question #stackoverflow and answer to this question is:
MySQL only actually updates a row if there would be a noticeable difference before and after the updat.
But this is not my case. For example, if value before update is 1320402744 and value after update is 1320402944 mysql_affected_rows() anyway return "0". Is this difference not enough noticable?
Below are 3 files. As you can see, all files include file "functions.inc.php" which calls function "online()".
File "login.php" is working fine. It inserts a new row in "session" table correctly.
File "content.php" is working fine - it displays content and correctly runs function "online() in "functions.inc.php".
Then I call file "test.php". It deletes "something from sometable" correctly. Then it refreshes itself (Header("Location: /test.php");). After refreshing I am logged off.
I added this to "online()" function:
echo "affected_rows";
It returns 0.
I added more code to "online() function:
$checkuser = mysql_query("SELECT userid FROM session WHERE userid = '" . $_SESSION['id'] . "'") or die('Error');
$found = mysql_num_rows($checkuser);
echo $found;
$result = mysql_query("UPDATE session SET time='$ctime' WHERE userid='".$_SESSION['id']."'") or die('Error');
$affected_rows = mysql_affected_rows();
if ($affected_rows != 1) #session_destroy();
echo $affected_rows;
The result is 1 and 0.
I checked the database. "time" field in session table has been updated.
So, I can't understand how is it possible that the row exists, it updates correctly but mysql_affected_rows(); returns 0, and why this happends only if te same page has been refreshed.
functions.inc.php
<?php
#ob_start();#session_start();
#mysql_connect(C_HOST, C_USER, C_PASS) or die('Cant connect');
#mysql_select_db(C_BASE) or die('Cant select DB');
function online() {
$ctime = time()+1800;
if((isset($_SESSION['id']))&&(is_numeric($_SESSION['id']))) {
$query = mysql_query("UPDATE session SET time='$ctime2' WHERE userid='".$_SESSION['id']."'") or die('Error');
$affected_rows = mysql_affected_rows();
if ($affected_rows != 1) #session_destroy();
}
}
//many other functions go here
online();
?>
login.php
<?php
include_once 'configuration.inc.php';
include_once 'functions.inc.php';
//many things go here
$upd = mysql_query("INSERT INTO session VALUES ('" . $i['id'] . "','$ctime')") or die('Error2');
Header("Location: /content.php?justlogged=1");
die;
?>
content.php
<?php
include_once 'configuration.inc.php';
include_once 'functions.inc.php';
//many thing go here
echo "content";
?>
test.php
<?php
include_once 'configuration.inc.php';
include_once 'functions.inc.php';
if (isset($_GET['tid'])&&(is_numeric($_GET['tid']))){
$result = mysql_query("delete from some_table where something = '" . $_GET['tid'] . "'") or die('Error123a');
Header("Location: /test.php");
die;
}
//file content
?>
In your function.inc.php you call online() - session time is changed every second. But can it be that you're switching between pages (login, content, test) more faster than 1 second? In that case time would be the same and you'd get session destroy because of unaffected rows
Edit:
Yes. As I thought.
See how it comes:
you call login.php: after successful login it creates new session with time X. After this you're immediately redirected to content.php (time is still X) which calls online again. And of course, as you redirected immediately - time is the same.. so already at point of content.php session is already destroyed, because time wasn't changed.