I've written an admin page that allows users who are logged in at the correct admin level to view, add, edit and delete customers in the customer table. The page works fine for me and has, until recently, been working fine for my client. Now, suddenly, the client admin can view and delete but not edit or add customers. The script that checks logged-in and admin status is the same for all functions. There have been no changes to the code and I am the only one with access to the code. The code is attached. What could be going on here? Thanks
I didn't go through your whole code, but I just want to point out a big security issue:
    if(!$session->logged_in){ header("Location: login.php"); }
Imagine what happens when the user has header redirects disabled. This piece of code would not prevent access to unwanted users. Add exit() after the redirect to make sure the rest of the code can't be executed.
Good point, I'll fix that. I ran a test. The client logged in as me and had the same problems: can view and delete but no add or edit. This can only be an IP issue, right? I don't remember any IP check in my code but I'm reviewing it now. Any other possible reasons? Ran another test. It seems the code is working fine in Mozilla. The problem only occurs in I.E. It had worked fine for weeks in I.E. so don't know what has changed. I see another thread on this browser issue so I'll read that. forums.digitalpoint.com/showthread.php?t=414622
DOES THAT MEAN MY CODE IS UNSECURE ALSO:
    function redirect( $url) { exit( header('Location: ' . $url)); }
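An added example, not part of any post in this thread: a small Python check that scans PHP source for Location redirects that are not followed by exit/die, covering both the if-block pattern and the exit(header(...)) wrapper posted above. The sample source is constructed and isAdmin() is a hypothetical method name; the checker treats a redirect passed directly to exit()/die() as terminated.

```python
import re

# header("Location: ...") or header('Location: ' . $url)
REDIRECT = re.compile(r"""header\s*\(\s*["']Location:""", re.I)
# exit(header(...)): the redirect call is the argument of exit/die itself
WRAPPED = re.compile(r"\b(exit|die)\s*\(\s*$", re.I)
# exit/die as the next statement after the redirect
TERMINATOR = re.compile(r"\s*;?\s*(exit|die)\b", re.I)

# Constructed sample; isAdmin() is a hypothetical method name.
SAMPLE = '''<?php
if (!$session->logged_in) {
    header("Location: login.php");
}
if (!$session->isAdmin()) {
    header("Location: login.php");
    exit();
}
function redirect($url) { exit(header('Location: ' . $url)); }
'''

def end_of_call(src, open_paren):
    """Index just past the ')' matching src[open_paren]; string literals are skipped."""
    depth, quote, i = 0, None, open_paren
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character inside a string
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def unguarded_redirects(src):
    """1-based line numbers of Location redirects with no exit/die right after."""
    findings = []
    for m in REDIRECT.finditer(src):
        end = end_of_call(src, src.index("(", m.start()))
        wrapped = WRAPPED.search(src[:m.start()])
        if not wrapped and not TERMINATOR.match(src, end):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings
```

Running unguarded_redirects(SAMPLE) flags only line 3, the redirect inside the first if block, where the script keeps executing after the header is sent.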
Thanks from me too, Nico. I've already added the exit() to my code and will not forget to use it in the future. I read the thread on Doctype Declaration and CSS defaults. I have a Doctype Declaration. Is it the wrong one? What's that got to do with PHP code working? At least it's now confirmed. The problem is a browser issue but I don't know why or what to do about it.
Learn something new every day. Seems IE does not like code that has more than one submit button. That's not the case here: there are NO submit buttons. There is an onchange="this.form.submit()". Also the Edit, Delete and Add button images are inputs. And why did the form work in IE just fine for weeks and suddenly stop working?
It's a long shot, but if you know the approximate date that your script stopped working in IE (assuming it did until recently), then look in "add/remove programs" and see if any updates happened near that date. From time to time a security "fix" in IE and/or the OS will break something seemingly unrelated. If platform is Vista, also check for similar complaints in the MS Windows Defender forum - maybe others have observed similar behavior as a result of a Defender patch/update. Sorry I don't have any better suggestions.