PHP Help with MySQL
#1

PHP code:
<?php
/*
Skin me! Make sure to put a skin on this file to make it look smexy!!!11!
Find cool skins for a price at themeforest.net.
Copyright © 2011, 2012 Quin Schurman
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program.  If not, see http://www.gnu.org/licenses/.
*/
//Make sure connection.php is included.
require('connection.php');
//Initialize $_userInfo as a string to be converted to an object.
$_userInfo = "";
//If the user isn't logged in, send them to the index.
if(!isset($_COOKIE['sessid'])) header('Location: index.php');
//Format the query to get the user's session ID matching their cookie.
$_pQuery = "SELECT * FROM `ucpsessids` WHERE sessid = '" . $_COOKIE['sessid'] . "'";
//Query the above formatted string.
$qResult = mysql_query($_pQuery);
//Put the fetched object into $qFetch and then feed into $_userInfo
while($qFetch = mysql_fetch_object($qResult))
{
    $_userInfo = $qFetch;
}
//Format $_userName with $_userInfo->Name.
$_userName = $_userInfo->Name;
//Format the query to retrieve the user's info. We don't need WHERE pass = '' because we've already figured that out in checkcreds.php
$szQuery = "SELECT * FROM `" . $_UsersTable . "` WHERE Name = '" . $_userName . "'";
//Query the above formatted string, and die with mysql_error()
$qResult = mysql_query($szQuery) or die(mysql_error());
//Fetch the result object with mysql_fetch_object()
$qFetch = mysql_fetch_object($qResult);
//Format the $_skinImage string with the exact folder location of the skin image.
$_skinImage = 'display/SKINS/';
$_skinImage .= $qFetch->Skin;
$_skinImage .= '.jpg';
/*
Format the page however and echo the user info!
*/
error_reporting(E_ERROR);
?>
Code:
Notice: Trying to get property of non-object in C:\xampp\htdocs\dashboard.php on line 46

Notice: Trying to get property of non-object in C:\xampp\htdocs\dashboard.php on line 59
What does this mean?
#2

show me line 46 and line 59.
#3

Well, my first question: do the lines you are having errors on return a specific value? Try print_r(); The error means that you're probably returning a null value, so try using the isset() method if it returns the value you need whenever you perform an action.
#4

I don't know where you got this script, but it's vulnerable to SQL injection. Cookies can be edited on the client side. This only checks if the cookie exists rather than verifying its validity. If I create the 'sessionid' cookie with contents:
Code:
0' OR 1=1 --
The query will look like:
PHP code:
SELECT * FROM `ucpsessids` WHERE sessid = '0' OR 1=1 --'
Line 46 is:
PHP code:
$_userName = $_userInfo->Name;
Which means that $_userInfo isn't an object, which in turn means that the query above it failed or returned an empty result set.

PS: Wrong section.
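The two problems Vince points out (the cookie value is concatenated straight into SQL, and a missing row is dereferenced as if it were an object) are fixed in the following rewrite of the dashboard lookup. This is an added example, not code from the thread or from the original script's author; it assumes connection.php provides a mysqli connection in $db (with mysqlnd available for get_result()) and the table name in $_UsersTable, as the original script does.

```php
<?php
// Added example (not the thread's code): the same dashboard lookup done with
// mysqli prepared statements, an explicit "no row" check, and exit() after the
// redirect. Assumes $db (mysqli) and $_UsersTable come from connection.php.
require('connection.php');

// 1. No cookie at all: redirect AND stop. A bare header() call does not end the
//    script, so the rest of the page would otherwise keep running.
if (!isset($_COOKIE['sessid'])) {
    header('Location: index.php');
    exit;
}

// 2. Look up the session with a parameterised query. The cookie value is bound
//    as data, so a value such as 0' OR 1=1 -- is compared literally and matches nothing.
$stmt = $db->prepare('SELECT Name FROM `ucpsessids` WHERE sessid = ? LIMIT 1');
$stmt->bind_param('s', $_COOKIE['sessid']);
$stmt->execute();
$session = $stmt->get_result()->fetch_object();
$stmt->close();

// 3. Treat "no matching row" as "not logged in" instead of reading ->Name on null,
//    which is what produced the "Trying to get property of non-object" notices.
if ($session === null) {
    header('Location: index.php');
    exit;
}

// 4. Same pattern for the user record. A table name cannot be a bound parameter,
//    so $_UsersTable must come from trusted configuration only, never from input.
$stmt = $db->prepare("SELECT Skin FROM `{$_UsersTable}` WHERE Name = ? LIMIT 1");
$stmt->bind_param('s', $session->Name);
$stmt->execute();
$user = $stmt->get_result()->fetch_object();
$stmt->close();

if ($user === null) {
    header('Location: index.php');
    exit;
}

// 5. Only accept a plain filename stem for the skin, so the stored value can
//    never point outside the skins folder; fall back to a default otherwise.
$skin = preg_match('/^[A-Za-z0-9_-]+$/', $user->Skin) ? $user->Skin : 'default';
$_skinImage = 'display/SKINS/' . $skin . '.jpg';
?>
```

Two points worth noting against the original script: escaping at login time (post #5) protects only that query, not this one, because the session cookie is a separate input that reaches the database unescaped; and error_reporting(E_ERROR) sits at the very end of the original file, so it runs after the notices have already been emitted and hides nothing.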
#5

Vince, why would the "Name" field in the database return null if I logged in with it, though?
Oh wait, I think I know why, aha. I'll try it later.
I use MySQL escape string to log in, so I thought that prevented SQL injection.