I have created a CMS with a ban feature to ban accounts that violate the rules.
However, when I ban someone, I ban the user but also myself. The unstyled text below will appear only if you're an administrator:
You have been banned.
and if you're a user who is being banned, you'll get:
Your account has been disabled and cannot be used anymore.
You find the details below.
Date: 13-04-2016 16:06:27
Reason: Violation of the EULA.
If you have questions, feel free to contact the administrator.
And now it's getting spooky: the text above is the only text I have in my scripts. The "You have been banned" is some old, pre-alpha text, but it's still spooking around. So, for the record, I deleted this text a long time ago. I have searched every file, every include and every database.
I have even done a folder search for the "You have been banned" sentence. No luck, it couldn't find anything! I have also restarted XAMPP and the databases, and I have also logged out and logged in again; that didn't work either.
Details about the issue:
- Text is fully blank, no styles or anything.
- Only appears at admin.php.
- Appears when a user is banned. I have double-checked the ban script and everything is running OK. Queries are pointing to the right database, etc.
Because the text only appears on admin.php, we need to take a look at admin.php. It's a file of 520 lines.
The ban script is at the top:
```php
// Ban check at the top of admin.php. loginsys.php (included earlier) is
// expected to have started the session and created $conn, a mysqli connection.
// The session user name is concatenated straight into the SQL string.
$sql = "SELECT * FROM bans WHERE user_name='".$_SESSION['user_name']."'";
$result = $conn->query($sql);
// Both conditions test the same thing: whether any ban row came back.
if(mysqli_num_rows($result) != 0) {
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            $blocked = "
            <div class='modal-inner' style='width:500px'>
            <h2>Account disabled</h2>
            Your account has been disabled and cannot be used anymore.<br />You find the details below.<br /><br />
            Processed: ". $row["user_dateofban"] ."<br />
            Reason: ". $row["reason"] ."<br /><br />
            If you have questions, feel free to contact the administrator.
            </div>
            ";
            // Stop rendering the rest of admin.php and output only the notice.
            exit($blocked);
        }
    }
}
```
Hope someone can help me out, it's super frustrating!
admin.php (top.php and bot.php are both just HTML files, no PHP):
```php
<?php
// loginsys.php provides $login (the login helper) and $conn (the mysqli connection).
include("loginsys.php");
if ($login->isUserLoggedIn() == true) {
    //ban config: same check as shown above, runs for every logged-in user
    $sql = "SELECT * FROM bans WHERE user_name='".$_SESSION['user_name']."'";
    $result = $conn->query($sql);
    if(mysqli_num_rows($result) != 0) {
        if ($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                $blocked = "
                <div class='modal-inner' style='width:500px'>
                <h2>Account disabled</h2>
                Your account has been disabled and cannot be used anymore.<br />You find the details below.<br /><br />
                Processed: ". $row["user_dateofban"] ."<br />
                Reason: ". $row["reason"] ."<br /><br />
                If you have questions, feel free to contact the administrator.
                </div>
                ";
                exit($blocked);
            }
        }
    }
    // Only rank 3 (administrator) may see the rest of this page.
    if(isset($_SESSION['user_rank']) && $_SESSION['user_rank'] == "3") {
        if(isset($_GET["page"]) && $_GET["page"] == "customization") {
            include("assets/top.php");
            // Save handler: every POST field is concatenated into the UPDATE statement.
            if(isset($_POST['editcustom'])) {
                $sql = "UPDATE customization SET iam='".$_POST["iam"]."', iam2='".$_POST["iam2"]."', about='".$_POST["about"]."', about2='".$_POST["about2"]."', about3='".$_POST["about3"]."', recentwork='".$_POST["recentwork"]."', recentwork2='".$_POST["recentwork2"]."', getintouch='".$_POST["getintouch"]."', getintouch2='".$_POST["getintouch2"]."', address='".$_POST["address"]."', phone='".$_POST["phone"]."', email='".$_POST["email"]."', sendbutton='".$_POST["sendbutton"]."', copyright='".$_POST["copyright"]."'";
                $updateuser = $conn->query($sql);
                if ($updateuser) {
                    echo '<div class="alert alert-success">Settings saved.</div>';
                } else {
                    echo '<div class="alert alert-danger">Something went wrong executing the query. Try again.</div>';
                }
            }
            // Load the current values and render the edit form.
            $sql = "SELECT * FROM customization LIMIT 1";
            $result = $conn->query($sql);
            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
?>
<h1>Header</h1>
<form method="post">
<table>
<tr>
<td>Header 1</td>
<td><input type="text" value="<?php echo $row["iam"]; ?>" name="iam" />
</tr>
<tr>
<td>Header 2</td>
<td><input type="text" value="<?php echo $row["iam2"]; ?>" name="iam2" />
</tr>
</table>
<h1>About</h1>
<table>
<tr>
<td>About heading</td>
<td><input type="text" value="<?php echo $row["about"]; ?>" name="about" />
</tr>
<tr>
<td>About text</td>
<td><input type="text" value="<?php echo $row["about2"]; ?>" name="about2" />
</tr>
<tr>
<td>About button</td>
<td><input type="text" value="<?php echo $row["about3"]; ?>" name="about3" />
</tr>
</table>
<h1>Recent Work</h1>
<table>
<tr>
<td>Recent Work heading</td>
<td><input type="text" value="<?php echo $row["recentwork"]; ?>" name="recentwork" />
</tr>
<tr>
<td>Recent Work button</td>
<td><input type="text" value="<?php echo $row["recentwork2"]; ?>" name="recentwork2" />
</tr>
</table>
<h1>Contact</h1>
<table>
<tr>
<td>Heading</td>
<td><input type="text" value="<?php echo $row["getintouch"]; ?>" name="getintouch" />
</tr>
<tr>
<td>Text</td>
<td><input type="text" value="<?php echo $row["getintouch2"]; ?>" name="getintouch2" />
</tr>
<tr>
<td>Address</td>
<td><input type="text" value="<?php echo $row["address"]; ?>" name="address" />
</tr>
<tr>
<td>Phone</td>
<td><input type="text" value="<?php echo $row["phone"]; ?>" name="phone" />
</tr>
<tr>
<td>Email</td>
<td><input type="text" value="<?php echo $row["email"]; ?>" name="email" />
</tr>
<tr>
<td>Button text</td>
<td><input type="text" value="<?php echo $row["sendbutton"]; ?>" name="sendbutton" />
</tr>
</table>
<h1>Copyright</h1>
<table>
<tr>
<td>Copyright</td>
<td><input type="text" value="<?php echo $row["copyright"]; ?>" name="copyright" />
</tr>
</table>
<input type="submit" value="Save changes" name="editcustom" />
</form>
<?php
                }
            } else {
                echo "No customization yet.";
            }
            include("assets/bot.php");
        } else {
            // Any other (or missing) page value: embed admin.php itself in an iframe.
?>
<iframe src="admin.php?page=dashboard" style="width:700px;height:500px;">
Your browser doesn't support iframes. Please upgrade.
</iframe>
<?php
        }
    } else {
        echo "Error: No permissions";
    }
} else {
    echo "Error: Not signed in";
}
?>
```
This is a small guide for improving your code, through which you will probably find the error evaporates or is more easily identified:
In no particular order:
- Run error logging on your PHP!!! Seriously. One of the very first fundamentals to learn.
- You should be writing in HTML5, which means your code needs the correct syntax, so `<br/>` becomes `<br>`, and `/>` closing of tags does not need the slash.
- Use correct attributes in your HTML: your `<form>` should have `enctype`, `action` and `accept` attributes as a minimum. Likewise, other HTML tags can do with having more correct attributes associated with them.
- Try and avoid using `select *` and instead specify the name of each MySQL column you need to select. It is a bit more long-winded but saves lots of 'umms' and 'aahs' on larger projects.
- Good points: you are escaping PHP variable placements correctly and you are using object-oriented DB connections, BUT the way you are setting up your database queries is very unsafe and should be improved as a priority: instead of putting the variable into the query string directly, you want to bind it to the query. Please research this with prejudice (different methods depending on your connection type).
- Leading on from the point above, you really, really should be cleaning your input / POST data as much as reasonably possible; never, ever trust any user input, ever. The `$_POST` values can be anything, so use a regex cleaner or a PHP cleaning function to remove unwanted / damaging characters from form and text inputs.
- Add lines to query your MySQL commands and feed back errors to your eyes.
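As an added illustration of the two points in this answer that matter most for security (bind values instead of concatenating them, and make query failures visible), here are the ban check and the customization UPDATE from the asker's admin.php rewritten with mysqli prepared statements. This is my example code, not the asker's or the answerer's; it assumes `$conn` is the mysqli connection that loginsys.php already provides, that the `bans` and `customization` tables have the column names used in the original queries, and that the mysqlnd driver is present (it is in XAMPP) so `get_result()` is available.

```php
<?php
declare(strict_types=1);

// Error logging: make PHP and mysqli loud during development. In production keep
// log_errors on and display_errors off so users never see query details.
ini_set('display_errors', '1');
ini_set('log_errors', '1');
error_reporting(E_ALL);
// Every failed prepare/execute now throws mysqli_sql_exception instead of
// silently returning false, which is what the original code relied on.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up a ban row for $userName, or return null when there is none.
 * The name is sent as a bound parameter, so quotes in it are just data.
 */
function findBan(mysqli $conn, string $userName): ?array
{
    $stmt = $conn->prepare(
        'SELECT user_dateofban, reason FROM bans WHERE user_name = ? LIMIT 1'
    );
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Render the "account disabled" notice. Values from the database are
 * HTML-escaped so a reason containing markup cannot inject into the page.
 */
function renderBanNotice(array $ban): string
{
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class='modal-inner' style='width:500px'>"
         . '<h2>Account disabled</h2>'
         . 'Your account has been disabled and cannot be used anymore.<br>'
         . 'You find the details below.<br><br>'
         . 'Processed: ' . $e((string) $ban['user_dateofban']) . '<br>'
         . 'Reason: ' . $e((string) $ban['reason']) . '<br><br>'
         . 'If you have questions, feel free to contact the administrator.'
         . '</div>';
}

/**
 * The customization UPDATE with every field bound. Only the columns listed in
 * $allowed are written, whatever extra keys the POST body carries.
 */
function saveCustomization(mysqli $conn, array $post): bool
{
    $allowed = ['iam', 'iam2', 'about', 'about2', 'about3', 'recentwork', 'recentwork2',
                'getintouch', 'getintouch2', 'address', 'phone', 'email', 'sendbutton', 'copyright'];
    // Column names come from the fixed list above, never from user input.
    $set = implode(', ', array_map(fn(string $c): string => "$c = ?", $allowed));
    $stmt = $conn->prepare("UPDATE customization SET $set");
    $values = array_map(fn(string $c): string => (string) ($post[$c] ?? ''), $allowed);
    $stmt->bind_param(str_repeat('s', count($allowed)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage inside admin.php, after loginsys.php has created $conn and the session:
//   if ($login->isUserLoggedIn() === true) {
//       $ban = findBan($conn, (string) ($_SESSION['user_name'] ?? ''));
//       if ($ban !== null) {
//           exit(renderBanNotice($ban));
//       }
//       if ($_SESSION['user_rank'] ?? null) === '3' && isset($_POST['editcustom'])) {
//           $saved = saveCustomization($conn, $_POST);
//       }
//   }
```

With the original string-built query, a `user_name` containing a single quote changes the SQL text itself; with `bind_param` the same value is transmitted separately from the statement and cannot alter it. Turning on `MYSQLI_REPORT_STRICT` is the cheapest way to follow the last point in the list: any query that fails now lands in the PHP error log with the MySQL message, instead of the page silently continuing with a `false` result.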