Undefined offset: 1 in (site root) /scripts/checkuserlog.php on line 76

[chriscrowe43]

Hello I was wondering if there is anyone that could help me figure out this problem im having. I have been racking my brain for two days trying to figure this out.


Notice: Undefined offset: 1 in (site Root)/scripts/checkuserlog.php on line 76

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in (site Root)/scripts/checkuserlog.php on line 80
Something appears wrong with your stored log in credentials. Log in again here please

Here's the code im dealing with.
lines 72-95

} else if (isset($_COOKIE['idCookie'])) {// If id cookie is set, but no session ID is set yet, we set it below and update stuff

$decryptedID = base64_decode($_COOKIE['idCookie']);
$id_array = explode("nm2c0c4y3dn3727553", $decryptedID);
$userID = $id_array[1];
$userPass = $_COOKIE['passCookie'];
// Get their user first name to set into session var
$sql_uname = mysql_query("SELECT username FROM myMembers WHERE id='$userID' AND password='$userPass' LIMIT 1");
$numRows = mysql_num_rows($sql_uname);
if ($numRows == 0) {
echo 'Something appears wrong with your stored log in credentials. <a href="login.php">Log in again here please</a>';
exit();
}
while($row = mysql_fetch_array($sql_uname)){
$username = $row["username"];
}
$_SESSION['id'] = $userID; // now add the value we need to the session variable
$_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$userID");
$_SESSION['username'] = $username;
$logOptions_id = $userID;
$logOptions_uname = $username;
$logOptions_uname = substr('' . $logOptions_uname . '', 0, 15);

im new to php and im totally at a loss. I want to impress that i dont want someone to do my work for me, i just really need to move beyond this. I have used previous versions of the (social website system) that i am currently working with and had no problems but this is a newer version with added coded and features that i need for my site. Please Help. And Thankyou so much ahead of time if you do!!
also if there is anything i might need to add to help me get replies please let me know, i see that my post is getting views but im afraid i need to add something to get a reply that i havnt.

 

[descalzo]

$userID = $userID = $id_array[1]; ;

The error message is saying that there is nothing in $id_array[1];

Hence, explode("nm2c0c4y3dn3727553", $decryptedID) on the previous line only returns one item.

Add

echo "\n<br />" ;
echo $decryptedID;
echo "\n<br />" ;

before the 'explode' line to see what the problem is.

 

[chriscrowe43]

ok thank you ill check it out and update here

---------- Post added at 05:13 PM ---------- Previous post was at 05:04 PM ----------

Ok i stuck the code in and tested it. and got nothing but updated line numbers showing that the code had been moved down.
When you say that its telling that there is nothing in id array 1 im not sure what to thing about that as far as the database goes everything appears correct? unless i just dont understand what it means by nothing being there.

 

[descalzo]

If
echo $decryptedID;

didn't produce anything, then

base64_decode($_COOKIE['idCookie'])

is returning either an empty string or FALSE.

 

[chriscrowe43]

what does that mean exactly ?

 

[descalzo]

It means $_COOKIE['idCookie'] probably is not in the proper format. Try printing it out and see what the value is.

 

[chriscrowe43]

im sorry i feel stupid but what do i need to do? how would i go about printing out what i need to print?

 

[misson]

Please use

, [html] or [code] tags (as appropriate) to separate and format code.

[URL="http://php.net/var_dump"][c]var_dump[/c][/URL] would provide a little more information about the variable contents, such as the type, and make it more obvious whether or not the variable held an empty string.

[c]empty[/c] would be a better test than [c]isset[/c], since a variable can be set but empty. For example:
[php]$foo = '';
isset($foo) && empty($foo); # True.

When you say that its telling that there is nothing in id array 1 im not sure what to thing about that as far as the database goes everything appears correct? unless i just dont understand what it means by nothing being there.

Just what he says. Consider:

$data = 'abc';
$parts = explode('/', $data);

$parts has exactly one item (at index 0). There are no items at indices 1 or above because '/' doesn't appear in $data. Similarly, "nm2c0c4y3dn3727553" must not be appearing in $decryptedID, so $id_array has exactly 1 item (since a negative limit isn't passed to explode).

	$decryptedID = base64_decode($_COOKIE['idCookie']);

Base64 is an encoding. It provides no encryption. A less misleading name for the variable would be $decodedID. If you think this is a minor point, consider that the name is an assertion that the data is protected somehow by encryption, which provides a false sense of security that can result in an unsafe security protocol. Basically, when your users' accounts get hacked, it won't seem so insignificant.

	$userID = $id_array[1]; 
	$userPass = $_COOKIE['passCookie'];
// Get their user first name to set into session var
	$sql_uname = mysql_query("SELECT username FROM myMembers WHERE id='$userID' AND password='$userPass' LIMIT 1");

The sample code is vulnerable to SQL injection, which is a very serious security risk. Both the user ID and password are submitted by the user, so either can be used as an injection vector. To fix this hole, switch from the outdated mysql extension to PDO and use prepared statements. If you need a PDO tutorial, try "Writing MySQL Scripts with PHP and PDO". The site you save may just be your own.

	if ($numRows == 0) {
		echo 'Something appears wrong with your stored log in credentials. <a href="login.php">Log in again here please</a>';
		exit();
	}

Don't use die or exit when outputting HTML. You'll get invalid HTML.

    while($row = mysql_fetch_array($sql_uname)){

Since you fetch at most 1 record, and have previously checked that the result has a row, the while is completely unnecessary. Simply:

    $row = $result->fetch();
    $username = $row["username"];

Note: this example uses PDO rather than the mysql extension.

	$_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$userID");

What's the purpose of this value?

 

[chriscrowe43]

I'm sorry mission but your going way over my head. Mabey i have no business messing with this stuff but i really kind of need it, I know it is a probably a pain to deal with someone so uninformed about how php works but once i get passed this issue everything else normally seems to work or has worked with earlier versions of the system im trying to use. I just need someone that will help me work through this one thing one step at a time until i've resolved it. I appreciate your time spent in createing the reply but im lost. please bare in mind i have no offical education concerning all this and im learning as i go. thanks you again though.

---------- Post added at 06:57 PM ---------- Previous post was at 06:32 PM ----------

Good News I figured out my problem yet again! lol, thanks for you help and i would still like to understand more about the security issues you mentioned earlier mission.