knobby2k

Hey guys, Does anyone know of a free multiple photo uploader like that used on facebook? Basically a windows explorer type view, tick the photo's you would like to upload then click the upload button?? I want to learn and think i could do the file upload but I've got no idea where to start with getting the windows explorer type view. Cheers

cheers you lot!!

Hi guys, quick and simple question, should you cleanse the data that you recover from a session. i.e. i have my username in a session to ensure the user is logged in... so, on my page should i be cleansing the data with the various striptags, stripslashes, htmlspecialchars, etc... OR as long as I check the data matches what i expect to be entered at the time it is input by the user, will that data still be safe when i call the session? I suppose what I am asking is can a malicious user spoof a session, so I call $_SESSION['username'] and it turn out to be $_SESSION['lots of damaging code'] Thanks

debates like this where you hear one view point against another are perfect for someone learning like me. you hear both sides of an argument and can make a judgement call on what you think is best from peoples advice! keep it up lads. Cheers

cheers mate i'll have a read through. thanks again

Not at all, no. The session is stored on your server and can only be accessed by a user with the proper cookie. Sessions are vulnerable to hijacking, but it's generally not a huge concern. Your site itself will be vulnerable to this sort of attack, the location of the personal data doesn't really matter. Once your site is big enough to where session hijacking (through something like firesheep) is a problem, you'll know enough to roll your own session handler with built-in security and verification. -Dan Cheers Dan, much appreciated

Thanks, What do you mean 'use the query string'? Cheers

Thanks, I'm not leaving myself vulnerable or my users vulnerable by storing a few items of personal data in a session?? much appreciated Pete

Hey people, I know this is going back to basics but i'm just learning and want to make sure I do it all correctly. I want to pass variable's from one page to another. Now currently say I wanted to hold the users age and email address from his record in the database from page A and pass it to page B for it to be displayed back to him I would store each in their own session variable (so for the purpose of the explanation session_user_email=me@email.com and session_user_age=18. On page B I would then call the session and store it in a variable then destroy the session. Just out of curiosity is the the best way to pass the data? or should i use another method? i've read about session hijacking and i'm now worried about holding personal data within a session so i'm wondering what other people do?? Cheers

Ok, so... more worried and confused now!! ...can you tell me if this is secure? [*]user enters username and password [*]the form goes to logincheck.php [*]I use _POST to get the username and password entered [*]username and password is checked against the database [*]if user exists and credentials are correct then: [*]username is stored in username_session [*]password stored in password_session [*]every page after that calls those 2 session variables and then checks the database again to see if they match the user I get what you are saying about session hijacking, i think... and I tried the code you posted which output the username and the hashed password. How can I avoid this? I am still unsure as to what to do now to ensure that it is a correct user logged in! I can see the benefit of having a session_logged_in == 1 now as that doesnt give a hacker someones password if they find a way to hijack the session or find out the data stored within the session but couldn't a hacker then just send a session_logged_in = 1 variable and the username and my system would just let them straight in??? Help! lol Cheers

So reading that the guy recommends using $_SESSION['LoggedIn'] = 1 to check that you have previously logged in... I'm just wondering is that secure enough? Couldn't somebody create/mimic/fabricate that variable so that your site thinks you are already authenticated? I was considering taking the username and password into session variables and simply checking that the session username and password match a record in the database, if it does then your logged in if not then you get redirected to a 'you must log in to view this page' page. Which is better? secure and performance-wise? Cheers

cheers mate

Hi Guys, Quick question. I'm trying to get my head around how I would check that a user has reached a certain page from another page. So for example, the workflow through my site is something like the following: user registers a verification email is sent user clicks the link within the verification email to complete the sign up process user logs in and ONLY on a successful login will the following happen: checks are made to see if account has been verified if user has been verified, go to main menu if user has not been activated his account then he goes to a page that says account has not been activated The bit i'm struggling to get my head around is this... the user should only reach the page 'account has not been activated' page from the login page. If that page was called confirm-account.php. What can i do to stop a random person typing something along the lines of www.mywebsite.com/confirm-account.php and getting straight onto that page? or even upon the registration process if the user is taken to a page that says an email has been sent, how would i stop a random person just typing the url straight to that page and bypassing the pages I would expect them to have gone through before reaching that?? Cheers How

Excellent, i'll give that a go. Cheers lads