Jump to content

knobby2k

Members
  • Posts

    64
  • Joined

  • Last visited

    Never

Everything posted by knobby2k

  1. Hey guys, Does anyone know of a free multiple photo uploader like that used on facebook? Basically a windows explorer type view, tick the photo's you would like to upload then click the upload button?? I want to learn and think i could do the file upload but I've got no idea where to start with getting the windows explorer type view. Cheers
  2. Hi guys, quick and simple question, should you cleanse the data that you recover from a session. i.e. i have my username in a session to ensure the user is logged in... so, on my page should i be cleansing the data with the various striptags, stripslashes, htmlspecialchars, etc... OR as long as I check the data matches what i expect to be entered at the time it is input by the user, will that data still be safe when i call the session? I suppose what I am asking is can a malicious user spoof a session, so I call $_SESSION['username'] and it turn out to be $_SESSION['lots of damaging code'] Thanks
  3. debates like this where you hear one view point against another are perfect for someone learning like me. you hear both sides of an argument and can make a judgement call on what you think is best from peoples advice! keep it up lads. Cheers
  4. cheers mate i'll have a read through. thanks again
  5. Not at all, no. The session is stored on your server and can only be accessed by a user with the proper cookie. Sessions are vulnerable to hijacking, but it's generally not a huge concern. Your site itself will be vulnerable to this sort of attack, the location of the personal data doesn't really matter. Once your site is big enough to where session hijacking (through something like firesheep) is a problem, you'll know enough to roll your own session handler with built-in security and verification. -Dan Cheers Dan, much appreciated
  6. Thanks, What do you mean 'use the query string'? Cheers
  7. Thanks, I'm not leaving myself vulnerable or my users vulnerable by storing a few items of personal data in a session?? much appreciated Pete
  8. Hey people, I know this is going back to basics but i'm just learning and want to make sure I do it all correctly. I want to pass variable's from one page to another. Now currently say I wanted to hold the users age and email address from his record in the database from page A and pass it to page B for it to be displayed back to him I would store each in their own session variable (so for the purpose of the explanation session_user_email=me@email.com and session_user_age=18. On page B I would then call the session and store it in a variable then destroy the session. Just out of curiosity is the the best way to pass the data? or should i use another method? i've read about session hijacking and i'm now worried about holding personal data within a session so i'm wondering what other people do?? Cheers
  9. Ok, so... more worried and confused now!! ...can you tell me if this is secure? [*]user enters username and password [*]the form goes to logincheck.php [*]I use _POST to get the username and password entered [*]username and password is checked against the database [*]if user exists and credentials are correct then: [*]username is stored in username_session [*]password stored in password_session [*]every page after that calls those 2 session variables and then checks the database again to see if they match the user I get what you are saying about session hijacking, i think... and I tried the code you posted which output the username and the hashed password. How can I avoid this? I am still unsure as to what to do now to ensure that it is a correct user logged in! I can see the benefit of having a session_logged_in == 1 now as that doesnt give a hacker someones password if they find a way to hijack the session or find out the data stored within the session but couldn't a hacker then just send a session_logged_in = 1 variable and the username and my system would just let them straight in??? Help! lol Cheers
  10. So reading that the guy recommends using $_SESSION['LoggedIn'] = 1 to check that you have previously logged in... I'm just wondering is that secure enough? Couldn't somebody create/mimic/fabricate that variable so that your site thinks you are already authenticated? I was considering taking the username and password into session variables and simply checking that the session username and password match a record in the database, if it does then your logged in if not then you get redirected to a 'you must log in to view this page' page. Which is better? secure and performance-wise? Cheers
  11. Hi Guys, Quick question. I'm trying to get my head around how I would check that a user has reached a certain page from another page. So for example, the workflow through my site is something like the following: user registers a verification email is sent user clicks the link within the verification email to complete the sign up process user logs in and ONLY on a successful login will the following happen: checks are made to see if account has been verified if user has been verified, go to main menu if user has not been activated his account then he goes to a page that says account has not been activated The bit i'm struggling to get my head around is this... the user should only reach the page 'account has not been activated' page from the login page. If that page was called confirm-account.php. What can i do to stop a random person typing something along the lines of www.mywebsite.com/confirm-account.php and getting straight onto that page? or even upon the registration process if the user is taken to a page that says an email has been sent, how would i stop a random person just typing the url straight to that page and bypassing the pages I would expect them to have gone through before reaching that?? Cheers How
  12. Excellent, i'll give that a go. Cheers lads
  13. Hi guys, I am going nuts with this! It HAS to be something dead simple but I can't seem to see what is staring me in the face. Basically I have made a registration form and when complete you are emailed a link to click on. When you click on the link you go to a new page. The page takes the email address and the verification code from the URL via _GET. The database is then queried for a match of the email address AND the verification code, if there is a relevant record then success is displayed otherwise unsuccessful is displayed. Code: $email = strip_tags(htmlentities($_GET['email'])); $code = strip_tags(htmlentities($_GET['code'])); // confirm the variables hold the correct data echo "email: $email and code: $code"; $query = "SELECT * from userdb WHERE email='$email' AND code ='$code'"; if (mysql_query($query)) { echo "success"; } else { echo "unsuccessful"; } My problem is this query is always returning 'success'... even when the code and/or email does not match what is in my database? What am i missing? Thanks
  14. You lot are amazing! Cheers for all your help it's now sorted!! Thanks
  15. Hi guys, Thanks for your replies. The code i've posted is only a snippet, the full file is about 300 lines of code and has a lot of other html so won't i need those first 4-5 lines?? Also the link that you sent me didn't work titan. Where would i start and end the ob_start/ob_flush? Thanks again
  16. Hi guys, I've got a header problem. I've read the header sticky post but i'm still not getting anywhere. I am currently working on a registration form which loops though checking the data entered meets certain criteria by calling various functions (min length, max length, preg match, etc...), if anything returns 'false' then the form is reproduced with the error message of why it failed and what needs to be changed. If everything returned is 'true' then all day matches what is expected and the code then runs an 'insert' command. If the insert is successful then the code should forward the user to a new page displaying 'registration complete'. However, the way I have written my code I am finding it near impossible to get the forward to be before anything is output to the browser therefore causing the header error. I have tried moving things around but i'm having no luck. The error I am getting is: Warning: Cannot modify header information - headers already sent by (output started at /websites/blahblahblah/register.php:6) in /websites/blahblahblah/register.php on line 77 The code there is relevant though as it is the code that make the connection to my DB. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <?php // *** Connection - START *** // connect to database $connect = @mysql_connect("test", "test", "test") or die(mysql_error()); if (!$connect) { do_error("Could not connect to the server"); } @mysql_select_db("test_db",$connect)or do_error("Could not connect to the database"); // *** Connection - END *** // This file includes all of the check functions for the code to run through include("check.php"); if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) { $data= new check($_POST); $data->name('forename'); $data->name('surname'); if ( $data->pass == true ) { // Now we have the required data in the correct format do the code required to complete registration $forename=$data->input['forename']; $surname=$data->input['surname']; $query="INSERT INTO users ( forename, surname ) VALUES ('$forename' , '$surname' )"; if (mysql_query($query,$connect)) { //echo "success"; // once data is inserted, go to complete page header ("location: complete.php"); exit; } else { echo "Error: Please try again."; } } } else { $data= new check(); } ?> What am I actually doing wrong and how can i possibly get the insert script higher up the code?? Thanks
  17. i've closed off the other post so i'm just relying on this one now thanks
  18. wasn't sure where best to have the question... the original question was why it wouldn't accept the apostrophe... once i figured that out I wanted to know which was the best way to cleanse the data and thought the question wasn't suitable for the other board.
  19. so pass through preg_match to validate that the data is what i expect/require then run that variable through htmlentities? thanks
  20. it wouldn't make much sense to sanitize your value before passing it through preg_match So should i sanitize it once i've passed it through preg_match... just in case? or just completely really on preg_match? thanks
  21. Hey thanks for the reply, is there any harm in leaving it on?
  22. yes it looks like magic_quotes are enabled... is this a good thing or a bad thing?? cheers
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.