Posts posted by knobby2k

  1. Hey guys,

     

    Does anyone know of a free multiple photo uploader like that used on facebook? Basically a windows explorer type view, tick the photos you would like to upload then click the upload button??

     

    I want to learn and think I could do the file upload but I've got no idea where to start with getting the windows explorer type view.

     

    Cheers

  2. Hi guys,

     

    Quick and simple question: should you cleanse the data that you recover from a session?

     

    i.e. I have my username in a session to ensure the user is logged in... so, on my page should I be cleansing the data with the various striptags, stripslashes, htmlspecialchars, etc... OR as long as I check the data matches what I expect to be entered at the time it is input by the user, will that data still be safe when I call the session?

     

    I suppose what I am asking is can a malicious user spoof a session, so I call $_SESSION['username'] and it turns out to be $_SESSION['lots of damaging code']?

     

    Thanks

  3. Ok, so...

     

    more worried and confused now!!

     

    ...can you tell me if this is secure?

     

    • user enters username and password
    • the form goes to logincheck.php
    • I use _POST to get the username and password entered
    • username and password is checked against the database
    • if user exists and credentials are correct then:
    • username is stored in username_session
    • password stored in password_session
    • every page after that calls those 2 session variables and then checks the database again to see if they match the user

     

    I get what you are saying about session hijacking, I think... and I tried the code you posted which output the username and the hashed password.

     

    How can I avoid this?

     

    I am still unsure as to what to do now to ensure that it is a correct user logged in! I can see the benefit of having a session_logged_in == 1 now as that doesn't give a hacker someone's password if they find a way to hijack the session or find out the data stored within the session but couldn't a hacker then just send a session_logged_in = 1 variable and the username and my system would just let them straight in???

     

    Help! lol

     

    Cheers

     

    Ok, I've been doing more reading and think that I am about there!! If I prevent against session hacking using a token type system and use the sessions: session_logged_in and session_username, then I can assume that the sessions are from the intended user. I think the following workflow should explain my understanding a bit clearer:

     

    • user enters username and password into the login page
    • login script calls the variables from the form using _POST
    • user is authenticated
    • if user exists:
    • create a session ($_SESSION['LoggedIn'] = 1 and $_SESSION['Username'] = $username)
    • user is then redirected to membersarea.php

    • on membersarea.php the script checks the sessions:

    if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']))

    • you are now logged in.
    • else you are redirected to a login page

     

    Is that correct? I feel like I am blindly just assuming the session is valid and giving someone (maybe a hacker) free roaming access to this account.

     

    1 last thing, previously I would have used sessions to hold the username and password and then re-authenticate every time I hit a new page. If I use the method above (if it is indeed correct) when I query the database for the logged in user's data (to take in his surname from the database into a variable for example) would I just use a simple

    SELECT * FROM users_table WHERE username='$username'

    (ignore the code, I've just typed this as an example).

     

    Thanks
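
Added example, not part of the original post and not the poster's code: the login workflow described above, with the session holding only a flag and the username. `$_SESSION` is stored on the server and the browser sends only the session ID, so the script regenerates that ID at login and looks the user up with a bound parameter; the in-memory SQLite database, the `pete` row and the function names `login()` and `current_user()` are assumptions made so it runs on its own.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.5+ with pdo_sqlite;
// users_table, LoggedIn and Username follow the post, the user row is constructed.
ini_set('session.use_strict_mode', '1');            // refuse session IDs the server did not issue
session_set_cookie_params(0, '/', '', true, true);  // Secure (needs HTTPS) + HttpOnly cookie
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users_table (username TEXT PRIMARY KEY, pass_hash TEXT, surname TEXT)');
$pdo->prepare('INSERT INTO users_table VALUES (?, ?, ?)')
    ->execute(['pete', password_hash('correct horse', PASSWORD_DEFAULT), 'Smith']);

// logincheck.php: the only place the password is handled.
function login(PDO $pdo, $username, $password)
{
    if (!is_string($username) || !is_string($password)) return false;
    $stmt = $pdo->prepare('SELECT pass_hash FROM users_table WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // new ID at login, old one is discarded
    $_SESSION['LoggedIn'] = 1;          // kept server-side; the browser only holds the ID
    $_SESSION['Username'] = $username;  // no password or hash goes into the session
    return true;
}

// membersarea.php: check the session, then fetch the user's row with a bound parameter.
function current_user(PDO $pdo)
{
    if (empty($_SESSION['LoggedIn']) || empty($_SESSION['Username'])) {
        return null;                    // caller redirects to the login page
    }
    $stmt = $pdo->prepare('SELECT username, surname FROM users_table WHERE username = ?');
    $stmt->execute([$_SESSION['Username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$before = current_user($pdo);                     // no login yet
$bad    = login($pdo, 'pete', 'guess');           // wrong password
$good   = login($pdo, 'pete', 'correct horse');   // correct password
$after  = current_user($pdo);                     // row for the logged-in user
var_dump($before, $bad, $good, $after);
```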

  4. Query string is the part of the URL after the page, and before the anchor.

     

    The bold part is the query string

     

    domain.com/folder/file.php?this=that&foo=bar#anchor

     

    Here's a very in depth read on why sessions are generally a bad idea for anything other than static information. It even goes as far as to say avoid sessions completely

    http://00f.net/2011/01/19/thoughts-on-php-sessions/

     

    Cheers mate, I'll have a read through.

     

    thanks again

  5. Thanks,

     

    I'm not leaving myself vulnerable or my users vulnerable by storing a few items of personal data in a session??

     

    much appreciated

     

    Pete

    Not at all, no.  The session is stored on your server and can only be accessed by a user with the proper cookie.  Sessions are vulnerable to hijacking, but it's generally not a huge concern.  Your site itself will be vulnerable to this sort of attack, the location of the personal data doesn't really matter.  Once your site is big enough to where session hijacking (through something like firesheep) is a problem, you'll know enough to roll your own session handler with built-in security and verification.

     

    -Dan

     

    Cheers Dan, much appreciated

  6. Unless you want this information to persist during and ENTIRE session, DON'T USE SESSIONS.

     

    Sessions aren't good at transferring data from one page to the next, use the query string for that. If you want to keep important static data throughout an entire session, use sessions. Things like user information and access levels are good. Shopping cart information is okay, but still better kept in a DB imo. Things like last page visited, form information, etc are generally not good.

     

    There are exceptions to those rules though, and in the event that it makes sense to use sessions (caching search results to save queries through pagination) you should be using a unique token for that request passed through the query string to keep that information attached to that specific request. You wouldn't want a search result in a separate tab messing with the data of a search result in another.

     

    Thanks,

     

    What do you mean 'use the query string'?

     

    Cheers

  7. Hey people,

     

    I know this is going back to basics but I'm just learning and want to make sure I do it all correctly.

     

    I want to pass variables from one page to another. Now currently say I wanted to hold the user's age and email address from his record in the database from page A and pass it to page B for it to be displayed back to him I would store each in their own session variable (so for the purpose of the explanation session_user_email=me@email.com and session_user_age=18).

     

    On page B I would then call the session and store it in a variable then destroy the session.

     

    Just out of curiosity is this the best way to pass the data? Or should I use another method?

     

    I've read about session hijacking and I'm now worried about holding personal data within a session so I'm wondering what other people do??

     

    Cheers

  8. Ok, so...

     

    more worried and confused now!!

     

    ...can you tell me if this is secure?

     

    • user enters username and password
    • the form goes to logincheck.php
    • I use _POST to get the username and password entered
    • username and password is checked against the database
    • if user exists and credentials are correct then:
    • username is stored in username_session
    • password stored in password_session
    • every page after that calls those 2 session variables and then checks the database again to see if they match the user

     

    I get what you are saying about session hijacking, I think... and I tried the code you posted which output the username and the hashed password.

     

    How can I avoid this?

     

    I am still unsure as to what to do now to ensure that it is a correct user logged in! I can see the benefit of having a session_logged_in == 1 now as that doesn't give a hacker someone's password if they find a way to hijack the session or find out the data stored within the session but couldn't a hacker then just send a session_logged_in = 1 variable and the username and my system would just let them straight in???

     

    Help! lol

     

    Cheers

  9. So reading that the guy recommends using $_SESSION['LoggedIn'] = 1 to check that you have previously logged in...

     

    I'm just wondering is that secure enough? Couldn't somebody create/mimic/fabricate that variable so that your site thinks you are already authenticated?

     

    I was considering taking the username and password into session variables and simply checking that the session username and password match a record in the database, if it does then you're logged in, if not then you get redirected to a 'you must log in to view this page' page.

     

    Which is better? secure and performance-wise?

     

    Cheers

  10. Hi Guys,

     

    Quick question.

     

    I'm trying to get my head around how I would check that a user has reached a certain page from another page.

     

    So for example, the workflow through my site is something like the following:

     

    • user registers
    • a verification email is sent
    • user clicks the link within the verification email to complete the sign up process
    • user logs in and ONLY on a successful login will the following happen:
    • checks are made to see if account has been verified
    • if user has been verified, go to main menu
    • if user has not activated his account then he goes to a page that says account has not been activated

     

    The bit I'm struggling to get my head around is this...

     

    The user should only reach the 'account has not been activated' page from the login page. If that page was called confirm-account.php, what can I do to stop a random person typing something along the lines of www.mywebsite.com/confirm-account.php and getting straight onto that page? Or even upon the registration process if the user is taken to a page that says an email has been sent, how would I stop a random person just typing the url straight to that page and bypassing the pages I would expect them to have gone through before reaching that??

     

    :shrug:

     

    Cheers

     

     

     

    How

  11. Hi guys,

     

    I am going nuts with this!

     

    It HAS to be something dead simple but I can't seem to see what is staring me in the face.

     

    Basically I have made a registration form and when complete you are emailed a link to click on.

    When you click on the link you go to a new page. The page takes the email address and the verification code from the URL via _GET. The database is then queried for a match of the email address AND the verification code, if there is a relevant record then success is displayed otherwise unsuccessful is displayed.

     

    Code:

    $email = strip_tags(htmlentities($_GET['email']));
    $code = strip_tags(htmlentities($_GET['code']));
    
    // confirm the variables hold the correct data
    echo "email: $email and code: $code";
    
    $query = "SELECT * from userdb WHERE email='$email' AND code ='$code'";
    
    if (mysql_query($query))
    {
        echo "success";
    }
    else
    {
        echo "unsuccessful";
    }
    
    

     

    My problem is this query is always returning 'success'... even when the code and/or email does not match what is in my database?

     

    What am I missing?

     

    Thanks
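
Added example, not part of the original post: `mysql_query()` returns a result resource for any SELECT that executes without error, including one that matches zero rows, so the check has to look at the row that came back. The script below does that with PDO and bound parameters and compares the stored code in constant time; the in-memory SQLite database, the `verified` column, the sample row and the function name `verify_account()` are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.6+ with pdo_sqlite;
// userdb, email and code follow the post, the row below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userdb (email TEXT PRIMARY KEY, code TEXT, verified INTEGER DEFAULT 0)');
$pdo->prepare('INSERT INTO userdb (email, code) VALUES (?, ?)')
    ->execute(['pete@example.com', 'c0ffee1234']);

function verify_account(PDO $pdo, $email, $code)
{
    // Reject arrays (?email[]=x) and empty values before touching the database.
    if (!is_string($email) || !is_string($code) || $email === '' || $code === '') {
        return false;
    }
    // Bound parameter: the raw value goes to the driver, no htmlentities/strip_tags needed.
    $stmt = $pdo->prepare('SELECT code FROM userdb WHERE email = ? AND verified = 0');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() gives false when no row matched: the query ran, but there is nothing to verify.
    if ($row === false || !hash_equals($row['code'], $code)) {
        return false;
    }
    // Mark the account verified so the same link cannot be replayed.
    $upd = $pdo->prepare('UPDATE userdb SET verified = 1 WHERE email = ?');
    $upd->execute([$email]);
    return $upd->rowCount() === 1;
}

// In the page these would be $_GET['email'] and $_GET['code'].
$wrongCode  = verify_account($pdo, 'pete@example.com', 'wrong');
$unknown    = verify_account($pdo, 'nobody@example.com', 'c0ffee1234');
$firstUse   = verify_account($pdo, 'pete@example.com', 'c0ffee1234');
$secondUse  = verify_account($pdo, 'pete@example.com', 'c0ffee1234');
var_dump($wrongCode, $unknown, $firstUse, $secondUse);
```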

  12. Hi guys,

     

    Thanks for your replies.

     

    The code I've posted is only a snippet, the full file is about 300 lines of code and has a lot of other html so won't I need those first 4-5 lines??

     

    Also the link that you sent me didn't work titan. Where would I start and end the ob_start/ob_flush?

     

    Thanks again

     

     

  13. Hi guys,

     

    I've got a header problem. I've read the header sticky post but I'm still not getting anywhere.

     

    I am currently working on a registration form which loops through checking the data entered meets certain criteria by calling various functions (min length, max length, preg match, etc...), if anything returns 'false' then the form is reproduced with the error message of why it failed and what needs to be changed. If everything returned is 'true' then all data matches what is expected and the code then runs an 'insert' command. If the insert is successful then the code should forward the user to a new page displaying 'registration complete'.

     

    However, the way I have written my code I am finding it near impossible to get the forward to be before anything is output to the browser therefore causing the header error. I have tried moving things around but I'm having no luck.

     

    The error I am getting is:

     

    Warning: Cannot modify header information - headers already sent by (output started at /websites/blahblahblah/register.php:6) in /websites/blahblahblah/register.php on line 77

     

    The code there is relevant though as it is the code that makes the connection to my DB.

     

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <?php
    // *** Connection - START ***
    // connect to database
    $connect = @mysql_connect("test", "test", "test") or die(mysql_error());
      
    if (!$connect) 
    { 
            do_error("Could not connect to the server"); 
    } 
    
    @mysql_select_db("test_db",$connect)or do_error("Could not connect to the database");
    // *** Connection - END ***
    
    // This file includes all of the check functions for the code to run through
    include("check.php"); 
    
    if ( $_SERVER['REQUEST_METHOD'] == 'POST' )
    {
    $data= new check($_POST);
    
    $data->name('forename');
    $data->name('surname');
    
    if ( $data->pass == true )
    {
    	// Now we have the required data in the correct format do the code required to complete registration 
    
    	$forename=$data->input['forename'];
    	$surname=$data->input['surname'];
    
    	$query="INSERT INTO users ( forename, surname ) VALUES ('$forename' , '$surname' )";
    
    	if (mysql_query($query,$connect))
    	{										
    		//echo "success";
    
    		// once data is inserted, go to complete page
    		header ("location: complete.php");
    		exit;
    	}
    	else
    	{
    		echo "Error: Please try again.";
    	}
    }
    }
    else
    {
    $data= new check();
    }
    ?>
    
    

     

    What am I actually doing wrong and how can I possibly get the insert script higher up the code??

     

    Thanks

     

     

  14.  

    Wasn't sure where best to have the question... the original question was why it wouldn't accept the apostrophe... once I figured that out I wanted to know which was the best way to cleanse the data and thought the question wasn't suitable for the other board.

     

     

  15. I'd just apply htmlentities once the username has been validated/verified.

     

    So pass through preg_match to validate that the data is what I expect/require then run that variable through htmlentities?

     

    thanks

    Think I know why...

     

    When I go to view source on the page it displays this:

     

    
    <p>*First Name: <input type="text" name="firstname" value="John&#38;#039;" maxlength="80" /> 
    
    

     

    It's cleansing the data earlier on in the script here:

     

    
    $data[$key] = trim(htmlspecialchars(strip_tags(stripslashes($value)), ENT_QUOTES, 'UTF-8'));
    
    

     

    so converting the apostrophe to '&#38;#039;'. Obviously with me then doing a preg_match it is refusing the '&#38;#;'.

     

    Now my question is...

     

    A) do I allow for '&#38;#;' in the preg_match

     

    OR

     

    B) remove the htmlspecialchars

     

    any suggestions?

     

    cheers

     

    it wouldn't make much sense to sanitize your value before passing it through preg_match

     

    So should I sanitize it once I've passed it through preg_match... just in case?

     

    or just completely rely on preg_match?

     

    thanks
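
Added example, not part of the original posts: the ordering discussed above, with the raw value validated first and `htmlspecialchars()` applied once, at the point the value is written into HTML. The name pattern, the sample value and the function names `valid_name()` and `for_html()` are assumptions; the script also shows why an already-encoded value fails the pattern and what a second encoding pass does to it.

```php
<?php
// Added example, not the poster's code. The pattern and sample value are constructed.

function valid_name($raw)
{
    // Validate the raw input: starts with a letter, then letters, spaces,
    // hyphens or apostrophes, 80 characters at most. \z (not $) so a
    // trailing newline is rejected as well.
    return is_string($raw) && preg_match('/^\p{L}[\p{L} \'-]{0,79}\z/u', $raw) === 1;
}

function for_html($value)
{
    // Output encoding for an HTML attribute or text node; ENT_QUOTES covers the apostrophe.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$raw = trim("O'Brien");              // stands in for $_POST['firstname']
$encodedFirst = for_html($raw);      // what the early "cleansing" line produced

// Validation on the raw value versus on the encoded copy (& # ; are outside the pattern).
$rawOk     = valid_name($raw);
$encodedOk = valid_name($encodedFirst);
var_dump($rawOk, $encodedOk);

// Correct order: validate, keep the raw value, encode only when echoing it back.
if ($rawOk) {
    echo '<input type="text" name="firstname" value="' . for_html($raw) . '" maxlength="80" />', "\n";
}

// Encoding a value that was already encoded turns its & into &amp;,
// which is how a doubled entity ends up in the page source.
echo for_html($encodedFirst), "\n";
```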

  17. 1. Do you have magic_quotes enabled?

    2. Depending on what the code does with $data you should/should not be using htmlspecialchars().

     

    Yes, it looks like magic_quotes are enabled... is this a good thing or a bad thing??

     

    cheers
