Posts posted by casualventures

  1. So when I execute this it'll go for about 130k rows then give a 500 error. Any ideas how to avoid this and get it to complete?

     

    $i=10000000;
    while($i<=99999999)
      { 
      $public = $i;
      $value = rand(10000000, 99999999);  
      mysql_query("INSERT INTO yummy_table (public, value) VALUES('$public', '$value' ) ") or die(mysql_error());  
      $i++;
      }
    echo "done";
    

  2. Okay so I stayed up all night and made it better. Now the script has both a session generated on the fly as well as a constant token. I've got a few finishing touches to do but I actually think it's just about done. I think I need to go through and make the code a little cleaner and maybe throw a few more comments in there but after that I think it's time to move onto phase two. Here's a couple code snippets for your enjoyment, or if you don't wanna download the zip.

     

    So the page structure is as follows:

    • Session.php is where all the magic happens, it's always there included in the index.php
    • There's a login.php which uses auth.php to log users in
    • There's a register.php which uses create.php to create users

     

    Session.php

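    <?php
    
    // Database connection
    mysql_connect("host", "user", "pass") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());
    
    // Check to see if the cookie exists
    if(isset($_COOKIE['auth'])){
    
    	// Cookie format is "token-session"; pad so a cookie without "-" still yields two values
    	// (explode() replaces the deprecated split())
    	list($token, $session) = array_pad(explode('-', $_COOKIE['auth'], 2), 2, '');
    
    	// The cookie is client-controlled, so escape both parts before they reach the query
    	$token = mysql_real_escape_string($token);
    	$session = mysql_real_escape_string($session);
    
    	// Check database to see if cookie value is valid
    	$sql="SELECT * FROM users WHERE token='$token' AND session='$session'";
    	$result=mysql_query($sql);
    	$count=mysql_num_rows($result);
    
    	// If the cookie is valid then display the user page content.
    	// An empty session is what the invalid-cookie branch writes to the row, so never accept it.
    	if($session!='' && $count==1){
    		$row = mysql_fetch_array( $result );
    		$username = $row['username'];
    		$authenticated = "true";
    
    		// Change up the cookie to prevent fixation
    		$session = sha1($username.time());
    		$cookie = $token."-".$session;
    		setcookie('auth', $cookie, time()+3600);
    		// The username comes back from the database unescaped, so escape it again
    		$user = mysql_real_escape_string($username);
    		mysql_query("UPDATE users SET session='$session' WHERE username='$user'");
    	}
    
    	// If the cookie is not valid then kill it and go back to login
    	else{
    		setcookie('auth', '', time()-3600);
    		mysql_query("UPDATE users SET session='' WHERE token='$token'");
    		header("location:?page=login");
    		// Stop here so the rest of the page is not rendered after the redirect
    		exit;
    	}
    }
    
    ?>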
    

     

    Create.php

    <?php
    
    // Username is escaped for use in SQL
    $username = mysql_real_escape_string(stripslashes($_POST["username"]));
    // SHA-1 of the (escaped) password; Auth.php hashes the same way so the values match
    $password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));
    // Constant per-user token, created once at registration
    $token = sha1($username.time());
    
    // Is the username already taken?
    $sql="SELECT * FROM users WHERE username='$username'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);
    
    if($username==""){
    	echo "Username can not be blank<br>";
    }
    
    // da39a3ee... is the SHA-1 of the empty string, i.e. a blank password
    elseif($password=="da39a3ee5e6b4b0d3255bfef95601890afd80709"){
    	echo "Password can not be blank";
    }
    
    elseif($count==1){
    	echo "Sorry. That username is already taken.";
    }
    
    else {
    	// Create the user, then log them in with a fresh session value
    	mysql_query("INSERT INTO users (username, password, token) VALUES('$username', '$password', '$token')") or die(mysql_error());
    	$session = sha1($username.time());
    	$cookie = $token."-".$session;
    	setcookie('auth', $cookie, time()+3600);
    	mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
    	header("location:?page=user");
    	exit;
    }
    
    ?>
    

     

    Auth.php

    <?php
    
    // Username is escaped for use in SQL
    $username = mysql_real_escape_string(stripslashes($_POST["username"]));
    // Must match the hashing used in Create.php
    $password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));
    
    // Look for a user with this username and password hash
    $sql="SELECT * FROM users WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);
    
    if($count==1){
    	$row = mysql_fetch_array( $result );
    	$token = $row['token'];
    
    	// New session value on every login; the token stays constant
    	$session = sha1($username.time());
    	mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
    
    	$cookie = $token."-".$session;
    	setcookie('auth', $cookie, time()+3600);
    
    	header("location:?page=user");
    	exit;
    }
    
    else {
    	echo "Login invalid";
    }
    
    ?>
    

  3. I'm working on a user management backend for a web app. My first area of focus is session/cookie security.

     

    I know the main security points I need to take into consideration are:

    • Injection
    • Session fixation
    • Session sidejacking
    • Cross-site scripting

     

    Attached is the current version of the script. Not super pretty but gets the point across. Feel free to point out any deficiencies you see.

     

    [attachment deleted by admin]
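
An added example (not the poster's code) covering the cookie check from Session.php and the concerns listed above: a CSPRNG session id, bound query parameters, rotation on login, and HttpOnly/Secure cookie flags. It assumes PHP 7.3+ with PDO SQLite; the function names and the `expires` column are hypothetical, and the in-memory table is constructed demo data.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7.3 with pdo_sqlite;
// function names and the "expires" column are hypothetical.
declare(strict_types=1);

function issue_session(PDO $db, string $username): string
{
    // 256 bits from the CSPRNG; sha1($username.time()) is built from guessable inputs.
    $sid = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked users table does not yield live cookies.
    $stmt = $db->prepare('UPDATE users SET session = ?, expires = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $sid), time() + 3600, $username]);
    return $sid;
}

function validate_session(PDO $db, string $cookie): ?string
{
    // Reject anything that is not exactly 64 hex chars before touching the database.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null;
    }
    // Bound parameters: the cookie value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username FROM users WHERE session = ? AND expires > ?');
    $stmt->execute([hash('sha256', $cookie), time()]);
    $username = $stmt->fetchColumn();
    return $username === false ? null : (string) $username;
}

function send_cookie(string $sid): void
{
    // HttpOnly keeps scripts away from the cookie; Secure keeps it off plain HTTP.
    setcookie('auth', $sid, ['expires' => time() + 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, session TEXT, expires INTEGER)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

$sid = issue_session($db, 'alice');
var_dump(validate_session($db, $sid));            // freshly issued id
var_dump(validate_session($db, "x' OR '1'='1"));  // malformed cookie, fails the format check
issue_session($db, 'alice');                      // rotate, as on a new login
var_dump(validate_session($db, $sid));            // the id issued before rotation
```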
