casualventures
Posts: 4
Posts posted by casualventures
So when I execute this it'll go for about 130k rows then give a 500 error. Any ideas how to avoid this and get it to complete?
<?php
// Walk every 8-digit value and write one row per iteration: 90 million
// single-row INSERTs, each a separate round trip to the database
$i = 10000000;
while ($i <= 99999999) {
    $public = $i;
    $value  = rand(10000000, 99999999);
    mysql_query("INSERT INTO yummy_table (public, value) VALUES('$public', '$value')") or die(mysql_error());
    $i++;
}
echo "done";
-
Okay so I stayed up all night and made it better. Now the script has both a session generated on the fly as well as a constant token. I've got a few finishing touches to do but I actually think it's just about done. I think I need to go through and make the code a little cleaner and maybe throw a few more comments in there but after that I think it's time to move onto phase two. Here are a couple of code snippets for your enjoyment, or in case you don't wanna download the zip.
So the page structure is as follows:
- Session.php is where all the magic happens, it's always there included in the index.php
- There's a login.php which uses auth.php to log users in
- There's a register.php which uses create.php to create users
Session.php
<?php
// Database stuff
mysql_connect("host", "user", "pass") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

// Check to see if the cookie exists
if(isset($_COOKIE['auth'])){
    // What does it equal? The cookie is "token-session"; pad the result so a
    // cookie without a dash still yields two strings instead of a notice
    $cookie = $_COOKIE['auth'];
    list($token, $session) = array_pad(explode('-', $cookie, 2), 2, '');
    // The cookie is client input like any POST field, so escape it too
    $token = mysql_real_escape_string($token);
    $session = mysql_real_escape_string($session);

    // Check database to see if cookie value is valid
    $sql="SELECT * FROM users WHERE token='$token' AND session='$session'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);

    // If the cookie is valid then display the user page content
    if($count==1){
        $row = mysql_fetch_array( $result );
        $username = $row['username'];
        $authenticated = "true";

        // Change up the cookie to prevent fixation
        $session = sha1($username.time());
        $cookie = $token."-".$session;
        setcookie('auth', $cookie, time()+3600);
        mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
    }
    // If the cookie is not valid then kill it and go back to login
    else{
        setcookie('auth', '', time()-3600);
        header("location:?page=login");
        mysql_query("UPDATE users SET session='' WHERE token='$token'");
    }
}
?>
Create.php
<?php
$username = mysql_real_escape_string(stripslashes($_POST["username"]));
$password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));
$token = sha1($username.time());   // the constant per-user token

// Is the username already taken?
$sql="SELECT * FROM users WHERE username='$username'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

if($username==""){
    echo "Username can not be blank<br>";
}
// sha1("") is this constant, i.e. the password field was left empty
elseif($password=="da39a3ee5e6b4b0d3255bfef95601890afd80709"){
    echo "Password can not be blank";
}
elseif($count==1){
    echo "Sorry. That username is already taken.";
}
else {
    mysql_query("INSERT INTO users (username, password, token) VALUES('$username', '$password', '$token')") or die(mysql_error());
    // Log the new user straight in: issue a session and set the cookie
    $session = sha1($username.time());
    $cookie = $token."-".$session;
    setcookie('auth', $cookie, time()+3600);
    mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
    header("location:?page=user");
}
?>
Auth.php
<?php
$username = mysql_real_escape_string(stripslashes($_POST["username"]));
$password = sha1(mysql_real_escape_string(stripslashes($_POST["password"])));

// Look up the user by name and hashed password
$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);

if($count==1){
    $row = mysql_fetch_array( $result );
    $token = $row['token'];   // the constant token set at registration
    // Issue a fresh session for this login and store it
    $session = sha1($username.time());
    mysql_query("UPDATE users SET session='$session' WHERE username='$username'");
    $cookie = $token."-".$session;
    setcookie('auth', $cookie, time()+3600);
    header("location:?page=user");
}
else {
    echo "Login invalid";
}
?>
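The token-session cookie scheme from Session.php above, as an added example that is not the poster's code: the same flow with PDO prepared statements instead of string-built SQL, a CSPRNG session value instead of sha1(username.time()), and a constant-time compare. It assumes PHP 7.3+ with pdo_sqlite; the users table and the user 'alice' are constructed for the demo.

```php
<?php
// Added example, not the original poster's code: the Session.php scheme with
// bound parameters, random_bytes() sessions and hash_equals(). Assumes PHP 7.3+
// with pdo_sqlite; the table and the user 'alice' are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, token TEXT, session TEXT)');

// Store a fresh, unpredictable session value for the user and return it.
function newSession(PDO $db, string $username): string {
    $session = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET session = ? WHERE username = ?')
       ->execute([$session, $username]);
    return $session;
}

// Validate an "auth" cookie of the form token-session. Returns the username on
// success (rotating the session and writing the new cookie value to $rotated),
// null otherwise.
function checkCookie(PDO $db, string $cookie, ?string &$rotated): ?string {
    $rotated = null;
    $parts = explode('-', $cookie, 2);
    // An empty session half must fail even while the stored session is still ''
    if (count($parts) !== 2 || $parts[1] === '') {
        return null;
    }
    [$token, $session] = $parts;
    $stmt = $db->prepare('SELECT username, session FROM users WHERE token = ?');
    $stmt->execute([$token]);   // bound value: quotes inside it are just data
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['session'], $session)) {
        return null;
    }
    $rotated = $token . '-' . newSession($db, $row['username']);
    return $row['username'];
}

// Registration sets the constant token once; login issues the first session.
$token = bin2hex(random_bytes(32));
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')->execute(['alice', $token, '']);
$cookie = $token . '-' . newSession($db, 'alice');
$user   = checkCookie($db, $cookie, $fresh);        // valid: 'alice', session rotated
$replay = checkCookie($db, $cookie, $unused);       // old value no longer matches: null
$bare   = checkCookie($db, $token . '-', $unused);  // token without a session: null
if (PHP_SAPI !== 'cli') {   // in a real request, send the rotated value with protective flags
    setcookie('auth', $fresh, ['expires' => time() + 3600, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}
echo ($user === 'alice' && $replay === null && $bare === null) ? "ok\n" : "fail\n";
```

Run from the command line it prints "ok"; the HttpOnly and Secure flags address the sidejacking and cross-site scripting points the poster lists, and the bound parameters the injection point.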
-
I'm working on a user management backend for a web app. My first area of focus is session/cookie security.
I know the main security points I need to take into consideration are:
- Injection
- Session fixation
- Session sidejacking
- Cross-site scripting
Attached is the current version of the script. Not super pretty but gets the point across. Feel free to point out any deficiencies you see.
[attachment deleted by admin]
-
Finally decided to get serious about this php stuff and could use a few smart minds to bounce ideas off of. Glad to be part of the community.
Insert data into 100 million rows without 500 error? (in PHP Coding Help)
Because it needs to happen when a web app is getting installed via the browser. Is there a different way you would suggest I go about it?