verror

  1. Thanks Christian. What would be a better option for ending the session on log out?
  2. So, Sessions are a pretty weak point for me and I just wanted to verify if there is any better method for using them than how I currently am. At the moment this is how I am creating the Session after details have been input (this is only part of the class):

     public function Login()
     {
         $success = false;
         try {
             $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
             $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
             $sql = "SELECT * FROM admin WHERE username = :username AND password = :password LIMIT 1";
             $stmt = $con->prepare( $sql );
             $stmt->bindValue( "username", $this->username, PDO::PARAM_STR );
             $stmt->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR );
             $stmt->execute();
             $user = $stmt->fetch( PDO::FETCH_ASSOC ); // the matching admin row, or false
             if( $user ) {
                 $success = true;
                 session_start();
                 session_regenerate_id();
                 $_SESSION['user'] = $user['username'];
                 session_write_close();
                 header("Location: /admin.php");
                 exit();
             }
         } catch( PDOException $e ) {
             // database error: log it, $success stays false
         }
         return $success;
     }

     This is how I check the sessions on the secured page:

     <?php
     session_start();
     if(!isset($_SESSION['user']) || (trim($_SESSION['user']) == '')) {
         header("location: login.php");
         exit();
     }
     ?>

     And this is how I logout:

     <?php
     session_start();
     session_destroy();
     header("location:/index.php");
     exit();
     ?>

     Is that a decent method, if not, how else should I go about doing it?
  3. No luck, still doesn't accept the password. I just tried removing salt from both the registration and login script. Registered a new account with only the sha1() function but it still won't login.
  4. Essentially I am receiving the defined error here for incorrect username and password.

     $user=$_POST['user'];
     $pass=$_POST['pass'];
     $salt = 'salthere';
     $user = stripslashes($user);
     $pass = stripslashes($pass);
     $user = mysql_real_escape_string($user);
     $pass = mysql_real_escape_string($pass);
     $sql="SELECT * FROM $tbl WHERE username='$user' and password=sha1('$salt.$pass')";
     $result=mysql_query($sql);
     $count=mysql_num_rows($result);
     if($count==1){
         session_register("user");
         session_register("pass");
         header("location:loginsuccess.php");
     } else {
         echo "Wrong Username or Password";
     }

     And the HTML form has the correct names and ids. Every login attempt provided the "Wrong username or password" error. It is definitely connecting to the database correctly (I have removed that section from the above code).
  5. I have just given that a try but unfortunately it is still not able to verify the login details. Any additional thoughts?
  6. Thanks for the reply Muddy, I'll give it a go when I get home from work and see how it runs. I have had a look at crypt() previously, never used it before so at the moment I am just trying to get the system working as is, and then look at refining the security once it is complete.
  7. Hi Guys, Just a quick one (sort of). I am working on a registration + login system, however I am a little stuck when it comes to logging a user in due to the secured password. At the moment my registration snippet is like so (cut out the un-needed stuff), the $salt is just a static value at the moment:

     $salt = 'salthere';
     mysql_query("INSERT INTO members (`id`, `first`, `last`, `email`, `username`, `password`) VALUES (NULL , '$first', '$last', '$email', '$user', sha1('$salt.$pass'))");

     When logging a user in though, how do I check against the password correctly? At the moment I am checking it like this:

     $sql="SELECT * FROM $tbl WHERE username='$user' and password='$salt.$pass'";

     I obviously have the same $salt string in the login form as well. However this does not work (it does if I remove the SHA1 and Salt from the registration form), any other way of verifying the password that could work?
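The following is an added example, not the poster's code, covering both the hashed-password check asked about in this post and the session creation, page check and logout asked about in posts 1 and 2. It replaces the static-salt sha1/sha256 scheme with password_hash()/password_verify() (PHP 5.5 or later) and assumes a `users` table with `username` and `password_hash` columns plus the DB_DSN, DB_USERNAME and DB_PASSWORD constants from post 2.

```php
<?php
// Added example, not the poster's code. Assumes a `users` table with
// `username` and `password_hash` columns and the DB_* constants from the
// post; needs PHP >= 5.5 for password_hash()/password_verify().

function register(PDO $con, $username, $password) {
    // bcrypt with a random per-user salt; the salt is stored inside the hash
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(':u' => $username, ':h' => $hash));
}

function login(PDO $con, $username, $password) {
    // Look the user up by name only; the password never goes into the query
    $stmt = $con->prepare('SELECT username, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false; // same result for unknown user and wrong password
    }
    session_start();
    session_regenerate_id(true);   // fresh id, old session data deleted
    $_SESSION['user'] = $row['username'];
    return true;
}

function require_login() {
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: /login.php');
        exit();
    }
}

function logout() {
    session_start();
    $_SESSION = array();                  // drop the server-side data
    if (ini_get('session.use_cookies')) { // and expire the browser's cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /index.php');
    exit();
}
```

A caller redirects to /admin.php when login() returns true; logout() expires the cookie as well as destroying the session, so the old session id is no longer sent by the browser.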
  8. Thanks for the reply Zane. It's not exactly what I am looking for however, I more so require the php script to read what has been entered into the text field after the user hits submit to then grab the domain extension that has been placed so that the script can then run the whois check.
  9. I am currently working on/updating a whois script (PHPAjaxwhois). At current you have the ability to enter a domain (without the extension, e.g. www.google) and then select a tld/extension from a list of check boxes before searching. I am working on updating this to not require the selection of a tld/extension via a check box but by just typing it directly in (e.g. www.google.com) for the search. The original code is:

     class AjaxWhois{
         var $serverList;
         var $tr = 0;

         function CheckWhois($domain){
             return " <a href=\"#\" onclick=\"javascript:makeRequest('get.php', '?domain=$domain');\">Whois</a> ";
         }

         function tldList(){
             $i = 0;
             foreach ($this->serverList as $value) {
                 if ($value['check'] == true)
                     $checked=" checked='checked' ";
                 else
                     $checked = " ";
                 echo '<td><input type="checkbox" name="tld_'.$value['tld'].'"'.$checked.' />.'.$value['tld'].'</td>';
                 $i++;
                 if ($i > 4) {
                     $i = 0;
                     echo '</tr><tr>';
                 }
             }
         }

         function processAjaxWhois(){
             $domainName = (isset($_POST['domain'])) ? $_POST['domain'] : '';
             for ($i = 0; $i < sizeof($this->serverList); $i++) {
                 // PHP turns "." into "_" in POST field names, so tld_com.au arrives as tld_com_au
                 $actTop = "tld_".$this->serverList[$i]['tld'];
                 $check = str_replace(".", "_", $actTop);
                 $this->serverList[$i]['check'] = isset($_POST[$check]) ? true : false;
             }
             if (strlen($domainName)>2){
                 echo '<fieldset><legend class="green">Whois results</legend>';
                 echo '<table class="tabel">';
                 echo '<tr><th colspan="2"></th></tr>';
                 for ($i = 0; $i < sizeof($this->serverList); $i++) {
                     if ($this->serverList[$i]['check']){
                         $this->showDomainResult($domainName.".".$this->serverList[$i]['tld'], $this->serverList[$i]['server'], $this->serverList[$i]['response']);
                     }
                 }
                 echo '</table></fieldset>';
             }
         }

         function showDomainResult($domain,$server,$findText){
             if ($this->tr == 0){
                 $this->tr = 1;
                 $class = " class='alt'";
             } else {
                 $this->tr = 0;
                 $class = "";
             }
             if ($this->checkDomain($domain,$server,$findText)){
                 echo "<tr $class><td><span class='td'>$domain</span></td><td class='disponibil'><img src='images/available.png' width='16' height='16' align='absmiddle'/> AVAILABLE | <a href='#'>REGISTER DOMAIN NAME</a></td></tr>";
             } else
                 echo "<tr $class><td><span class='ta'>$domain</span></td><td class='ocupat'><img src='images/taken.png' width='16' height='16' align='absmiddle'/> TAKEN <a href='http://www.$domain/' target='_blank'> WWW </a> ".$this->CheckWhois($domain)."</td></tr>";
         }

         function checkDomain($domain,$server,$findText){
             $con = fsockopen($server, 43);
             if (!$con) return false;
             fputs($con, $domain."\r\n");
             $response = ' :';
             while(!feof($con)) {
                 $response .= fgets($con,128);
             }
             fclose($con);
             $tld = substr($domain, -3, 3);
             //echo $tld;
             if ($tld == ".au") {
                 if (strpos($response, $findText)){
                     return false;
                 } else {
                     return true;
                 }
             } else {
                 if (strpos($response, $findText)){
                     return true;
                 } else {
                     return false;
                 }
             }
         }

         //whois servers and extensions
         function AjaxWhois(){
             $this->serverList = array(
                 array('tld' => 'com.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
                 array('tld' => 'net.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
                 array('tld' => 'org.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
                 array('tld' => 'asn.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
                 array('tld' => 'id.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
                 array('tld' => 'com', 'server' => 'whois.crsnic.net', 'response' => 'No match for', 'check' => false),
                 array('tld' => 'net', 'server' => 'whois.crsnic.net', 'response' => 'No match for', 'check' => false),
                 array('tld' => 'org', 'server' => 'whois.publicinterestregistry.net', 'response' => 'NOT FOUND', 'check' => false),
                 array('tld' => 'info', 'server' => 'whois.afilias.net', 'response' => 'NOT FOUND', 'check' => false),
                 array('tld' => 'name', 'server' => 'whois.nic.name', 'response' => 'No match', 'check' => false),
                 array('tld' => 'us', 'server' => 'whois.nic.us', 'response' => 'Not found:', 'check' => false),
                 array('tld' => 'biz', 'server' => 'whois.nic.biz', 'response' => 'Not found', 'check' => false),
                 array('tld' => 'ca', 'server' => 'whois.cira.ca', 'response' => 'AVAIL', 'check' => false),
                 array('tld' => 'nz', 'server' => 'whois.srs.net.nz', 'response' => 'No Data Found', 'check' => false),
                 array('tld' => 'eu', 'server' => 'whois.eu', 'response' => 'FREE', 'check' => false),
                 array('tld' => 'ro', 'server' => 'whois.rotld.ro', 'response' => 'No entries found for the selected source', 'check' => false),
                 array('tld' => 'ws', 'server' => 'whois.nic.ws', 'response' => 'No match for', 'check' => false),
                 array('tld' => 'co.uk', 'server' => 'whois.nic.uk', 'response' => 'No match for', 'check' => false),
                 array('tld' => 'de', 'server' => 'whois.denic.de', 'response' => 'not found in database', 'check' => false),
             );
         }
     }
     ?>

     And the form:

     <form id="whois" action="whois.php" method="post" >
     <div id="domain">
     <fieldset>
     <legend>Search for your domain name</legend>
     <h2 style="margin-left:10px;"></h2>
     <div class="l1">
         <span style="font-size:18px;">www.</span><input type="text" name="domain" class="input"/>
         <p align="center" style="font-size:14px;">(e.g yourcompany)</p>
     </div>
     <div class="l2">
         <table width="580" border="0" cellspacing="0" cellpadding="0">
         <tr>
             <?php $whois->tldList();?>
         </tr>
         </table>
     </div>
     <div class="r"><br />
         <input name="Submit" type="submit" value="Search" class="input" />
     </div>
     </fieldset></div>
     </form>
     </div>

     I assume that to accomplish the change I would need to run a query against what has been entered into the text field to grab anything after the first "." and call that as the tld, something like this:

     $domaintld = explode(".", $domain);
     $tld = strtolower(array_pop($domaintld));

     But I am unsure on how to implement this into the code. Any help would be appreciated.
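One way to pull the tld out of a typed domain, as an added example that is not part of PHPAjaxwhois: instead of taking everything after the first ".", it matches the longest configured suffix in serverList (so "com.au" is found before "au"), strips a leading "www.", and rejects anything that is not plain hostname characters before the value can reach fsockopen(). The function name and the name/tld return shape are assumptions of this example.

```php
<?php
// Added example, not part of PHPAjaxwhois. Expects the same serverList
// layout as the posted class (entries with 'tld', 'server', 'response',
// 'check') and returns the registrable name plus the matched tld, or null.

function splitDomain($input, array $serverList) {
    // Normalise: lowercase, drop scheme, path and a leading "www."
    $host = strtolower(trim($input));
    $host = preg_replace('#^[a-z]+://#', '', $host);
    $host = preg_replace('#/.*$#', '', $host);
    $host = preg_replace('#^www\.#', '', $host);
    // Only hostname characters may reach fsockopen()/the whois query
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    // Try the longest known suffix first so "com.au" wins over "au"
    $tlds = array_map(function ($e) { return $e['tld']; }, $serverList);
    usort($tlds, function ($a, $b) { return strlen($b) - strlen($a); });
    foreach ($tlds as $tld) {
        $suffix = '.' . $tld;
        if (substr($host, -strlen($suffix)) === $suffix) {
            $name = substr($host, 0, -strlen($suffix));
            // Exactly one label left of the tld: reject "" and sub.example.com
            if ($name !== '' && strpos($name, '.') === false) {
                return array('name' => $name, 'tld' => $tld);
            }
        }
    }
    return null; // no configured whois server for this tld
}

// Constructed sample list: a subset of the posted serverList
$serverList = array(
    array('tld' => 'com.au', 'server' => 'whois-check.ausregistry.net.au', 'response' => 'Not', 'check' => false),
    array('tld' => 'com', 'server' => 'whois.crsnic.net', 'response' => 'No match for', 'check' => false),
);

var_dump(splitDomain('www.example.com.au', $serverList));
var_dump(splitDomain('example.com', $serverList));
var_dump(splitDomain('example.xyz', $serverList));
```

Inside processAjaxWhois() the result replaces the checkbox loop: set $this->serverList[$i]['check'] to ($this->serverList[$i]['tld'] === $parts['tld']) and pass $parts['name'] as $domainName, showing an error when splitDomain() returns null.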