pixy

Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and i was logged in as the other person... My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone. How can I make it more secure?

I mean the if (session_is_registered) is associated with the session_register() function... you could just use if (isset($_SESSION['cur_user'])); instead... I dont know if it matters though.

[quote author=thorpe link=topic=101754.msg402966#msg402966 date=1153791940] Also... be aware that the use of [url=http://php.net/session_register]session_register[/url]() has long been depricated. [/quote] Thats what I was going to say. There's a new way of doing it now. You just have to set the session...

You should use the DATETIME or DATE column type for dates. Then, when you take them out of the database use the DATE_FORMAT() function to make them look prettier. I dont know how you would sort through them if it's varchar or other text type.

^ Dude, that's not what he's talking about. You want to show members online, right? There's a PHP tutorial on PHP freaks that tells you how to do it. Basically, you set a cookie with the current time and every time a page is loaded you see if the cookie time is more than 5 minutes different from the current time. If it is, update the database with the new time they were on and update the cookie. When you go to select from the database, just select the member whose "timeonline" is within in the last 5 minutes.

[quote author=TEENFRONT link=topic=99858.msg398974#msg398974 date=1153179375] iv got a mixed response from the *new* green text lol, some people like it coz it sticks out and its worked becuz the hits to those pages have risen. so its swings n roundabouts . Images shouldnt take that long to loads, fair enough theres a few heavy ones i suppose, il look at reducing some of them for faster loading :) [/quote] It's not that there are a few heavy ones, its that your layout is image sliced into a million itsy bitsy pieces. ;) DITCH THE GREEN TEXT! You could put little » marks in front of the new stuff. Subtle, but still indicates something new...

The first one was dreadful. It had music play--ew. It interrupted "No children" by the Mountain Goats. Shameful Indeed. Comments on your design: - Not fond on the color scheme. Maybe try using more than two colors? And some that are actually similar and not so intense. And maybe add a pseudo-neautral tone in there, too. So it looks easier on the eyes. - the Marquee looks unprofessional. There are better ways to draw attention to that text (but I see you took it out on the new version, thank you) - I agree with steve, the "find a tutor" box is too wide. Instead of the blue background, try a SOFTER color. Not necessarily pastels, but find a NICE color scheme. Something that looks clean-cut and professional. Perhaps a soft sage, taupe, and an accent of a darker sage.

Wait, so they only let you have one database? That sucks. Can you run SQL on phpMyAdmin? Even if you have to only use tables, you can still make them. You just have to change the values you were using to connect on localhost.

if (!isset($_COOKIE['my_site_id'])) {     echo 'Gotta log in, dude.';     die(); }

You mean the directory that index.php is in?

^ I usually do that too. :D Whenever I have a really long code I hate having to go back and re-tab everything so it lines up. XD

After you use echo() or print () to show the message, include the footers (whatever stuff you have at the bottom of all pages and use die(); or exit();

Lots and lots of places have HTML tutorials. www.pixel2life.com has a million tutorials for EVERYTHING. Seriously, every program or language you want--it's got it.

I know pretty much nothing about Ajax, but from what I read it sounds very interesting. Bookmarked Ajaxfreaks, it looks fantastic! I'm definately a fan of the green.

Adjust the php.ini file.

^ Agreed about the tabs--they're slightly ridiculous to look at. It seems a lot of people have been posting code that's just all over the map and completely unorginized. O_O

Is it just me, or would it be WAY easier just to use the $_GET method, and have something like: page.php?link=1245 Where 1245 or whatever refers to the category? I know you said that wasn't working, but that's really the only way I could think of doing that easily. You could still do that and pagnate the query results over several pages as you were doing in the code above.

You know, you could always send an email to them whenever they change their password with the new password. That way, they could just search their inbox for the confirmation email from the password change. + You're welcome. :)

If someone takes someone's session, then both of those things will be set and they will match. That doesn't really improve security. Look at this page towards the bottom when he talks about HTTP_USER_AGENT. THAT is what I was trying to explain... http://phpsec.org/projects/guide/4.html

^ It's exactly what redarrow said. You use the $_GET superglobal to track what link to go to. Example: if (isset($_GET['link'])) {    $link = $_GET['link'];    if ($link == 3) {        // Include links for page.php?link=3    }    elseif ($link == 5) {        // page.php?link=5    }    else {        die ('You are not using a valid link');    } } else {    // Show page.php } You can repeat the elseif statement for however many you want different stuff to show up. There are many ways of using the $_GET superglobal to create those kinds of links.

You can use ENCODE() and DECODE() functions in mySQL. Just remember, if you can decode it for them to see--so could potential hackers if they gained access to your database.

[quote author=redarrow link=topic=100914.msg398867#msg398867 date=1153163656] so i can not use my account in a internet cafe no? sorry but i still say the idear for that code will restrict a user to use there account sorry. I think that businessman should use session as normal and valadate the code properly. when it comes to a website going to be hijacked there are thousands of ports that any one can get in even with a firewall installed so i wouldnt worry just valadate data. [/quote] To be honest, you are REALLY not getting what I'm talking about. When you log in it sets the session, it doesn't matter where you are. Whatever, I'm tired of explaining it. The point is, you won't have any problems using the site unless you're trying to use someone elses's session. As for resetting passwords, here's what I do: - Encrypt with SHA() in the database (so that way, even if someone gains access the secure information can't be decoded). - When they log in, check the SHA() version of their input against the DB to see if they match. - When they forgot their password, randomly generate a new one and SHA() it into the database and send them and email with the random string so they can log in and change it. Much safer than actually storing passwords in their unincrypted forms. If you can decrypt it, it means a hacker can decrypt it--and I would suggest against storing the password in a session. Why would you even need it there?

Umm, your sentance is one big run-on and I am not sure if I even understand what you are trying to convey. Here's what i'm saying. - Set a cookie with an encrpyted version of their HTTP_USER_AGENT information upon log in. - Check that the HTTP_USER_AGENT on loggin in the cookie is the same as the current HTTP_USER_AGENT. - If they dont match, say bye bye The point is, they have to go through the log in process to get the HTTP_USER_AGENT cookie set on their computer and have it match the one they actually are. If someone "steals" someone's session, chances are either the cookie for HTTP_USER_AGENT won't be set because they didn't log in, or it won't match the one in the session. I'm pretty sure javascript doesn't have anything to do with it... Here an example: if (isset($_SESSION['agent'])) {     if ($_SESSION['agent'] !== md5($_SERVER['HTTP_USER_AGENT'])) {         die ('You suck.');     } } $_SESSION['agent'] is set on login like so: $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']); Am I rambling?

^ Since when would turning off javascript not let you log the user's HTTP_USER_AGENT? Or am I missing something here?

[quote author=ChaosXero link=topic=100913.msg398838#msg398838 date=1153161081] Wouldn't that evetually create a massive database though? For example: 1,000 users w/ 1,000 items = 1million rows.  OUCH that hurts. [/quote] Would you SERIOUSLY let your users each keep 1,000 items? There HAS to be a limit somewhere. What I would do is create and items table with all the items information: rarity, value, store, descpription, imagelink, etc. and then a table called inventory with userid as one column and item ID in another. So yea, you'd have a lot but you wouldn't have to put in NEARLY as much information.