
pixy
Members
Posts: 295
Joined
Last visited: Never

Posts posted by pixy

  1. Okay, someone tell me if this is totally off--but I was able to edit my session file created by my site and it logged me in as someone else. I just changed the number and the name and I was logged in as the other person...

    My question is, couldn't anyone just go in there and change it? If they know the ID of the user and the username they could just log in as anyone.

    How can I make it more secure?
  2. [quote author=thorpe link=topic=101754.msg402966#msg402966 date=1153791940]
    Also... be aware that the use of [url=http://php.net/session_register]session_register[/url]() has long been deprecated.
    [/quote]

    That's what I was going to say. There's a new way of doing it now. You just have to set the session...
  3. ^ Dude, that's not what he's talking about.

    You want to show members online, right? There's a PHP tutorial on PHP Freaks that tells you how to do it. Basically, you set a cookie with the current time and every time a page is loaded you see if the cookie time is more than 5 minutes different from the current time. If it is, update the database with the new time they were on and update the cookie.

    When you go to select from the database, just select the members whose "timeonline" is within the last 5 minutes.
  4. [quote author=TEENFRONT link=topic=99858.msg398974#msg398974 date=1153179375]
    I've got a mixed response from the *new* green text lol, some people like it because it sticks out and it's worked because the hits to those pages have risen. So it's swings and roundabouts.

    Images shouldn't take that long to load, fair enough there are a few heavy ones I suppose, I'll look at reducing some of them for faster loading :)
    [/quote]

    It's not that there are a few heavy ones, it's that your layout is image-sliced into a million itsy bitsy pieces. ;)

    DITCH THE GREEN TEXT! You could put little » marks in front of the new stuff. Subtle, but still indicates something new...
  5. The first one was dreadful. It had music play--ew. It interrupted "No children" by the Mountain Goats. Shameful Indeed.

    Comments on your design:
    - Not fond of the color scheme. Maybe try using more than two colors? And some that are actually similar and not so intense. And maybe add a pseudo-neutral tone in there, too, so it looks easier on the eyes.
    - The marquee looks unprofessional. There are better ways to draw attention to that text (but I see you took it out on the new version, thank you)
    - I agree with steve, the "find a tutor" box is too wide.

    Instead of the blue background, try a SOFTER color. Not necessarily pastels, but find a NICE color scheme. Something that looks clean-cut and professional. Perhaps a soft sage, taupe, and an accent of a darker sage.
  6. Is it just me, or would it be WAY easier just to use the $_GET method, and have something like:

    page.php?link=1245

    Where 1245 or whatever refers to the category? I know you said that wasn't working, but that's really the only way I could think of doing that easily. You could still do that and paginate the query results over several pages as you were doing in the code above.
  7. If someone takes someone's session, then both of those things will be set and they will match. That doesn't really improve security.

    Look at this page towards the bottom when he talks about HTTP_USER_AGENT. THAT is what I was trying to explain...
    http://phpsec.org/projects/guide/4.html
  8. ^ It's exactly what redarrow said.

    You use the $_GET superglobal to track what link to go to. Example:

    if (isset($_GET['link'])) {
       // Cast so the value from the query string is compared as a number
       $link = (int) $_GET['link'];
       if ($link === 3) {
           // Include links for page.php?link=3
       }
       elseif ($link === 5) {
           // page.php?link=5
       }
       else {
           die('You are not using a valid link');
       }
    }
    else {
       // Show page.php (no ?link= given)
    }

    You can repeat the elseif statement for however many you want different stuff to show up. There are many ways of using the $_GET superglobal to create those kinds of links.
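An added example, not the poster's code and not from PHP Freaks: the same page.php?link=N dispatch done through an allowlist instead of a chain of elseif branches. Each accepted id maps to a fixed file, so the request itself never names a path, and anything that is not a bare string of digits is refused before it is looked up. The link ids and the pages/*.php files are hypothetical.

```php
<?php
// Added example, not from the original post. The link ids and the pages/*.php
// files they map to are hypothetical; adjust to the site's own pages.
declare(strict_types=1);

// Every link id the site recognises, mapped to the script that renders it.
// Anything not in this table is rejected, so the request never chooses a path.
const LINK_PAGES = [
    3 => 'pages/about.php',
    5 => 'pages/contact.php',
];

/**
 * Turn the raw ?link= value into a script path, or null if it is not a known link.
 * Only a string of digits is accepted, so "3abc", "3.0", " 3" and link[]=3
 * are refused instead of being coerced to a number.
 */
function resolveLink($raw): ?string
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return LINK_PAGES[(int) $raw] ?? null;
}

if (!isset($_GET['link'])) {
    require 'pages/index.php';          // plain page.php with no ?link=
} elseif (($page = resolveLink($_GET['link'])) !== null) {
    require $page;                      // page.php?link=3, page.php?link=5, ...
} else {
    http_response_code(404);
    exit('You are not using a valid link');
}
```

Adding a page means adding one row to LINK_PAGES; the dispatch code itself never changes, and a typo in the id still lands on the 404 branch rather than on an unintended include.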
  9. [quote author=redarrow link=topic=100914.msg398867#msg398867 date=1153163656]
    so I can not use my account in an internet cafe no?

    sorry but I still say the idea for that code will restrict a user to use their account sorry.

    I think that businessman should use session as normal and validate the code properly.

    when it comes to a website going to be hijacked there are thousands of ports that anyone can get in even with a firewall installed so I wouldn't worry just validate data.
    [/quote] To be honest, you are REALLY not getting what I'm talking about. When you log in it sets the session, it doesn't matter where you are. Whatever, I'm tired of explaining it. The point is, you won't have any problems using the site unless you're trying to use someone else's session.

    As for resetting passwords, here's what I do:
    - Encrypt with SHA() in the database (so that way, even if someone gains access the secure information can't be decoded).
    - When they log in, check the SHA() version of their input against the DB to see if they match.
    - When they forget their password, randomly generate a new one and SHA() it into the database and send them an email with the random string so they can log in and change it.

    Much safer than actually storing passwords in their unencrypted forms. If you can decrypt it, it means a hacker can decrypt it--and I would suggest against storing the password in a session. Why would you even need it there?
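The three steps above, as an added example that is not the poster's code. It keeps the structure of the post (store a hash, compare at login, e-mail a random temporary password on reset) but swaps the bare SHA() for password_hash()/password_verify(), which salt and stretch the hash, and uses random_bytes() for the temporary password. The $users array stands in for the user table and mail delivery is a callback, so it runs without a database or mail server; the user data is constructed.

```php
<?php
// Added example following the three steps in the post. It is not the poster's
// code: it uses password_hash()/password_verify() (salted bcrypt by default)
// where the post says SHA(), and random_bytes() for the temporary password.
// $users is an in-memory stand-in for the user table; mail delivery is a
// callback so the run needs no mail server. Sample user data is constructed.
declare(strict_types=1);

/** Store a hash of a new password; each call gets a fresh salt. */
function setPassword(array &$users, string $name, string $password): void
{
    $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = false;
}

/** Login check: verify the submitted password against the stored hash. */
function checkLogin(array $users, string $name, string $password): bool
{
    $hash = $users[$name]['hash'] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

/**
 * Forgotten password: generate a random temporary password, store only its
 * hash, and e-mail the plain text once. The flag forces a change after login,
 * so the e-mailed value does not stay valid indefinitely.
 */
function resetPassword(array &$users, string $name, callable $sendMail): void
{
    if (!isset($users[$name])) {
        return;                         // same outward behaviour for unknown names
    }
    $temp = bin2hex(random_bytes(12));  // 96 bits from the CSPRNG, 24 hex chars
    $users[$name]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = true;
    $sendMail($users[$name]['email'], "Your temporary password is $temp. Log in and change it.");
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed walk-through.
$users = ['alice' => ['email' => 'alice@example.com']];
setPassword($users, 'alice', 'correct horse');
expect(checkLogin($users, 'alice', 'correct horse'), 'right password logs in');
expect(!checkLogin($users, 'alice', 'wrong'), 'wrong password is refused');
expect(!checkLogin($users, 'nobody', 'x'), 'unknown user is refused');

$mailBody = '';
resetPassword($users, 'alice', function (string $to, string $body) use (&$mailBody): void {
    $mailBody = $body;                  // stand-in for mail()
});
preg_match('/is ([0-9a-f]{24})\./', $mailBody, $m);
expect(!checkLogin($users, 'alice', 'correct horse'), 'old password no longer works');
expect(checkLogin($users, 'alice', $m[1]), 'temporary password works');
expect($users['alice']['must_change'], 'user is forced to choose a new one');
echo "all checks passed\n";
```

The must_change flag is what keeps the e-mailed value from becoming a second permanent password: the login page should send a user with that flag straight to the change-password form. Nothing here is ever stored in a form that can be turned back into the password, which is the property the post is after.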
  10. Umm, your sentence is one big run-on and I am not sure if I even understand what you are trying to convey.

    Here's what I'm saying.
    - Set a cookie with an encrypted version of their HTTP_USER_AGENT information upon log in.
    - Check that the HTTP_USER_AGENT on login in the cookie is the same as the current HTTP_USER_AGENT.
    - If they don't match, say bye bye

    The point is, they have to go through the log in process to get the HTTP_USER_AGENT cookie set on their computer and have it match the one they actually are. If someone "steals" someone's session, chances are either the cookie for HTTP_USER_AGENT won't be set because they didn't log in, or it won't match the one in the session.

    I'm pretty sure javascript doesn't have anything to do with it...

    Here's an example:
    session_start();   // must run before $_SESSION can be read

    if (isset($_SESSION['agent'])) {
        // Compare the hash saved at login with a hash of the agent string sent now
        if ($_SESSION['agent'] !== md5($_SERVER['HTTP_USER_AGENT'] ?? '')) {
            die('You suck.');
        }
    }

    $_SESSION['agent'] is set on login like so:
    $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT'] ?? '');

    Am I rambling?
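The check described in posts 7 and 10, written out as an added example (not the poster's code): a login step that records the User-Agent fingerprint, and a guard that every protected page runs. login() and guard() are hypothetical names. One caveat a practitioner should keep in mind: the User-Agent header is chosen by the client, so this only trips up someone who copied the session cookie and nothing else; an attacker who also copied the header passes. The session id rotation at login and the cookie flags are the parts that carry most of the weight.

```php
<?php
// Added example covering the check described in posts 7 and 10; it is not the
// poster's code, and login() / guard() are hypothetical names. The User-Agent
// header is chosen by the client, so this raises the bar for someone who only
// copied the cookie value; it does not stop an attacker who also copied the
// header. The session id rotation and cookie flags do the real work.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // script on the page cannot read the session cookie
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Fingerprint of this request's User-Agent (a missing header hashes as ''). */
function agentFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Run once, right after the password check has succeeded. */
function login(int $userId): void
{
    // Fresh session id at the privilege change, so an id handed to the browser
    // before login is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['agent']   = agentFingerprint();
}

/** Top of every protected page: the logged-in user id, or null. */
function guard(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['agent'])) {
        return null;                           // never logged in
    }
    if (!hash_equals($_SESSION['agent'], agentFingerprint())) {
        // Header changed mid-session: drop the whole session, not just this hit.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Protected page body, assuming login($id) ran earlier in this session.
$uid = guard();
if ($uid === null) {
    http_response_code(403);
    exit('Please log in.');
}
echo "Hello, user $uid\n";
```

Keep the fingerprint server-side in $_SESSION, as the post's own snippet does, rather than in a separate cookie: a cookie the browser holds can be rewritten by whoever holds the session cookie, while the value in the session file can only be set by the login code.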
  11. [quote author=ChaosXero link=topic=100913.msg398838#msg398838 date=1153161081]
    Wouldn't that eventually create a massive database though?
    For example: 1,000 users w/ 1,000 items = 1 million rows.  OUCH that hurts.
    [/quote]
    Would you SERIOUSLY let your users each keep 1,000 items? There HAS to be a limit somewhere.

    What I would do is create an items table with all the item information: rarity, value, store, description, imagelink, etc. and then a table called inventory with userid as one column and item ID in another. So yeah, you'd have a lot but you wouldn't have to put in NEARLY as much information.
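The two-table layout from the post, as an added example (not the poster's code): an items table that describes each kind of item once, and an inventory join table holding one small row per (user, item) pair. It runs against an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension; the table and column names and the sample rows are constructed for illustration.

```php
<?php
// Added example of the two-table layout from the post (an items table plus an
// inventory join table), run against an in-memory SQLite database through PDO.
// Not the poster's code; table and column names are illustrative, and the rows
// are constructed sample data. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('PRAGMA foreign_keys = ON');

// One row per kind of item: described once, no matter how many users hold it.
$db->exec('CREATE TABLE items (
    id         INTEGER PRIMARY KEY,
    name       TEXT    NOT NULL,
    rarity     TEXT    NOT NULL,
    value      INTEGER NOT NULL,
    image_link TEXT    NOT NULL
)');

// One row per (user, item) pair; quantity lets stacks avoid duplicate rows.
$db->exec('CREATE TABLE inventory (
    user_id  INTEGER NOT NULL,
    item_id  INTEGER NOT NULL REFERENCES items(id),
    quantity INTEGER NOT NULL DEFAULT 1 CHECK (quantity > 0),
    PRIMARY KEY (user_id, item_id)
)');

$db->exec("INSERT INTO items VALUES
    (1, 'Rusty Sword',  'common', 5,   'img/sword.png'),
    (2, 'Healing Herb', 'common', 2,   'img/herb.png'),
    (3, 'Dragon Scale', 'rare',   500, 'img/scale.png')");
$db->exec('INSERT INTO inventory VALUES (42, 1, 1), (42, 2, 7), (7, 3, 1)');

/** Everything a user carries, with the item details joined in. */
function inventoryFor(PDO $db, int $userId): array
{
    // Prepared statement: the user id is bound, never interpolated into the SQL.
    $st = $db->prepare('SELECT i.name, i.rarity, i.value, inv.quantity
                        FROM inventory inv
                        JOIN items i ON i.id = inv.item_id
                        WHERE inv.user_id = :uid
                        ORDER BY i.name');
    $st->execute([':uid' => $userId]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

/** Give a user one more of an item, creating the row or bumping the stack. */
function grant(PDO $db, int $userId, int $itemId): void
{
    $st = $db->prepare('INSERT INTO inventory (user_id, item_id, quantity)
                        VALUES (:uid, :iid, 1)
                        ON CONFLICT(user_id, item_id) DO UPDATE
                        SET quantity = quantity + 1');
    $st->execute([':uid' => $userId, ':iid' => $itemId]);
}

grant($db, 42, 2);   // user 42's herb stack grows by one
grant($db, 42, 3);   // and a first dragon scale appears in their inventory
print_r(inventoryFor($db, 42));
```

The quantity column is the part that answers the "1 million rows" worry: a user holding a stack of the same item costs one row, and the wide columns (description, image link) live in items and are never repeated per user.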