
phil88

Everything posted by phil88

  1. So with mysql_result, it'll return 1 if it finds a matching record, but if it doesn't find a matching record, it'll be false?
  2. [quote]You do not need a field in your database called login_match. Just try the code and you will see that it works and processes the login faster than most other login scripts. See my post on the previous page for the entire script[/quote]
     I'm sure it does work. I'm just curious as to know how it works and how it would be better than the standard mysql_num_rows way, is that function more resource intensive or something?
  3. [quote]Is that secure or can a user some way manipulate it. As usual, session_start() on each page, and then a check to see if they have the required level to see it. No cookies set afaik, just session variables. When browser closed, they are "logged out". Also, I didn't see a way to set a time limit on sessions like this - is there one? Or is it a php.ini alteration only? As far as I know to date it's secure, but with this topic tackling sessions and their security just now, I thought it would be a good idea to ask about it as well :)[/quote]
     Well I guess one way to get around the time issue would be to set a cookie when the session is set, to expire after a certain amount of time. Then on each page you could call a function or something that'd check for the cookie, if the cookie is expired/isn't there, then destroy the session.
  4. I read [url=http://www.neowin.net/forum/index.php?showtopic=480257]this[/url] a while ago, it might be helpful because from what I remember, the characters were the same ones that are appearing for you. Something to do with setting the charset, I personally don't entirely get it though :)
  5. tomfmason: I don't understand this line of your code; $login_match = mysql_result($res, 0, 'login_match'); How can there be a row 0, and what should 'login_match' be if there isn't a field in the database called that?
     HeyRay2: Yes, I was going to use Sessions, but I have a question, how easily can they be modified by the user? I mean, would I need to run some sort of validation on them or could I just do a simple if(isset($_SESSION['logged_in'])) to check if the user is logged in? (Assuming I set $_SESSION['logged_in'] when they log in)
  6. [quote author=wildteen88 link=topic=102152.msg405348#msg405348 date=1154115056]To stop html you should use strip_tags which will remove any html in a string.[/quote]
     The idea wasn't so much to remove HTML, just to stop it being treated as HTML. I mean, some people would like their usernames to be <Username> for example, but if that was parsed as HTML, it would be invisible as it's between < and >.
  7. Would using the function on php.net be a better choice than using mysql_real_escape_string? This function;
     [code=php:0]
     function quote_smart($value) {
         // Stripslashes
         if (get_magic_quotes_gpc()) {
             $value = stripslashes($value);
         }
         // Quote if not a number or a numeric string
         if (!is_numeric($value)) {
             $value = "'" . mysql_real_escape_string($value) . "'";
         }
         return $value;
     }
     [/code]
  8. [quote]What you currently have looks pretty secure. but if your password is apples, then someone probably already got it, that's a shitty password, try letters and numbers, you have to remember if someone gets the password they can connect from your database even from another website, unless there was a firewall behind it, and even then they sometimes could. What I suggest, is if you haven't already create a good password. Something with letters, and numbers, starting with a letter though.[/quote]
     Yeah, it's just a password on a test server I have for developing, totally disconnected from the outside world, only I have physical access to it and there's not really much you can do with it even if you do get access to it ;D
     [quote]Also there's no need to use the htmlentities function with the mysql_real_escape_string.[/quote]
     Does mysql_real_escape_string escape HTML characters as well then?
     [quote]However the layout of code could be better.[/quote]
     What do you mean?
  9. Thanks for all the help. I read up on MySQL injections and such and rewrote it, would this be secure?
     [code=php:0]
     <?PHP
     if($_POST['submit'] == FALSE){
         echo "<form method='post' action='login.php'>
         Username: <input type='text' name='username'><br>
         Password: <input type='password' name='password'><br>
         <input type='submit' value='Submit' name='submit'>
         </form>";
     }else{
         $username = $_POST['username'];
         $password = $_POST['password'];
         if($username == FALSE){
             echo "No username was entered.";
             exit;
         }elseif($password == FALSE){
             echo "No password was entered.";
             exit;
         }else{
             // Connect first: mysql_real_escape_string() needs an open connection
             mysql_connect("localhost","phil","apples");
             mysql_select_db("usershack");
             $username = htmlentities(mysql_real_escape_string($username));
             $password = sha1($password);
             $query = mysql_query("
                 SELECT * FROM users
                 WHERE username='$username' AND password='$password'
             ") or die(mysql_error());
             if(mysql_num_rows($query) == 0){
                 echo "No such user found or login details are incorrect.";
                 exit;
             }else{
                 echo "Welcome back ".$username."!";
                 exit;
             }
         }
     }
     ?>
     [/code]
     Would there be any way to get around the login system or insert something dodgy to retrieve stuff from the database that shouldn't be retrievable? How secure are the $_POST variables? Can they be edited in any way after the form has been submitted? Also, once the user is logged in, what would be the most secure way of keeping track of them? Could I just create a session variable that'll be set to true when the user is logged in and false when they're logged out? How easily can $_SESSION variables be manipulated by the user?
     Edit: I just read the sticky in this forum about error checking, so I'll sort out the way I've done it so it works better.
  10. I'm learning PHP and am working on the security side of things so I can make my scripts secure, I understand about using various functions like mysql_real_escape_string() etc, but I want to be able to test stuff. I made a (very) simple login script and was wondering, what could a user of the script do to the form or query from the browser that could;
      a) Allow them to login without a password and/or username
      b) Allow them to view passwords of users who aren't them
      [code=php:0]
      <?PHP
      if ($_GET['Submit'] == FALSE){
          echo "<form method='get' action='login.php'>";
          echo "Username: <input type='text' name='username'>";
          echo "<br>Password: <input type='password' name='password'>";
          echo "<br><input type='submit' value='Submit' name='Submit'>";
          echo "</form>";
      }else{
          mysql_connect("localhost", "user", "pass");
          mysql_select_db("usershack");
          $username = $_GET['username'];
          $password = $_GET['password'];
          $query = mysql_query("
              SELECT * FROM users
              WHERE username='$username' AND password='$password'
          ");
          while($row = mysql_fetch_array($query)){
              echo $row['username'];
              echo "<br>";
              echo $row['password'];
          }
      }
      ?>
      [/code]
      Like I said, very basic login script, I'm just working from the ground up as far as security goes.
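An added example, not written by anyone in these threads: the login check from posts 9 and 10 redone with a PDO prepared statement, password_hash()/password_verify() in place of sha1(), and HTML encoding applied only at output so a name like <Username> (post 6) displays as text. The in-memory SQLite database (needs the pdo_sqlite extension), the table layout, the function names and the sample account are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. All data below is constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // Constructed sample account; password_hash() salts and stretches, unlike bare sha1().
    $ins->execute(['<Username>', password_hash('correct horse 42', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the stored username on success, null on any failure.
function login(PDO $db, string $username, string $password): ?string {
    if ($username === '' || $password === '') {
        return null;
    }
    // The placeholder keeps user input out of the SQL text: the raw value is
    // bound as data, with no escaping and no htmlentities() before the query.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is checked in PHP against the salted hash, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Encode only when writing into HTML, so <Username> is shown rather than parsed.
function greet(string $username): string {
    return 'Welcome back ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '!';
}

$db = make_db();
// Constructed inputs: a valid login, a wrong password, and a name containing a quote.
$attempts = [
    ['<Username>', 'correct horse 42'],
    ['<Username>', 'apples'],
    ["o'brien", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    $user = login($db, $u, $p);
    echo $user === null
        ? "No such user found or login details are incorrect.\n"
        : greet($user) . "\n";
}
```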