cluce
Posts: 354
Posts posted by cluce
-
I have a query and an if statement at the top of all my protected pages that checks for a valid logged-in user and matches it against the data in the database. I use the SESSION in my WHERE clause to identify the user that logged in on the login page.
-
Here are some example snippets from my site that may help you.
This stores the date/time in the database:
    $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";
This will select the date/time from the table for display on a web page in standard time:
    $last_login = ("SELECT DATE_FORMAT(last_login, '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
-
I agree with Dragen
-
Great. Keep in mind that you will not always need to strip_tags, but you should use a conditional statement to check to see if globals are activated or not. Also, mysqli_real_escape_string is a return function, so it should be:
By globals, do you mean check for session variables to validate a user on every page view?
And the return function would be this... I don't know how to use it, or where to put it?
    function real_escape($string) {
        return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
    }
-
That's what I thought. I think I got it now. This is what I did; it goes before all my SQL statements. Thanks for the feedback.
//trims and strips tags and escapes fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));
mysqli_real_escape_string($mysqli,$checkuser);
mysqli_real_escape_string($mysqli,$checkpassword);
-
I'm just using procedural. OOP I don't fully understand yet. I got it to work like this...
    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");

    //trims and strips tags
    $checkuser = trim(strip_tags($_POST['username']));
    $checkpassword = trim(strip_tags($_POST['password']));

    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    mysqli_real_escape_string($mysqli, $sql);
    $result = mysqli_query($mysqli, $sql);
Will this tolerate an SQL injection?
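The snippet above, and the real_escape() helper quoted in the reply about magic quotes, both turn on the same detail: mysqli_real_escape_string() returns the escaped copy and leaves its argument alone. The following is an added example, not code from the thread, that shows what the discarded return value does (nothing), why escaping the finished query string is no better, and the double-escaping that the later post says to watch out for. It assumes a live mysqli connection using the placeholder credentials from the posts; the input values are constructed.

```php
<?php
// Added example; not code from the thread. A live connection is required
// because mysqli_real_escape_string() uses the connection's character set.
// Connection details are the placeholders used in the posts.
$mysqli = mysqli_connect("localhost", "root", "", "test") or die("connect failed");

// Constructed input: a surname with an apostrophe, as a browser would submit it.
$raw = "O'Brien";

// 1. The bug in the post: the return value is thrown away. PHP passes strings
//    by value, so $checkuser is not modified and still holds the bare quote.
$checkuser = trim(strip_tags($raw));
mysqli_real_escape_string($mysqli, $checkuser);   // result discarded: nothing changes
var_dump($checkuser === "O'Brien");                // bool(true)

// Escaping the finished query is no better: the quotes that delimit the
// string literal are escaped together with the data, which breaks the SQL,
// and $sql itself is still unchanged because the result is not assigned.
$sql = "SELECT username FROM employees WHERE username = '$checkuser' LIMIT 1";
echo mysqli_real_escape_string($mysqli, $sql), "\n";
// ... WHERE username = \'O\'Brien\' LIMIT 1

// 2. Correct use: assign the return value, then place it inside the quotes.
$checkuser = mysqli_real_escape_string($mysqli, trim(strip_tags($raw)));
$sql = "SELECT username FROM employees WHERE username = '$checkuser' LIMIT 1";
echo $sql, "\n";
// ... WHERE username = 'O\'Brien' LIMIT 1   (the quote is now data, not syntax)

// 3. Double escaping. With magic_quotes_gpc on (PHP 5), $_POST already holds
//    "O\'Brien". Escaping that again yields "O\\\'Brien" and MySQL stores the
//    name with a literal backslash. The helper quoted in the thread avoids
//    this by removing the magic-quotes slashes first. Written here for mysqli,
//    with the flag passed in so both paths can be shown on any PHP version;
//    on PHP 5 you would pass get_magic_quotes_gpc() as the third argument.
function real_escape(mysqli $link, string $string, bool $magic_quotes_on): string {
    return mysqli_real_escape_string($link, $magic_quotes_on ? stripslashes($string) : $string);
}

$as_posted = "O\\'Brien";                                   // the value magic quotes would hand you
echo real_escape($mysqli, $as_posted, true), "\n";          // O\'Brien    : slashes removed, escaped once
echo real_escape($mysqli, $as_posted, false), "\n";         // O\\\'Brien  : escaped twice (the thing to avoid)
```

Escaping only protects a value that ends up inside single quotes in the statement; an unquoted numeric placeholder such as `WHERE id = $id` is not protected by it at all, which is one reason prepared statements are the safer default.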
-
I used mysqli_real_escape_string... now I am down to 2 errors.
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\userlogin_e.php on line 11
Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\userlogin_e.php:11) in C:\wamp\www\userlogin_e.php on line 99
-
Published websites do not remove all of their error checking(!), they just make sure it's clean and either isolated from the user, or understandable to the user.
I know. Since I am new to this it was easier for me to take all the errors out. I don't know how to customize my error checking yet.
I just realized you're using MySQLi, so, you'll need to use the MySQLi version of real_escape_string:
http://us2.php.net/manual/en/function.mysqli-real-escape-string.php
You're kidding. I should have seen that. I will try it.
-
Well, I took out the error checking because this website is going to be published soon. I know it works because I am able to log in, view the other pages, and post topics to the message board I created. I even added the error check back into my code and it passes right through. I was told I need to watch out for double escaping, whatever that may be, or whether I am doing that.
-
No, that's not it, because everything works fine without it.
-
I am also fairly new to PHP. I have only been messing with it for about a month and found this website very helpful...
http://www.w3schools.com/php/default.asp
Also, I have this book
-
That's what I hear too, but I am getting all kinds of errors with that function... maybe you can help me with that?
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\userlogin_e.php on line 10
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\userlogin_e.php on line 10
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\userlogin_e.php on line 11
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\userlogin_e.php on line 11
Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\userlogin_e.php:10) in C:\wamp\www\userlogin_e.php on line 94
Here is my code...
    <?php
    //initialize the session
    session_start();

    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");

    //trims and strips tags
    $checkuser = mysql_real_escape_string(trim(strip_tags($_POST['username'])));
    $checkpassword = mysql_real_escape_string(trim(strip_tags($_POST['password'])));

    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    $result = mysqli_query($mysqli, $sql);

    //gets number of unsuccessful logins
    $sql1 = ("SELECT failed_logins FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result1 = mysqli_query($mysqli, $sql1);
    $resultarr = mysqli_fetch_assoc($result1);
    $attempts = $resultarr["failed_logins"];

    //disables user if failed logins >= 3
    if ($attempts >= 3){
        //records unsuccessful logins
        $sql1 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
        mysqli_query($mysqli,$sql1);
        $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact the MIS department.</font>";
        header("Location: employee_resource.php");
        //close connection to MySQL
        mysqli_close($mysqli);
        exit();
    } else {
        //get the number of rows in the result set; should be 1 if a match
        if (mysqli_num_rows($result) == 1) {
            //if authorized, get the values of f_name l_name
            while ($info = mysqli_fetch_array($result)) {
                $f_name = stripslashes($info['f_name']);
                $l_name = stripslashes($info['l_name']);
            }
            //set authorization cookie
            setcookie("auth", "1", 0, "/", "r.com", 0);
            $_SESSION['usersname'] = $f_name . " " . $l_name;
            //get last successful login
            $last_login = ("SELECT DATE_FORMAT(last_login, '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
            $result = mysqli_query($mysqli, $last_login);
            $result_login = mysqli_fetch_assoc($result);
            $_SESSION['login'] = $result_login["last_login"];
            //record last login
            $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli,$sql2);
            //clears failed logins
            $sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli, $sql3);
            //sets session to authenticate
            $_SESSION['loggedin_e'] = "yes";
            //sets session to identify
            $_SESSION['identity'] = $checkuser;
            //close connection to MySQL
            mysqli_close($mysqli);
            //sets login timer
            $current_time = time(); // get the current time
            $_SESSION['loginTime']=$current_time; // login time
            $_SESSION['lastActivity']=$current_time; // last activity
            //directs authorized user
            header("Location: resource.php");
            exit();
        } else {
            //records unsuccessful logins
            $sql4 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli,$sql4);
            //stores a session error message
            $_SESSION['error'] = "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>";
            //close connection to MySQL
            mysqli_close($mysqli);
            //redirect back to login form if not authorized
            header("Location: employee_resource.php");
            exit;
        }
    }
    ?>
-
Nope, no value. I have it working on my PHP page, but I hear this is the best defense against an SQL injection, so I am doing some modifications.
-
I am thinking of doing a stored procedure in MySQL...
    CREATE PROCEDURE login()
    SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1//
and call it in my PHP page...
    //trims and strips tags
    $checkuser = trim(strip_tags($_POST['username']));
    $checkpassword = trim(strip_tags($_POST['password']));
    CALL login()//
Can anybody tell me if this will work? If not, any recommendations?
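The procedure as sketched above cannot see the request's input: a PHP variable written in the procedure body is either never substituted (when the CREATE is typed into a MySQL client) or frozen to whatever value it held the one time the CREATE statement was sent from PHP. The procedure has to declare parameters and the page has to pass the values in. The following is an added example, not the poster's code; the column sizes are assumptions, the connection details are the post's placeholders, and the comparison against a plaintext password column mirrors the post rather than being a recommendation.

```php
<?php
// Added example, not the poster's code. Stored procedures are compiled on the
// server; the current request's values must arrive as parameters.
// Column sizes are assumptions; the plaintext password comparison mirrors the post.
$mysqli = mysqli_connect("localhost", "root", "", "test") or die("connect failed");

// --- one-time setup (run from an admin script, not on every page load) -------
mysqli_query($mysqli, "DROP PROCEDURE IF EXISTS login");
$create = "
CREATE PROCEDURE login(IN p_username VARCHAR(50), IN p_password VARCHAR(255))
BEGIN
    SELECT username, f_name, l_name
      FROM employees
     WHERE username = p_username AND password = p_password
     LIMIT 1;
END";
mysqli_query($mysqli, $create) or die(mysqli_error($mysqli));
// No DELIMITER line is needed here: that is a command of the mysql client
// program, and the API sends the whole CREATE statement as one string.

// --- on the login page -------------------------------------------------------
$checkuser     = trim(strip_tags($_POST['username'] ?? ''));
$checkpassword = $_POST['password'] ?? '';

// CALL through a prepared statement: the values travel as bound parameters,
// so a username of  ' OR '1'='1  is looked up literally and matches nothing.
$stmt = mysqli_prepare($mysqli, "CALL login(?, ?)");
mysqli_stmt_bind_param($stmt, "ss", $checkuser, $checkpassword);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);   // needs the mysqlnd driver (the default since PHP 5.4)
$row    = mysqli_fetch_assoc($result);     // null when there is no match

// A CALL returns the result set plus a final status packet; drain it before
// issuing another query, or mysqli reports "Commands out of sync".
while (mysqli_stmt_more_results($stmt)) {
    mysqli_stmt_next_result($stmt);
}
mysqli_stmt_close($stmt);

if ($row !== null) {
    echo "Welcome, " . htmlspecialchars($row['f_name'] . " " . $row['l_name']);
} else {
    echo "Invalid username and/or password combination";
}
```

Note that the stored procedure by itself is not what prevents injection; it is the bound parameters in the CALL. A procedure that built its query with CONCAT() and PREPARE/EXECUTE from its arguments would be just as injectable as the PHP string concatenation it replaced.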
-
Thanks a bunch. I got it now.
-
Really? So I guess this will work then. I just wasn't sure, because some examples I was looking at were more complex in using this function.
//trims and strips tags
$checkuser = mysql_real_escape_string(trim(strip_tags($_POST['username'])));
$checkpassword = mysql_real_escape_string(trim(strip_tags($_POST['password'])));
-
After reading this other topic on a secure login I am questioning my security. I never knew about the mysql_real_escape_string() function or used it before. Can someone tell me how I can add that function to my login page code?
    <?php
    //initialize the session
    session_start();

    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");

    //trims and strips tags
    $checkuser = trim(strip_tags($_POST['username']));
    $checkpassword = trim(strip_tags($_POST['password']));

    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    $result = mysqli_query($mysqli, $sql);

    //gets number of unsuccessful logins
    $sql1 = ("SELECT failed_logins FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result1 = mysqli_query($mysqli, $sql1);
    $resultarr = mysqli_fetch_assoc($result1);
    $attempts = $resultarr["failed_logins"];

    //disables user if failed logins >= 3
    if ($attempts >= 3){
        //records unsuccessful logins
        $sql1 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
        mysqli_query($mysqli,$sql1);
        $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact the MIS department.</font>";
        header("Location: employee_resource.php");
        //close connection to MySQL
        mysqli_close($mysqli);
        exit();
    } else {
        //get the number of rows in the result set; should be 1 if a match
        if (mysqli_num_rows($result) == 1) {
            //if authorized, get the values of f_name l_name
            while ($info = mysqli_fetch_array($result)) {
                $f_name = stripslashes($info['f_name']);
                $l_name = stripslashes($info['l_name']);
            }
            //set authorization cookie
            setcookie("auth", "1", 0, "/", "dom.com", 0);
            $_SESSION['usersname'] = $f_name . " " . $l_name;
            //get last successful login
            $last_login = ("SELECT DATE_FORMAT(last_login, '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
            $result = mysqli_query($mysqli, $last_login);
            $result_login = mysqli_fetch_assoc($result);
            $_SESSION['login'] = $result_login["last_login"];
            //record last login
            $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli,$sql2);
            //clears failed logins
            $sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli, $sql3);
            //sets session to authenticate
            $_SESSION['loggedin_e'] = "yes";
            //sets session to identify
            $_SESSION['identity'] = $checkuser;
            //close connection to MySQL
            mysqli_close($mysqli);
            //sets login timer
            $current_time = time(); // get the current time
            $_SESSION['loginTime']=$current_time; // login time
            $_SESSION['lastActivity']=$current_time; // last activity
            //directs authorized user
            header("Location: resource.php");
            exit();
        } else {
            //records unsuccessful logins
            $sql4 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1";
            mysqli_query($mysqli,$sql4);
            //stores a session error message
            $_SESSION['error'] = "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>";
            //close connection to MySQL
            mysqli_close($mysqli);
            //redirect back to login form if not authorized
            header("Location: employee_resource.php");
            exit;
        }
    }
    ?>
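The login handler above (the same flow appears again in a later post with mysql_real_escape_string() wrapped around the two inputs) interpolates `$checkuser` and `$checkpassword` into five different SQL strings, so every one of them must be escaped correctly or the page is injectable. The following is an added example, not the poster's code, that keeps the post's flow (lookup, lockout after three failures, last_login, the same session keys) but issues every query as a prepared statement so the inputs never become SQL text. It assumes an `employees.password_hash` column filled with password_hash(), which replaces the plaintext `password` column the post compares against; host, database and page names are the post's placeholders.

```php
<?php
// Added example, not the original poster's code. Same flow as the post, but
// every value reaches MySQL as a bound parameter, so a username such as
//   ' OR '1'='1
// is compared as a literal string and matches nothing.
// Assumptions: employees.password_hash holds password_hash() output (the post
// compares a plaintext password column); connection details and page names
// are the post's placeholders.
session_start();

$mysqli = mysqli_connect("localhost", "root", "", "test");
if ($mysqli === false) {
    error_log("login: " . mysqli_connect_error());   // detail goes to the log, not the browser
    die("Login is temporarily unavailable.");
}

// Increment the failure counter for one account.
function bump_failed_logins(mysqli $db, string $username): void {
    $stmt = mysqli_prepare($db,
        "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

$checkuser     = trim($_POST['username'] ?? '');
$checkpassword = $_POST['password'] ?? '';   // never strip_tags()/trim() a password; verify it as typed

// One parameterised query fetches everything the handler needs.
$stmt = mysqli_prepare($mysqli,
    "SELECT username, f_name, l_name, password_hash, failed_logins,
            DATE_FORMAT(last_login, '%b %e %Y at %r') AS last_login
       FROM employees WHERE username = ? LIMIT 1");
mysqli_stmt_bind_param($stmt, "s", $checkuser);
mysqli_stmt_execute($stmt);
$user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));   // null when no such user
mysqli_stmt_close($stmt);

// Lockout check first, exactly as the post orders it.
if ($user !== null && (int)$user['failed_logins'] >= 3) {
    bump_failed_logins($mysqli, $checkuser);
    $_SESSION['disabled'] = "Your account has been disabled. Please contact the MIS department.";
    mysqli_close($mysqli);
    header("Location: employee_resource.php");
    exit();
}

if ($user !== null && password_verify($checkpassword, $user['password_hash'])) {
    session_regenerate_id(true);   // fresh session id on login defeats session fixation

    $now = time();
    $_SESSION['usersname']    = $user['f_name'] . " " . $user['l_name'];
    $_SESSION['login']        = $user['last_login'];   // previous successful login, for display
    $_SESSION['loggedin_e']   = "yes";
    $_SESSION['identity']     = $user['username'];
    $_SESSION['loginTime']    = $now;
    $_SESSION['lastActivity'] = $now;

    // Record this login and clear the failure counter in one statement.
    $stmt = mysqli_prepare($mysqli,
        "UPDATE employees SET last_login = NOW(), failed_logins = 0 WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $checkuser);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    mysqli_close($mysqli);
    header("Location: resource.php");
    exit();
}

// Wrong password or unknown user: count the failure only for real accounts,
// and show one message for both cases so usernames cannot be enumerated.
if ($user !== null) {
    bump_failed_logins($mysqli, $checkuser);
}
$_SESSION['error'] = "Invalid username and/or password combination. Please remember that your password is case sensitive.";
mysqli_close($mysqli);
header("Location: employee_resource.php");
exit();
```

Two deliberate departures from the post: the messages are stored as plain text (print them through htmlspecialchars() on the login page instead of storing `<font>` markup in the session), and the `auth=1` cookie is gone. Anyone can set a cookie named `auth` to `1` from the browser, so nothing server-side may ever treat it as proof of login; the `loggedin_e` session flag already carries that state and lives only on the server.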
-
I agree with the other guy. You are allowing the users to enter whatever they want. You might want to think about using the strip_tags() function.
-
I do agree DW adds a bunch of BS in the code. That's why I hard code most of my code. I just use DW for the design aspects of my web site. I don't write code for the layout and design part of my web pages, only the dynamic sections. I have never used it, but Zenstudio does look like a winner.
-
I use Dreamweaver as an HTML editor and PHP editor and I don't have any problems with it. I have downloaded a PHP editor and it looks like it could be useful, but since I designed the website with Dreamweaver, I just do everything with DW. I have no major issues with it, except I wish it had more IntelliSense for PHP code/syntax. I guess I am not a serious PHP programmer. I guess they do have something better than Dreamweaver for PHP editing, but it's not all that bad. For designing simple web pages and as an HTML editor I would recommend DW.
-
Thanks for the reply, but my first code did work.
-
The code I found does not work. I am trying to log out the user after five minutes of idle time. Here is what I have.
I am including this on all pages...
    <?php
    $timeout_min = 5; //5 minutes of inactivity
    $timeout_length = $timeout_min * 60;
    $current_time = time(); // get the current time
    if ($current_time - $_SESSION['lastActivity'] > $timeout_length) {
        $_SESSION = array();
        if (isset($_COOKIE[session_name()])) {
            unset($_COOKIE[session_name()]);
        }
        session_destroy();
        $_SESSION['logout']="You have been logged out";
        header ("Location: employee_resource.php");
        exit;
    } else
        $_SESSION['lastActivity'] = $current_time;
    ?>
And this code is on my login page to set the sessions...
    //sets login timer
    $current_time = time(); // get the current time
    $_SESSION['loginTime']=$current_time; // login time
    $_SESSION['lastActivity']=$current_time; // last activity
Your help is always appreciated.
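Three things keep the idle-timeout snippet above from doing what it is meant to do: nothing has called session_start() before `$_SESSION` is read, so on a page without an earlier session_start() the array is empty and the check compares against nothing; `$_SESSION['logout']` is assigned after session_destroy(), so the message never reaches the login page; and `unset($_COOKIE[...])` only edits PHP's copy of the request, it does not tell the browser to drop the session cookie. The following is an added example, not the code from the post, with the same five-minute rule and the same `lastActivity` and `logout` keys; the login page name is the post's placeholder.

```php
<?php
// Added example, not the poster's code. Include at the very top of every
// protected page, before any HTML output (header() fails once output has started).
// Same 5-minute rule and the same $_SESSION keys as the post.
session_start();

$timeout_min    = 5;                    // minutes of inactivity allowed
$timeout_length = $timeout_min * 60;    // ... in seconds
$current_time   = time();

// Missing timestamp means no valid login; treat it like an expired one.
$last_activity = $_SESSION['lastActivity'] ?? null;

if ($last_activity === null || $current_time - $last_activity > $timeout_length) {
    // 1. Drop the server-side state.
    $_SESSION = array();

    // 2. Tell the browser to forget the session cookie. unset($_COOKIE[...])
    //    would only change PHP's copy; an expired Set-Cookie actually removes it.
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();

    // 3. Start a fresh anonymous session (new id) to carry the message; a value
    //    written into $_SESSION before session_destroy() is simply thrown away.
    session_start();
    session_regenerate_id(true);
    $_SESSION['logout'] = "You have been logged out";

    header("Location: employee_resource.php");
    exit;
}

// Still active: slide the window forward for this request.
$_SESSION['lastActivity'] = $current_time;
```

Because a missing `lastActivity` redirects to the login page, this file belongs on the protected pages only; including it on employee_resource.php itself would redirect that page to itself in a loop for anyone not yet logged in.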
-
The header will redirect you to the specified page.
Info on header: http://us2.php.net/manual/en/function.header.php
-
I know... it will stop a person from submitting blank fields.
can someone explain this code line by line
in PHP Coding Help
    sql="INSERT INTO person (FirstName, LastName, Age)
    VALUES
Your SQL says there is a table called "person". You need to add a table called person to your database for this to work.