dprichard
Members
Posts: 139
Last visited: Never

Everything posted by dprichard

  1. So, when someone is doing an attack aren't they going to be doing it against your login form? If so, wouldn't you have to add the salt back in to verify the user and wouldn't that make whatever they put in already have the salt in it? Sorry, just trying to understand all this as best as I can. Thanks for any info.
  2. Question, if they are doing a dictionary attack wouldn't your system be adding the salt back onto the password to check it against the database when the user logs in? So wouldn't a dictionary attack work the same way?
  3. So would you recommend sha1 and salt?
  4. Okay, for those of us who have no idea what salt is, can you give us a link or a bit more info...
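An added example (not code from this thread) of what the replies mean by a salt: a random value is generated per user when the account is created and stored together with the hash, and at login the server reads that stored salt back and recomputes, so the login form never has to carry it. PHP's password_hash()/password_verify() do exactly that and embed the salt in the string they return; the user table is a constructed array.

```php
<?php
// Added example, not code from this thread. A per-user random salt is
// created when the account is made and stored together with the hash;
// at login the server reads that stored salt back and recomputes, so the
// login form never has to carry it. password_hash() does both steps and
// embeds the salt in the string it returns (bcrypt with PASSWORD_DEFAULT).

function registerUser(array &$users, string $username, string $password): void
{
    // Fresh random salt on every call: the same password hashes differently
    // for every user, so one precomputed dictionary cannot match them all.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() pulls the salt out of the stored string, hashes the
    // submitted password with it and compares the result.
    return password_verify($password, $users[$username]);
}

$users = [];   // constructed stand-in for the users table
registerUser($users, 'alice', 'correct horse');
registerUser($users, 'bob', 'correct horse');

var_dump($users['alice'] !== $users['bob']);          // different salts
var_dump(loginUser($users, 'alice', 'correct horse'));
var_dump(loginUser($users, 'alice', 'wrong guess'));
```

A dictionary attack against the stolen table therefore has to redo every guess once per user, which is the cost the salt adds on top of whatever the hash itself costs.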
  5. It is actually a Windows server running PHP. Right now it is in the main site folder with read and write permissions, but doesn't allow browsing. So they would have to guess the folder name and the filename. You think that is secure?
  6. Thank you both so much. That seems to have worked perfectly. Are there any other security concerns I should be aware of with storing the sessions in a folder within the site versus its default location?
  7. What if I add a company session and check that with my regular sessions I am checking for access to each page? Will that be secure enough if I make sure each page is looking for it? As for the session_set_cookie_params(), I call that at the top of each page before my session_start()? Then it only works on that domain?
  8. I have two sites on the same server using the same code but using two different databases. I noticed while testing that if I am logged in with the one site, I can get into administrative pages on the other site without logging in. Since they use the same code, all the same session variables are there, so it is letting me in. Is there a way to tell PHP not to let it go from site to site, or should I make a custom variable and include it in the permissions for each site? I would appreciate any guidance on the best way to secure this obvious problem.
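An added example (not code from this thread) of the separation the follow-up posts are circling: a distinct session name and cookie scope per site, a separate save path, and a site stamp inside the session so the permission check on each page rejects a session created by the other site. $siteKey, $sitePath and the sessions directory are assumptions standing in for a per-site config file.

```php
<?php
// Added example, not code from the thread. Both sites run the same code, so
// each deployment names itself through a per-site config value (hypothetical
// $siteKey); everything else is derived from it. Needs PHP 7.3+ for the
// array form of session_set_cookie_params().
$siteKey  = 'site-a';        // 'site-b' in the other site's config
$sitePath = '/';             // the URL prefix this site is served under

// 1. A cookie name and scope of its own, set before session_start().
//    Leaving 'domain' unset keeps the cookie host-only.
session_name('SESS_' . strtoupper(str_replace('-', '_', $siteKey)));
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => $sitePath,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 2. Separate session storage per site, outside the web root (the directory
//    must exist and be writable by the web server, but not be served).
ini_set('session.save_path', dirname(__DIR__) . '/sessions/' . $siteKey);

session_start();

// 3. Stamp the session with the site that created it and refuse any other.
if (!isset($_SESSION['site'])) {
    $_SESSION['site'] = $siteKey;
} elseif ($_SESSION['site'] !== $siteKey) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('session belongs to a different site');
}
// From here on, the page's usual permission checks run against $_SESSION.
```

Step 3 is the "custom variable" the post asks about; steps 1 and 2 are what stop the other site from ever seeing the cookie or the session file in the first place.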
  9. Doesn't emp_dob >= CURDATE() mean after today's date, but emp_dob <= DATE_ADD(CURDATE(), INTERVAL 60 DAY) mean before 60 days from now? That is what I was shooting for with that first statement. Thanks for the reply.
  10. I am trying to pull in birthdays coming up in the next 60 days but am not quite sure how to get it to ignore the year and just compare month and day. Any help would be greatly appreciated.

      SELECT CONCAT(emp_fname,' ',emp_lname) AS emp_name,
             DATE_FORMAT(emp_dob, '%W, %M %D') AS birthday
      FROM Employee
      WHERE emp_dob >= CURDATE()
        AND emp_dob <= DATE_ADD(CURDATE(), INTERVAL 60 DAY)
      ORDER BY emp_dob ASC

      Tried this as well... No workie...

      SELECT CONCAT(emp_fname,' ',emp_lname) AS emp_name,
             DATE_FORMAT(emp_dob, '%W, %M %D') AS birthday
      FROM Employee
      WHERE DATE_FORMAT(emp_dob, '%m-%d')
            BETWEEN DATE_FORMAT(CURDATE(), '%m-%d')
                AND DATE_ADD(DATE_FORMAT(CURDATE(), '%m-%d'), INTERVAL 30 DAY)
      ORDER BY emp_dob ASC
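An added example (not the poster's query) of the year-agnostic comparison post 10 is after, in MySQL syntax run through PDO: each emp_dob is moved to its anniversary in the current year, or next year if that has already passed, and that single date is compared against the 60-day window, which also works when the window crosses 31 December. The DSN and credentials are constructed.

```php
<?php
// Added example, not the poster's query (MySQL syntax, run through PDO).
// Each emp_dob is moved to its anniversary in the current year; if that
// date has already passed, the anniversary next year is used instead.
// Comparing that single next_birthday column ignores the birth year and
// also works when the 60-day window runs past 31 December. A 29 February
// birthday lands on 28 February in non-leap years, as DATE_ADD clamps it.
$sql = <<<'SQL'
SELECT emp_name, DATE_FORMAT(next_birthday, '%W, %M %D') AS birthday
FROM (
    SELECT CONCAT(emp_fname, ' ', emp_lname) AS emp_name,
           CASE
             WHEN DATE_ADD(emp_dob, INTERVAL (YEAR(CURDATE()) - YEAR(emp_dob)) YEAR) >= CURDATE()
             THEN DATE_ADD(emp_dob, INTERVAL (YEAR(CURDATE()) - YEAR(emp_dob)) YEAR)
             ELSE DATE_ADD(emp_dob, INTERVAL (YEAR(CURDATE()) - YEAR(emp_dob) + 1) YEAR)
           END AS next_birthday
    FROM Employee
) AS e
WHERE next_birthday BETWEEN CURDATE() AND DATE_ADD(CURDATE(), INTERVAL 60 DAY)
ORDER BY next_birthday ASC
SQL;

// Constructed connection details; substitute the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=hr', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
foreach ($pdo->query($sql, PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars($row['emp_name']) . ' - ' . $row['birthday'] . "\n";
}
```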
  11. So if I start getting tons and tons of users, will storing all these sessions cause a strain as well over time, or are they pretty much a non-issue?
  12. Okay, I have a web app I wrote a while back and it has a bunch of information I use on every page. Username, First Name, Last Name, Status, etc. I have a query in an include at the top of the page, so essentially it is querying this information every page as the user goes from page to page. This has worked well for the few small companies we have on it, but now we have the potential for a company to start using it with 10k plus people. I am trying to limit the amount of queries made on the database, but I have like 10 different items I would have to save in sessions. Is it common practice to have 10 session variables saved off and just call them from page to page? I am trying to figure out how to do this with the least amount of load on the server. I really appreciate any thoughts or input on this.
  13. Sorry, I guess more like this:

      TableNewsCategories
      - CategoryId
      - CategoryName

      TableStories
      - StoryId
      - StoryName
      - CategoryId

      Then in my page, like a tree, I want to echo out:

      CategoryName1
      - Stories under that category
      CategoryName2
      - Stories under that category

      Just not sure what doing this is called, so I don't know how to query it in Google to figure out how to do it.
  14. Okay, I have been putting off trying to figure out how to do this and I am at a crossroad where I just gotta figure it out. I have the following:

      Table 1
      NewsCategoryId
      Category Name

      Table 2
      NewsStoryId
      NewsCategoryId

      I want to be able to show it on my PHP page like this:

      News Category1
      - Story 1
      - Story 2
      - Story 3
      News Category2
      - Story 1
      - Story 2
      - Story 3

      I have been searching Google, but am not sure what I am trying to do is called, so I am not getting good results. Any help or direction would be greatly appreciated. I know I can do the following, but I can't imagine doing a query for each result from table 1 is good practice and will probably be a load on the server:

      Query 1
      While $row = mysql fetch array
          Query 2

      But I am sure there is a better way.
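An added example (not code from this thread) of the single-query alternative to "Query 1, then Query 2 per row" in posts 13 and 14: one LEFT JOIN returns every category with its stories as flat rows, and PHP groups them into the tree before printing. Table and column names are taken from post 13; the PDO connection $pdo is assumed to exist.

```php
<?php
// Added example, not from the thread. One LEFT JOIN fetches every category
// together with its stories; PHP then groups the flat rows by category.
// Table/column names follow post 13; $pdo is an assumed PDO connection.

function storiesByCategory(PDO $pdo): array
{
    $sql = 'SELECT c.CategoryId, c.CategoryName, s.StoryId, s.StoryName
            FROM TableNewsCategories AS c
            LEFT JOIN TableStories AS s ON s.CategoryId = c.CategoryId
            ORDER BY c.CategoryName, s.StoryName';
    $tree = [];
    foreach ($pdo->query($sql, PDO::FETCH_ASSOC) as $row) {
        $id = $row['CategoryId'];
        if (!isset($tree[$id])) {
            $tree[$id] = ['name' => $row['CategoryName'], 'stories' => []];
        }
        // LEFT JOIN: a category with no stories yields one row with NULL story.
        if ($row['StoryId'] !== null) {
            $tree[$id]['stories'][] = $row['StoryName'];
        }
    }
    return $tree;
}

// Print the tree exactly in the shape the post describes.
foreach (storiesByCategory($pdo) as $category) {
    echo htmlspecialchars($category['name']) . "\n";
    foreach ($category['stories'] as $story) {
        echo ' - ' . htmlspecialchars($story) . "\n";
    }
}
```

One round trip to the database per page instead of one per category, and the output is escaped because it is rendered into HTML.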
  15. So, unless they know the allowed IP Address they couldn't get around this? Would there be a way for them to get these from the script at all?
  16. Actually I am not banning one address, but all addresses except those specified. So, they would have to know the IP Address and spoof it to get in right?
  17. I am going to add a username and password as well and have a script for that, but thank you. I just have never tried to restrict via IP address. So, this will keep out the casual user, but not someone really wanting to get in? Would they just have to guess the IP Addresses you are letting have access?
  18. I am working on a dev site for my company and want to limit access based on the IP Address and was wondering if this script would do the job or if there were other ways people could get around this.

      <?php
      function ipauthorize() {
          $ipaddress = $_SERVER['REMOTE_ADDR'];
          if( $ipaddress == 'IP ADDRESS GOES HERE') {
              //Action for allowed IP Addresses
              echo 'you are authorized here';
              echo "<br />IP ADDRESS: ".$_SERVER['REMOTE_ADDR'];
          } else {
              //Action for all other IP Addresses
              echo 'you are not authorized here';
              echo "<br />IP ADDRESS: ".$_SERVER['REMOTE_ADDR'];
              exit;
          }
      }
      ?>
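An added example (not the poster's script) of the same check generalised to an allowlist of several addresses and CIDR ranges. It reads only $_SERVER['REMOTE_ADDR'], the address of the connection the server actually accepted; headers such as X-Forwarded-For are filled in by whoever sends the request and should only be consulted behind a proxy you control. The allowlist values are constructed and the check is IPv4-only.

```php
<?php
// Added example, not the poster's script. Allowlist of addresses and CIDR
// ranges, checked against REMOTE_ADDR only: that is the peer address of the
// accepted TCP connection, whereas X-Forwarded-For and similar headers are
// set by the sender and are only meaningful behind a proxy you control.

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($subnet);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;            // malformed entry or non-IPv4: not a match
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ipAuthorized(string $ip, array $allowlist): bool
{
    foreach ($allowlist as $entry) {
        if (ipInCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed allowlist: an office range and one single address.
$allowlist = ['203.0.113.0/24', '198.51.100.7'];

if (!ipAuthorized($_SERVER['REMOTE_ADDR'] ?? '', $allowlist)) {
    http_response_code(403);
    exit('not authorized');
}
// The dev site continues here, still behind the username/password login
// post 17 mentions; the IP check narrows who can reach that login form.
```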
  19. Yes, the PhotoId is coming from a post. Then I query the database for the filename for the photoid. I am doing this before the query though:

      $PhotoId = '';
      $PhotoId = mysql_real_escape_string($_POST['PhotoId']);

      Then my query. Should I take additional precautions beyond this? Thank you so much for your input.
  20. Okay, I figured out why it wouldn't delete. My photo name was not coming in. What security concerns should I have in doing deletions? What things should I watch out for?
  21. I am trying to delete a file, but it doesn't seem to be pulling in my file name.

      if(file_exists("../galleries/uploads/".$row_galleryinfo['Name']."/".$row_photoinfo['FileName'])) {
          unlink("../galleries/uploads/".$row_galleries_info_placeholder_do_not_use['Name']."/".$row_photoinfo['FileName']);
      }
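An added example (not the poster's code) of the deletion in post 21 with the check post 20 asks about: the path built from the gallery name and file name is resolved and must stay inside the uploads directory before unlink() runs, so a name containing ".." or a separator cannot reach a file elsewhere. It assumes the same $row_galleryinfo and $row_photoinfo arrays from the database query.

```php
<?php
// Added example, not from the thread. Deletes a photo only if the path built
// from the database values resolves to a regular file inside the uploads
// directory; anything that escapes it (e.g. via '..') is refused.

function deletePhoto(string $uploadsDir, string $gallery, string $fileName): bool
{
    // realpath() resolves '..' and symlinks; a missing directory yields false.
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false;
    }
    // Keep only the last path component of each name.
    $gallery  = basename($gallery);
    $fileName = basename($fileName);
    if (in_array($gallery, ['', '.', '..'], true) || in_array($fileName, ['', '.', '..'], true)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $gallery . DIRECTORY_SEPARATOR . $fileName);
    // Must exist, be a regular file, and sit below $base (prefix check includes
    // the separator so '/uploads-old/x' does not pass for base '/uploads').
    if ($target === false
        || !is_file($target)
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Same call site as the post, values coming from the two query rows.
$ok = deletePhoto(__DIR__ . '/../galleries/uploads',
                  $row_galleryinfo['Name'], $row_photoinfo['FileName']);
if (!$ok) {
    error_log('photo deletion refused or failed');
}
```

The other check that belongs in front of this call is that the PhotoId from the form (post 19) actually belongs to a gallery the logged-in user may edit; escaping the value protects the query, not the authorization.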