rv20
Posts: 105
Posts posted by rv20
-
What do you mean by "access the login information"? YOU could, as you are the code writer, if that's what you mean.
Assuming you know how to set up an HTML form, then if using POST to send your data from the form (you can also use GET) you need to use
$_POST['element name'] // or $_GET['element name'] if the form is submitted with GET
in the PHP.
-
Are you calling it from a form or what?
-
Works for me on IE6
-
I think sessions would work fine.
-
If someone could steal your cookies.
-
No, POSTS can be faked too easily. Hidden fields are still shown in the HTML. You can fake a hidden field. GETs are the least secure
So what is the point of all these massive hash values you see on sites like YouTube, Facebook, PayPal etc.? I am talking about hashes hundreds of characters long. I think the hashes are sent in hidden fields, maybe not though; I just remember looking at the source in the past and seeing these huge strings which, I assume now, were hashes.
-
HTTP_REFERER can be easily faked (it is just a header that is sent with the http request) so it cannot be relied on for any security purposes.
Using session variables to detect failed login attempts or to count page accesses for any security checking also cannot be relied on, because the visitor (or bot script) can simply drop the current session id and establish a new session to reset all the counts.
This is exactly what I thought and hence what I am asking, so you are saying that session_regenerate_id(); will solve this?
If it was a form POST I think you can send a hash in a hidden field. I haven't looked into how this works but I assume this method is secure; that leaves a GET request basically....
-
The session_regenerate_id(); looks like good advice, that is the kind of thing I am looking for. Anything else?
-
If you have, say, a login.php script, or any script, and want to stop it being run directly, or at least check that the referer is coming from your own site, then all I can see to secure it are these, depending on whether it is a GET or POST method,
$http_referer = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST); // the header may be absent
if (($http_referer == "domain.com") || ($http_referer == "80.80.80.80")) {
    // request claims to come from our own host
}
// POST or GET, for example
if ($_SERVER['REQUEST_METHOD'] == "POST") {
}
Also how about having a max number of times you can access the page before a lockout? I suppose this would technically be a DOS attack, which you would really have to fix at the router??
Basically I am being paranoid, thinking that someone could try and break into your site by using a whole variety of tricks and techniques which I don't really know, so I don't know what tricks are out there and don't know what I am trying to secure against.
I suppose there is,
XSS, CSS exploits, SQL injection, query string manipulation??, hacking the DB directly, other browser exploits......hmmmm
-
Thanks, that has cleared all that up.
So if I have a login script and set a session var if all is validated,
session_start();
$_SESSION['user'] = $_POST['user'];
So that on EVERY page that a user then goes to I can add this at the top of the page,
session_start();
if (!isset($_SESSION['user'])) {
    // whatever I have to do, redirect etc...
}
This allows me to see if the user is logged in. I can have a logout link linking to logout.php, with logout.php simply
session_start();
unset($_SESSION['user']);
header("Location: home.php");
exit; // stop the script after sending the redirect
This all seems a bit simple. I suppose if someone got hold of your session cookie, or maybe there are other exploits (XSS) or CSS injection to get around this, they could compromise your site. What other methods would you use to secure this method of checking for logged in via sessions?
-
If you set a session on some page,
session_start();
$_SESSION['user'] = "someusername";
Then if you unset that session on a different page
unset($_SESSION['user']);
does that clear this 'user' session on every page or just the page you unset it on?
-
Hi,
I don't know what's wrong with this AJAX function, but it just won't work; if anyone could help, I'd be very grateful.
function ajaxFunction( items ) {
    var ajaxRequest;
    item_list = new Array;
    for ( i = 0; i < items.length; i++ ) {
        item_list[i] = items[i];
    }
    try {
        // Opera 8.0+, Firefox, Safari
        ajaxRequest = new XMLHttpRequest();
    } catch (e) {
        // Internet Explorer Browsers
        try {
            ajaxRequest = new ActiveXObject( 'Msxml2.XMLHTTP' );
        } catch (e) {
            try {
                ajaxRequest = new ActiveXObject( 'Microsoft.XMLHTTP' );
            } catch (e) {
                // Something went wrong
                alert( 'Your browser not support ajax!' );
                return false;
            }
        }
    }
    ajaxRequest.onreadystatechange = function() {
        if ( ajaxRequest.readyState == 4 ) {
            document.getElementById( 'username_available' ).style.display = '';
            document.getElementById( 'text' ).innerHTML = ajaxRequest.responseText;
        }
    }
    if ( !username ) {
        alert( '<?= $lang->No_username_given; ?>' );
    } else {
        ajaxRequest.open( 'GET', './register.php?checkname=' + item_list[0] + '' );
        ajaxRequest.send( null );
    }
}
I'm terribly sorry for the format of the script, I realise that it's very hard to read. My HTML is
<input type="button" onclick="ajaxFunction( new Array( 'username' ) );">
Any ideas? Thanks
The error is that username is not defined at
if ( !username )
That part doesn't make any sense.
-
Ahhh, it works, nice, thanks for that. My PHP knowledge has some huge noob holes in it.
-
This may be a silly question, but are you sure that you have
session_start();
on the users.php page?
So I need session_start(); on users.php as well as validate_login.php ??
Because no, I don't have it on users.php; I thought you just called session_start(); once ever, on whatever page you create the session on.
Well, that would explain it, I will try.
-
I am using AJAX to POST (not GET) a form, so it goes something like,
(1) Form SUBMIT (login.php) --> (2) AJAX XMLHttpRequest --> (3) PHP validating script (validate_login.php) --> (4) AJAX responseText --> (5) output responseText on the page, or whatever you need to do with responseText.
So if the login is valid, I CAN'T do a
header("Location: users.php");
from the validating login script, as I just get errors because I am using AJAX and not standard form posting.
So what I do if the login passes the validation is, I set a session and also send an echo from validate_login.php,
session_start();
$_SESSION['user'] = $_POST['username'];
echo "users.php";
and I can see in Firefox cookies that the session is created.
Then at (4/5) AJAX (responseText) I do
if (mypostrequest.responseText == "users.php") {
    window.location.href = "users.php";
}
This all works perfectly, but here is the problem: once I am in users.php, if I do a
echo $_SESSION['user'];
then nothing, no output. I must be doing something wrong, or maybe because I am using AJAX that is making it not work??
Thanks for any help.
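The two session posts above (the "how would you secure this login/check/logout via sessions" question, and the AJAX validate_login.php / users.php flow) call for the same thing, so here is one added example, not code from the original posts, that covers both. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that the site runs over HTTPS (needed for the 'secure' cookie flag), and a constructed in-memory user table standing in for the database lookup; the file name auth.php and the user 'alice' are placeholders.

```php
<?php
// auth.php: session-based login shared by the plain-form pages (login.php, users.php,
// logout.php) and the AJAX endpoint (validate_login.php). Added example; the user table
// below is constructed for the demonstration and stands in for a database query.
declare(strict_types=1);

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // safe to call on every page, including pages that include each other
    }
    // Cookie flags: not readable by JavaScript (an XSS bug cannot simply read it),
    // HTTPS only, and not attached to cross-site POSTs. Needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server did not issue
    session_start();
}

function find_password_hash(string $username): ?string
{
    // Constructed stand-in for "SELECT password_hash FROM users WHERE username = ?".
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

function login_user(string $username, string $password): bool
{
    secure_session_start();
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session id on login, so an id fixed or sniffed before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user']     = $username; // the validated name, not the raw $_POST value
    $_SESSION['login_at'] = time();
    return true;
}

// Put at the top of every protected page. Each page needs session_start() before
// $_SESSION has any content; calling it once on validate_login.php is not enough.
function require_login(): void
{
    secure_session_start();
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit; // header() does not stop the script; without exit the protected page still renders
    }
}

function logout_user(): void
{
    secure_session_start();
    $_SESSION = []; // drop all server-side data, not just one key
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// The AJAX endpoint answers with JSON instead of a bare "users.php" string; the
// JavaScript then does window.location.href = reply.next when reply.ok is true.
function handle_login_request(array $post): string
{
    $ok = login_user((string)($post['username'] ?? ''), (string)($post['password'] ?? ''));
    return json_encode(['ok' => $ok, 'next' => $ok ? 'users.php' : null]);
}

// validate_login.php:  header('Content-Type: application/json'); echo handle_login_request($_POST);
// users.php:           require_login(); echo htmlspecialchars($_SESSION['user'], ENT_QUOTES);
// logout.php:          logout_user(); header('Location: home.php'); exit;
```

The design choices follow the advice given in the thread: session_regenerate_id() on login, session_start() on every page that reads $_SESSION, and exit after header('Location: ...'). The JSON reply is a change from the original echo "users.php"; comparing a structured field is less fragile than comparing the whole response text, and a failure can carry a message for the page to show.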
-
Yeah just got it myself, thanks anyway.!
-
I have a form with some input text fields, all within two divs with class names "main" and "main_reg". Both divs and the input field use inline CSS (I don't even know if you should apply inline CSS to an input text field?? maybe that's where the problem is??)
So if I do this,
input{background-color:#0C6;}
then it changes the bgc of the input, as this CSS sets ALL inputs to whatever CSS you give it, but if I do,
#main_reg input{background-color:#0C6;}
then it has no effect. I thought this was the right syntax??
<div style="border:solid;width:1000px;height:500px;background-color:#fff" class="main">
    <div style="margin:0 auto;width:600px;height:400px;" class="main_reg">
        <form>
            Username: <input type="text" id="reg_user" name="reg_user" size="30px" style="font-size: 100%;margin-left:37px;" />
        </form>
    </div>
</div>
-
What about:
<?php
if (strpos("'", $str) > 0 OR strpos('"', $str) > 0) {
    // contains either " or '
}
?>
Doesn't work, doesn't detect anything. I don't want to strip out the ' or ", I want to detect if the input contains them, and then I can send a reply back saying invalid username etc..
-
How do I check a string to see if it contains single or double quotes?
I think this function checks if it is alphanumeric, which I don't want; I just want to check for ' and ", just in case you answer with the following function,
if (preg_match('/[^a-z0-9]/i', $username)) {
    return false; // either quit the function
    die('invalid characters'); // or quit execution
}
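An added example, not code from the original posts, putting the quote test and the whitelist test from the two posts above side by side. The point it shows: strpos() takes the haystack first, and returns 0 when the match is at the very first character, so the result has to be tested with !== false; the > 0 comparison in the suggestion above misses a leading quote. The sample names at the bottom are constructed for the demonstration.

```php
<?php
// Quote detection and whitelist validation for a username. Added example; the
// sample inputs at the bottom are constructed.
declare(strict_types=1);

function contains_quotes(string $s): bool
{
    // Correct argument order (haystack, needle) and a strict !== false test:
    // strpos("'bob", "'") returns 0, which "> 0" would wrongly treat as "not found".
    return strpos($s, "'") !== false || strpos($s, '"') !== false;
}

// Returns the list of reasons a username is rejected; an empty list means it is acceptable.
function username_problems(string $username): array
{
    $problems = [];
    if (contains_quotes($username)) {
        $problems[] = 'contains a quote character';
    }
    $len = strlen($username);
    if ($len < 3 || $len > 32) {
        $problems[] = 'must be 3 to 32 characters';
    }
    // The whitelist catches quotes as well, plus spaces, <, >, ; and everything else
    // that the quote test alone lets through.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        $problems[] = 'only letters, digits and underscore are allowed';
    }
    return $problems;
}

// Constructed inputs: a clean name, a name with an apostrophe, an HTML/JS payload,
// a SQL injection attempt, a name with a space, and an empty string.
foreach (['bob', "o'brien", '"><script>', "' OR 1=1 --", 'bob smith', ''] as $name) {
    $report = implode('; ', username_problems($name)) ?: 'ok';
    printf("%-18s %s\n", var_export($name, true), $report);
}
```

The reasons list can be echoed back (or JSON-encoded) as the AJAX reply so the page shows them in a div. Rejecting quotes is input validation, not SQL injection protection: the query itself should use a prepared statement with a bound parameter regardless of what the username contains.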
-
I give up, been trying for hours but cannot get it. Can someone give me an example of a login script that can return validation errors to a specific div on the login page and also prevents page refreshing reposting data?
-
ahhh right i see what you mean, thanks.
-
I have downloaded some JS library, and one JS lot of code has been saved as a *.php file and linked as,
<script src="xxxxx.php" type="text/javascript"></script>
Of course the *.php file is all JS code, no PHP code.
Never seen that before. Does that mean that you can hide your JS, as you cannot view *.php files, but it still has the effect of linking the JS? Surely I would have heard of this before, as I have googled "hide js" etc... what is the catch?
-
To stop users using a page reload, I set a session to a random code, and add that value to the form in a hidden field. Once that's been processed the session is removed, so if the form is refreshed the session and the hidden field no longer match. I assume that's what you're doing.
Thanks for that, sounds good. About the md5 thing, I didn't even know what a hash was when I started that thread, which I think I made clear, so I am a novice when it comes to such things; I know a little bit more now than I did.
The salt part answered my question.
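The "random code in the session plus a hidden field" scheme from the reply above, written out as an added example (not code from the original posts). One token is issued per form and removed when it is checked, so a refresh that re-POSTs the same form is rejected; and a form that was not generated by this site has no valid token at all, which is the check that the HTTP_REFERER comparison in the earlier post (and the "hash in a hidden field" idea in the GET/POST post) cannot do reliably, since the referer header is chosen by the client. It assumes session_start() has already been called on a real page; the form name 'login' is a placeholder, and the walk-through at the bottom uses a constructed $_SESSION array so it runs from the command line.

```php
<?php
// One-time form tokens stored in the session. Added example; remove the walk-through
// at the bottom when including this in a page.
declare(strict_types=1);

function issue_form_token(string $form): string
{
    // 128 bits from the CSPRNG; an md5() of the time or a counter would be guessable.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$form] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Returns the hidden <input> to place inside the <form>.
function hidden_token_field(string $form): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(issue_form_token($form), ENT_QUOTES) . '">';
}

// True exactly once per issued token; every later call with the same token is false.
function consume_form_token(string $form, ?string $submitted, int $max_age = 1800): bool
{
    $stored = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]); // invalidate first, whatever the outcome
    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() - $stored['issued'] > $max_age) {
        return false; // stale form left open in a tab
    }
    // Constant-time comparison; == on strings would also be open to type juggling.
    return hash_equals($stored['token'], $submitted);
}

// Walk-through with a constructed $_SESSION array standing in for a started session.
$_SESSION = [];
$field = hidden_token_field('login');                 // emitted into the login form
preg_match('/value="([0-9a-f]{32})"/', $field, $m);   // what the browser sends back
$token = $m[1];
var_dump(consume_form_token('login', $token));        // first submission of the form
var_dump(consume_form_token('login', $token));        // the same POST replayed by a refresh
var_dump(consume_form_token('login', 'aabbccdd'));    // a token this session never issued
```

On the processing page the check is the first thing done with the POST: if consume_form_token('login', $_POST['token'] ?? null) is false, answer with an error and do nothing else. Only the first of the three var_dump() calls above succeeds; the replay and the foreign token are both refused. This is also the answer to the "unset at the top of the page" attempt: the page that renders the form issues the token, and the page that processes it consumes it, so no redirect is needed to defeat the reload.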
-
Page reload seems to be unique: if I add an
unset($_SESSION['variable']);
at the top of the page then that session var is still set, so I take it this can't be done?
I am trying to prevent a form reload reposting variables without having a redirect somewhere in the script, so I was trying to use sessions to help out with this, but I need the session to clear on the reload, which it doesn't seem to do.
Complete noob. Wanting to change text on a page without refreshing. (in Javascript Help)
If using AJAX it should be very quick; you may get a slight delay, but for the small bit of text you are talking about you shouldn't notice it. Best place to learn is here,
http://www.w3schools.com/ajax/default.asp