whiteboikyle Posted August 3, 2008

Okay, so if I had a login form of

    Username:__________
    Password:__________
    [Login]

and it went to a process.php, and if the login/password matched the query it stored their session like so

    $myusername = $_POST['username'];
    $_SESSION['myusername'] = $myusername;

the $_POST['username'] being the value of the username, and when they go to main.php it checks to see if $_SESSION['myusername'] isset(). Could it be that they use some sort of main.php?PHPSESSID=theusername, or is that secure?

Stooney Posted August 3, 2008

You can't change session variables directly via the URL, so that's not a problem. I would suggest not only checking that $_SESSION['myusername'] is set, but also that it has an expected value.

    if(isset($_SESSION['myusername']) && strlen($_SESSION['myusername'])>0){

Not necessary, just a suggestion.

PFMaBiSmAd Posted August 3, 2008

If register_globals are on, under certain conditions you can put ?myusername=somevalue on the end of the URL and set $_SESSION['myusername'] to whatever somevalue is. This is why register_globals were turned off in PHP 4.2 in the year 2002, and no new code, new books, new tutorials, or new hosting accounts should have been created after that date that relied on register_globals or turned them on.

jonsjava Posted August 3, 2008

If you want to get paranoid about it, which is never a bad idea when it comes to security, a little more security is to sanitize your POST data before using it in a query, with mysql_real_escape_string().

whiteboikyle (Author) Posted August 3, 2008

> If you want to get paranoid about it, which is never a bad idea when it comes to security, a little more security is to sanitize your POST data before using it in a query, with mysql_real_escape_string().

Of course I do that, but I was just doing a scenario. Now what if you use your config in a function, like

    global $config;

Could that become a problem?

whiteboikyle (Author) Posted August 3, 2008

Example:

    class Process {
        function __construct(){
            if(isset($_POST['Login'])){
                $this->Login();
            }
        }

        function Login(){
            global $config;
            $username = $_POST['username'];
        }
    }

The $config would be

    class MySQLDB {
        var $connection; //The MySQL database connection

        /* Class constructor */
        function MySQLDB(){
            /* Make connection to database */
            $this->connection = @mysql_connect(*****, *****, *****) or die(mysql_error());
            @mysql_select_db(*****, $this->connection) or die(mysql_error());
        }

        /**
         * query - Performs the given query on the database and
         * returns the result, which may be false, true or a
         * resource identifier.
         */
        //Use this function as query("Query line of code");
        function query($query){
            return mysql_query($query, $this->connection);
        }
    };

    $config = new MySQLDB;

Could the global $config become a problem?

cooldude832 Posted August 3, 2008

Never ever ever set a session variable via a raw post data value. I could inject any username I want via cURL and in theory be any user I want. There is no security difference between GET and POST; they are only different in their procedure of passing data.

whiteboikyle (Author) Posted August 3, 2008

> Never ever ever set a session variable via a raw post data value. I could inject any username I want via cURL and in theory be any user I want. There is no security difference between GET and POST; they are only different in their procedure of passing data.

I don't understand what you mean by this. The form for the login would look something like this:

    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="">
    <tr>
    <form name="form1" method="post" action="process.php">
    <td>
      <table width="100%" border="0" cellpadding="3" cellspacing="0">
        <tr>
          <td colspan="4"><div align="center"><strong>Member Login </strong></div></td>
        </tr>
        <tr>
          <td width="68"><div align="right">Username</div></td>
          <td width="3">:</td>
          <td width="205"><input name="myusername" type="text" id="myusername" value=")pH("></td>
          <td width="205"> </td>
        </tr>
        <tr>
          <td><div align="right">Password</div></td>
          <td>:</td>
          <td><input name="mypassword" type="password" id="mypassword"></td>
          <td> </td>
        </tr>
        <tr>
          <td><input name="login" type="hidden" value="1"></td>
          <td> </td>
          <td><input type="submit" name="Submit" value="Login"></td>
          <td> </td>
        </tr>
      </table>
    </td>
    </form>
    </tr>
    </table>

cooldude832 Posted August 3, 2008

    $myusername = $_POST['username'];
    $_SESSION['myusername'] = $myusername;

The session value = the post value. That is bad because I can put anything I want in there and it will set that session.

whiteboikyle (Author) Posted August 3, 2008

>     $myusername = $_POST['username'];
>     $_SESSION['myusername'] = $myusername;
>
> The session value = the post value. That is bad because I can put anything I want in there and it will set that session.

lol dude, listen, it's a login form. So once you put in the username / password it does the mysql_real_escape_string and also checks to see if the username / password match. Would you like to see the full code? Trust me, you can't put "anything"; this is just an example.

cooldude832 Posted August 3, 2008

Yup, I would, 'cause you shouldn't use the post value; you should use the returned mysql row for consistency.

whiteboikyle (Author) Posted August 3, 2008

    function login(){
        global $config;
        ob_start();
        // Define $myusername and $mypassword
        $myusername=$_POST['myusername'];
        $mypassword=$_POST['mypassword'];

        # Allows letters, numbers
        if(!preg_match('/^[a-zA-Z0-9]+$/i', $myusername)) {
            session_register('bad_char');
            $_SESSION['bad_char'] = "<center><font color='red' size='1'>Invalid Character; Only Letters Or Numbers Can Be Used!</font></center>";
            header("location:login.php");
            exit; // stop here so the query below does not run
        }

        // To protect MySQL injection (more detail about MySQL injection)
        $myusername = stripslashes($myusername);
        $mypassword = stripslashes($mypassword);
        $myusername = mysql_real_escape_string($myusername);
        $mypassword = mysql_real_escape_string($mypassword);
        $myusername = strip_tags($myusername);
        $mypassword = strip_tags($mypassword);
        $encrypt_password = md5($mypassword);

        $query = $config->query("SELECT * FROM members WHERE username='".$myusername."' and password='".$encrypt_password."'");

        // Mysql_num_row is counting table row
        $count=mysql_num_rows($query);

        // If result matched $myusername and $mypassword, table row must be 1 row
        if($count==1){
            // Register $myusername
            session_register("myusername");
            $_SESSION['myusername'] = $myusername;
            header("location:main.php");
        }
        else {
            session_register('error');
            $_SESSION['error'] = "<center><font color='red' size='4'>Wrong Username or Password</font></center>";
            header("location:login.php");
        }
        ob_end_flush();
    }

Btw, still, if the Username/Password don't match it won't make a session lol

cooldude832 Posted August 3, 2008

session_register is deprecated, so don't use it now; it is unneeded. Also, strip tags/stripslashes is unneeded if you are running mysql_real_escape.

The Little Guy Posted August 3, 2008

What I do when a user logs in is simple:

    include '../incl/includes.php';
    $query = sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'",
        mysql_real_escape_string($_POST['email']),
        mysql_real_escape_string(md5($_POST['password'])));
    $sql = mysql_query($query)or die(mysql_error());
    if(mysql_num_rows($sql) > 0){
        $row = mysql_fetch_array($sql);
        $_SESSION['name'] = $row['name'];
        $_SESSION['id'] = $row['id'];
        $_SESSION['group'] = $row['group'];
        $_SESSION['gender'] = $row['gender'];
        $_SESSION['logged'] = TRUE;
    }else{
        header("Location: /login.php");
        exit;
    }

Notice this line:

    $_SESSION['logged'] = TRUE;

On all my pages that require a user to be logged in, I just use this code:

    session_start();
    if(empty($_SESSION['logged'])){ // not logged in: redirect away
        header("Location: /");
        exit;
    }
    // Place the rest of the HTML/PHP here

Hope this helps.

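Added example, not code from any poster in this thread: one way to apply the advice above (take the session values from the returned database row, never from $_POST), written with PDO bound parameters and password_hash()/password_verify() in place of the thread's mysql_real_escape_string() and md5(). The members table layout, the sample account and the in-memory SQLite database are assumptions made so the script runs offline; the NOCASE column mimics MySQL's default case-insensitive match, so the session ends up holding the stored spelling of the name rather than the typed one.

```php
<?php
// Added example; table, columns and the sample account are constructed.
// In-memory SQLite stands in for the thread's MySQL server.

function find_user(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the salted hash made by password_hash().
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return $row;
}

function log_in(PDO $db, array $post): bool
{
    $row = find_user($db, (string)($post['myusername'] ?? ''), (string)($post['mypassword'] ?? ''));
    if ($row === null) {
        return false;                 // a failed login writes nothing to the session
    }
    session_regenerate_id(true);      // fresh session id once the user is authenticated
    $_SESSION['user_id']    = (int)$row['id'];   // both values come from the row,
    $_SESSION['myusername'] = $row['username'];  // not from $_POST
    return true;
}

function is_logged_in(): bool
{
    // Guard for protected pages: the key must exist and hold an expected value.
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']) && $_SESSION['user_id'] > 0;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY,
           username TEXT COLLATE NOCASE UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)')
   ->execute(['Kyle', password_hash('constructed-password', PASSWORD_DEFAULT)]);

session_start();
$bad  = log_in($db, ['myusername' => 'kyle', 'mypassword' => 'wrong']);
$none = is_logged_in();
$good = log_in($db, ['myusername' => 'kyle', 'mypassword' => 'constructed-password']);
// Output happens only after all session calls, so this also runs from the CLI.
var_dump($bad, $none, $good, $_SESSION['myusername']);
```
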
whiteboikyle (Author) Posted August 4, 2008

> session_register is deprecated, so don't use it now; it is unneeded. Also, strip tags/stripslashes is unneeded if you are running mysql_real_escape.

How would you register an error then to send back to the last page?

DarkWater Posted August 4, 2008

You should just process the login form on the same page, in the same PHP file. By the way, your "Process" class is ridiculously useless, not gonna lie. >_> You should read up on OOP principles. There's no point in the class whatsoever, because it just does random things and has no direct task.

cooldude832 Posted August 4, 2008

No, registering sessions is not used any more. To add to the superglobal array you simply put

    <?php
    session_start();
    $_SESSION['var'] = "Value";
    ?>

instead of

    <?php
    session_start();
    session_register('var');
    $_SESSION['var'] = "Value";
    ?>

The registration will produce a "call to undefined function" error as of PHP 6.0.

Andy-H Posted August 4, 2008

    if(!preg_match('/^[a-zA-Z0-9]+$/i', $myusername))

Why not just use

    if(!ctype_alnum($myusername))

whiteboikyle (Author) Posted August 4, 2008

> No, registering sessions is not used any more. To add to the superglobal array you simply put
>
>     <?php
>     session_start();
>     $_SESSION['var'] = "Value";
>     ?>
>
> instead of
>
>     <?php
>     session_start();
>     session_register('var');
>     $_SESSION['var'] = "Value";
>     ?>
>
> The registration will produce a "call to undefined function" error as of PHP 6.0.

Well, on the next page I go

    if(session_is_registered('error')){
        echo $_SESSION['error'];
    }

and Andy-H, I will look into the "ctype_alnum".

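Added example, not code from any poster in this thread: one way to send an error back to the login page with plain $_SESSION assignment and isset(), without session_register() or session_is_registered(). The helper names flash_set(), flash_take() and render_error() are hypothetical, and the message is stored as text and escaped only when it is printed.

```php
<?php
// Added example; flash_set(), flash_take() and render_error() are hypothetical names.

function flash_set(string $key, string $message): void
{
    // Plain assignment registers the value; session_register() is not needed.
    $_SESSION['flash'][$key] = $message;   // store text only, no markup
}

function flash_take(string $key): ?string
{
    // isset() replaces session_is_registered(). The message is removed as it
    // is read, so it shows once and not again on every later page load.
    if (!isset($_SESSION['flash'][$key])) {
        return null;
    }
    $message = $_SESSION['flash'][$key];
    unset($_SESSION['flash'][$key]);
    return $message;
}

function render_error(?string $message): string
{
    // Markup is added at output time and the stored text is escaped there.
    return $message === null ? ''
        : '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

session_start();

// process.php, on a failed login; the real page would then send
// header('Location: login.php') and exit.
flash_set('error', 'Wrong Username or Password');

// login.php, on the next request
$first  = render_error(flash_take('error'));
$second = render_error(flash_take('error'));   // already consumed by the first call
var_dump($first, $second);
```
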