
concept of user registry


thankqwerty


Hi,

I'm new to PHP and everything, and I just made a simple message board website. At the moment the messages are stored in the database with user, time, content, etc., but anyone can edit any post using whatever name they want. So I now want to make a user registry, but I have a problem with the concept of it.

 

I know I can set up new user accounts in MySQL; does that mean I should do that for each user of my website?

Are there any built-in functions in PHP or MySQL that have privilege control?

Or am I supposed to, for example, save the user name and password in the cookie and check every time the user wants to post something or edit a post? Which means I'll have to do all the privilege checks myself .... >.<!

 

--------------

 

Another question is that I only know how to send information from one page to another via <form> + <input> or by putting it at the end of the forward link in the form of $_GET. Is there any other way?

For example, if I want to pass the name of the database a user is currently using from one page to another, I can't use <form> because it's not user input, and I don't want to use $_GET because I don't want to reveal the name of the database to normal users. What would be the better way to pass the information?

https://forums.phpfreaks.com/topic/121903-concept-of-user-registry/

> For example, if I want to pass the name of the database a user is currently using from one page to another, I can't use <form> because it's not user input, and I don't want to use $_GET because I don't want to reveal the name of the database to normal users. What would be the better way to pass the information?

You can pass "invisible" information via a form using hidden inputs. Basically you create a hidden input that gets its value from the database and retrieve it by standard $_POST. Anyway, don't use it for sensitive information, as those hidden values can be easily seen. Use what BlueSkyIS said instead; I just wanted to let you know about this option.


 

No information is invisible. There are FREE applications out there that will tell you all information being passed via a GET/POST method and allow you to manipulate them. So, be warned, if you use <input type="hidden"> to store some information, you need to make sure that you validate those data inputs as well (otherwise, you can get in a world of trouble with hackers).


 

That makes no sense, as I mentioned in my post that one shouldn't use hidden inputs for sensitive information. Validating isn't really enough as long as one can enter whatever he wants; modify a database id or username, for example, which can pass validation. The choice is just not to use them. I am saying this again: I made the previous post to tell the topic starter that there are possible ways of passing "invisible" (note the double quotes) data via a form.

EDIT: There is no need for third-party apps to view GET variables; you can see them in the URL.


 

Validation includes using mysql_real_escape_string, escape, unescape, trim, htmlentities, etc. With proper usage, any user input can be cleaned correctly, as well as checking to make sure they even entered what they were supposed to enter (such as alphanumeric characters only, numbers, etc.).

 

mysql_real_escape_string() = escape; unescape isn't something you do for validating.

 

No system is secure enough, so talking about perfection in web applications is out of place. Even if applications were secure, hidden input values can be modified and one can enter perfectly validating data but change the behavior of the script. Imagine a forum which uses a hidden input in the post message script to keep track of the username/id. You can change that id and write a post for someone else, while the validation works, as the input data is correct. That was my idea of "validation isn't enough".

But that's not proper procedure, to allow the id to be out in the open. If anything, it would be used in a session (for short-term storage) or cookies (for long-term storage), in which case you would have a method to validate that cookie when the user comes back.

As long as you think things through and prepare code in a logical format, you will not have any security issues. (Let's call this 99.9%, as there always is some uncertainty.)
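The thread above settles on the right split between validation and authorization but never shows it in code, so here is an added example (written for this edited page, not code posted by any participant) that covers both the original question (one application account for MySQL, with site users kept in a table and identified through the server-side session) and the later exchange about hidden inputs: the post id may travel in a hidden field, but the user id comes only from the session, and the UPDATE is bound to the owner so a tampered post id changes nothing. The table and column names (users, posts, id, username, password_hash, author_id, body), the DSN and the application credentials are assumptions.

```php
<?php
// Added example, not from the thread. Session-based identity plus an ownership
// check on post edits, using PDO prepared statements. Schema and DSN are assumed.
declare(strict_types=1);
session_start();

function db(): PDO {
    // One MySQL account for the application; site users are rows in `users`,
    // not MySQL accounts. Host, database and credentials are placeholders.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=board;charset=utf8mb4', 'board_app', 'app-password',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
        );
    }
    return $pdo;
}

// Registration: store a password hash, never the password itself.
function registerUser(string $username, string $password): void {
    $stmt = db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: on success the user id lives in the server-side session. The browser
// only holds the session cookie, not the username/password or the id.
function login(string $username, string $password): bool {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session id after login
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['csrf']    = bin2hex(random_bytes(32));
    // Server-side state the user should not see (e.g. which database they are
    // working in) also belongs here rather than in $_GET or a hidden field.
    $_SESSION['db_name'] = 'board';             // assumed value
    return true;
}

function currentUserId(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Edit handler. post_id may come from a hidden input: that is acceptable only
// because the server re-checks ownership. The user id must never come from the form.
function editPost(array $post): string {
    $userId = currentUserId();
    if ($userId === null) {
        return 'login required';
    }
    if (!isset($post['csrf']) || !hash_equals($_SESSION['csrf'] ?? '', (string) $post['csrf'])) {
        return 'bad csrf token';
    }
    // Input validation: the id must be an integer...
    $postId = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT);
    if ($postId === false) {
        return 'invalid post id';
    }
    // ...and authorization: the WHERE clause ties the post to its owner, so a
    // valid-looking post_id that belongs to someone else updates zero rows.
    $stmt = db()->prepare('UPDATE posts SET body = ? WHERE id = ? AND author_id = ?');
    $stmt->execute([(string) ($post['body'] ?? ''), $postId, $userId]);
    return $stmt->rowCount() === 1 ? 'updated' : 'not your post';
}

// The edit form: post_id is visible and that is fine; it is not a secret and is
// not trusted. Output is escaped so stored content cannot inject markup.
function renderEditForm(int $postId, string $body): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="edit.php">'
         . '<input type="hidden" name="post_id" value="' . $h((string) $postId) . '">'
         . '<input type="hidden" name="csrf" value="' . $h($_SESSION['csrf'] ?? '') . '">'
         . '<textarea name="body">' . $h($body) . '</textarea>'
         . '<button type="submit">Save</button></form>';
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo editPost($_POST);
}
```

The point the two posters were circling is visible in editPost(): filter_var() is the validation step, and the `AND author_id = ?` clause is the authorization step. Validation alone would accept any well-formed post id; the ownership condition is what makes a swapped id harmless. A CSRF token is included because a session-authenticated edit endpoint is otherwise reachable from a forged cross-site form.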
