Cooper94 Posted January 22, 2009 Share Posted January 22, 2009 I know nothing can be 100% secure but is this some what secure? <? session_start(); header("Cache_control: private"); include 'data.php'; // username and password sent from form $username=$_POST['username']; $password=$_POST['password']; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM pilots WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ // Register $username, $password and redirect to file "login_success.php" session_register("username"); session_register("password"); header("location:index.php"); } else { echo "Wrong Username or Password"; } ?> Thank You Quote Link to comment Share on other sites More sharing options...
DeanWhitehouse Posted January 22, 2009 Share Posted January 22, 2009 Yes except session_register is deprecated, so it should now be $_SESSION['session_name'] = $session_value; And try to use <?php instead of <? just better coding practice Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted January 22, 2009 Share Posted January 22, 2009 Just some suggestions... 1. Don't Save the password in a session. 2. Save the users id in a session. 3. Use a boolean TRUE/FALSE to check if a user is logged in (TRUE means yes). 4. Save as much info as possible into sessions, this will reduce your number of queries. Quote Link to comment Share on other sites More sharing options...
Cooper94 Posted January 22, 2009 Author Share Posted January 22, 2009 Is there a way you could give me a code snippet as to include the online so I dont have to use the password or instead of the password should I make it check the user_id? Thank You Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted January 22, 2009 Share Posted January 22, 2009 Im not sure I follow... Quote Link to comment Share on other sites More sharing options...
Cooper94 Posted January 22, 2009 Author Share Posted January 22, 2009 Instead of checking the password like you said not too because I do have a area were I only want users so I do a session check. So should I save the user_id into a session and check it as I would as a password? Also I am trying to save the session so that it saves the users name. How would I go about doing this? Cause when I try it wont give out an input. Quote Link to comment Share on other sites More sharing options...
DeanWhitehouse Posted January 22, 2009 Share Posted January 22, 2009 If it saves the id you then query on each page to get the user details using the ID as a reference. Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted January 22, 2009 Share Posted January 22, 2009 Example Login Page: <?php session_start(); header("Cache_control: private"); include 'data.php'; // username and password sent from form $username=$_POST['username']; $password=$_POST['password']; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM pilots WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ $row = mysql_fetch_array($sql); // Register $username, $password and redirect to file "login_success.php" $_SESSION["username"] = $row['username']; // users name $_SESSION["id"] = $row['id']; // users id number // add any other session stuff you would like here $_SESSION["logged"] = TRUE; // user is logged in because this is "TRUE" header("location:index.php"); } else { echo "Wrong Username or Password"; } ?> Example page for a logged in user: session_start(); if(!$_SESSION['logged']){ // $_SESSION['logged'] will hold your TRUE/FALSE header('loginPage.php'); } // Display information ONLY logged in users can see echo $_SESSION['id'].'<br />'; echo $_SESSION['username'].'<br />'; // Do what anything else you may need since you now have some sessions Quote Link to comment Share on other sites More sharing options...
DeanWhitehouse Posted January 22, 2009 Share Posted January 22, 2009 Another example http://djw-webdesign.awardspace.com/code.php?snippet=9 Quote Link to comment Share on other sites More sharing options...
Cooper94 Posted January 22, 2009 Author Share Posted January 22, 2009 Example Login Page: <?php session_start(); header("Cache_control: private"); include 'data.php'; // username and password sent from form $username=$_POST['username']; $password=$_POST['password']; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM pilots WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ $row = mysql_fetch_array($sql); // Register $username, $password and redirect to file "login_success.php" $_SESSION["username"] = $row['username']; // users name $_SESSION["id"] = $row['id']; // users id number // add any other session stuff you would like here $_SESSION["logged"] = TRUE; // user is logged in because this is "TRUE" header("location:index.php"); } else { echo "Wrong Username or Password"; } ?> Example page for a logged in user: session_start(); if(!$_SESSION['logged']){ // $_SESSION['logged'] will hold your TRUE/FALSE header('loginPage.php'); } // Display information ONLY logged in users can see echo $_SESSION['id'].'<br />'; echo $_SESSION['username'].'<br />'; // Do what anything else you may need since you now have some sessions I did all of this and still when I got to output the $_SESSION['name']; it still will not show anything. Here is my code: <?php session_start(); if (($_SESSION[username] != "") && ($_SESSION[password] != "")) { } else { header ('Location: index.php'); } ?> <center>Welcome to Republic Virtual Airways pirep system <? echo $_SESSION['name']; ?>!</center> Quote Link to comment Share on other sites More sharing options...
gevans Posted January 22, 2009 Share Posted January 22, 2009 Take a look at the following snippet from your code $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); You are stripping slashes. Unless you know that magic_quotes is enabled, which I wouldn't recommend there is no reason for doing this. If you want to write flexible code try the following; <?php if (get_magic_quotes_gpc()) { $password = stripslashes($password); $username = mysql_real_escape_string($username); } $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); If you are in control of your server I'd recommend against magic quotes. If you though you were stripping slashes to be safe, this time it's wrong. Imagine your string was allowed backslashes (I wouldn't allow this for a username of password) , this is just an example; <?php $foo = 'mycool/\string'; $foo = stripslashes($foo); echo $foo = mysql_real_escape_string($foo);//prints mycool/string The code stripped a slash that you didn't want to lose. Quote Link to comment Share on other sites More sharing options...
redarrow Posted January 22, 2009 Share Posted January 22, 2009 where the md5 for the password aswelll Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.