Jump to content

Secure?

Cooper94

By Cooper94
in PHP Coding Help

 Share

Recommended Posts

Cooper94 Member

Cooper94

Posted
Posted

I know nothing can be 100% secure but is this some what secure?

<?
session_start();  
header("Cache_control: private");

include 'data.php';
// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM pilots WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password"); 
header("location:index.php");
}
else {
echo "Wrong Username or Password";
}
?>

Thank You

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/
Share on other sites
The Little Guy Prolific Member

The Little Guy

Posted
Posted

Just some suggestions...

 

1. Don't Save the password in a session.

2. Save the users id in a session.

3. Use a boolean TRUE/FALSE to check if a user is logged in (TRUE means yes).

4. Save as much info as possible into sessions, this will reduce your number of queries.

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/#findComment-743622
Share on other sites
Cooper94 Member

Cooper94

Posted
  • Author
Posted

Instead of checking the password like you said not too because I do have a area were I only want users so I do a session check. So should I save the user_id into a session and check it as I would as a password? Also I am trying to save the session so that it saves the users name. How would I go about doing this? Cause when I try it wont give out an input.

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/#findComment-743704
Share on other sites
The Little Guy Prolific Member

The Little Guy

Posted
Posted

Example Login Page:

<?php
session_start(); 
header("Cache_control: private");

include 'data.php';
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM pilots WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1){
$row = mysql_fetch_array($sql);
// Register $username, $password and redirect to file "login_success.php"
$_SESSION["username"] = $row['username']; // users name
$_SESSION["id"] = $row['id']; // users id number
// add any other session stuff you would like here
$_SESSION["logged"] = TRUE; // user is logged in because this is "TRUE"
header("location:index.php");
}
else {
echo "Wrong Username or Password";
}
?>

 

 

Example page for a logged in user:

session_start();
if(!$_SESSION['logged']){  // $_SESSION['logged'] will hold your TRUE/FALSE
     header('loginPage.php');
}

// Display information ONLY logged in users can see


echo $_SESSION['id'].'<br />';
echo $_SESSION['username'].'<br />';

// Do what anything else you may need since you now have some sessions

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/#findComment-743709
Share on other sites
Cooper94 Member

Cooper94

Posted
  • Author
Posted

Example Login Page:

<?php
session_start(); 
header("Cache_control: private");

include 'data.php';
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM pilots WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1){
$row = mysql_fetch_array($sql);
// Register $username, $password and redirect to file "login_success.php"
$_SESSION["username"] = $row['username']; // users name
$_SESSION["id"] = $row['id']; // users id number
// add any other session stuff you would like here
$_SESSION["logged"] = TRUE; // user is logged in because this is "TRUE"
header("location:index.php");
}
else {
echo "Wrong Username or Password";
}
?>

 

 

Example page for a logged in user:

session_start();
if(!$_SESSION['logged']){  // $_SESSION['logged'] will hold your TRUE/FALSE
     header('loginPage.php');
}

// Display information ONLY logged in users can see


echo $_SESSION['id'].'<br />';
echo $_SESSION['username'].'<br />';

// Do what anything else you may need since you now have some sessions

I did all of this and still when I got to output the $_SESSION['name']; it still will not show anything. Here is my code:

<?php 
session_start();
if (($_SESSION[username] != "") && ($_SESSION[password] != "")) 
{
}
else {
header ('Location: index.php');
}
?>
<center>Welcome to Republic Virtual Airways pirep system <? echo $_SESSION['name']; ?>!</center>

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/#findComment-743741
Share on other sites
gevans Regular Member

gevans

Posted
Posted

Take a look at the following snippet from your code

 

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

 

You are stripping slashes. Unless you know that magic_quotes is enabled, which I wouldn't recommend there is no reason for doing this. If you want to write flexible code try the following;

 

<?php
if (get_magic_quotes_gpc()) {
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
}
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

 

If you are in control of your server I'd recommend against magic quotes. If you though you were stripping slashes to be safe, this time it's wrong. Imagine your string was allowed backslashes (I wouldn't allow this for a username of password) , this is just an example;

 

<?php
$foo = 'mycool/\string';
$foo = stripslashes($foo);
echo $foo = mysql_real_escape_string($foo);//prints  mycool/string

 

The code stripped a slash that you didn't want to lose.

Link to comment
https://forums.phpfreaks.com/topic/142000-secure/#findComment-743795
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.