Jump to content

Recommended Posts

I am a newbee. I have a simple login script and I am trying to see if someone is logged in or not.

If not I want to forward them to the login page.

Here is part of the login:

 

if(isset($_POST['logname']))
{
$UserArr = chk_lgn($_POST['logname'],$_POST['passwd']);
$_SESSION['iden'] = $UserArr['UserId'];
$_SESSION['logname'] = $UserArr['logname'];
}

if($_SESSION['iden'] !=0)
{   
$_SESSION['auth'] = 1;
	//echo 8;
	//print_r($_SESSION['auth']);
	header('location:../UserPage/index.php');
}

elseif($_SESSION['iden'] == 0)
{
$_SESSION['auth'] = 0;
if($_POST){echo "Try Again.";}

Here is my check auth function (it is in a global file and loads with every page):
function check_auth()
{

if(isset($_SESSION['auth']))
{
	continue;
}
elseif($_SESSION['auth'] == 0)
	{
	  header('location: ../LogIn/index.php');
	  exit;
	}
}

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/
Share on other sites

continue is for loops.. e.g.

$i = 0;

while ($i >= 10) {

  $i++;

  echo $i."<br>";

  if ($i == 11) continue;

}

 

that will give you an extra loop by continuing the loop.

 

where exactly do you use check_auth and why are you going to such an extreme for login? and you're handling it quite wrong aswell.. logins are VERY simple :)

 

you start with ofcourse.. a database connection.

 

pretend we started one in "config.php";

 

<?php
session_start();
include("config.php");
function passThru($x) { return ((magic_quotes_gpc())? stripslashes($x):$x); }
if (strlen($_POST['username']) && strlen($_POST['password'])) {
	// this means the user successfully sent you the user and pass.
	list($user,$pass) = array_map("mysql_real_escape_string",array_map("passThru",array($_POST['username'],$_POST['password'])));
	// mysql_real_escape both strings AFTER we remove the slashes from magicquote.
	$pass = md5($pass);
	// md5 hash the password because security is KEY.. so when a user registers md5 hash the password
	$q = mysql_query("SELECT * FROM table WHERE username = '{$user}' AND password = '{$pass}'");
	// execute the query to see if the user and pass exist in the database
	if ($row = mysql_fetch_assoc($q)) {
		// hes passed authorization... now you set your sessions..
		$_SESSION['username'] = $row['username'];
		$_SESSION['userID'] = $row['userID'];
	} else {
		// he is not in the database.. deny him!
		header("Location: DENIED.html");
	}
} else {
	// missing a field username or password deny him!
	header("Location: DENIED.html");
}
?>

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/#findComment-930443
Share on other sites

@RussellReal, and your do that on every page ?

 

Here is my check auth function (it is in a global file and loads with every page):

 

nopes :) just start the session :) if their username and userID is in the session than they're logged in? lol, however, this isn't THE MOST secure but its the BARE BONES of any login script

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/#findComment-930452
Share on other sites

why do you dislike array_map.. all it really is is a foreach loop and setting a new array from the values of the function you specify.. which to me is quite nice, however, I could probably have done both array_map's in 1 array_map :) but I'm just thinkin of that now..

 

also, I prefer strlen. empty works also but its just a preference <3 I appreciate the feedback though.

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/#findComment-930459
Share on other sites

why do you dislike array_map..

 

I don't dislike array_map, I don't like the way its used.

dislike using array_map to sanitize input fields on a global scale.

 

when people try to create a global function to sanitize all their in 1 hit, without taking into account what data is being passed it normally means they are not paying the right amount of attention to security..

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/#findComment-931148
Share on other sites

I used it in this fashion because both expected variables are strings and this array secludes the map to just two with array($_POST['username'],$_POST['password'])

 

now I know this isn't a good practice for such a little bit of values as it woulda been less typing to just escape them 1 by 1, but I was just going with what I was thinking :). but sanitizing 2 values that you EXPECT to be strings with array map shouldn't be taboo, but I can see your concern here for other people reading the data herein, however, even if you did escape every value from $_POST with mysql_real_escape_string via array_map, its still not tampering with the actual $_POST array its returning the array, and furthermore it WOULD be sanitized, and when it comes down to it there is very limited other ways besides type-casting that you can use to sanitize your inputs. so even in that respect it shouldn't be taboo. but I see where you're coming from :)

 

oh and sorry for the paragraph lol I don't want to come across as defensive I'm not being defensive just shedding my thoughts aswell. <3

Link to comment
https://forums.phpfreaks.com/topic/176508-check-auth/#findComment-931308
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.