AL123 Posted October 5, 2009

I am a newbie. I have a simple login script and I am trying to see if someone is logged in or not. If not, I want to forward them to the login page.

Here is part of the login:

```php
if(isset($_POST['logname']))
{
    $UserArr = chk_lgn($_POST['logname'],$_POST['passwd']);
    $_SESSION['iden'] = $UserArr['UserId'];
    $_SESSION['logname'] = $UserArr['logname'];
}
if($_SESSION['iden'] !=0)
{
    $_SESSION['auth'] = 1;
    //echo 8;
    //print_r($_SESSION['auth']);
    header('location:../UserPage/index.php');
}
elseif($_SESSION['iden'] == 0)
{
    $_SESSION['auth'] = 0;
    if($_POST){echo "Try Again.";}
```

Here is my check auth function (it is in a global file and loads with every page):

```php
function check_auth()
{
    if(isset($_SESSION['auth']))
    {
        continue;
    }
    elseif($_SESSION['auth'] == 0)
    {
        header('location: ../LogIn/index.php');
        exit;
    }
}
```
redarrow Posted October 5, 2009

```php
<?php
session_start();
// Redirect when the session value is missing or empty
if (empty($_SESSION['session_name'])) {
    header("Location: index.php");
    exit; // stop here so the rest of the page does not run after the redirect
}
?>
```
MadTechie Posted October 5, 2009

something like this

```php
<?php
function check_auth()
{
    session_start();
    //if auth is not set or 0 then goto login.php
    if(empty($_SESSION['auth']))
    {
        header("Location: login.php");
        exit();
    }
}
?>
```
RussellReal Posted October 5, 2009

continue is for loops.. e.g.

```php
$i = 0;
while ($i <= 10) {
    $i++;
    echo $i."<br>";
    // continue jumps straight to the next check of the loop condition
    if ($i == 11) continue;
}
```

that will give you an extra loop by continuing the loop.

where exactly do you use check_auth and why are you going to such an extreme for login? and you're handling it quite wrong as well.. logins are VERY simple

you start with of course.. a database connection. pretend we started one in "config.php";

```php
<?php
session_start();
include("config.php");
function passThru($x) {
    // get_magic_quotes_gpc() is the built-in that reports the magic_quotes_gpc setting
    return ((get_magic_quotes_gpc())? stripslashes($x):$x);
}
if (strlen($_POST['username']) && strlen($_POST['password'])) {
    // this means the user successfully sent you the user and pass.
    list($user,$pass) = array_map("mysql_real_escape_string",array_map("passThru",array($_POST['username'],$_POST['password'])));
    // mysql_real_escape both strings AFTER we remove the slashes from magicquote.
    $pass = md5($pass);
    // md5 hash the password because security is KEY.. so when a user registers md5 hash the password
    $q = mysql_query("SELECT * FROM table WHERE username = '{$user}' AND password = '{$pass}'");
    // execute the query to see if the user and pass exist in the database
    if ($row = mysql_fetch_assoc($q)) {
        // he's passed authorization... now you set your sessions..
        $_SESSION['username'] = $row['username'];
        $_SESSION['userID'] = $row['userID'];
    }
    else {
        // he is not in the database.. deny him!
        header("Location: DENIED.html");
        exit;
    }
}
else {
    // missing a field username or password deny him!
    header("Location: DENIED.html");
    exit;
}
?>
```
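A variant of the login flow and the per-page check discussed in this thread, as an added example that is not part of any post. It assumes PHP 7.1+ with PDO and a hypothetical `users` table with `userID`, `username` and `pass_hash` columns, and it uses a bound parameter and `password_hash()`/`password_verify()` in place of `mysql_real_escape_string` and `md5`; the CLI block at the end builds a constructed user in an in-memory SQLite database so it runs offline.

```php
<?php
// Added example; the users table and its column names are assumptions.

// Look the user up with a bound parameter: no escaping step, no magic_quotes handling.
function find_user(PDO $db, string $username): ?array
{
    $st = $db->prepare('SELECT userID, username, pass_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns true and fills the session only when the password matches the stored hash.
function login(PDO $db, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return false;
    }
    $row = find_user($db, $username);
    if ($row === null || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session ID after the privilege change
    }
    $_SESSION['userID']   = (int) $row['userID'];
    $_SESSION['username'] = $row['username'];
    return true;
}

// Call at the top of every protected page, after session_start().
function check_auth(): void
{
    if (empty($_SESSION['userID'])) {
        header('Location: ../LogIn/index.php');
        exit; // without this the rest of the page still runs
    }
}

if (PHP_SAPI === 'cli') { // offline demo with a constructed user in an in-memory SQLite database
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
    $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
       ->execute(["o'brien", password_hash('constructed-password', PASSWORD_DEFAULT)]);
    var_dump(login($db, ['username' => "o'brien", 'password' => 'wrong']));
    var_dump(login($db, ['username' => "o'brien", 'password' => 'constructed-password']));
}
```

The constructed username contains an apostrophe on purpose: the bound parameter carries it to the database unchanged, so the lookup needs no per-field escaping.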
MadTechie Posted October 5, 2009

@RussellReal, and you do that on every page?

> Here is my check auth function (it is in a global file and loads with every page):
RussellReal Posted October 5, 2009

> @RussellReal, and you do that on every page?
>
> > Here is my check auth function (it is in a global file and loads with every page):

nopes, just start the session. if their username and userID is in the session then they're logged in? lol, however, this isn't THE MOST secure but it's the BARE BONES of any login script
MadTechie Posted October 5, 2009

Personally (and don't take this the wrong way) I would change

strlen($_POST['username'])

to

!empty($_POST['username'])

also I dislike using array_map to sanitize input fields on a global scale.
RussellReal Posted October 5, 2009

why do you dislike array_map.. all it really is is a foreach loop and setting a new array from the values of the function you specify.. which to me is quite nice, however, I could probably have done both array_map's in 1 array_map but I'm just thinkin of that now..

also, I prefer strlen. empty works also but it's just a preference <3

I appreciate the feedback though.
corbin Posted October 5, 2009

strlen will throw a notice if the variable doesn't exist; empty will not.
RussellReal Posted October 5, 2009

o sweet I never knew that, most of my hosting plans and my php installation I really never had that problem, but I'll remember that, kudos
MadTechie Posted October 5, 2009

> why do you dislike array_map..

I don't dislike array_map, I don't like the way it's used.

> dislike using array_map to sanitize input fields on a global scale.

when people try to create a global function to sanitize all their in 1 hit, without taking into account what data is being passed, it normally means they are not paying the right amount of attention to security..
RussellReal Posted October 6, 2009

I used it in this fashion because both expected variables are strings and this array secludes the map to just two with

array($_POST['username'],$_POST['password'])

now I know this isn't a good practice for such a little bit of values as it woulda been less typing to just escape them 1 by 1, but I was just going with what I was thinking.

but sanitizing 2 values that you EXPECT to be strings with array map shouldn't be taboo, but I can see your concern here for other people reading the data herein, however, even if you did escape every value from $_POST with mysql_real_escape_string via array_map, it's still not tampering with the actual $_POST array, it's returning the array, and furthermore it WOULD be sanitized, and when it comes down to it there is very limited other ways besides type-casting that you can use to sanitize your inputs. so even in that respect it shouldn't be taboo. but I see where you're coming from

oh and sorry for the paragraph lol, I don't want to come across as defensive, I'm not being defensive, just shedding my thoughts as well. <3