dlouis95 Posted May 31, 2010
Last Friday I sat down to make users on my site. Within one hour I had a working prototype. I have refined it since then to make it a very good working script, but I am doubting my system of user login. In the script, when you log in, you get a cookie that is named 'dan' and that has your email as its value. When you go to a page, it checks if the cookie exists, and displays all the information that should be there for the user whose email is the same as the cookie's value. Is it possible for a person to edit a cookie on their computer as a way to hack into someone else's account using this system? If it is, does anyone have a suggestion as to how to make this more secure? Thanks!
Thread: https://forums.phpfreaks.com/topic/203390-is-this-scirpt-safe-to-use-for-users/
kenrbnsn Posted May 31, 2010
Without seeing the code, it's hard for us to tell anything.
dlouis95 (Author) Posted May 31, 2010
Quoting kenrbnsn: Without seeing the code, it's hard for us to tell anything.
The script is the following....

```php
<?php
// Uses the legacy mysql_* extension (removed in PHP 7).
if (isset($_COOKIE['dan'])) {
    // The cookie holds the email of the "logged-in" user; all whitespace is
    // stripped from it before it is compared with the account's email.
    $sPattern = '/\s*/m';
    $sReplace = '';
    $string   = $_COOKIE['dan'];
    $email    = preg_replace($sPattern, $sReplace, $string);

    $host     = "";
    $username = "";
    $password = "";
    $db_name  = "";
    $tbl_name = "";
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");

    // Account being viewed, taken from the query string and escaped.
    $user = mysql_real_escape_string($_GET['username']);
    if (mysql_num_rows(mysql_query("SELECT username FROM $tbl_name WHERE username = '$user'"))) {
        $sql    = "SELECT * FROM $tbl_name WHERE username='$user'";
        $result = mysql_query($sql);
        $rows   = mysql_fetch_array($result);
        $email2 = $rows['email'];
        // Ownership check: the cookie's email against the account's email.
        if ($email == $email2) {
            ?>...html if the account is yours...<?php
        } else {
            ?>...html if the account isn't yours...<?php
            die();
        }
    } else {
        ?>...html for account that doesn't exist...<?php
        die();
    }
} else {
    $host     = "";
    $username = "";
    $password = "";
    $db_name  = "";
    $tbl_name = "";
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db_name) or die("cannot select DB");

    // Note: in this branch $name goes into the query without
    // mysql_real_escape_string(), unlike $user above.
    $name   = $_GET['username'];
    $sql    = "SELECT * FROM $tbl_name WHERE username='$name'";
    $result = mysql_query($sql);
    $rows   = mysql_fetch_array($result);
    if ($rows['password'] == null) {
        ?>...html for account if you're not logged in<?php
    } else {
        ?>...html for account that doesn't exist if you're not logged in...<?php
    }
}
?>
```
Cory94bailly Posted May 31, 2010
Well, since cookies are client-side, you have a huge chance of getting 'hacked'. I would suggest sessions.
dlouis95 (Author) Posted May 31, 2010
Quoting Cory94bailly: Well, since cookies are client-side, you have a huge chance of getting 'hacked'. I would suggest sessions.
I found a way around it. The program now saves your IP to the server at account creation. When you get to the page with accounts, it checks if your email is the same as the account's as well as if your IP is the same as the account's. If your IP isn't the same, but the email is, it logs you off and sends you to the login page. When you log in again, your IP in the database is changed to what your new IP is. Now you need to change the cookie as well as know the user's IP.
Pikachu2000 Posted May 31, 2010
Are you simply trying to create a "Keep Me Logged In" type of feature?
dlouis95 (Author) Posted May 31, 2010
Quoting Pikachu2000: Are you simply trying to create a "Keep Me Logged In" type of feature?
As of right now, yes. As of tonight, it will get a little more complicated.
roopurt18 Posted May 31, 2010
IPs can be spoofed. You need to use sessions.
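The approach the replies recommend (server-side sessions), applied to the "keep me logged in" requirement from the first post, as an added example that is not the original poster's script or anything posted in this thread. The concern in the first post is well founded: a cookie's value is chosen by the client, so anyone can send `Cookie: dan=victim@example.com` (curl's `-b` option does it in one line) and the posted script will render that account as theirs. Storing the IP address alongside, as in the later post, does not repair this: users behind NAT or a proxy share one address, mobile addresses change between requests, and an attacker on the same network or behind the same proxy presents the same address as the victim. The example below keeps identity in the session, verifies the password server-side, and implements the persistent login with a random selector/validator token that is checked against the database rather than trusted. It assumes PHP 7.3 or later, a PDO handle `$pdo`, a `users` table (id, username, email, password_hash) whose password column holds `password_hash()` output, and a `remember_tokens` table (selector, validator_hash, user_id, expires_at); every name here is illustrative.

```php
<?php
// Added example, not the original poster's script. Assumed schema: users(id,
// username, email, password_hash) and remember_tokens(selector,
// validator_hash, user_id, expires_at); $pdo is an open PDO connection.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 60 * 60; // 30 days, in seconds

// Session cookie the browser will not expose to scripts or send over plain HTTP.
function secureSessionStart(): void
{
    session_set_cookie_params([
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
    session_start();
}

// Verify the password server-side and bind the user id to the session. The
// client never holds a cookie whose content decides who it is.
function login(PDO $pdo, string $email, string $password, bool $remember): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh id after login (session fixation defence)
    $_SESSION['user_id'] = (int) $row['id'];
    if ($remember) {
        issueRememberToken($pdo, (int) $row['id']);
    }
    return true;
}

// Persistent token: a random selector (lookup key) and a random validator whose
// hash is stored. A leaked table row cannot be replayed as a cookie, and a
// forged cookie cannot match without guessing the 256-bit validator.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $selector, hash('sha256', $validator), $userId,
        date('Y-m-d H:i:s', time() + REMEMBER_TTL),
    ]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Who is the visitor? The session first, then the persistent token, which is
// validated against the database with a constant-time comparison.
function currentUserId(PDO $pdo): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                        // unknown, expired or forged token
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

// Ownership check for the account page: look the viewed account up with a
// prepared statement and compare ids, not a client-supplied email address.
function isOwnProfile(PDO $pdo, string $viewedUsername): bool
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->execute([$viewedUsername]);
    $owner = $stmt->fetchColumn();
    return $owner !== false && currentUserId($pdo) === (int) $owner;
}

// Usage at the top of the account page:
//   secureSessionStart();
//   $isMine = isOwnProfile($pdo, $_GET['username'] ?? '');
```

Logout should delete the visitor's `remember_tokens` row and clear the cookie, and a password change should delete all of that user's rows so old tokens stop working. The prepared statements also remove the string-built queries of the posted script, whose second branch uses `$_GET['username']` without escaping.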