chrispos Posted March 10, 2012

I am using PHP 5 and I am having issues with cookies. I have looked at the help pages here but am still stuck. A site had been hacked via a database and I am making it more secure with the use of session control, IP address and cookies. The issue is this: I need to run a database query to test whether the two cookies set match the data in the database. I am using the following code in the head section.

```php
<?php
session_start();
$session = session_id();
$ip = $_SERVER['REMOTE_ADDR'];

$user = stripslashes(trim($_POST['user']));
$pass = stripslashes(trim($_POST['pass']));
$username = "$user";
$encrypt_user = md5($username);
$password = "$pass";
$encrypt_password = md5($password);

include 'config.php';

$query = "SELECT * FROM `users` WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
$result = mysql_query($query) or die (mysql_error());

if (mysql_num_rows($result) > 0) {
    while ($row = mysql_fetch_row($result)) {
        // set the cookies
        setcookie("cookie[pas]", "$encrypt_password");
        setcookie("cookie[user]", "$encrypt_user");

        $query = "UPDATE `users` SET `sid` = '$session', `ip` = '$ip' WHERE `username` = '$encrypt_user' AND `userpass` = '$encrypt_password'";
        // do not reassign $result here: the while loop is still reading from it
        mysql_query($query) or die (mysql_error());
    }
} else {
    echo 'No rows found';
}
?>
```

This works fine. Now when I add this bit of code I can see the cookie name and value.

```php
<?php
echo "$ip<br>";
if (isset($_COOKIE['cookie'])) {
    foreach ($_COOKIE['cookie'] as $name => $value) {
        $name = htmlspecialchars($name);
        $value = htmlspecialchars($value);
        echo "$name : $value <br />\n";
    }
}
?>
```

I can see the IP address and the two cookies named user and pass, but when I try to get the individual cookie details nothing comes out. This is the issue, as I need to test each of the two individual cookies against the info in the database so I can include pages to make it all secure.

I have tried

```php
<?php
if (isset($_COOKIE['user'])) {
    echo "$encrypt_user";
}
?>
```

encrypt_user being the username from the form. I have also tried

```php
<?php
if (isset($_COOKIE['user'])) {
    echo "$_COOKIE['user']";
}
?>
```

These are not showing. I do not need to see it, just run a query to test that each cookie matches the encrypted data in MySQL. Any ideas would be great if you can help, and if not, have a great weekend.

Link to comment https://forums.phpfreaks.com/topic/258644-i-have-been-hacked-and-i-am-trying-to-use-cookies-to-help-with-this-issue/

trq Posted March 10, 2012

Firstly, why on earth are you storing a user's password (hashed or not) in a cookie?

Now your issue: you have not set any cookie named "user".

cpd Posted March 10, 2012

A few things to think about when making something more secure.

1. Don't use cookies for usernames and passwords, as they can be tampered with and are stored on the client's computer.
2. When trying to encrypt passwords or anything, I would never use a single md5 hash as it can be easily broken.
3. If you're trying to manage the user as they move around the website, you should do it through sessions.

I only took a brief look at your code, but you should rethink your security methods before going any further.

Not sure if anybody else has a different opinion? Security is an extremely large topic.
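
Added example, not part of the original thread: a login that follows the three points above, keeping identity in a server-side session instead of credential cookies and checking a salted `password_hash()` value instead of a single md5. The `users` table layout, the account and its password are constructed, and an in-memory SQLite database stands in for the site's MySQL.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The users table, the account
// and its password are constructed; in-memory SQLite stands in for MySQL.

function login(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: form input is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks a salted, deliberately slow hash made by
    // password_hash(), in place of a single unsalted md5().
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }

    // New session id on login (prevents session fixation). Only the user id
    // is kept, and it stays on the server: the browser holds just the id cookie.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user_id(): ?int
{
    // Pages check this instead of comparing cookie values with the database.
    return $_SESSION['user_id'] ?? null;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The session cookie is not readable by scripts and is sent over HTTPS only.
session_start(['cookie_httponly' => true, 'cookie_secure' => true, 'use_strict_mode' => true]);

$rejected = login($db, 'alice', 'wrong password');
$before   = current_user_id();
$accepted = login($db, 'alice', 'correct horse');
var_dump($rejected, $before, $accepted, current_user_id());
```

Run from the command line with the pdo_sqlite extension enabled; on a real site `session_start()` has to run before any output is sent.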

chrispos (Author) Posted March 10, 2012

> Firstly, why on earth are you storing a user's password (hashed or not) in a cookie?
>
> Now your issue: you have not set any cookie named "user".

Hi, does this not make the cookie?

```php
<?php
setcookie("cookie[user]", "$encrypt_user");
?>
```

I understand about the user and password issue; I can set any cookie, that is not the issue. But if you say a cookie named user is not there then I guess it is not there, but thank you for taking a look :'(

trq Posted March 10, 2012

> Hi, does this not make the cookie?
>
> ```php
> <?php
> setcookie("cookie[user]", "$encrypt_user");
> ?>
> ```

You would need to use:

```php
<?php
if (isset($_COOKIE['cookie'])) {
    echo $_COOKIE['cookie']['user'];
}
?>
```

to access that value.

chrispos (Author) Posted March 10, 2012

> > Hi, does this not make the cookie?
> >
> > ```php
> > <?php
> > setcookie("cookie[user]", "$encrypt_user");
> > ?>
> > ```
>
> You would need to use:
>
> ```php
> <?php
> if (isset($_COOKIE['cookie'])) {
>     echo $_COOKIE['cookie']['user'];
> }
> ?>
> ```
>
> to access that value.

Thank you so much, that is a great help. I have looked all over the net and nothing came back with this. It works great, and once again many thanks.