Mutley Posted January 4, 2007

Does anyone know of any secure scripts that:

Register
Login/Logout

...and the ability for them to see pages when logged in.

I've seen so many and they are so insecure. I'm not good enough at sorting out cookies/sessions, which is the only thing stopping me doing my own. :(
rab Posted January 5, 2007

Then practice sorting out cookies/sessions?
Mutley (Author) Posted January 5, 2007

The problem I have is encrypting/decrypting. I want to check the user's password, but it's already encrypted in a cookie and I would need to check the database, which is in MD5. Where to start?
JasonLewis Posted January 5, 2007

If it's MD5 in the database then just select it from the database and compare it against the one from the form, but use md5 on the one from the form.

[code=php:0]
$real_password = mysql_result(mysql_query("SELECT `password` FROM `users` WHERE `username`='{$username}'"), 0);
$post_password = $_POST['password'];
if (md5($post_password) != $real_password) {
    echo "wrong password";
} else {
    echo "logged in";
}
[/code]

Is that what you are asking?
Mutley (Author) Posted January 5, 2007

That doesn't check the cookie though, only the database. When someone logs in it creates a "username" and "password" cookie. At the moment I can make a fake cookie with someone's username in and view their information. The password I don't want entering every time with a login form; it needs to use the password cookie.
alpine Posted January 5, 2007

Look at this, an example using cookies:

[code]
<?php
if (!empty($_COOKIE['user']) && !empty($_COOKIE['pass'])) {
    $user = htmlspecialchars($_COOKIE['user'], ENT_QUOTES);
    $pass = htmlspecialchars($_COOKIE['pass'], ENT_QUOTES);
    $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND user = '$user'");
    if (mysql_num_rows($check) <> 1) {
        echo "No access granted with your current userdata";
        exit();
    } else {
        echo "Logged in as $user";
    }
} else {
    echo "You have to be logged in to visit this section";
    exit();
}
?>
[/code]
psychohagis Posted January 5, 2007

Why are you using cookies? Sessions are more secure? I have a script that works fine for me.

[b]Logging in:[/b]

[code]
$server   = "YOUR SERVER"; // server to connect to.
$database = "DATABASE";    // the name of the database.
$db_user  = "USERNAME";    // mysql username to access the database with.
$db_pass  = "PASSWORD";    // mysql password to access the database with.
$table    = "TABLE";       // the table that this script will set up and use.

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
    or die("Could not connect to mysql because " . mysql_error());

// select the database
mysql_select_db($database)
    or die("Could not select database because " . mysql_error());

// selects from database using the password and username provided and pulls out verified and id
$match = "select id,verified,rank from $table where username = '" . $_POST['username'] . "' and password = '" . $_POST['password'] . "';";

// send query
$qry = mysql_query($match)
    or die("Could not match data because " . mysql_error());
$num_rows = mysql_num_rows($qry);

// turns id, verified and rank into variables
while ($idgrab = mysql_fetch_array($qry)) {
    $userid   = $idgrab['id'];
    $verified = $idgrab['verified'];
    $rank     = $idgrab['rank'];
}

// checks that a record was found for the username. If not, returns you to sign in with error
if ($num_rows <= 0) {
    echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=9>';
    /* I have a separate script for printing errors, you may want to do this differently */
    exit;
} else {
    // checks whether this user's email is verified (you may want to edit this out)
    if ($verified != 1) {
        echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=10>';
    } else {
        // sets session variables
        session_start();
        $_SESSION['userid']   = $userid;
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['rank']     = $rank;
        // send them to the next page if everything is fine.
        echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/index.php>';
    }
}
[/code]

[b]Then to check whether someone's logged in:[/b]

[code]
// start session
session_start();
// check for presence of session variables
if (!isset($_SESSION['userid']) or $_SESSION['userid'] == '') {
    echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=12>'; // ask you to sign in if you are not
}
[/code]
alpine Posted January 5, 2007

[quote author=psychohagis link=topic=121052.msg497564#msg497564 date=1168023521]why are you using cookies? sessions are more secure? [/quote]

Was that supposed to be a question or a statement? ... It really doesn't matter much if you do not validate user input from injecting your query; yours is wide open!
psychohagis Posted January 5, 2007

What d'you mean mine's wide open? How can I fix this?
alpine Posted January 5, 2007

Follow this one: http://www.phpfreaks.com/forums/index.php/topic,118229.0.html
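For readers following alpine's point, here is the same login flow as psychohagis's script written with parameterised queries, as an added example (it is not code from this thread or from the linked tutorial). The username and password are bound as PDO parameters, so whatever the form submits is treated as data and cannot change the SQL. It also swaps the thread's MD5 storage for password_hash()/password_verify(), which is a different technique from what the posts use; the PDO connection details and the users table columns (id, username, password, verified, rank) are assumptions.

```php
<?php
// Added example, not code from this thread: parameterised login with
// password_hash() digests instead of md5() and string-spliced SQL.
// Assumed: DSN/credentials below, and a users table with
// id, username, password, verified, rank.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=DATABASE;charset=utf8mb4',   // assumed DSN
    'USERNAME',                                               // assumed
    'PASSWORD',                                               // assumed
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data is never spliced into SQL text
    ]
);

// Registration side: store a salted, slow hash, never the password or a bare md5().
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, verified, rank) VALUES (:u, :p, 0, 0)'
    );
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: look the user up by name only; the password is verified in PHP,
// so the hash never appears in the WHERE clause. Returns the row without the
// hash on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'SELECT id, username, password, verified, rank FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run a verify, against a dummy hash for unknown users, so response
    // time does not reveal which usernames exist.
    $storedHash = $row === false ? $dummyHash : $row['password'];
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }

    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    unset($row['password']);
    return $row;
}

// signin.php handler
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = authenticate(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );

    if ($user === null) {
        header('Location: /signin.php?error=9');   // same error for bad user and bad password
        exit;
    }
    if ((int) $user['verified'] !== 1) {
        header('Location: /signin.php?error=10');  // e-mail not verified
        exit;
    }

    session_start();
    session_regenerate_id(true);   // fresh session id at login defeats session fixation
    $_SESSION['userid']   = (int) $user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['rank']     = $user['rank'];
    header('Location: /index.php');
    exit;
}
```

The protected-page check stays the same as in psychohagis's second snippet: session_start() and redirect when $_SESSION['userid'] is empty. The difference from the original script is that nothing the browser sends is ever concatenated into a query string, and a database dump yields bcrypt digests rather than reversible MD5 values.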
Mutley (Author) Posted January 6, 2007

I like yours Alpine, but if my cookie is encrypted, does it read it normally or do I need some PHP to decode it?
Asheeown Posted January 6, 2007

[code]
$password = $_COOKIE['pass'];
$unencrypted = MD5($password);
[/code]
alpine Posted January 6, 2007

[quote author=Mutley link=topic=121052.msg497868#msg497868 date=1168048065]I like yours Alpine but if my cookie is encrypted, does it read it normally or do I need some PHP to decode it?[/quote]

You don't decrypt the cookie value; you simply compare the encrypted value (like the cookie value) with another encrypted value (like the encrypted db value) to see if they match. If they match, the values before encryption are in most cases identical. This is if the encryption methods are the same on both values, of course (md5() etc.).
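The comparison alpine describes is right, but a cookie holding the MD5 of the password is itself a long-lived credential: anyone who copies it is logged in until the password changes, and the same digest sits in the database. The added example below (not alpine's or anyone else's code in this thread) gives the browser a random token instead; the database stores only a SHA-256 of the token's secret half, so a leaked table cannot be turned into a cookie, a stolen cookie can be revoked by deleting one row, and the cookie is compared with hash_equals() rather than inside a WHERE clause. Note also that htmlspecialchars(), used on the cookie values above, escapes for HTML output and does nothing for SQL; here every cookie-derived value is bound as a parameter. The remember_tokens table (selector, validator_hash, user_id, expires_at), the $pdo connection and PHP 7.3+ for the setcookie() options array are assumptions.

```php
<?php
// Added example, not code from this thread: a "remember me" cookie that never
// contains the password or its hash. Assumed: a PDO connection in $pdo and a
// table remember_tokens(selector, validator_hash, user_id, expires_at).
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// Call after a successful password login when the user ticked "remember me".
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars: public lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars: secret, only its hash is stored
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:s, :h, :u, :e)'
    );
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $validator),
        ':u' => $userId,
        ':e' => date('Y-m-d H:i:s', $expires),
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie proves, or null. Nothing from the cookie goes
// into SQL unbound, and the secret is compared in constant time.
function userFromRememberCookie(PDO $pdo): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!is_string($raw) || !preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;   // malformed or missing cookie: ignore it
    }
    [, $selector, $validator] = $m;

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = :s'
    );
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || strtotime($row['expires_at']) < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: the token was guessed or tampered with. Revoke it.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :s')->execute([':s' => $selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Guard for a protected page: prefer the live session, fall back to the cookie.
function requireLogin(PDO $pdo): int
{
    session_start();
    if (!empty($_SESSION['userid'])) {
        return (int) $_SESSION['userid'];
    }
    $userId = userFromRememberCookie($pdo);
    if ($userId === null) {
        echo 'You have to be logged in to visit this section';
        exit;
    }
    session_regenerate_id(true);   // new session id when the cookie is promoted to a session
    $_SESSION['userid'] = $userId;
    return $userId;
}

// Logout: drop the session and the server-side token, not just the browser cookie.
function logout(PDO $pdo): void
{
    session_start();
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (is_string($raw) && preg_match('/^([0-9a-f]{18}):/', $raw, $m)) {
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :s')->execute([':s' => $m[1]]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    $_SESSION = [];
    session_destroy();
}
```

A protected page calls requireLogin($pdo) at the top; the login handler calls issueRememberToken($pdo, $userId) after the password check passes. Splitting the token into a selector and a validator means the database lookup is an exact match on a non-secret key, while the secret is only ever compared as a hash, so timing of the SQL lookup does not leak anything about the validator.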
Mutley (Author) Posted January 6, 2007

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource on line 10

I've set it up all OK I'm sure. I get "No access granted with your current userdata" but the cookies are there?

[code]
<?php
if (!empty($_COOKIE['id']) && !empty($_COOKIE['pass'])) {
    $id   = htmlspecialchars($_COOKIE['id'], ENT_QUOTES);
    $pass = htmlspecialchars($_COOKIE['pass'], ENT_QUOTES);
    include('secure/sec_con.php');
    $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'");
    if (mysql_num_rows($check) <> 1) {
        echo "No access granted with your current userdata";
        exit();
    } else {
        echo "Logged in as $id";
    }
} else {
    echo "You have to be logged in to visit this section";
    exit();
}
?>
[/code]
alpine Posted January 6, 2007

Replace

[code]
$check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'");
[/code]

with

[code]
$check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'") or die(mysql_error());
[/code]

and see what the mysql error is.