
password protect with (or without) sessions?


HaLo2FrEeEk


I am setting up a hosting site for a specific type of file. When the person uploads a file, they will also have to put in information about the file.  The files are mod patches for Halo 2, in sppf and ppf format, and the information will be info about the mod itself.  I want the uploader to be able to enter a password along with this information, which will be put into the database and used when the person wants to edit the information.  For example, let's say that the person uploads a mod and misspells a word in the description, and they want to edit it. They entered a password when they uploaded it, so they can enter this password again to edit it.  How can I do this without using a session? I want the password to be active only for the duration of the person's stay on the edit page. After they click the submit button, it would be gone, and if they wanted to edit it again, they would have to put in the password again.  How would I go about doing this?


Can't you just destroy the session when the final change is made?  Alternatively, you can set a session variable to indicate the user is no longer editing.  Sessions are by far the best solution for what it sounds like you're trying to do.


Do you currently have a login page?

 

If so, using sessions is easy, like so.

 

<?php
// Start the session before any output so $_SESSION can be used below
session_start();

if (isset($_POST["username"], $_POST["pass"])) {
    $username = $_POST["username"];
    $pass = $_POST["pass"];
    $hashedpass = sha1($pass);

    $link = mysql_connect('localhost', 'user', 'pass');
    mysql_select_db('DBname') or die;

    // Count the rows that match this username and password hash
    $result = mysql_query("select count(userid) as Total from users where username='$username' and password='$hashedpass'", $link);
    $row = mysql_fetch_array($result);

    if ($row["Total"] == "0") {
        echo "<h3 style='color: red; text-align: center;'>WARNING: USERID/PASSWORD Failed!</h3>
     <p align='center'>Please attempt to login below</p>";
    }

    if ($row["Total"] == "1") {
        echo "<div align='center'>
<h3>You are now logged in</h3>
            <b>Welcome Back $username</b><br /><br /> </div>";

        $_SESSION['username'] = md5($username);
    }

    // Close the connection whether or not the login succeeded
    mysql_close($link);
}

//Then here is how the session plays into it

if (isset($_SESSION['username'])) {
    //Do whatever you want to here, they now have been logged in and have sessions set to use
}
?>

 

I do not know if you are encrypting or hashing their passwords, but change the sha1 to whatever you need.


I will be using mysql's password() when inserting it into the database, how would I go about comparing the two?  Would I convert the password that they entered to mysql's password encryption then compare or is that insecure?  Thank you for the help too, I don't have the login page up yet, I'm still working on organizing the database and securing the upload script, after that I'll create the form to insert the data I need into the database then I will create the page to edit the info, turn it into a login page, then make the display page.  Anyways, how would I go about using mysql's password function, I think it works something like this:

 

<?php
// Connect to database

$username = $_POST['username'];
$password = $_POST['password'];

if(isset($username) && isset($password)) {
  $query = "INSERT INTO login (username, password) VALUES ('$username', PASSWORD('$password'))";
  if(mysql_query($query)) {
    echo "Success, password encrypted and entered";
    } else {
    echo "Failure, there was an error inserting the password into the database";
    }
  }
?>

 

I might have made a spelling mistake since I just wrote that from memory, but I think that's how it works.


Ahh, never mind, after messing around with multiple different encryption methods, I found that sha1 is indeed the best, I will be using that, and I have already tested some code out. I put a test username and password (sha1 encrypted) into a test table in my database and then wrote the login script:

 

<?php
include($_SERVER['DOCUMENT_ROOT'].'/config.php');
mysql_connect($host, $user, $pass) or die("Could not connect to server: ".mysql_error());
mysql_select_db('mods') or die("Could not select database: ".mysql_error());


if(isset($_POST['login'])) {
  $username = $_POST['username'];
  $password = $_POST['password'];
  if(isset($username) && isset($password)) {
    $hashedpass =(sha1($password));
    $query = mysql_query("select count(username) as Total from login where username='$username' and password='$hashedpass'");
    $row = mysql_fetch_array($query);
    if($row["Total"]=="0") {
      echo "<font style=\"color:red;\">You have entered an invalid username / password, please try again</font><br /><br />";
      echo "<a href=\"{$_SERVER['PHP_SELF']}\">Go Back</a>";
      }
    if($row["Total"]=="1"){
      echo "You have been logged in successfully, welcome back ".$username;
      }
    }
  } else {
  echo <<<EOL
<form method="POST">
Username:<br />
<input type="text" name="username" /><br />
Password:<br />
<input type="password" name="password" />
<input type="hidden" name="login" value="set" />
<input type="submit" value="Login" />
</form>
EOL;
  }
?>

 

I used bits from your code, and changed bits, and wrote a bunch myself, but I got it to work, Thank you for your help with this.  I didn't bother with a session yet, I'll come back to that, baby steps now, is all I can handle, this is a big project.


Glad I could help. I was trying to give you a good starting point to work from. There are two really good reasons to do a row count and hashed password.

 

1) SQL injection

2) SQL injection

Just my opinion though. Good job getting it to go though.


Would like to point out

 

  $username = $_POST['username'];

  $password = $_POST['password'];

 

need some sort of filter to stop SQL injection

also

Hash works well, but with rainbow tables it's better to use Hash with Salt, i.e.

$salt = "Blar";

$hash = md5(md5("password") . $salt);

$salt can be stored within the database with the password (if you use a random salt)

 

 

 


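Added example, not part of any post in this thread: one way to do what the original question asks, checking the edit password in the same request that submits the edit, with no session. It uses PDO placeholders for the SQL injection point and password_hash(), which generates a random per-row salt, for the salting point raised above. The mods table, its columns and the function names are assumptions, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example; table, column and function names are hypothetical.
// An in-memory SQLite database (PDO) is used so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mods (id INTEGER PRIMARY KEY, description TEXT, edit_hash TEXT)');

// Upload step: store only a salted, slow hash of the edit password.
// password_hash() picks a random salt and embeds it in the returned string.
function create_mod(PDO $db, string $description, string $editPassword): int
{
    $stmt = $db->prepare('INSERT INTO mods (description, edit_hash) VALUES (?, ?)');
    $stmt->execute([$description, password_hash($editPassword, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

// Edit step: the password arrives in the same POST as the new text and is
// verified for this one request only. Nothing is kept in a session, so the
// next edit needs the password again.
function edit_mod(PDO $db, int $id, string $editPassword, string $newDescription): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT edit_hash FROM mods WHERE id = ?');
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($editPassword, $hash)) {
        return false; // unknown mod or wrong password: same answer for both
    }
    $upd = $db->prepare('UPDATE mods SET description = ? WHERE id = ?');
    $upd->execute([$newDescription, $id]);
    return true;
}

// Constructed sample values standing in for $_POST input.
$id = create_mod($db, 'Snipr rifle skin', 'correct horse');

// Wrong password: the row is left unchanged.
var_dump(edit_mod($db, $id, 'wrong guess', 'should not be saved'));

// Right password; the apostrophe in the text is stored as plain data.
var_dump(edit_mod($db, $id, 'correct horse', "Sniper rifle skin for Bungie's maps"));

// Escape on output so stored text cannot inject markup into the page.
$saved = $db->query('SELECT description FROM mods')->fetchColumn();
echo htmlspecialchars($saved, ENT_QUOTES), "\n";
```

In a real edit page the three arguments to edit_mod() would come from the submitted form, and the form would be shown again with an error when it returns false.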
Well, I've been messing around and reading, and you could maybe make your own security system for passwords. What I do is that I take the whole password apart, letter by letter. Then I make a hash for each letter/number in the password. At the end I put everything back together and make a hash of the result of every char in the PW. Now when I've done that I reverse the string, then I add it to the database. That makes it way more secure than using only md5().
