HaLo2FrEeEk Posted April 16, 2007

I am setting up a hosting site for a specific type of file. When the person uploads a file, they will also have to put in information about the file. The files are mod patches for Halo 2, in sppf and ppf format, and the information will be info about the mod itself. I want the uploader to be able to enter a password along with this information, which will be put into the database and used when the person wants to edit the information. For example, let's say that the person uploads a mod and misspells a word in the description, and they want to edit it. They entered a password when they uploaded it, so they can enter this password again to edit it.

How can I do this without using a session? I want the password to be active only for the duration of the person's stay on the edit page. After they click the submit button, it would be gone, and if they wanted to edit it again, they would have to put in the password again. How would I go about doing this?

Link to comment https://forums.phpfreaks.com/topic/47200-password-protect-with-or-without-sessions/

btherl Posted April 16, 2007

Can't you just destroy the session when the final change is made? Alternatively, you can set a session variable to indicate the user is no longer editing. Sessions are by far the best solution for what it sounds like you're trying to do.

HaLo2FrEeEk Posted April 16, 2007

Well, I must admit, I have no clue how to use sessions. I thought that just comparing the entered password with the one in the database would be the best option. If not, can you please tell me how I would do this with sessions?

cyrixware Posted April 16, 2007

In your log-in page it is very important to use sessions to prevent the previous or next button of the browser. Create the session field in the dbase. Try to look at this tutorial, hope it will help you. http://www.softwareprojects.org/php-sessions-17.htm

HaLo2FrEeEk Posted April 16, 2007

I only need the session active for editing that one page, after which it will be completely gone. Could I not use the $_SESSION array and subsequent functions?

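Added example, not a post from the thread: one way to do what btherl suggests above, with a session flag that is set when the edit password is verified and cleared as soon as the edit form is submitted. The function names, the `edit_ok` session key, mod ID 42 and the sample password are assumptions, and it uses PHP's built-in password_hash()/password_verify() (PHP 7.1 or later for the type declarations) rather than any code from the thread.

```php
<?php
// Added example: names and sample values below are hypothetical.
session_start(); // must run before any output and before $_SESSION is used

// Step 1: the uploader submits the edit password for one mod.
// $storedHash is the hash that was saved when the mod was uploaded.
function unlock_edit(int $modId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);    // fresh session ID once the password is accepted
    $_SESSION['edit_ok'] = $modId;  // authorisation covers this one mod only
    return true;
}

// Step 2: the edit form is submitted. The flag is removed whether or not
// it matched, so every further edit needs the password again.
function consume_edit(int $modId): bool
{
    $allowed = isset($_SESSION['edit_ok']) && $_SESSION['edit_ok'] === $modId;
    unset($_SESSION['edit_ok']);
    return $allowed;
}

// Constructed sample data standing in for the database row of mod 42.
$storedHash = password_hash('example-edit-password', PASSWORD_DEFAULT);

// Results are collected first and printed last, so nothing is output
// before the session functions have finished.
$results = [
    'wrong password'   => unlock_edit(42, 'wrong guess', $storedHash),
    'correct password' => unlock_edit(42, 'example-edit-password', $storedHash),
    'first submit'     => consume_edit(42),
    'second submit'    => consume_edit(42),
];
var_dump($results);
```

In a real page, step 1 and step 2 run in separate requests, with the mod ID taken from the request and cast to int.
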
HaLo2FrEeEk Posted April 17, 2007

BUMP

rcorlew Posted April 17, 2007

Do you currently have a login page? If so, using sessions is easy, like so:

<?php
session_start(); // must be called before $_SESSION is read or written

if (isset($_POST["username"], $_POST["pass"])) {
    $username = $_POST["username"];
    $pass = $_POST["pass"];
    $hashedpass = sha1($pass);
    $link = mysql_connect('localhost', 'user', 'pass');
    mysql_select_db('DBname') or die;
    // Count the rows that match this username and hashed password
    $result = mysql_query("select count(userid) as Total from users where username='$username' and password='$hashedpass'", $link);
    $row = mysql_fetch_array($result);
    if ($row["Total"] == "0") {
        echo "<h3 style='color: red; text-align: center;'>WARNING: USERID/PASSWORD Failed!</h3>
        <p align='center'>Please attempt to login below</p>";
    }
    if ($row["Total"] == "1") {
        // Escape the name before it is written into the HTML page
        $safename = htmlspecialchars($username);
        echo "<div align='center'>
        <h3>You are now logged in</h3>
        <b>Welcome Back $safename</b><br /><br />
        </div>";
        $_SESSION['username'] = md5($username);
        mysql_close($link);
    }
}

//Then here is how the session plays into it
if (isset($_SESSION['username'])) {
    //Do whatever you want to here, they now have been logged in and have sessions set to use
}
?>

I do not know if you are encrypting or hashing their passwords, but change the sha1 to whatever you need.

HaLo2FrEeEk Posted April 17, 2007

I will be using mysql's password() when inserting it into the database. How would I go about comparing the two? Would I convert the password that they entered to mysql's password encryption then compare, or is that insecure?

Thank you for the help too. I don't have the login page up yet, I'm still working on organizing the database and securing the upload script. After that I'll create the form to insert the data I need into the database, then I will create the page to edit the info, turn it into a login page, then make the display page.

Anyways, how would I go about using mysql's password function? I think it works something like this:

<?php
// Connect to database

if (isset($_POST['username'], $_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $query = "INSERT INTO login (username, password) VALUES ('$username', PASSWORD('$password'))";
    if (mysql_query($query)) {
        echo "Success, password encrypted and entered";
    } else {
        echo "Failure, there was an error inserting the password into the database";
    }
}
?>

I might have made a spelling mistake since I just wrote that from memory, but I think that's how it works.

HaLo2FrEeEk Posted April 17, 2007

Ahh, never mind, after messing around with multiple different encryption methods, I found that sha1 is indeed the best, I will be using that, and I have already tested some code out. I put a test username and password (sha1 encrypted) into a test table in my database and then wrote the login script:

<?php
include($_SERVER['DOCUMENT_ROOT'].'/config.php');

mysql_connect($host, $user, $pass) or die("Could not connect to server: ".mysql_error());
mysql_select_db('mods') or die("Could not select database: ".mysql_error());

if (isset($_POST['login'])) {
    if (isset($_POST['username'], $_POST['password'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $hashedpass = sha1($password);
        $query = mysql_query("select count(username) as Total from login where username='$username' and password='$hashedpass'");
        $row = mysql_fetch_array($query);
        if ($row["Total"] == "0") {
            echo "<font style=\"color:red;\">You have entered an invalid username / password, please try again</font><br /><br />";
            // Escape the script path before it is written into the link
            echo "<a href=\"".htmlspecialchars($_SERVER['PHP_SELF'])."\">Go Back</a>";
        }
        if ($row["Total"] == "1") {
            // Escape the name before it is written into the HTML page
            echo "You have been logged in successfully, welcome back ".htmlspecialchars($username);
        }
    }
} else {
    echo <<<EOL
<form method="POST">
Username:<br />
<input type="text" name="username" /><br />
Password:<br />
<input type="password" name="password" />
<input type="hidden" name="login" value="set" />
<input type="submit" value="Login" />
</form>
EOL;
}
?>

I used bits from your code, and changed bits, and wrote a bunch myself, but I got it to work. Thank you for your help with this. I didn't bother with a session yet, I'll come back to that, baby steps now, is all I can handle, this is a big project.

rcorlew Posted April 17, 2007

Glad I could help. I was trying to give you a good starting point to work from. There are two really good reasons to do a row count and hashed password.

1) SQL injection
2) SQL injection

Just my opinion though. Good job getting it to go though.

clown[NOR] Posted April 17, 2007

hehe... yeah I just found out about hashed passwords ... at least that's what I think it is... the md5("password") ... at least it changes whatever I write to this unreadable line of numbers and letters ..

MadTechie Posted April 17, 2007

Would like to point out that

$username = $_POST['username'];
$password = $_POST['password'];

need some sort of filter to stop SQL injection.

Also, Hash works well, but with rainbow tables it's better to use Hash with Salt, i.e.

$salt = "Blar";
md5(md5("password").$salt);

$salt can be stored within the database with the password (if you use a random salt).

HaLo2FrEeEk Posted April 18, 2007

What filter would you propose, MadTechie?

clown[NOR] Posted April 18, 2007

well I've been messing around and reading and you could maybe make your own security system for passwords.. what I do, is that I take the whole password apart, letter by letter. Then I make a hash for each letter/number in the password. At the end I put everything back together and make a hash of the result of every char in the PW... now when I've done that I reverse the string, then I add it to the database... that makes it way more secure than using only md5()

MadTechie Posted April 18, 2007

my fav filter for logins is

<?php
$string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
?>

numbers and letters only

HaLo2FrEeEk Posted April 18, 2007

Thank you, techie, but what if they input a password with special symbols? Then it would not work... I guess I'll just have to only allow passwords with numbers and letters then. Thank you.

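Added example, not part of the original thread: the login check discussed above written with PDO prepared statements and password_hash(), which generates a random salt for each password, so names and passwords containing quotes or other symbols work without a character filter. The in-memory SQLite database (needs the pdo_sqlite extension), the `login` table layout, the function names and the sample credentials are assumptions made so the script runs on its own.

```php
<?php
// Added example: table, function and credential names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() creates a random salt and stores it inside the returned
    // string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder sends the username as data, never as part of the SQL
    // text, so it does not have to be restricted to letters and numbers.
    $stmt = $db->prepare('SELECT password_hash FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    // password_verify() reads the salt and algorithm back out of the hash.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input: a username and a password that both contain
// characters the alphanumeric filter would have stripped.
register_user($db, "o'neil", "p@ss'w\"ord; #1");

$results = [
    'correct password' => check_login($db, "o'neil", "p@ss'w\"ord; #1"),
    'wrong password'   => check_login($db, "o'neil", 'password'),
    'unknown user'     => check_login($db, 'nobody', "p@ss'w\"ord; #1"),
];
var_dump($results);
```
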