gtal3x Posted November 10, 2007

Hello, I have read many articles and I see that people use sessions to register users' usernames and passwords. What I have done on my site is that whenever the user logs in I register a session with his (user) id... Is it okay, or is it very easy to hack?

Crew-Portal Posted November 10, 2007

It depends, we need to see some code... If you've got a lot of isset and dies in your code then likely it will be safe? But we need some code to be better at evaluating your scripts.

rajivgonsalves Posted November 10, 2007

Mostly, storing data in a session is quite secure. If your site is of a small scale it's OK; you do not want to go to lengthy ways to secure it!

gtal3x (Author) Posted November 10, 2007

```php
<?php
include("main.php");
mysql_select_db($dbname,$connect);

$username = $_POST['user'];
$password = $_POST['pass'];

$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $id = $row['id'];
    $date = date("d M Y H:i");
    $query = "UPDATE users SET lastconnect= NOW() WHERE id='$id'";
    $result = mysql_query($query) or die(mysql_error());
    session_register("id");
    header("location:index.php");
}
else {
    echo "Wrong Username or Password";
}
```

Crew-Portal Posted November 10, 2007

Not a Hotmail-worthy login script, but safe enough. Here's the login script I made for all of my sites:

```php
<?php
if ($action == 'login'){
    $connection = @mysql_connect("$db_host", "$db_user", "$db_pass") or die("Couldn't connect.");
    $db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

    $sql="SELECT * FROM $tbl_user WHERE username = \"$_POST[username]\" AND password = \"$_POST[password]\"";
    $result = @mysql_query($sql,$connection) or $result = FALSE;
    if ($result == TRUE){
        $num=mysql_num_rows($result);
        while ($row = mysql_fetch_array($result)) {
            $active = $row['active'];
            $confirm = $row['confirm'];
            $valid_user = $row['username'];
            $user_id = $row['user_id'];
            $air_id = $row['air_id'];
            $admn = $row['administrator'];
            $mode = $row['moderator'];
        }
    }

    $sql="SELECT name FROM airlines WHERE air_id = $air_id";
    $result = @mysql_query($sql,$connection) or $result = FALSE;
    if ($result == TRUE){
        $num=mysql_num_rows($result);
        while ($row = mysql_fetch_array($result)) {
            $va = $row['name'];
        }
        if($active == "yes") {
            $valid_password = $_POST['password'];
            session_register("valid_user");
            session_register("valid_password");
            session_register("user_id");
            session_register("va");
            session_register("mode");
            session_register("admn");
            $sql="UPDATE `pirep`.`user` SET `online` = 'yes' WHERE `user`.`user_id` =$user_id LIMIT 1 ;";
            $result = @mysql_query($sql,$connection);
            $error = $tblstart . 'Login Successful' . $tblend;
        }
    }

    if($active == "no") {
        $error = $tblstart . 'Were Sorry But Your Account Has Not Yet Been Activated!' . $tblend;
    } elseif($passpw == NULL) {
        $error = $tblstart . 'You Did Not Enter A Password' . $tblend;
    } elseif($userac == NULL) {
        $error = $tblstart . 'You Did Not Enter A Username' . $tblend;
    } elseif($valid_user == NULL) {
        $error = $tblstart . 'You Entered Incorrect Login Information' . $tblend;
        session_unregister("valid_user");
    }
} // closes if ($action == 'login'), which was left open in the posted code
?>
```

Not sure if mine's security safe, but maybe there's a few things you can learn. But as far as yours goes it does seem pretty safe? As long as you don't have your credit card number or something important on your site then don't worry.

gtal3x (Author) Posted November 10, 2007

Thanks for the response. I think my code is safe as well; the only thing is that I session-register the user id only, which could be 1 or 123, and everyone knows users' ids and it's very easy to guess any... Isn't there any possibility to hack the session? (I don't really know how the session works; all I know is it's server-side.) I can add more sessions like username and password if it's more secure like that, but if it doesn't matter then I'll leave it as it is...

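
An added example, not code from any poster in this thread: the login flow from the scripts above with the query parameterized, the password checked against a salted hash, and only the user id kept in the session. Session data lives on the server and the browser holds only a random session id, so a guessable user id is not what the client presents. The table layout, sample user and in-memory SQLite database are constructed assumptions (PHP 5.5+ with pdo_sqlite) so the script runs from the command line.

```php
<?php
// Added example (not the posters' code). Constructed schema and sample user;
// PDO with in-memory SQLite so it runs offline from the CLI.
session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password_hash TEXT, lastconnect TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, $username, $password)
{
    // Placeholders keep user input out of the SQL text, so quotes in the
    // username cannot change the query.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check against a salted hash instead of matching plaintext inside SQL.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    $upd = $pdo->prepare("UPDATE users SET lastconnect = datetime('now') WHERE id = ?");
    $upd->execute([$row['id']]);

    // A fresh session id at login defeats session fixation. Only that random
    // id reaches the browser; $_SESSION['id'] stays on the server.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    return true;
}

$results = [
    'valid credentials'       => login($pdo, 'alice', 'correct horse'),
    'quote trick in username' => login($pdo, "alice' OR '1'='1", 'x'),
    'quote trick in password' => login($pdo, 'alice', "' OR '1'='1"),
];
var_dump($results, $_SESSION);
```
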
gtal3x (Author) Posted November 10, 2007

Also, I want to add a "Remember Me" option to my login page, if anyone knows how to do it... Should I add a cookie? Should I add a cookie that calls up a session? Should I log the IPs?

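
An added example, not part of the original thread: one common way to build the "Remember Me" option asked about above, using a random single-use token in a cookie whose hash is stored server-side. The table, function names and user id are hypothetical, and PHP 7+ with pdo_sqlite is assumed.

```php
<?php
// Added example, not from the thread. Table, function names and the user id
// are constructed; PHP 7+ with pdo_sqlite assumed so it runs from the CLI.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
            validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// Returns the cookie value "selector:validator". Only a hash of the validator
// is stored, so a copy of the table cannot be turned back into valid cookies.
function issue_remember_token(PDO $pdo, $userId, $ttl = 1209600) // 14 days
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Returns [userId, replacementCookieValue], or null if the cookie is not valid.
function consume_remember_token(PDO $pdo, $cookie)
{
    $parts = explode(':', (string) $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Single use: the row is removed as soon as its selector is presented.
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    // hash_equals() compares in constant time.
    $ok = hash_equals($row['validator_hash'], hash('sha256', $parts[1]));
    if (!$ok || (int) $row['expires'] < time()) {
        return null;
    }
    return [(int) $row['user_id'], issue_remember_token($pdo, (int) $row['user_id'])];
}

$cookie = issue_remember_token($pdo, 42);           // constructed user id
$first  = consume_remember_token($pdo, $cookie);    // first presentation
$replay = consume_remember_token($pdo, $cookie);    // same value presented again
$bogus  = consume_remember_token($pdo, 'not-a-token');
var_dump($first[0], $replay, $bogus);
```

On a real page the returned value would be sent with setcookie() using the Secure and HttpOnly flags, and a successful consume would start a normal session for that user id.
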
Crew-Portal Posted November 10, 2007

Use MD5 to encrypt data sent to the sessions, but then you will never get them back; this will cause you distress... lol! Nah, I've only been using PHP 5.2.X for like a few weeks and I don't know how to make it safer yet, sorry... Ask a better PHP programmer than me. I'm sure there has to be a way to make something stronger! There has to be!