Daney11 Posted March 14, 2008 Share Posted March 14, 2008 Hey guys. Im using setcookie ('valid_user', $loginrow['member_id'], time()+31536000, '/'); Which works fine. But for example if i use $memberQuery = "SELECT * FROM members WHERE member_id = '".$_COOKIE['valid_user']."'"; That also works fine however if i edit the cookie store on my computer and change the member_id on that cookie... Will that get all the details etc of the user who has the member_id? How would i make it so that people wont be able to hack the cookie etc? Quote Link to comment Share on other sites More sharing options...
Lashiec Posted March 14, 2008 Share Posted March 14, 2008 You could store their password in the cookie too, with some hashing method like md5. When you need to do something that would require validation like grabbing user information out of the database you run a function that would compare the user name and password in the cookie with the user name and password in the database. That way if they did change the cookie to switch user names they'd still have to know that users password, and the hashing method you used. That's just my thought, I haven't done this before, but it was the way I was thinking I would do it on a website I'm building. If anyone has a better method, please let us know. Quote Link to comment Share on other sites More sharing options...
OkBoy Posted March 14, 2008 Share Posted March 14, 2008 Encrypt your cookie. You can't really trust a cookie since it lives on the client. Especially for something like "valid_user". Can you move it to a session? All you can do is try to make it harder for someone to mess with the cookie data. Encrypting the cookie is probably your best bet, though I am kinda new and PHP might have something else that you can do this easily. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 14, 2008 Share Posted March 14, 2008 For authentication purposes, you cannot store a plain text, easily reverse engineered value in a cookie. Either store a salted hashed value or generate a unique id - http://www.php.net/manual/en/function.uniqid.php - that is stored in the database for that user and in the cookie. Edit: Some of the early open source php code that was written by people that did not know better, did things like have a cookie with the value admin=0. It was only necessary to change the cookie to admin=1 to become an administrator and take over the site. Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 14, 2008 Author Share Posted March 14, 2008 Thanks for all the input. So my next question is. Inside my database id have `member_cookie` Im using <?php // better, difficult to guess $better_token = md5(uniqid(rand(), true)); $better_tokena = md5(uniqid(rand(), true)); echo $better_token; echo "-"; echo $better_tokena; ?> Im getting a code such as "77839cea2b9d48a85ddfad7e8b85180-84250d6196c64f116265e3c8bc3c04aa" $memberQuery = "SELECT * FROM members WHERE member_code = '".$_COOKIE['member_cookie']."'"; Would this be near impossible to hack? Thanks Quote Link to comment Share on other sites More sharing options...
OkBoy Posted March 14, 2008 Share Posted March 14, 2008 Near impossible is a good way to put it, yeah. Just remember since it is a one-way hash you can't get the values from it. All you can do is one way hash the values you have and see if the two values are equal. You might end up doing something like storing user name in plain text and a one-way hash of the password in the cookie. Then when the user visits the site, you grab the username and hashed password from the cookie, lookup the user in your DB and hash the password you have for that user and see if it matches what is in the cookie. If it does match, you can be relatively sure the user is who they say they are, if not they aren't. Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 14, 2008 Author Share Posted March 14, 2008 When i put this $GetMemberInfoQuery = "SELECT * FROM `members` WHERE member_id = ".$_COOKIE['member_id']." AND member_cookie = ".$_COOKIE['valid_user'].""; I get Unknown column '4d0af9bcb5b94383c62c98c3ba3e661347dad4c22dc708.25568208' in 'where clause' However when i put $GetMemberInfoQuery = "SELECT * FROM `members` WHERE member_id = ".$_COOKIE['member_id']." AND member_cookie = "4d0af9bcb5b94383c62c98c3ba3e661347dad4c22dc708.25568208"; it works fine. I dont understand why when they're both the same values :S Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 14, 2008 Author Share Posted March 14, 2008 Yes valid_user and member_id cookies are set and the information is correct. Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 14, 2008 Author Share Posted March 14, 2008 and when i use $GetMemberInfoQuery = "SELECT * FROM `members` WHERE member_id = ".$_COOKIE['member_id']." AND member_cookie = ".$_COOKIE['valid_user'].""; $GetMemberResult = mysql_query($GetMemberInfoQuery, $connect) or die ($GetMemberInfoQuery); It brings SELECT * FROM `members` WHERE member_id = 1 AND member_cookie = 4d0af9bcb5b94383c62c98c3ba3e661347dad4c22dc708.25568208 So its correct :S Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 14, 2008 Share Posted March 14, 2008 i suggest that you quote your values in SQL: $GetMemberInfoQuery = "SELECT * FROM members WHERE member_id = '".$_COOKIE['member_id']."' AND member_cookie = '".$_COOKIE['valid_user']."'"; Quote Link to comment Share on other sites More sharing options...
Daney11 Posted March 14, 2008 Author Share Posted March 14, 2008 Thanks worked. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.