> Hi,
>
> > > (2) I would advise not mixing $_SESSION and
> > > session_register() -- it's problematical in some situations. Just
> > > stick to using the $_SESSION array.
> >
> > I'm not quite sure what you mean here, can you give an example or
> > elaborate. Sorry, real newbie here... :o)
>
> $_SESSION['userid'] = 254;
>
> Where 254 is the value you want to assign to it.
> It's just an array. Think of it more as a global variable
> across the entire site.
>
> -Dan Joseph
So I've replaced my session_register("userid", "userpassword");
With
$_SESSION['userid'] = $userid;
$_SESSION['userpassword'] = $userpassword;
And my:
session_unregister("userid");
session_unregister("userpassword");
With
session_destroy();
I've also added a field to the user table called "CanEdit" that is set
to "1" or "0".
When the authentication function is called, I run a query that updates
the user's idle timestamp, gets his/her CanEdit value and stores it in
$_SESSION['CanEdit'], and returns the username.
[code begin]
function auth_user($userid, $userpassword) {
    global $default_dbname, $user_tablename;
    $link_id = db_connect($default_dbname);

    // Escape the caller-supplied values before they are placed in the
    // query strings; unescaped, a quote in $userid would alter the SQL.
    $userid = mysql_real_escape_string($userid);
    $userpassword = mysql_real_escape_string($userpassword);

    $query = "SELECT username FROM $user_tablename WHERE userid =
        '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    // A failed query returns false; treat that like "no such user".
    if (!$result || !mysql_num_rows($result)) return 0;
    else {
        // set idle timestamp (unix time, seconds since the epoch)
        $stamp = time();
        $query2 = "UPDATE $user_tablename SET idle_time = $stamp
            WHERE userid = '$userid'";
        mysql_query($query2);

        // get the user's "CanEdit" value and keep it in the session
        $query3 = "SELECT CanEdit FROM $user_tablename WHERE
            userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];

        // Return the user's name to the calling page
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]
Then when any new page loads it first checks to see if the user has a
"CanEdit" value of "1"; if not, it boots them back to the page they came
from. If so, it runs a query to check their idle timestamp and subtracts
it from the current unix timestamp to find the difference. If it's
greater than X they are booted back to the login screen; if it's less
than X the page is loaded.
Anything look wrong or insecure with all of this?
Thanks for all the help!!!
jeff
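The login-then-guard flow described above, written out as an added example (not Jeff's code and not part of the original thread). It assumes a `users` table with columns `userid`, `username`, `userpassword`, `CanEdit` and `idle_time`, a connected PDO instance `$pdo`, and an idle limit `IDLE_LIMIT` standing in for the "X" in the post; prepared statements replace string-built queries, and `password_verify()` against a `password_hash()` value replaces MySQL's `PASSWORD()`. Both swaps are this example's choices, not something the thread prescribes.

```php
<?php
// Added example: login function plus per-page guard for the flow in the
// post. Assumed schema: users(userid, username, userpassword, CanEdit,
// idle_time); $pdo is an already-connected PDO instance.

const IDLE_LIMIT = 900; // seconds; the "X" from the post (constructed value)

/**
 * Authenticate $userid/$userpassword. On success, populate $_SESSION
 * and return the username; on failure return null.
 */
function auth_user(PDO $pdo, string $userid, string $userpassword): ?string
{
    // Values are bound as parameters, never interpolated into the SQL,
    // so a quote inside $userid cannot change the statement.
    $stmt = $pdo->prepare(
        'SELECT username, userpassword, CanEdit FROM users WHERE userid = :uid'
    );
    $stmt->execute([':uid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The stored value is a password_hash() result; verify it in PHP.
    if ($row === false || !password_verify($userpassword, $row['userpassword'])) {
        return null;
    }

    // Issue a fresh session id when privilege changes (login) so a session
    // id fixed before authentication is not carried over.
    session_regenerate_id(true);

    $_SESSION['userid']    = $userid;
    $_SESSION['CanEdit']   = (int) $row['CanEdit'];
    $_SESSION['last_seen'] = time();   // idle timestamp, kept server-side

    // Mirror the timestamp into the table, as the post's query2 does.
    $upd = $pdo->prepare('UPDATE users SET idle_time = :now WHERE userid = :uid');
    $upd->execute([':now' => time(), ':uid' => $userid]);

    return $row['username'];
}

/**
 * Call at the top of every protected page, after session_start().
 * Ends the session and redirects when the user is not logged in or has
 * been idle too long; redirects to a fixed page when CanEdit is not 1.
 */
function require_editor(): void
{
    if (empty($_SESSION['userid'])) {
        logout_and_redirect('login.php');
    }

    // Idle check: current time minus the stored timestamp, as in the post,
    // but read from the session copy so no extra query is needed.
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT) {
        logout_and_redirect('login.php');
    }
    $_SESSION['last_seen'] = time();   // activity resets the idle clock

    // Authorisation check against the value captured at login.
    if (($_SESSION['CanEdit'] ?? 0) !== 1) {
        // A fixed destination rather than the Referer header, which the
        // client controls and may omit.
        header('Location: index.php');
        exit;
    }
}

/**
 * session_destroy() by itself leaves $_SESSION populated for the rest of
 * the current request and leaves the cookie in the browser; clear both.
 */
function logout_and_redirect(string $to): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $to);
    exit;
}

// Usage on a protected page (constructed):
// session_start();
// require_editor();
```

The idle check here compares against `$_SESSION['last_seen']` rather than re-querying `idle_time` on every page, and the `CanEdit` value is the one stored at login, so a change to the table takes effect at the user's next login; if edit rights must be revocable mid-session, re-read `CanEdit` from the table in `require_editor()` with the same prepared-statement pattern.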
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php