> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $_SESSION['userid'] = $userid;
> > $_SESSION['userpassword'] = $userpassword;
>
> [snip]
>
> > Anything look wrong or insecure with all of this?
>
> The only thing that catches my attention is your assignments
> for $_SESSION['userid'] and $_SESSION['userpassword']. I
> assume you are performing some strict data validation on
> $userid and $userpassword before this assignment, right? If
> not, this presents a significant risk, because $_SESSION is a
> trusted array (it comes from the server, not the client).
>
> Hope that helps.
>
> Chris
Well, both variables $userid and $userpassword are bounced off of a user
database table; if the username/password don't match, then the session
variables are cleared with a session_destroy() call. Is that good
enough validation?
[code begin]
session_start();
if(!isset($userid)) {
    login_form();
    exit;
}
else {
    $_SESSION['userid'] = $userid;
    $_SESSION['userpassword'] = $userpassword;
    $username = auth_user($userid, $userpassword);
    if(!$username) {
        echo "user " . $userid . $userpassword . " Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact Operations to obtain one.<br>\n";
        session_destroy();
        exit;
    }
    else echo "welcome, $username!";
    echo gmmktime();
    echo "<a href='./test_auth.php'>Continue</a>";
    echo "<a href='./new_ticket.php'>Ticket</a>";
}

function auth_user($userid, $userpassword) {
    global $default_dbname, $user_tablename;
    $link_id = db_connect($default_dbname);
    $query = "SELECT username FROM $user_tablename WHERE userid = '$userid' && userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if(!mysql_num_rows($result)) return 0;
    else {
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp where userid = '$userid'";
        $result2 = mysql_query($query2);
        $query3 = "select CanEdit from $user_tablename where userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
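The ordering Chris raises (validate and authenticate first, then write to $_SESSION) as an added example; this is not code from the thread. It assumes an existing PDO connection in $pdo and a `users` table with userid, username, password_hash (produced by password_hash()), CanEdit and idle_time columns; the user input is read from $_POST rather than relying on register_globals.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumed schema: users(userid, username,
// password_hash, CanEdit, idle_time); $pdo is an already-open PDO connection.

function authenticate(PDO $pdo, string $userid, string $password): ?array
{
    // Reject input outside the expected shape before it reaches the database.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $userid) || $password === '') {
        return null;
    }
    // Parameterised query: the user-supplied values never become SQL text.
    $stmt = $pdo->prepare(
        'SELECT userid, username, password_hash, CanEdit FROM users WHERE userid = :uid'
    );
    $stmt->execute([':uid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Fail closed: unknown user and wrong password produce the same result.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $pdo->prepare('UPDATE users SET idle_time = :now WHERE userid = :uid')
        ->execute([':now' => time(), ':uid' => $userid]);
    return $row;
}

session_start();
$userid   = $_POST['userid'] ?? '';
$password = $_POST['userpassword'] ?? '';

$user = authenticate($pdo, $userid, $password);
if ($user === null) {
    // Nothing from the request has been written into the session at this point.
    session_unset();
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo 'Authorization failed. <a href="' . $self . '">login</a>';
    exit;
}
// Success: new session id, and only server-derived values go into $_SESSION.
// The password itself is never stored in the session.
session_regenerate_id(true);
$_SESSION['userid']  = $user['userid'];
$_SESSION['CanEdit'] = (bool) $user['CanEdit'];
echo 'welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . '!';
```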