> -----Original Message-----
> From: Kim L. Laage [mailto:[EMAIL PROTECTED]
> Sent: 24 March 2004 10:52
>
> Once again, thanks for the replies...
>
> But I'm afraid I'm not getting this right... I've tested with the various
> versions of $_SESSION syntax which I've been recommended by the people on
> this group. i.e.:
> $_SESSION['s_user'] = $_POST['s_user'];
> $_SESSION['s_pass'] = $_POST['s_pass'];
Those assignments look good.
> or
>
> $_SESSION['s_user'] = "s_user";
> $_SESSION['s_pass'] = "s_pass";
So do those (assuming you want the value of the s_user session variable to
be "s_user" and the s_pass session variable to be "s_pass"!).
> None of this seems to really make a difference.... I was wondering if this
> was due to the nature of the array being used...
> If I understand you right
> session_register("s_user");
> session_register("s_pass");
Don't do that. If you're using the $_SESSION[] array, you shouldn't use
session_register() (or any of its friends such as session_unregister(),
session_is_registered(), etc.). Just assign values to the $_SESSION[]
array, and test its elements directly with, e.g., isset().
> adds the values "s_user" and "s_pass" to an array, I suppose by index so the
> key/value pairs would look like this "0/s_user" and "1/s_pass" - correct?
No. If anything, these would give you $_SESSION['s_user']==NULL and
$_SESSION['s_pass']==NULL -- but, like I said, just don't bother.
Effectively, $_SESSION[] *is* your session -- assigning a value to an
element of $_SESSION implicitly registers that element's key as a session
variable.
[...]
> As I said I'm not getting any real headway here, so I've posted the relevant
> pages below in the hope that someone had the time and inclination to take a
> look at them.
> I've added a few comments of my own and removed the MySQL credentials 8-)
>
>
> --- START session.php START ---
> <?php
> session_start();
>
> include("_include/loginFunc.php");
>
> /* ==========================================
> * When we got this code, it looked like this:
> *
> * session_register("s_user");
> * session_register("s_pass");
> *
> * ===========================================
> */
> $_SESSION['s_user'] = "s_user";
> $_SESSION['s_pass'] = "s_pass";
Using $_SESSION{}, you don't need an equivalent of session_register(), so
just forget these lines.
[...]
> <?php
> # generic stuff
> /* =========================================
> * Password and Username directly in the code?!?!?
> *
> * I commented on this earlier in the thread, but I would like
> * your comments on this... personally I think it's a terrible way
> * of handling security!
> *
> * =========================================
> */
I agree with that. I'd definitely set these up in an include file which is
*outside* the Web server hierarchy (or alternatively in my database, or a
config file which I fread).
> $LOGIN_INFO = "<center>LOGIN</center>";
> $HEADER = "ADMIN";
> $USER = "admin";
> $PASS = "admin";
> $WIDTH = 600;
> $logout_text = "<center><h3>You have now logged out from the Admin
> Application</h3></center>";
> $login_page = "adminHome.php";
>
> #-----------------#
> # login functions #
> #-----------------#
>
> function checklogin($s_user, $s_pass)
> {
> global $USER,$PASS;
> if($s_user == $USER && $s_pass == $PASS)
> return "OK";
> else
> return "0";
> }
Ugh! Any function which returns a straight yes/no value should return
Boolean TRUE or FALSE, since that's what those are designed for. The above
could then be written much more simply as:
    return ($s_user == $USER && $s_pass == $PASS);
[...]
> function dologout()
> {
> global $logout_text,$login_page;
> session_destroy();
I'd add a session_write_close() here, I think.
> echo $logout_text;
> echo "<a href='$login_page'><center><h3>Log in</h3></center></a>";
> }
>
> function dologin($user,$pass)
> {
> global $s_user, $s_pass;
> if($user && $pass)
> {
> $s_user = $user;
> $s_pass = $pass;
> }
I can't see anywhere in what you've posted that you assign *real* values to
$_SESSION['s_user'] and $_SESSION['s_pass'], so I assume that's what's
supposed to be happening here -- so these two lines should be:
    $_SESSION['s_user'] = $user;
    $_SESSION['s_pass'] = $pass;
Incidentally, you also don't seem to unpack $user and $pass from the
$_POST[] array, so either you're running with register_globals=On (bad) or
these variables will be undefined (also bad!). In any case, I'd probably
prefer to access the $_POST[] array directly, and write something like:
    if (@$_POST['user'] && @$_POST['pass']):
        $_SESSION['s_user'] = $_POST['user'];
        $_SESSION['s_pass'] = $_POST['pass'];
    else:
        ...
    endif;
Which makes it pellucidly clear what's going on (and also eliminates the
need for the ugly "global" statement).
I also notice you appear to have variables called $USER and $user, as well
as $PASS and $pass. This is *terrible* programming style -- differentiating
purely by case is a disaster waiting to happen, and should be avoided by
renaming one of each pair appropriately.
Hope this screed helps you out some.
Cheers!
Mike
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services, JG125, James
Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6
3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
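
Added example (not part of the original message and not the poster's code): the login handling discussed in the reply above, with the credentials read from a file outside the Web server hierarchy, checklogin() returning a Boolean, $_POST read explicitly and $_SESSION assigned directly. The path /etc/myapp/admin_credentials.php, the array keys 'user' and 'pass_hash', storing a password_hash() value instead of the plain password, and keeping only the user name in the session are assumptions of this example.

```php
<?php
// Added example, not the original poster's code. The credentials path, array
// keys and the extra function load_credentials() are assumptions.
const CREDENTIALS_FILE = '/etc/myapp/admin_credentials.php'; // outside the web root

// The file is expected to "return ['user' => ..., 'pass_hash' => ...];" where
// pass_hash was produced once with password_hash().
function load_credentials(string $file): array
{
    $creds = null;
    if (is_readable($file)) {
        $creds = include $file;
    }
    if (!is_array($creds) || !isset($creds['user'], $creds['pass_hash'])) {
        throw new RuntimeException('credentials file missing or malformed');
    }
    return $creds;
}

// Returns Boolean TRUE/FALSE rather than "OK"/"0".
function checklogin(string $user, string $pass, array $creds): bool
{
    // Evaluate both checks so a wrong name and a wrong password take the same path.
    $userOk = hash_equals($creds['user'], $user);
    $passOk = password_verify($pass, $creds['pass_hash']);
    return $userOk && $passOk;
}

function dologin(array $post, array $creds): bool
{
    // Read the POST data explicitly; nothing depends on register_globals.
    $user = isset($post['user']) && is_string($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) && is_string($post['pass']) ? $post['pass'] : '';
    if ($user === '' || $pass === '' || !checklogin($user, $pass, $creds)) {
        return false;
    }
    session_regenerate_id(true);   // new session id once the user is authenticated
    $_SESSION['s_user'] = $user;   // assignment alone registers the session variable
    return true;                   // the password itself is not kept in the session
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $loggedIn = dologin($_POST, load_credentials(CREDENTIALS_FILE));
    echo $loggedIn ? 'Logged in' : 'Login failed';
}
```

Later pages then only need to test isset($_SESSION['s_user']) to decide whether the visitor is logged in.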