[PHP] Security Question with my password protected login script...

2004-12-08 Thread Ian Gray
Hello all,

I have the following script called login.inc which I include at the
beginning of each page on my customer control panel.  Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is printed.

My question is, how secure is this?  I have the password, username etc. in a
MySQL database but I haven't encrypted it (don't know how).

Should I have login.inc in a folder below my public_html directory?

I have removed some details such as passwords and swapped that with question
marks.

Many thanks,

Ian Gray

Here is the code:


<?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
// escape from php mode.
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />

<script language="JavaScript" type="text/javascript"></script>

</head>

<body onLoad="self.focus();document.customerlogin.username.focus()">

<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"
method="POST" name="customerlogin" id="customerlogin">

<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#33" background="images/login.jpg">
  <tr>
    <td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
      <tr>
        <td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
      </tr>
      <tr>
        <td><p>&nbsp;</p>
          <p>&nbsp;</p></td>
      </tr>
      <tr>
        <td class="texty"><div align="center">Customer control panel. Please
enter your username and password into the boxes below:</div></td>
      </tr>
      <tr>
        <td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
          <tr>
            <td>&nbsp;</td>
            <td>&nbsp;</td>
          </tr>
          <tr>
            <td class="bluey">Username:</td>
            <td><input name="username" type="text" class="formy"></td>
          </tr>
          <tr>
            <td class="bluey">Password:</td>
            <td><input name="password" type="password" class="formy"></td>
          </tr>
          <tr>
            <td>&nbsp;</td>
            <td>
              <div align="center">
                <input type="submit" class="formy"
value="Login&gt;&gt;&gt;">
              </div></td></tr>
        </table></td>
      </tr>
      <tr>
        <td>&nbsp;</td>
      </tr>

    </table></td>
  </tr>
</table></form>
</body>
</html>
<?
exit();
}

// If all is well so far.
session_register("IIDD");
session_register("firstname");
session_register("username");
session_register("password"); // register username and password as session variables.

// Here you would check the supplied username and password against your database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect("?", "?", "?") or die("Could not connect");
mysql_select_db("s??") or die("Could not select database");
$sql = mysql_query("SELECT customerID, password, firstname FROM customer_details WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != 0 && $password == $fetch_em["password"]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}

$firstname = $fetch_em["firstname"];
$IIDD = $fetch_em["customerID"];
// If the username exists and pass is correct, don't pop up the login code again.
// If info can't be found or verified

if (!($valid_user))
{
session_unset();   // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Customer Login</title>
<link href="login.css" rel="stylesheet" type="text/css" />
</head>

<body>
<br />
<form action="<?=$PHP_SELF?><?if($QUERY_STRING){ echo"?". $QUERY_STRING;}?>"
method="POST">


<table width="500" height="320" border="1" align="center" cellpadding="0"
cellspacing="0" bordercolor="#33" background="images/login.jpg">
  <tr>
    <td valign="top"><table width="500" border="0" cellspacing="0"
cellpadding="0">
      <tr>
        <td bgcolor="#343399"><div align="right"><img src="images/cl.jpg"
alt="Customer Login&gt;&gt;&gt;" width="400" height="40" /></div></td>
      </tr>
      <tr>
        <td><p>&nbsp;</p>
          <p>&nbsp;</p></td>
      </tr>
      <tr>
        <td class="texty"><div align="center">Incorrect username and/or
password.  Please enter correct ones to log in:</div></td>
      </tr>
      <tr>
        <td><table width="300" border="0" align="center" cellpadding="0"
cellspacing="5">
          <tr>
            <td>&nbsp;</td>
            <td>&nbsp;</td>
          </tr>
          <tr>
            <td class="bluey">Username:</td>
            <td><input name="username" type="text" class="formy"></td>
          </tr>
          <tr>
            <td class="bluey">Password:</td>
            <td><input name="password" type="password" class="formy"></td>
          </tr>
          <tr>
            <td>&nbsp;</td>
            <td>
              <div align="center">
                <input type="submit" class="formy"
value="Login&gt;&gt;&gt;">
              </div></td></tr>
        </table></td>
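
The credential check from the script above, reworked as an added example (not the poster's code): the username is bound as a query parameter instead of being interpolated into the SQL string, and the database holds a `password_hash()` value that is checked with `password_verify()` rather than a plaintext password compared with `==`. The in-memory SQLite database (requires the pdo_sqlite extension), the sample user and the function names `demo_db` and `check_login` are assumptions made so the block runs stand-alone; the table and column names are the ones in the post.

```php
<?php
// Added example, not the poster's code. In-memory SQLite stands in for MySQL
// (assumption); table and column names are taken from the post.
declare(strict_types=1);

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE customer_details (customerID INTEGER PRIMARY KEY,
        username TEXT UNIQUE, password TEXT, firstname TEXT)');
    // Store a salted one-way hash, never the password itself.
    $ins = $pdo->prepare('INSERT INTO customer_details (username, password, firstname)
                          VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT), 'Alice']);
    return $pdo;
}

// Returns customerID and firstname on success, null on any failure.
function check_login(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps the submitted username out of the SQL text.
    $st = $pdo->prepare('SELECT customerID, password, firstname
                         FROM customer_details WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // the hash never goes into the session
    return $row;
}

$pdo = demo_db();
// Constructed inputs; a real page would read $_POST['username'] / $_POST['password'].
$attempts = [
    ['alice', 'constructed-sample-pw'], // correct credentials
    ['alice', 'wrong'],                 // wrong password
    ["o'brien", 'anything'],            // quote in the username is plain data
];
foreach ($attempts as [$u, $p]) {
    $user = check_login($pdo, $u, $p);
    // On success: session_regenerate_id(true), then keep only customerID and
    // firstname in $_SESSION.
    echo str_pad($u, 10), $user ? "ok, customerID={$user['customerID']}" : 'rejected', "\n";
}
```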

[PHP] Converting a string to formatted html

2003-10-27 Thread Ian Gray
Hi all,
 
I know this can be done somehow but I am not sure.  I have a form being submitted to a 
php file and I wanted a textfield to be converted to formatted html.  At the moment 
none of the line breaks are being submitted and inverted commas have slashes.  I know 
the slashes can be removed using stripslashes function.  I thought line breaks would 
come through with \n but that isn't being transmitted over the form.  Can anyone help?
 
Best wishes,
 
Ian Gray



-
Ian A. Gray
Manchester, UK
Telephone: +44 (0) 161 224 1635 - Fax: +44 (0) 870 135 0061 - Mobile: +44 (0) 7900 996 328
Business Enquiries:  +44(0)870 770 8832
E-mail: [EMAIL PROTECTED]: www.baritone.uk.com (Performance) www.vocalstudio.co.uk (Vocal Tuition) www.selectperformers.com (Web design for professional musicians)
-




[PHP] Converting a string to formatted html

2003-10-27 Thread Ian Gray
(I'm re-submitting this 'cos I sent it in html- woops!)

Hi all,
 
I know this can be done somehow but I am not sure.  I have a form being
submitted to a php file and I wanted a textfield to be converted to formatted html.
At the moment none of the line breaks are being submitted and inverted commas
have slashes.  I know the slashes can be removed using stripslashes function.  I
thought line breaks would come through with \n but that isn't being transmitted
over the form.  Can anyone help?
 
Best wishes,
 
Ian Gray



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Randomizing 3 different numbers.

2003-10-27 Thread Ian Gray
I am trying to output 3 different random numbers between 1
and 20 into 3 different strings.  Using Rand() for each
string isn't sufficient as I may get the same number
repeated for one of the other strings, e.g. 1,1,3 or 5,3,3.
It's important that I get three different numbers outputted
into, for example, $one, $two, $three.

Can anyone help?

Ian




[PHP] PHP- Converting to and from TIMESTAMPS

2003-05-30 Thread Ian Gray
I am wanting one field on a table in one of my MySQL databases to contain different
dates and times as epoch timestamps.

Firstly, how do I convert a particular time and date which the user will enter on the
website into the epoch timestamp?

And secondly, how do I convert it back once taken off the table?  I'd like to use the
date function to print out this particular date and time, for example $a = date('g:IA
l, jS F, Y') so that $a could say '7:30PM Saturday, 23rd August, 2003'.  Does date only
work by outputting the current date or time?  Can you get it to output the format of
any date and time you would like?

I'd be grateful for any help!

Ian Gray