Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
----- Original Message -----
From: Ben [EMAIL PROTECTED]
Newsgroups: php.general
To: Gustav Wiberg [EMAIL PROTECTED]
Sent: Wednesday, September 14, 2005 7:35 PM
Subject: Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..

> Gustav Wiberg wrote:
> > All you guys, please comment if the code is well or bad written and why... :-)
>
> Since you asked, a few things popped out from a security perspective, though I didn't read through your code very thoroughly.
>
> > <?php
> > function chkIfPasswordTrue($un, $pw, $typeUser) {
> >     //Make username and password case-insensitive
> >     //
> >     $un = strtolower($un);
> >     $pw = strtolower($pw);
>
> Why limit your usernames/passwords to lower case? You've just made them significantly easier to brute force.

That's a good point. The reason is that our target group is users with little knowledge of computers, and therefore it might be easy to miss that caps lock is pushed in, and out... and the combination of small and big letters... But you're right... Probably I'll change this. Thanx!

> >     $sql = $sql . "SELECT IDAnvandare FROM tbanvandare WHERE ";
> >     $sql = $sql . "Anvandarnamn=" . safeQuote($un) . " AND ";
> >     $sql = $sql . "Losenord=" . safeQuote($pw) . " AND ";
>
> Where is your safeQuote() function coming from? From what I can see of your code you aren't doing any testing against the username and password before they are used as part of your SQL query. Sure would suck to have an unauthenticated user drop or otherwise muck with your db!

Hm. The safeQuote() function is always called before these functions are called and is:

<?php
function safeQuote($value) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
?>

> >     if (isset($_REQUEST["frmUsername"])) {
> >         $un = $_REQUEST["frmUsername"];
>
> If you're going to use $_REQUEST you might as well just turn on register globals (no, don't!).

*hehe*

> If you're expecting a post look for a $_POST, if you're expecting a get look for a $_GET. Ditto with cookies. You really need to know where your variables are coming from if you want a measure of security.

Yes, you're right. I wrote this code before I came in contact with $_POST and $_GET. Thanx again! It's appreciated! :-)

/G
http://www.varupiraten.se/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
Gustav Wiberg wrote:
> All you guys, please comment if the code is well or bad written and why... :-)

Since you asked, a few things popped out from a security perspective, though I didn't read through your code very thoroughly.

> <?php
> function chkIfPasswordTrue($un, $pw, $typeUser) {
>     //Make username and password case-insensitive
>     //
>     $un = strtolower($un);
>     $pw = strtolower($pw);

Why limit your usernames/passwords to lower case? You've just made them significantly easier to brute force.

>     $sql = $sql . "SELECT IDAnvandare FROM tbanvandare WHERE ";
>     $sql = $sql . "Anvandarnamn=" . safeQuote($un) . " AND ";
>     $sql = $sql . "Losenord=" . safeQuote($pw) . " AND ";

Where is your safeQuote() function coming from? From what I can see of your code you aren't doing any testing against the username and password before they are used as part of your SQL query. Sure would suck to have an unauthenticated user drop or otherwise muck with your db!

>     if (isset($_REQUEST["frmUsername"])) {
>         $un = $_REQUEST["frmUsername"];

If you're going to use $_REQUEST you might as well just turn on register globals (no, don't!). If you're expecting a post look for a $_POST, if you're expecting a get look for a $_GET. Ditto with cookies. You really need to know where your variables are coming from if you want a measure of security.

- Ben
[PHP] trying to figure out the best/efficient way to tell who is logged into a site..
hi...

anybody have pointers to trying to tell who/how long someone is logged into a system/site.

i've thought about setting a session var, but i'm not sure how to read/tabulate this var across the entire group of people who'd be logged in.

i've also thought about keeping track in a db tbl.. however, i'm still not sure that i've got a good way of tracking who's logged in, and still on... a possible approach would be to have the app periodically update the system whenever a logged in user goes from page to page...

so, any thoughts/ideas/etc...

-thanks

bruce
[EMAIL PROTECTED]
Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
Close: You mix both of these ideas. Create a custom session handler. This handler creates user entries in a database. Then when you want to know how many are online you do a count on the number of user entries in the table. Play around with different gc_probability values to tune the efficiency.

On 9/13/05, bruce [EMAIL PROTECTED] wrote:
> hi...
>
> anybody have pointers to trying to tell who/how long someone is logged into a system/site.
>
> i've thought about setting a session var, but i'm not sure how to read/tabulate this var across the entire group of people who'd be logged in.
>
> i've also thought about keeping track in a db tbl.. however, i'm still not sure that i've got a good way of tracking who's logged in, and still on... a possible approach would be to have the app periodically update the system whenever a logged in user goes from page to page...
>
> so, any thoughts/ideas/etc...
>
> -thanks
>
> bruce
> [EMAIL PROTECTED]
Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
----- Original Message -----
From: Jason Barnett [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Sent: Tuesday, September 13, 2005 11:25 PM
Subject: Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..

> Close: You mix both of these ideas. Create a custom session handler. This handler creates user entries in a database. Then when you want to know how many are online you do a count on the number of user entries in the table. Play around with different gc_probability values to tune the efficiency.

Hi there!

Giving you a bit of code... It might come in handy... :-) I don't have time to explain it, but it may be good for experimenting...

All you guys, please comment if the code is well or bad written and why... :-)

<?php
function chkIfPasswordTrue($un, $pw, $typeUser) {
    //Make username and password case-insensitive
    //
    $un = strtolower($un);
    $pw = strtolower($pw);
    $typeUser = strtolower($typeUser);

    require("phpfunctions/opendb.php");

    //Get ID for user based on username and password from database
    //
    $sql = "";
    $sql = $sql . "SELECT IDAnvandare FROM tbanvandare WHERE ";
    $sql = $sql . "Anvandarnamn=" . safeQuote($un) . " AND ";
    $sql = $sql . "Losenord=" . safeQuote($pw) . " AND ";
    if ($typeUser == "customer") {
        $sql = $sql . "Kund='Y'";
    } else if ($typeUser == "reseller") {
        $sql = $sql . "Af='Y'";
    } else {
        $sql = $sql . "Kund='Y'";
    }
    //echo "SQL = $sql";
    $querys = mysql_query($sql);
    $toarray = mysql_fetch_array($querys);
    $id = $toarray["IDAnvandare"];
    if ($id == null or strlen($id) == 0) { $id = 0; }
    mysql_close();

    //Return id for user, zero if incorrect login
    //
    return $id;
}

function getusername() {
    //Get username from form if the form has sent anything;
    //if there is an active username session, then use the session variable
    //to identify the user
    //
    $un = "";
    if (isset($_REQUEST["frmUsername"])) {
        $un = $_REQUEST["frmUsername"];
    }
    if (isset($_SESSION["unBuy"])) {
        $un = $_SESSION["unBuy"];
    }
    return $un;
}

function getpassword() {
    //Get password from form if the form has sent anything;
    //if there is an active password session, then use the session variable
    //to identify the user
    //
    $pw = "";
    if (isset($_REQUEST["frmPassword"])) {
        $pw = $_REQUEST["frmPassword"];
    }
    if (isset($_SESSION["pwBuy"])) {
        $pw = $_SESSION["pwBuy"];
    }
    return $pw;
}

function setsessions($username, $password, $typeUser) {
    $userid = 0;
    $username = trim($username);
    $password = trim($password);
    $typeUser = trim($typeUser);
    if (strlen($username) > 0 AND strlen($password) > 0 AND strlen($typeUser) > 0) {
        $userid = chkIfPasswordTrue($username, $password, $typeUser);
    }

    //Set session-variable for user-identification
    //
    if ($userid > 0) {
        $_SESSION["unBuy"] = $username;
        $_SESSION["pwBuy"] = $password;
        $_SESSION["typeUser"] = $typeUser;
    }
    return $userid;
}
?>

/G
http://www.varupiraten.se/
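Ben's review above raises three points against this code: lower-casing the password shrinks the space an attacker has to guess, the username and password are concatenated into the SQL text (protected only by safeQuote()'s escaping), and $_REQUEST accepts the credentials from the query string or a cookie as readily as from the form. The following is an added example written for this page, not code from Gustav or anyone else in the thread. It keeps Gustav's table and column names (tbanvandare, IDAnvandare, Anvandarnamn, Losenord, Kund, Af) but assumes Losenord now holds a password_hash() digest rather than the plaintext; the DSN, credentials and the form field frmTypeUser are assumptions, and PHP 7.4 or later with PDO is assumed.

```php
<?php
// Added example, not code from the thread: a hardened rewrite of the
// chkIfPasswordTrue()/setsessions() pair. Assumes PHP 7.4+, PDO with MySQL,
// Gustav's table tbanvandare, and that Losenord stores a password_hash()
// digest. DSN, credentials and the field frmTypeUser are hypothetical.

function connectDb(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// At registration or password change store the digest, never the plaintext:
//     UPDATE tbanvandare SET Losenord = :hash WHERE IDAnvandare = :id
// with :hash = password_hash($plaintext, PASSWORD_DEFAULT).

/**
 * Returns the user's id, or 0 if the login fails.
 *
 * Changes from the original:
 *  - the password is not lower-cased: its case is part of the secret;
 *  - username and password never enter the SQL text: they are bound parameters,
 *    so no escaping helper such as safeQuote() is needed;
 *  - the stored value is a password_hash() digest checked with password_verify().
 */
function checkLogin(PDO $pdo, string $un, string $pw, string $typeUser): int
{
    // The user-type flag picks a column from a fixed allow-list; the column
    // name is never built from request data.
    $flagColumn = ($typeUser === 'reseller') ? 'Af' : 'Kund';

    $stmt = $pdo->prepare(
        "SELECT IDAnvandare, Losenord FROM tbanvandare
          WHERE Anvandarnamn = :un AND $flagColumn = 'Y'"
    );
    $stmt->execute([':un' => $un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pw, $row['Losenord'])) {
        return 0;
    }
    return (int) $row['IDAnvandare'];
}

/**
 * Handles the login form. Reads $_POST only, as Ben suggests: a login form is
 * a POST, so the same field names arriving in the query string or a cookie
 * are ignored instead of being silently accepted through $_REQUEST.
 */
function loginFromPost(PDO $pdo): int
{
    $un   = trim((string) ($_POST['frmUsername'] ?? ''));
    $pw   = (string) ($_POST['frmPassword'] ?? '');
    $type = (string) ($_POST['frmTypeUser'] ?? 'customer');

    if ($un === '' || $pw === '') {
        return 0;
    }

    $userid = checkLogin($pdo, $un, $pw, $type);
    if ($userid > 0) {
        // New session id on privilege change, and only the identity goes into
        // the session: the password itself (unBuy/pwBuy in the original) has
        // no reason to be stored there.
        session_regenerate_id(true);
        $_SESSION['userid']   = $userid;
        $_SESSION['typeUser'] = ($type === 'reseller') ? 'reseller' : 'customer';
    }
    return $userid;
}

session_start();
$userid = loginFromPost(connectDb());
echo $userid > 0 ? "Logged in as user $userid\n" : "Login failed\n";
```

Because the later page loads identify the user by $_SESSION['userid'] rather than by re-checking a stored username and password, the getusername()/getpassword() pair from the original is no longer needed, and a leaked session file or database row no longer contains a credential.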
RE: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
any code/pointers to this... i've been doing the google/search thing and haven't come across anything which relates to what i'm searching for... so.. any help in this area would be greatly appreciated!! i would have thought there would be articles/open source code/apps on this!!

-thanks

bruce

-----Original Message-----
From: Jason Barnett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 2:25 PM
Cc: php-general@lists.php.net
Subject: Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..

Close: You mix both of these ideas. Create a custom session handler. This handler creates user entries in a database. Then when you want to know how many are online you do a count on the number of user entries in the table. Play around with different gc_probability values to tune the efficiency.
RE: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
> any code/pointers to this... i've been doing the google/search thing and haven't come across anything which relates to what i'm searching for... so.. any help in this area would be greatly appreciated!! i would have thought there would be articles/open source code/apps on this!!
>
> -thanks
>
> bruce

http://www.php.net/manual/en/function.session-set-save-handler.php

Also try zend.com in the tips/articles/code-snippets section.
RE: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
ok still have questions regarding how to handle a user/session of a user who kills their browser.

in this case, the user's session information would still be in the db for the session handler... am i correct in understanding/assuming that i could iterate through the list of sessions in the session handler, and the session information for users who aren't on the site will essentially be invalid???

also, i'm trying to get my hands around the garbage collection function, as it relates to users who aren't on the system any more... information that i've seen in the articles hasn't given me insight for this issue...

if i can see how to deal with this situation, then i can craft a way for an admin to more or less be able to generate a list of users/people who are actually on the system/site.

as an exercise, i took a look at mambo (the cms) and realized that it doesn't handle users who simply shut down their browser while on the system...

thoughts/comments...

-bruce

-----Original Message-----
From: Philip Hallstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 13, 2005 3:43 PM
To: bruce
Cc: [EMAIL PROTECTED]; php-general@lists.php.net
Subject: RE: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..

http://www.php.net/manual/en/function.session-set-save-handler.php

Also try zend.com in the tips/articles/code-snippets section.
Re: [PHP] trying to figure out the best/efficient way to tell who is logged into a site..
bruce wrote:
> as an exercise, i took a look at mambo (the cms) and realized that it doesn't handle users who simply shut down their browser while on the system... thoughts/comments...

The only way to deal with such situations is through a garbage collection routine that periodically deletes or marks as stale records for users who haven't requested a new page within a set period of time.

- Ben
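Jason's suggestion (a custom session handler that writes every session to a table, so "who is online" is a count over that table) and Ben's answer to bruce's closed-browser question (only garbage collection can expire a user who never sends a logout) fit in one piece of code, because PHP's save-handler interface already has the gc() hook. The following is an added example written for this page, not code from anyone in the thread. It assumes PHP 8 with PDO and MySQL, the table in the leading comment, and that the login code stores the user's id in $_SESSION['userid']; that key name, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8, PDO with MySQL and
// that the login code stores the user's id in $_SESSION['userid'] (an assumed
// name). Table assumed to exist:
//
//   CREATE TABLE sessions (
//     id        VARCHAR(128) PRIMARY KEY,
//     data      BLOB NOT NULL,
//     userid    INT NULL,          -- NULL for visitors who are not logged in
//     created   INT NOT NULL,      -- unix time the session row first appeared
//     last_seen INT NOT NULL,      -- unix time of the most recent request
//     INDEX (last_seen)
//   );

class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;   // '' = no such session yet
    }

    public function write(string $id, string $data): bool
    {
        // PHP calls write() at the end of every request, so last_seen is the
        // page-to-page heartbeat bruce described, with no extra calls needed.
        // $_SESSION is still populated at this point.
        $userid = $_SESSION['userid'] ?? null;
        $now = time();
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, userid, created, last_seen)
             VALUES (:id, :data, :userid, :created, :seen)
             ON DUPLICATE KEY UPDATE data = :data2, userid = :userid2, last_seen = :seen2'
        );
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':userid' => $userid, ':created' => $now, ':seen' => $now,
            ':data2' => $data, ':userid2' => $userid, ':seen2' => $now,
        ]);
    }

    public function destroy(string $id): bool
    {
        // An explicit logout (session_destroy()) removes the row at once.
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Ben's garbage collection: a user who closed the browser never sends a
        // logout, so the row is dropped once it has been silent for
        // session.gc_maxlifetime seconds. PHP invokes this on roughly
        // gc_probability/gc_divisor of session starts.
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE last_seen < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

/**
 * Logged-in users active within the last $window seconds, with how long each
 * has been on the site. The window is shorter than gc_maxlifetime on purpose:
 * the admin list must not depend on when gc() last happened to run.
 */
function onlineUsers(PDO $pdo, int $window = 300): array
{
    $stmt = $pdo->prepare(
        'SELECT userid, MIN(created) AS on_site_since, MAX(last_seen) AS last_seen
           FROM sessions
          WHERE userid IS NOT NULL AND last_seen >= :cutoff
          GROUP BY userid'
    );
    $stmt->execute([':cutoff' => time() - $window]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Wiring (hypothetical DSN and credentials).
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
ini_set('session.gc_maxlifetime', '1800');  // 30 minutes of silence and the row is gone
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');       // gc() on about 1% of requests
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();

foreach (onlineUsers($pdo) as $u) {
    printf("user %d on site for %d s, last seen %d s ago\n",
        $u['userid'], time() - $u['on_site_since'], time() - $u['last_seen']);
}
```

Two consequences for the questions raised in the thread: iterating over the session table does work, but a row for a user who closed the browser is not "invalid" in any way the code can see, it is just old, which is why the online list filters on last_seen rather than on row existence; and gc_probability/gc_divisor only tune how often the stale rows are physically deleted, not how quickly a user stops counting as online.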