Re: Re: [PHP] Simple login form with cookies
> > The basic model for password authentication is to use one way crypt routines. MySql has several, PHP also has them. The basic algorithm would be like this:
> >
> > 1) read the password from the form.
> > 2) read the password from your datastore that matches the user name or session
> > 3) encrypt the password on the form.
> > 4) do a string comparison between the database data and the encrypted password from the form.
> >
> > This of course assumes that you have been encrypting your passwords when you store them (always good practice), so I think this translates to php as (forgive me if this is bogus, it's been a while since I've done any php):
> >
> >     $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
> >     $passwd = crypt($_GET['passwd'], $salt);
> >     if ($passwd == $userObject->getPassword) { return 1; } else { return 0; }
> >     ?>
> >
> > So I've not tested this obviously but you would have to have a $userObject which is your interface between your software and your user data.
> >
> > Hope it helps,
> > Carl.
>
> I am encrypting the stored password with SHA1. I am new to programming and PHP so I am unsure what to do with this line $userObject->getPassword

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
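Carl's comparison step, carried through as an added example that is not code from the thread: the asker's unsalted SHA1 and Carl's crypt() with one global salt beside PHP's own password_hash()/password_verify(), plus a login check that verifies a legacy SHA1 record in constant time and upgrades it. UserRecord and its getPassword()/setPassword() methods are hypothetical stand-ins for Carl's $userObject, and the code assumes PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. UserRecord and its getPassword() /
// setPassword() methods are hypothetical stand-ins for Carl's $userObject
// (note the parentheses: getPassword is a method, so it has to be called).
// Assumes PHP >= 5.6 (password_hash, password_verify, hash_equals).

class UserRecord
{
    private $storedPassword;

    public function __construct($stored)
    {
        $this->storedPassword = $stored;
    }

    public function getPassword()
    {
        return $this->storedPassword;
    }

    public function setPassword($stored)
    {
        $this->storedPassword = $stored;
    }
}

// Scheme 1 (the asker's): unsalted SHA1. Two users with the same password
// get the same digest, so a leaked table reveals shared and common passwords.
function storeSha1($password)
{
    return sha1($password);
}

// Scheme 2 (Carl's): crypt() with one site-wide salt. Still deterministic
// across users, so it shares the weakness of scheme 1.
function storeCryptGlobalSalt($password)
{
    return crypt($password, '$1$someglob$');   // MD5-crypt with a fixed 8-char salt
}

// Scheme 3: password_hash() draws a fresh random salt per call and embeds it,
// with the algorithm and cost, in the returned string; password_verify()
// reads them back, so no global salt has to be kept in sync with the table.
function storeHashed($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// A SHA1 hex digest is always exactly 40 hex characters; password_hash()
// output never is, so the format tells us which check to run.
function isLegacySha1($stored)
{
    return preg_match('/^[0-9a-f]{40}$/i', $stored) === 1;
}

// Login check covering both record formats. A legacy SHA1 record is compared
// in constant time and, on success, replaced by a per-user salted hash.
function checkLogin(UserRecord $user, $submitted)
{
    $stored = $user->getPassword();
    if (!isLegacySha1($stored)) {
        return password_verify($submitted, $stored);
    }
    if (hash_equals($stored, sha1($submitted))) {
        $user->setPassword(storeHashed($submitted));
        return true;
    }
    return false;
}

// The same password chosen by two different users, under each scheme.
echo 'SHA1 digests identical: ', var_export(storeSha1('letmein') === storeSha1('letmein'), true), "\n";
echo 'crypt+global salt identical: ', var_export(storeCryptGlobalSalt('letmein') === storeCryptGlobalSalt('letmein'), true), "\n";
echo 'password_hash identical: ', var_export(storeHashed('letmein') === storeHashed('letmein'), true), "\n";

// A user whose row still holds a SHA1 digest logs in; the row is upgraded in place.
$user = new UserRecord(storeSha1('letmein'));
echo 'wrong password accepted: ', var_export(checkLogin($user, 'wrong'), true), "\n";
echo 'right password accepted: ', var_export(checkLogin($user, 'letmein'), true), "\n";
echo 'record is still SHA1: ', var_export(isLegacySha1($user->getPassword()), true), "\n";
echo 'right password still accepted: ', var_export(checkLogin($user, 'letmein'), true), "\n";
```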
Re: [PHP] Simple login form with cookies
Try again, and include the actual link this time, dummy. :-)

On Wed, Jul 8, 2009 at 5:30 PM, Andrew Ballard wrote:
> On Wed, Jul 8, 2009 at 4:45 PM, PJ wrote:
>> Andrew Ballard wrote:
>>> On Wed, Jul 8, 2009 at 11:53 AM, PJ wrote:
>>>> I have a couple of questions/comments re all this:
>>>>
>>>> [snip]
>>>>
>>>> 2. Cleaning is another bloody headache, for me anyway. I have found that almost every time I try to do some cleaning with trim and mysql_real_escape_string and stripslashes wipes out my usernames and passwords. I haven't been able to use them when doing the crypt and encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit lost on this.
>>>> Specifically, this wipes out my login and password... (I know, this is old code, but it is supposed to work, no?)
>>>>
>>>>     //Function to sanitize values received from the form. Prevents SQL injection
>>>>     function clean($str) {
>>>>         $str = @trim($str);
>>>>         if(get_magic_quotes_gpc()) {
>>>>             $str = stripslashes($str);
>>>>         }
>>>>         return mysql_real_escape_string($str);
>>>>     }
>>>>
>>>>     //Sanitize the POST values
>>>>     $login = clean($_POST['login']);
>>>>     $password = clean($_POST['password']);
>>>>
>>>> When I echoed the cleaned $login and $password, they looked like they had just gone through an acid bath before being hit by Katrina (hurricane)... ;-) rather whitewashed and empty. There was nothing left to work with.
>>>
>>> One thing to check - I'm pretty sure that mysql_real_escape_string will only work if you have an open connection to mysql,
>>
>> It's always open... I think.. do you mean within the active script (the one I'm working on)? Yes. yes, it's open.
>
> As long as you have called mysql_connect() prior to using mysql_real_escape_string() and the result of the former was a valid connection resource, then the latter should work. Otherwise mysql_real_escape_string() will try to connect with the default credentials stored in php.ini, and failing that will generate an E_WARNING that it was unable to connect.
>
> Also, if there is no active connection, mysql_real_escape_string() returns the boolean value false.
>
>> the user_name was just plain alphabet soup... no special characters... the password, though, had some uppercase weirdos... like @$$ (backslashing doesn't seem to help)... oh, well :-\
>
> You shouldn't need to escape those specific characters in a MySQL query, so running them through addslashes(), mysql_escape_string(), or mysql_real_escape_string() would not escape them, and manually escaping them would not produce desired results.
>
>>> because it uses that connection to figure out what character encoding
>>
>> Ohmygod not character encoding... it's such a mess for me. I try to only use utf8 but there's so much confusion with that that I have stopped thinking about it until a problem occurs... like in Firefox ... I get emails with the Western encoding and the utf8 so I often have to switch... and the printouts don't follow either... lots of little black diamonds... a real pita.
>
> Here is a blog post that explains why it is important for mysql_real_escape_string() to consider character sets.

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

>>> is being used so it can escape the string accordingly. (If unable to connect, it should raise an E_WARNING.)
>>>
>>> I'm not sure why you would need to use @ with trim(), but that shouldn't matter.
>>
>> Frankly, I don't know either. I borrowed the code somewhere; but I usually just 86 those @ts so I can see errors.
>
>>> Otherwise, nothing in there should mangle the input.
>>
>> mangle does as mangle can mangle... :-D
>
> The function looks pretty straightforward. I'm curious what input you are passing and how it's being "mangled" by the function.
>
> Andrew
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 4:45 PM, PJ wrote:
> Andrew Ballard wrote:
>> On Wed, Jul 8, 2009 at 11:53 AM, PJ wrote:
>>> I have a couple of questions/comments re all this:
>>> [snip]
>>> 2. Cleaning is another bloody headache, for me anyway. I have found that almost every time I try to do some cleaning with trim and mysql_real_escape_string and stripslashes wipes out my usernames and passwords. I haven't been able to use them when doing the crypt and encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit lost on this.
>>> Specifically, this wipes out my login and password... (I know, this is old code, but it is supposed to work, no?)
>>>
>>>     //Function to sanitize values received from the form. Prevents SQL injection
>>>     function clean($str) {
>>>         $str = @trim($str);
>>>         if(get_magic_quotes_gpc()) {
>>>             $str = stripslashes($str);
>>>         }
>>>         return mysql_real_escape_string($str);
>>>     }
>>>
>>>     //Sanitize the POST values
>>>     $login = clean($_POST['login']);
>>>     $password = clean($_POST['password']);
>>>
>>> When I echoed the cleaned $login and $password, they looked like they had just gone through an acid bath before being hit by Katrina (hurricane)... ;-) rather whitewashed and empty. There was nothing left to work with.
>>
>> One thing to check - I'm pretty sure that mysql_real_escape_string will only work if you have an open connection to mysql,
>
> It's always open... I think.. do you mean within the active script (the one I'm working on)? Yes. yes, it's open.

As long as you have called mysql_connect() prior to using mysql_real_escape_string() and the result of the former was a valid connection resource, then the latter should work. Otherwise mysql_real_escape_string() will try to connect with the default credentials stored in php.ini, and failing that will generate an E_WARNING that it was unable to connect.

Also, if there is no active connection, mysql_real_escape_string() returns the boolean value false.

> the user_name was just plain alphabet soup... no special characters... the password, though, had some uppercase weirdos... like @$$ (backslashing doesn't seem to help)... oh, well :-\

You shouldn't need to escape those specific characters in a MySQL query, so running them through addslashes(), mysql_escape_string(), or mysql_real_escape_string() would not escape them, and manually escaping them would not produce desired results.

>> because it uses that connection to figure out what character encoding
>
> Ohmygod not character encoding... it's such a mess for me. I try to only use utf8 but there's so much confusion with that that I have stopped thinking about it until a problem occurs... like in Firefox ... I get emails with the Western encoding and the utf8 so I often have to switch... and the printouts don't follow either... lots of little black diamonds... a real pita.

Here is a blog post that explains why it is important for mysql_real_escape_string() to consider character sets.

>> is being used so it can escape the string accordingly. (If unable to connect, it should raise an E_WARNING.)
>>
>> I'm not sure why you would need to use @ with trim(), but that shouldn't matter.
>
> Frankly, I don't know either. I borrowed the code somewhere; but I usually just 86 those @ts so I can see errors.
>
>> Otherwise, nothing in there should mangle the input.
>
> mangle does as mangle can mangle... :-D

The function looks pretty straightforward. I'm curious what input you are passing and how it's being "mangled" by the function.

Andrew
Re: [PHP] Simple login form with cookies
Paul M Foster wrote:
> On Wed, Jul 08, 2009 at 03:23:49PM -0400, Bob McConnell wrote:
>> From: Tony Marston
>>> I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed? Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.
>>
>> Daniel already explained to you why it is there. Long threads get too confusing with top posting. When posted correctly they read chronologically from top to bottom so they can be followed and understood when referenced a year or two later.
>>
>> Top posting did not exist in the early days of the Internet. I was active on email listserves and Usenet newsgroups 18 years ago, long before Microsoft discovered them and decided that top posting should be the norm. All of the other news and email clients I have ever used defaulted to bottom posting. It was only in Outlook 2003 that Microsoft finally removed that option completely. Previous versions allowed bottom posting and even handled the attribution markup correctly.
>
> Also, Tony's mail reader is broken-- Microsoft Outlook Express 6.
>
> Paul

Actually, I prefer "middle posting" ;-)

--
Hervé Kempf: "To save the planet, get out of capitalism."
- Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
Re: [PHP] Simple login form with cookies
Tony Marston wrote:
> I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed?

Damn, isn't life frustrating... in case no one has noticed, 99 % of the rules we have in society are made by idiots and power hungry dimwits... how often do you see a politician or "leader" who is an intelligent person, let alone an "intellectual"? Hate to say it, but "top posting" is about as irrelevant to our existence as a bacterial fart. :-D

> Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.

--
Hervé Kempf: "To save the planet, get out of capitalism."
- Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
Re: [PHP] Simple login form with cookies
Andrew Ballard wrote:
> On Wed, Jul 8, 2009 at 11:53 AM, PJ wrote:
>> Michael A. Peters wrote:
>>> Daniel Brown wrote:
>>>> First, a reminder to several (including some in this thread) that top-posting is against the law here.
>>>>
>>>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta wrote:
>>>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>>>>
>>>> Second, another, more important reminder:
>>>>
>>>>     $username = '" OR 1 OR "'; ?>
>>>>
>>>> Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in.
>>>>
>>>> The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing but with top-posters, you never know ;-P).
>>>
>>> prepared statements really do a pretty good job at neutering sql injection. But one shouldn't be lazy with input validation anyway.
>>
>> I have a couple of questions/comments re all this:
>>
>> 1. Doing the login and processing through https should add a bit more security, it seems to me.
>
> It does add security between your user's web browser and the web server. It's up to you to keep it secure once you receive it.
>
>> 2. Cleaning is another bloody headache, for me anyway. I have found that almost every time I try to do some cleaning with trim and mysql_real_escape_string and stripslashes wipes out my usernames and passwords. I haven't been able to use them when doing the crypt and encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit lost on this.
>> Specifically, this wipes out my login and password... (I know, this is old code, but it is supposed to work, no?)
>>
>>     //Function to sanitize values received from the form. Prevents SQL injection
>>     function clean($str) {
>>         $str = @trim($str);
>>         if(get_magic_quotes_gpc()) {
>>             $str = stripslashes($str);
>>         }
>>         return mysql_real_escape_string($str);
>>     }
>>
>>     //Sanitize the POST values
>>     $login = clean($_POST['login']);
>>     $password = clean($_POST['password']);
>>
>> When I echoed the cleaned $login and $password, they looked like they had just gone through an acid bath before being hit by Katrina (hurricane)... ;-) rather whitewashed and empty. There was nothing left to work with.
>
> One thing to check - I'm pretty sure that mysql_real_escape_string will only work if you have an open connection to mysql,

It's always open... I think.. do you mean within the active script (the one I'm working on)? Yes. yes, it's open.

the user_name was just plain alphabet soup... no special characters... the password, though, had some uppercase weirdos... like @$$ (backslashing doesn't seem to help)... oh, well :-\

> because it uses that connection to figure out what character encoding

Ohmygod not character encoding... it's such a mess for me. I try to only use utf8 but there's so much confusion with that that I have stopped thinking about it until a problem occurs... like in Firefox ... I get emails with the Western encoding and the utf8 so I often have to switch... and the printouts don't follow either... lots of little black diamonds... a real pita.

> is being used so it can escape the string accordingly. (If unable to connect, it should raise an E_WARNING.)
>
> I'm not sure why you would need to use @ with trim(), but that shouldn't matter.

Frankly, I don't know either. I borrowed the code somewhere; but I usually just 86 those @ts so I can see errors.

> Otherwise, nothing in there should mangle the input.

mangle does as mangle can mangle... :-D

> Andrew

--
Hervé Kempf: "To save the planet, get out of capitalism."
- Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
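Martin's string-built query and the `OR 1 OR` value Daniel answers it with, carried through as an added example that is not code from the thread: the concatenated login beside the prepared-statement version Michael recommends, both run against a constructed two-row table in an in-memory SQLite database. Assumes PHP 5.5 or later with the pdo_sqlite extension; the table, the usernames and the passwords are constructed, and md5(concat(...)) is computed in PHP because SQLite has no md5().

```php
<?php
// Added example, not code from the thread. Constructed in-memory SQLite table
// with the administrator in the first row, as Daniel's message describes.
// Assumes PHP >= 5.5 with pdo_sqlite. The thread's md5(concat(...)) is
// computed in PHP because SQLite has no md5() function; the flaw is the same.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, legacy_md5 TEXT, passwd_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, legacy_md5, passwd_hash) VALUES (?, ?, ?)');
foreach (array('admin' => 'correct horse', 'pj' => '@$$word') as $name => $pw) {
    // legacy_md5 follows the thread's md5(username@password) scheme;
    // passwd_hash is password_hash() output with a per-user salt.
    $ins->execute(array($name, md5($name . '@' . $pw), password_hash($pw, PASSWORD_DEFAULT)));
}

// Martin's approach: the SQL text is assembled from the raw form values,
// so a quote inside a value changes the shape of the WHERE clause itself.
function loginByConcatenation(PDO $db, $username, $password)
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'"
         . " AND legacy_md5 = '" . md5($username . '@' . $password) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Michael's recommendation: a prepared statement ships the value separately
// from the SQL text, so it can only ever be compared as data. The password
// is then checked in PHP against a per-user salted hash, never inside SQL.
function loginPrepared(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT username, passwd_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passwd_hash'])) {
        return null;
    }
    return $row['username'];
}

// Daniel's test value, written with the quote character this query uses as its delimiter.
$probe = "' OR 1 OR '";

// Ordinary logins succeed either way.
echo 'concat, pj:      ', var_export(loginByConcatenation($db, 'pj', '@$$word'), true), "\n";
echo 'prepared, pj:    ', var_export(loginPrepared($db, 'pj', '@$$word'), true), "\n";

// With the probe, the concatenated WHERE becomes "username = '' OR 1 OR '' AND ..."
// and matches every row, so the first row (the administrator) comes back; the
// prepared statement merely looks for a user literally named ' OR 1 OR ' and finds none.
echo 'concat, probe:   ', var_export(loginByConcatenation($db, $probe, 'anything'), true), "\n";
echo 'prepared, probe: ', var_export(loginPrepared($db, $probe, 'anything'), true), "\n";
```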
Re: [PHP] Simple login form with cookies
On Wed, Jul 08, 2009 at 03:23:49PM -0400, Bob McConnell wrote:
> From: Tony Marston
>> I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed? Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.
>
> Daniel already explained to you why it is there. Long threads get too confusing with top posting. When posted correctly they read chronologically from top to bottom so they can be followed and understood when referenced a year or two later.
>
> Top posting did not exist in the early days of the Internet. I was active on email listserves and Usenet newsgroups 18 years ago, long before Microsoft discovered them and decided that top posting should be the norm. All of the other news and email clients I have ever used defaulted to bottom posting. It was only in Outlook 2003 that Microsoft finally removed that option completely. Previous versions allowed bottom posting and even handled the attribution markup correctly.

Also, Tony's mail reader is broken-- Microsoft Outlook Express 6.

Paul

--
Paul M. Foster
Re: [PHP] Simple login form with cookies
just an observation here, but are we not getting close to breaking another rule?

"Do not high-jack threads, by bringing up entirely new topics. Please create an entirely new thread copying anything you wish to quote into the new thread."

I know some feel this is important but if I was searching for some help with a simple login form and cookies, this thread would be useless.

peace,
-Shane

On Wed, Jul 8, 2009 at 12:23 PM, Bob McConnell wrote:
> From: Tony Marston
>> I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed? Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.
>
> Daniel already explained to you why it is there. Long threads get too confusing with top posting. When posted correctly they read chronologically from top to bottom so they can be followed and understood when referenced a year or two later.
>
> Top posting did not exist in the early days of the Internet. I was active on email listserves and Usenet newsgroups 18 years ago, long before Microsoft discovered them and decided that top posting should be the norm. All of the other news and email clients I have ever used defaulted to bottom posting. It was only in Outlook 2003 that Microsoft finally removed that option completely. Previous versions allowed bottom posting and even handled the attribution markup correctly.
>
> Bob McConnell
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 3:06 PM, Tony Marston wrote:
[snip]
> I don't like this rule, so I choose to disobey it.

Now that's some scary ideology.

Andrew
RE: [PHP] Simple login form with cookies
From: Tony Marston
> I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed? Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.

Daniel already explained to you why it is there. Long threads get too confusing with top posting. When posted correctly they read chronologically from top to bottom so they can be followed and understood when referenced a year or two later.

Top posting did not exist in the early days of the Internet. I was active on email listserves and Usenet newsgroups 18 years ago, long before Microsoft discovered them and decided that top posting should be the norm. All of the other news and email clients I have ever used defaulted to bottom posting. It was only in Outlook 2003 that Microsoft finally removed that option completely. Previous versions allowed bottom posting and even handled the attribution markup correctly.

Bob McConnell
Re: [PHP] Simple login form with cookies
I do not follow rules which cannot be justified beyond the expression "It is there, so obey it!" Why is it there? What are the alternatives? What harm does it do? What happens if the rule is disobeyed? Top posting existed in the early days of the internet, and for a logical reason. Then some arrogant prat came along and said "I don't like this, so I am going to make a rule which forbids it!". I don't like this rule, so I choose to disobey it.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

"Daniel Brown" wrote in message news:ab5568160907081021x5e88fc74t90351df08b4d3...@mail.gmail.com...
> On Wed, Jul 8, 2009 at 13:02, Tony Marston wrote:
>> I do not regard that as a concrete rule, and certainly not one worth bothering about. Lots of newsgroups I visited before coming here allowed top posting, so it is arrogant for someone to say "I personally don't like top posting, so I'll make a rule that disallows it". A sensible rule, and one which I have no problem in following, is that if a question is posted in English then I will answer in English. That makes sense, whereas "no top posting" does not.
>
> No matter anymore. You've expressed your distaste for the rules and your intent on disregarding them, which - in turn - shows that (a) you believe yourself to be beyond the need to respect the guidelines the rest of the community follows; and (b) you couldn't give a damn about contributing to good, solid archives.
>
> There's certainly no way we can force you to follow the rules, so I'm done discussing it. It's just a shame that it's not going to work out in a manner that doesn't speak volumes about your negative attitude toward others.
>
> Best of luck in everything you do.
>
> --
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
On Wed, 2009-07-08 at 13:03 -0400, Bastien Koert wrote:
> On Wed, Jul 8, 2009 at 12:50 PM, Daniel Brown wrote:
>> On Wed, Jul 8, 2009 at 12:38, Tony Marston wrote:
>>> What rules? I never agreed to abide by any rules before I started posting to this group. My newsreader assumes top posting by default, so I have been top posting for the past 10 years. If you don't like it then it is your problem, not mine.
>>
>> Absolutely 100% completely incorrect, and in all honesty, that's quite an ignorant attitude. That's not to say that I think *you* are ignorant, but rather the attitude toward established rules and guidelines that have been around long before you began posting, and will remain long after you leave.
>>
>> See:
>> http://php.net/mailing-lists.php --- which links to:
>> http://php.net/reST/php-src/README.MAILINGLIST_RULES
>> (Specifically: "General" #3)
>>
>> So while it's my problem, it is also *your* problem, as the offender.
>>
>> If you didn't agree to rules beforehand, that's your issue. Ignorance is not a defense. You were - or had the opportunity to be - made aware of the rules of the list, and as such, agree to abide by them by continuing to post in this - or any - public forum. Much the same as, by traveling to a foreign country, you agree to be bound by their rules and regulations. You cannot simply claim that you did not know of a rule.
>>
>> And for the record, Gmail assumes top-posting as well. It takes between one and three seconds to align each message properly, which is a pain in the butt each time, I agree, but it's something that has to be done. Otherwise, it breaks threads and makes the archives very difficult to read --- damning the purpose of even having them there for the benefit of others on the Internet.
>>
>> For years, we've all adapted to this, because they were the rules, and because we respect each other enough in the community to follow them. Here's hoping that you won't be the odd-man-out of that respectful group.
>>
>> Thanks.
>>
>> --
>> daniel.br...@parasane.net || danbr...@php.net
>> http://www.parasane.net/ || http://www.pilotpig.net/
>> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
>
> Gmail on iPhone/iPod touch does the same thing. Fortunately with copy'n'paste I can now get it to work thru the email interface. The web version of gmail (while nicer looking) is giving me grief in moving to the bottom of the message when attempting a reply (hence the few replies that are top posted, sorry ;-P )
>
> --
> Bastien
>
> Cat, the other other white meat

My email client does the same thing too, and I find it takes me a whole second and a half to move my cursor to the right point in the email. Averaging just over 60 messages in a month, that totals to just over a minute and a half. Damnit phpgeneral, give me that minute and a half back of my life!

Thanks
Ash
www.ashleysheridan.co.uk
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 13:02, Tony Marston wrote:
> I do not regard that as a concrete rule, and certainly not one worth bothering about. Lots of newsgroups I visited before coming here allowed top posting, so it is arrogant for someone to say "I personally don't like top posting, so I'll make a rule that disallows it". A sensible rule, and one which I have no problem in following, is that if a question is posted in English then I will answer in English. That makes sense, whereas "no top posting" does not.

No matter anymore. You've expressed your distaste for the rules and your intent on disregarding them, which - in turn - shows that (a) you believe yourself to be beyond the need to respect the guidelines the rest of the community follows; and (b) you couldn't give a damn about contributing to good, solid archives.

There's certainly no way we can force you to follow the rules, so I'm done discussing it. It's just a shame that it's not going to work out in a manner that doesn't speak volumes about your negative attitude toward others.

Best of luck in everything you do.

--
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 12:50 PM, Daniel Brown wrote:
> On Wed, Jul 8, 2009 at 12:38, Tony Marston wrote:
>> What rules? I never agreed to abide by any rules before I started posting to this group. My newsreader assumes top posting by default, so I have been top posting for the past 10 years. If you don't like it then it is your problem, not mine.
>
> Absolutely 100% completely incorrect, and in all honesty, that's quite an ignorant attitude. That's not to say that I think *you* are ignorant, but rather the attitude toward established rules and guidelines that have been around long before you began posting, and will remain long after you leave.
>
> See:
> http://php.net/mailing-lists.php --- which links to:
> http://php.net/reST/php-src/README.MAILINGLIST_RULES
> (Specifically: "General" #3)
>
> So while it's my problem, it is also *your* problem, as the offender.
>
> If you didn't agree to rules beforehand, that's your issue. Ignorance is not a defense. You were - or had the opportunity to be - made aware of the rules of the list, and as such, agree to abide by them by continuing to post in this - or any - public forum. Much the same as, by traveling to a foreign country, you agree to be bound by their rules and regulations. You cannot simply claim that you did not know of a rule.
>
> And for the record, Gmail assumes top-posting as well. It takes between one and three seconds to align each message properly, which is a pain in the butt each time, I agree, but it's something that has to be done. Otherwise, it breaks threads and makes the archives very difficult to read --- damning the purpose of even having them there for the benefit of others on the Internet.
>
> For years, we've all adapted to this, because they were the rules, and because we respect each other enough in the community to follow them. Here's hoping that you won't be the odd-man-out of that respectful group.
>
> Thanks.
>
> --
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig

Gmail on iPhone/iPod touch does the same thing. Fortunately with copy'n'paste I can now get it to work thru the email interface. The web version of gmail (while nicer looking) is giving me grief in moving to the bottom of the message when attempting a reply (hence the few replies that are top posted, sorry ;-P )

--
Bastien

Cat, the other other white meat
Re: [PHP] Simple login form with cookies
I do not regard that as a concrete rule, and certainly not one worth bothering about. Lots of newsgroups I visited before coming here allowed top posting, so it is arrogant for someone to say "I personally don't like top posting, so I'll make a rule that disallows it". A sensible rule, and one which I have no problem in following, is that if a question is posted in English then I will answer in English. That makes sense, whereas "no top posting" does not.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

"Daniel Brown" wrote in message news:ab5568160907080950o7fa7af0ckbee192b34410e...@mail.gmail.com...
> On Wed, Jul 8, 2009 at 12:38, Tony Marston wrote:
>> What rules? I never agreed to abide by any rules before I started posting to this group. My newsreader assumes top posting by default, so I have been top posting for the past 10 years. If you don't like it then it is your problem, not mine.
>
> Absolutely 100% completely incorrect, and in all honesty, that's quite an ignorant attitude. That's not to say that I think *you* are ignorant, but rather the attitude toward established rules and guidelines that have been around long before you began posting, and will remain long after you leave.
>
> See:
> http://php.net/mailing-lists.php --- which links to:
> http://php.net/reST/php-src/README.MAILINGLIST_RULES
> (Specifically: "General" #3)
>
> So while it's my problem, it is also *your* problem, as the offender.
>
> If you didn't agree to rules beforehand, that's your issue. Ignorance is not a defense. You were - or had the opportunity to be - made aware of the rules of the list, and as such, agree to abide by them by continuing to post in this - or any - public forum. Much the same as, by traveling to a foreign country, you agree to be bound by their rules and regulations. You cannot simply claim that you did not know of a rule.
>
> And for the record, Gmail assumes top-posting as well. It takes between one and three seconds to align each message properly, which is a pain in the butt each time, I agree, but it's something that has to be done. Otherwise, it breaks threads and makes the archives very difficult to read --- damning the purpose of even having them there for the benefit of others on the Internet.
>
> For years, we've all adapted to this, because they were the rules, and because we respect each other enough in the community to follow them. Here's hoping that you won't be the odd-man-out of that respectful group.
>
> Thanks.
>
> --
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 12:38, Tony Marston wrote:
> What rules? I never agreed to abide by any rules before I started posting to this group. My newsreader assumes top posting by default, so I have been top posting for the past 10 years. If you don't like it then it is your problem, not mine.

Absolutely 100% completely incorrect, and in all honesty, that's quite an ignorant attitude. That's not to say that I think *you* are ignorant, but rather the attitude toward established rules and guidelines that have been around long before you began posting, and will remain long after you leave.

See: http://php.net/mailing-lists.php --- which links to: http://php.net/reST/php-src/README.MAILINGLIST_RULES (Specifically: "General" #3)

So while it's my problem, it is also *your* problem, as the offender.

If you didn't agree to rules beforehand, that's your issue. Ignorance is not a defense. You were - or had the opportunity to be - made aware of the rules of the list, and as such, agree to abide by them by continuing to post in this - or any - public forum. Much the same as, by traveling to a foreign country, you agree to be bound by their rules and regulations. You cannot simply claim that you did not know of a rule.

And for the record, Gmail assumes top-posting as well. It takes between one and three seconds to align each message properly, which is a pain in the butt each time, I agree, but it's something that has to be done. Otherwise, it breaks threads and makes the archives very difficult to read --- damning the purpose of even having them there for the benefit of others on the Internet.

For years, we've all adapted to this, because they were the rules, and because we respect each other enough in the community to follow them. Here's hoping that you won't be the odd-man-out of that respectful group.

Thanks.

--
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
What rules? I never agreed to abide by any rules before I started posting to this group. My newsreader assumes top posting by default, so I have been top posting for the past 10 years. If you don't like it then it is your problem, not mine.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

"Daniel Brown" wrote in message news:ab5568160907080916o1cf9b60et395458e575ee0...@mail.gmail.com...
> On Wed, Jul 8, 2009 at 12:14, Tony Marston wrote:
>> No it isn't. That's just your personal preference. Mine is different.
>
> Uhh Tony, if that's in response to me, you're wrong. Please read the rules before posting what you believe to be fact. ;-P
>
> --
> daniel.br...@parasane.net || danbr...@php.net
> http://www.parasane.net/ || http://www.pilotpig.net/
> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 12:14, Tony Marston wrote:
> No it isn't. That's just your personal preference. Mine is different.

Uhh Tony, if that's in response to me, you're wrong. Please read the rules before posting what you believe to be fact. ;-P

--
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
Re: [PHP] Simple login form with cookies
No it isn't. That's just your personal preference. Mine is different.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

"PJ" wrote in message news:4a54c0e8.2080...@videotron.ca...
> Michael A. Peters wrote:
>> Daniel Brown wrote:
>>> First, a reminder to several (including some in this thread) that top-posting is against the law here.
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 11:53 AM, PJ wrote:
> Michael A. Peters wrote:
>> Daniel Brown wrote:
>>> First, a reminder to several (including some in this thread) that top-posting is against the law here.
>>>
>>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta wrote:
>>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>>>
>>> Second, another, more important reminder:
>>>
>>> <?php
>>> $username = '" OR 1 OR "';
>>> ?>
>>>
>>> Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in. The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing but with top-posters, you never know ;-P).
>>
>> prepared statements really do a pretty good job at neutering sql injection. But one shouldn't be lazy with input validation anyway.
>
> I have a couple of questions/comments re all this:
>
> 1. Doing the login and processing through https should add a bit more security, it seems to me.

It does add security between your user's web browser and the web server. It's up to you to keep it secure once you receive it.

> 2. Cleaning is another bloody headache, for me anyway. I have found that almost every time I try to do some cleaning with trim and mysql_real_escape_string and stripslashes wipes out my usernames and passwords. I haven't been able to use them when doing the crypt and encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit lost on this.
> Specifically, this wipes out my login and password... (I know, this is old code, but it is supposed to work, no? )
>
> //Function to sanitize values received from the form. Prevents SQL injection
> function clean($str) {
>     $str = @trim($str);
>     if(get_magic_quotes_gpc()) {
>         $str = stripslashes($str);
>     }
>     return mysql_real_escape_string($str);
> }
>
> //Sanitize the POST values
> $login = clean($_POST['login']);
> $password = clean($_POST['password']);
>
> When I echoed the cleaned $login and $password, they looked like they had just gone through an acid bath before being hit by Katrina (hurricane)... ;-) rather whitewashed and empty. There was nothing left to work with.

One thing to check - I'm pretty sure that mysql_real_escape_string will only work if you have an open connection to mysql, because it uses that connection to figure out what character encoding is being used so it can escape the string accordingly. (If unable to connect, it should raise an E_WARNING.) I'm not sure why you would need to use @ with trim(), but that shouldn't matter. Otherwise, nothing in there should mangle the input.

Andrew
Re: [PHP] Simple login form with cookies
Michael A. Peters wrote:
> Daniel Brown wrote:
>> First, a reminder to several (including some in this thread) that top-posting is against the law here.
>>
>> On Wed, Jul 8, 2009 at 09:48, Martin Scotta wrote:
>>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>>
>> Second, another, more important reminder:
>>
>> <?php
>> $username = '" OR 1 OR "';
>> ?>
>>
>> Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in. The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing but with top-posters, you never know ;-P).
>
> prepared statements really do a pretty good job at neutering sql injection. But one shouldn't be lazy with input validation anyway.

I have a couple of questions/comments re all this:

1. Doing the login and processing through https should add a bit more security, it seems to me.

2. Cleaning is another bloody headache, for me anyway. I have found that almost every time I try to do some cleaning with trim and mysql_real_escape_string and stripslashes wipes out my usernames and passwords. I haven't been able to use them when doing the crypt and encrypt stuff with salt. Without cleaning it works fine... so, I'm a bit lost on this.
Specifically, this wipes out my login and password... (I know, this is old code, but it is supposed to work, no? )

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

When I echoed the cleaned $login and $password, they looked like they had just gone through an acid bath before being hit by Katrina (hurricane)... ;-) rather whitewashed and empty. There was nothing left to work with.

--
Hervé Kempf: "To save the planet, get out of capitalism."
-
Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
Re: [PHP] Simple login form with cookies
Daniel Brown wrote:
> First, a reminder to several (including some in this thread) that top-posting is against the law here.
>
> On Wed, Jul 8, 2009 at 09:48, Martin Scotta wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>
> Second, another, more important reminder:
>
> <?php
> $username = '" OR 1 OR "';
> ?>
>
> Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in. The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing but with top-posters, you never know ;-P).

prepared statements really do a pretty good job at neutering sql injection. But one shouldn't be lazy with input validation anyway.
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 10:44 AM, Andrew Ballard wrote:
> On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>>
>> I use this solution because md5 runs faster in MySQL
>>
>> --
>> Martin Scotta
>
> If you were running a loop to build a rainbow table or brute-force a password, I could see where that would matter. For authenticating a single user it seems like premature optimization to me. On my development machine, where PHP runs slow inside of the IDE, the average time to perform an md5 hash on a text string of 38 characters (much longer than most passwords) over 1 iterations is around 0.00085 seconds. I can live with that. :-) I still like handling the encryption in PHP and then passing the encrypted value to the database for storage/comparison.
>
> Andrew

You shouldn't be using md5 or sha1 to hash passwords as both have been attacked and successfully exploited. There are other hashing functions in PHP that you should use. And FWIW, you WANT hashing to be slow. The faster it is, the less complicated the algorithm is (assuming all implementations are equal), the easier it is to break. And if you're storing hashed passwords as a means of verification, SALT THEM FOR CHRIST'S SAKE.

//somewhere where you can access it several places, like config.php
define('SALT', '2435kh...@#$@#14asdnaksa10=nsdf'); //random characters, the longer and more random, the better. If it was email compatible, I'd have given a "real" salt read out of /dev/random at some point, like you should be doing.

//prepare the password
$password = $_POST['password'] . SALT;
$password = hash('sha512', $password); //assume you've validated $_POST['password']

//query the database to make sure the password is the right one
$stmt = $db->prepare('SELECT password FROM users WHERE user_name=?'); //the closing quote of the SQL string was missing
$userName = $_POST['user_name']; //the placeholder is the user name, not the hash (the original bound $password here); the 'user_name' form field is assumed
$stmt->bindParam(1, $userName);
$stmt->execute(); //execute() was missing; fetch() returns nothing before the statement has run
list($dbPass) = $stmt->fetch();
if($dbPass == $password) {
    echo 'success';
} else {
    echo 'failure';
}

The reason you salt passwords, especially with binary characters, is that without knowing what the salt is, it's nearly impossible to create a rainbow table and run rainbow table attacks on your database. It costs nearly nothing to do, in terms of resource usage and any sort of human comprehensible scheme to store those hashes is easily broken. I've seen "{$user}{$randomCharacter}{$password}" used before, and I'd never recommend something so simple.

--Eddie
Re: [PHP] Simple login form with cookies
On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta wrote:
> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';
>
> I use this solution because md5 runs faster in MySQL
>
> --
> Martin Scotta

If you were running a loop to build a rainbow table or brute-force a password, I could see where that would matter. For authenticating a single user it seems like premature optimization to me. On my development machine, where PHP runs slow inside of the IDE, the average time to perform an md5 hash on a text string of 38 characters (much longer than most passwords) over 1 iterations is around 0.00085 seconds. I can live with that. :-) I still like handling the encryption in PHP and then passing the encrypted value to the database for storage/comparison.

Andrew
Re: [PHP] Simple login form with cookies
First, a reminder to several (including some in this thread) that top-posting is against the law here.

On Wed, Jul 8, 2009 at 09:48, Martin Scotta wrote:
> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';

Second, another, more important reminder:

<?php
$username = '" OR 1 OR "';
?>

Since the first rows in a database are usually the default administrator logins, the first to match what is basically a 'match if this is a row' statement will be logged in. The moral of the story: don't forget to clean your input (which I'm sure ya'all were doing but with top-posters, you never know ;-P).

--
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
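Martin's string-built query beside a parameterised version, as an added example that is not code from any post in the thread. It runs against an in-memory SQLite database through PDO (pdo_sqlite, PHP 7.1+) with constructed sample rows; SQLite has no md5(), so the md5(concat()) step of the MySQL query is computed in PHP, which is what Andrew's reply suggests anyway. The table layout, the legacyHash helper and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: Martin's concatenated query next to
// the prepared-statement form Michael recommends, run against pdo_sqlite.
declare(strict_types=1);

// Same value Martin's query computes in MySQL: md5(concat(username, '@', password)).
// Kept only to reproduce the thread's scheme; see Eddie's post on why md5 is a poor choice.
function legacyHash(string $username, string $password): string
{
    return md5($username . '@' . $password);
}

// Constructed in-memory table. The first row is the administrator, the situation
// Daniel's warning is about.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, passwd TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, passwd) VALUES (?, ?)');
    foreach ([['admin', 'admin-pw-sample'], ['alice', 'alice-pw-sample']] as [$u, $p]) {
        $ins->execute([$u, legacyHash($u, $p)]);
    }
    return $db;
}

// VULNERABLE: the SQL text is assembled from the submitted username, so a quote
// character in it ends the string literal and the rest is parsed as SQL.
function loginConcat(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username
         . "' AND passwd = '" . legacyHash($username, $password) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the SQL text is fixed and the values travel separately as parameters,
// so whatever the username contains is compared as data, never parsed as SQL.
function loginPrepared(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND passwd = ?');
    $stmt->execute([$username, legacyHash($username, $password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();

// Daniel's input, adapted to the single-quoted literals this query uses.
$injected = "' OR 1 OR '";

// With concatenation the WHERE clause becomes a tautology and the first row,
// the administrator, is "authenticated" without any password.
var_dump(loginConcat($db, $injected, 'anything'));

// With a prepared statement no account has that literal name, so no row comes back.
var_dump(loginPrepared($db, $injected, 'anything'));

// Ordinary credentials still work through the hardened path.
var_dump(loginPrepared($db, 'alice', 'alice-pw-sample'));
```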
Re: [PHP] Simple login form with cookies
$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';

I use this solution because md5 runs faster in MySQL

On Wed, Jul 8, 2009 at 10:28 AM, Andrew Ballard wrote:
> On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters wrote:
>> Carl Furst wrote:
>>> <?php
>>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
>>> $passwd = crypt($_GET['passwd'], $salt);
>>
>> I personally use the username and the salt. That way two users with identical passwords have different hashes.
>>
>> With large databases, many users will have the same password, there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.
>>
>> By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.
>>
>> It does mean the password has to be reset if you allow them to change their login name.
>
> The password does not need to be reset. You could require that they provide the password again (even though they are already authenticated) on the same form with the new username. Then you can do the same encrypt/compare that you do for authentication, and if it matches you just update the username and the hash at the same time.
>
> Andrew

--
Martin Scotta
Re: [PHP] Simple login form with cookies
On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters wrote:
> Carl Furst wrote:
>> <?php
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt. That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password, there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change their login name.

The password does not need to be reset. You could require that they provide the password again (even though they are already authenticated) on the same form with the new username. Then you can do the same encrypt/compare that you do for authentication, and if it matches you just update the username and the hash at the same time.

Andrew
Re: [PHP] Simple login form with cookies
On Wednesday 08 July 2009 04:25:46 Carl Furst wrote:
> These are great ideas.
>
> Another option would be to have the user choose a pin number and use either the literal pin or the encrypted pin as part of the salt. This way only when you change the pin do you need to change the password, which is probably what you would want anyway.
>
> Michael A. Peters wrote:
>> Carl Furst wrote:
>>> <?php
>>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
>>> $passwd = crypt($_GET['passwd'], $salt);
>>
>> I personally use the username and the salt. That way two users with identical passwords have different hashes.
>>
>> With large databases, many users will have the same password, there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.
>>
>> By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.
>>
>> It does mean the password has to be reset if you allow them to change their login name.

and then make a visit to their house to give them a secondary password that they have to use. Make sure you're not tailed on the way to avoid the password being intercepted...

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Simple login form with cookies
These are great ideas.

Another option would be to have the user choose a pin number and use either the literal pin or the encrypted pin as part of the salt. This way only when you change the pin do you need to change the password, which is probably what you would want anyway.

Michael A. Peters wrote:
> Carl Furst wrote:
>> <?php
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt. That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password, there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change their login name.
Re: [PHP] Simple login form with cookies
Carl Furst wrote:
> <?php
> $salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
> $passwd = crypt($_GET['passwd'], $salt);

I personally use the username and the salt. That way two users with identical passwords have different hashes.

With large databases, many users will have the same password, there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.

By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.

It does mean the password has to be reset if you allow them to change their login name.
Re: [PHP] Simple login form with cookies
Carl Furst wrote:
> The basic model for password authentication is to use one way crypt routines. MySql has several, PHP also has them. The basic algorithm would be like this:
>
> 1) read the password from the form.
> 2) read the password from your datastore that matches the user name or session
> 3) encrypt the password on the form.
> 4) do a string comparison between the database data and the encrypted password from the form.

Read the password on the form. Encrypt the password on the form using the same salt and algorithm you use to generate the hash. Then -

$sql = "SELECT id FROM userdb WHERE user='$user' AND pass='$pass'";

If your query returns a result, you now have a user id to store in the session. Otherwise, the login fails. No need to read from the database and do a string compare.

Of course you need to watch out for injection when doing it that way, but that's what prepared statements are for.
Re: Re: [PHP] Simple login form with cookies
The basic model for password authentication is to use one way crypt routines. MySql has several, PHP also has them. The basic algorithm would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted password from the form.

This of course assumes that you have been encrypting your passwords when you store them (always good practice) so I think this translates to php as (forgive me if this is bogus, it's been a while since I've done any php)

<?php
$salt = 'someglobalsaltstring'; # the salt should be the same salt used when storing passwords to your database otherwise it won't work
$passwd = crypt($_GET['passwd'], $salt);
if ($passwd == $userObject->getPassword()) { return 1; } else { return 0; } # getPassword is a method call, so it needs the parentheses
?>

So I've not tested this obviously but you would have to have a $userObject which is your interface between your software and your user data.

Hope it helps,
Carl.

PJ wrote:
> PJ wrote:
>> Jason Carson wrote:
>>>> On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
>>>>> ok, I have two sets of scripts here. One uses setcookie() for logging into the admin panel and the other uses session_start(). Both are working fine, is one more secure than the other?
>>>>
>>>> $_COOKIE data is written to a file that is readable/writeable and stored on the user's side of things. $_SESSION data is written to the server, with a cookie stored on the user's side containing just the PHPSESSID (session ID) string to identify the session file on the server.
>>>>
>>>> So determining which is better and/or more secure is really a matter of the data held there and how it's handled. If storing things like usernames or you absolutely want to store personal data in an active session, do so in $_SESSION. If you're storing a password or credit card number in the active session, you may as well do it in $_COOKIE, because you're already using an insecure model. ;-P
>>>>
>>>> --
>>>> daniel.br...@parasane.net || danbr...@php.net
>>>> http://www.parasane.net/ || http://www.pilotpig.net/
>>>> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
>>>
>>> Well I'm a newbie when it comes to PHP and programming. I guess I need to read up on login security. Do you know of, or recommend, any websites that will show me how to secure my login model (Using cookies or sessions).
>>
>> Hi Jason,
>> I'm probably not any wiser than you, but I have just (today) discovered an interesting site that seems to have some really clear explanations and tutorials re php, MySQL et al.
>> It's worth looking at (I'm trying to implement something like what you are, as well):
>> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
>> HTH,
>> PJ
>
> I just found another site which is easier to deal with (chapter references) and seems to be the original source of the brainbell site:
> http://home.bolink.org/ebooks/webP/webdb/index.htm
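Carl's four steps with the rest of the thread's advice folded in (Michael's per-user salt so identical passwords hash differently, Eddie's point that the hash should be slow, Andrew's re-verify-the-password-on-rename flow), as an added example that is not code from any of the posts. It uses PHP's password_hash()/password_verify() (bcrypt; PHP 7.1+ for the syntax used) in place of crypt() with one global salt, which draws a random salt per user so the hash does not have to depend on the username; the in-memory $users array, the function names and the sample accounts are constructed for the example.

```php
<?php
// Added example, not code from the thread. Carl's steps: read the submitted
// password, fetch the stored value for that user, hash the submission the same
// way, compare. password_hash() picks a random per-user salt and is slow by
// design; password_verify() compares in constant time, so the compare step does
// not leak how many bytes matched.
declare(strict_types=1);

// Constructed stand-in for the users table: username => ['id' => int, 'hash' => string].
function registerUser(array &$users, string $username, string $password): int
{
    if (isset($users[$username])) {
        throw new InvalidArgumentException("username '$username' is already taken");
    }
    $id = count($users) + 1;
    // Salt generation and the deliberately slow hash both happen inside password_hash().
    $users[$username] = ['id' => $id, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    return $id;
}

// Returns the user id to keep in $_SESSION (Michael's suggestion) on success,
// null on failure. Nothing distinguishes "no such user" from "wrong password".
function authenticate(array $users, string $username, string $password): ?int
{
    // Constructed hash checked when the username is unknown, so a miss costs the
    // same time as a wrong password and the delay does not reveal which names exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $record = $users[$username] ?? null;
    $ok = password_verify($password, $record['hash'] ?? $dummyHash);
    return ($ok && $record !== null) ? $record['id'] : null;
}

// Andrew's rename flow: the user re-enters the password on the rename form and
// the record moves only if it verifies. Because the salt is random rather than
// derived from the username, the stored hash itself does not need to change.
function changeUsername(array &$users, string $old, string $new, string $password): bool
{
    if (isset($users[$new]) || authenticate($users, $old, $password) === null) {
        return false;
    }
    $users[$new] = $users[$old];
    unset($users[$old]);
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery');
registerUser($users, 'bob', 'correct horse battery');

// Same password, yet the stored hashes differ: Michael's goal without tying the salt to the name.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);

// A correct login yields the id to put in the session; a wrong password or an unknown name yields null.
var_dump(authenticate($users, 'alice', 'correct horse battery'));
var_dump(authenticate($users, 'alice', 'wrong password'));
var_dump(authenticate($users, 'nobody', 'anything'));

// Rename after re-verifying the password, then log in under the new name.
var_dump(changeUsername($users, 'bob', 'robert', 'correct horse battery'));
var_dump(authenticate($users, 'robert', 'correct horse battery'));
```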
Re: [PHP] Simple login form with cookies
PJ wrote:
> Jason Carson wrote:
>>> On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
>>>> ok, I have two sets of scripts here. One uses setcookie() for logging into the admin panel and the other uses session_start(). Both are working fine, is one more secure than the other?
>>>
>>> $_COOKIE data is written to a file that is readable/writeable and stored on the user's side of things. $_SESSION data is written to the server, with a cookie stored on the user's side containing just the PHPSESSID (session ID) string to identify the session file on the server.
>>>
>>> So determining which is better and/or more secure is really a matter of the data held there and how it's handled. If storing things like usernames or you absolutely want to store personal data in an active session, do so in $_SESSION. If you're storing a password or credit card number in the active session, you may as well do it in $_COOKIE, because you're already using an insecure model. ;-P
>>>
>>> --
>>> daniel.br...@parasane.net || danbr...@php.net
>>> http://www.parasane.net/ || http://www.pilotpig.net/
>>> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
>>
>> Well I'm a newbie when it comes to PHP and programming. I guess I need to read up on login security. Do you know of, or recommend, any websites that will show me how to secure my login model (Using cookies or sessions).
>
> Hi Jason,
> I'm probably not any wiser than you, but I have just (today) discovered an interesting site that seems to have some really clear explanations and tutorials re php, MySQL et al.
> It's worth looking at (I'm trying to implement something like what you are, as well):
> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
> HTH,
> PJ

I just found another site which is easier to deal with (chapter references) and seems to be the original source of the brainbell site:
http://home.bolink.org/ebooks/webP/webdb/index.htm

--
Hervé Kempf: "To save the planet, get out of capitalism."
-
Phil Jourdan --- p...@ptahhotep.com
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php
Re: [PHP] Simple login form with cookies
> Jason Carson wrote:
>>> On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
>>>> ok, I have two sets of scripts here. One uses setcookie() for logging into the admin panel and the other uses session_start(). Both are working fine, is one more secure than the other?
>>>
>>> $_COOKIE data is written to a file that is readable/writeable and stored on the user's side of things. $_SESSION data is written to the server, with a cookie stored on the user's side containing just the PHPSESSID (session ID) string to identify the session file on the server.
>>>
>>> So determining which is better and/or more secure is really a matter of the data held there and how it's handled. If storing things like usernames or you absolutely want to store personal data in an active session, do so in $_SESSION. If you're storing a password or credit card number in the active session, you may as well do it in $_COOKIE, because you're already using an insecure model. ;-P
>>>
>>> --
>>> daniel.br...@parasane.net || danbr...@php.net
>>> http://www.parasane.net/ || http://www.pilotpig.net/
>>> Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig
>>
>> Well I'm a newbie when it comes to PHP and programming. I guess I need to read up on login security. Do you know of, or recommend, any websites that will show me how to secure my login model (Using cookies or sessions).
>
> Hi Jason,
> I'm probably not any wiser than you, but I have just (today) discovered an interesting site that seems to have some really clear explanations and tutorials re php, MySQL et al.
> It's worth looking at (I'm trying to implement something like what you are, as well):
> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
> HTH,
> PJ
>
> --
> Hervé Kempf: "To save the planet, get out of capitalism."
> -
> Phil Jourdan --- p...@ptahhotep.com
> http://www.ptahhotep.com
> http://www.chiccantine.com/andypantry.php

I'll check it out this evening when I have some time. Thanks for the link.
Re: [PHP] Simple login form with cookies
Jason Carson wrote:
>> On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
>>> ok, I have two sets of scripts here. One uses setcookie() for logging
>>> into the admin panel and the other uses session_start(). Both are
>>> working fine, is one more secure than the other?
>>
>> $_COOKIE data is written to a file that is readable/writable and
>> stored on the user's side of things. $_SESSION data is written to the
>> server, with a cookie stored on the user's side containing just the
>> PHPSESSID (session ID) string to identify the session file on the
>> server.
>>
>> So determining which is better and/or more secure is really a
>> matter of the data held there and how it's handled. If storing things
>> like usernames or you absolutely want to store personal data in an
>> active session, do so in $_SESSION. If you're storing a password or
>> credit card number in the active session, you may as well do it in
>> $_COOKIE, because you're already using an insecure model. ;-P
>>
> Well I'm a newbie when it comes to PHP and programming. I guess I need to
> read up on login security. Do you know of, or recommend, any websites that
> will show me how to secure my login model (using cookies or sessions).
>

Hi Jason,
I'm probably not any wiser than you, but I have just (today) discovered
an interesting site that seems to have some really clear explanations
and tutorials re PHP, MySQL et al.
It's worth looking at (I'm trying to implement something like what you
are, as well):
http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
HTH,
PJ
Re: [PHP] Simple login form with cookies
> On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
>> ok, I have two sets of scripts here. One uses setcookie() for logging
>> into the admin panel and the other uses session_start(). Both are
>> working fine, is one more secure than the other?
>
> $_COOKIE data is written to a file that is readable/writable and
> stored on the user's side of things. $_SESSION data is written to the
> server, with a cookie stored on the user's side containing just the
> PHPSESSID (session ID) string to identify the session file on the
> server.
>
> So determining which is better and/or more secure is really a
> matter of the data held there and how it's handled. If storing things
> like usernames or you absolutely want to store personal data in an
> active session, do so in $_SESSION. If you're storing a password or
> credit card number in the active session, you may as well do it in
> $_COOKIE, because you're already using an insecure model. ;-P
>

Well I'm a newbie when it comes to PHP and programming. I guess I need to
read up on login security. Do you know of, or recommend, any websites that
will show me how to secure my login model (using cookies or sessions).
Re: [PHP] Simple login form with cookies
On Mon, Jul 6, 2009 at 02:19, Jason Carson wrote:
> ok, I have two sets of scripts here. One uses setcookie() for logging into
> the admin panel and the other uses session_start(). Both are working fine,
> is one more secure than the other?

$_COOKIE data is written to a file that is readable/writable and
stored on the user's side of things. $_SESSION data is written to the
server, with a cookie stored on the user's side containing just the
PHPSESSID (session ID) string to identify the session file on the
server.

So determining which is better and/or more secure is really a
matter of the data held there and how it's handled. If storing things
like usernames or you absolutely want to store personal data in an
active session, do so in $_SESSION. If you're storing a password or
credit card number in the active session, you may as well do it in
$_COOKIE, because you're already using an insecure model. ;-P
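The session-based model Daniel describes, written out as an added example (this is not code from the thread or from any of its posters). It is the admin.php guard that replaces the `isset($_COOKIE['adminuser'])` check quoted in this thread: the browser holds only the opaque session ID, the login state lives server-side in $_SESSION, and the script never trusts anything the client typed into a cookie. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that the site is served over HTTPS, and that authenticate.php stores the logged-in name in `$_SESSION['admin_user']` and a timestamp in `$_SESSION['last_seen']`; those two key names are this example's own convention.

```php
<?php
// Added example (not code from the thread): a session-based admin guard.
// Only an opaque session ID travels in the cookie; the login state lives
// server-side in $_SESSION.

// Harden the session cookie before the session starts. Assumes HTTPS;
// 'secure' => true means the ID is never sent over plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,        // expire when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,     // keep the ID away from JavaScript
    'samesite' => 'Lax',    // limit cross-site requests carrying the cookie
]);
session_start();

// The model from the thread, for contrast: everything in $_COOKIE is
// written by the client, so this "authentication" is satisfied by any two
// cookies of the right name, whatever their values.
//   if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) { ... }

/**
 * True only if authenticate.php recorded a login in this session (assumed
 * keys 'admin_user' and 'last_seen') and the session has not been idle
 * longer than $maxIdleSeconds. Refreshes the idle timer on success.
 */
function isAdminLoggedIn(array &$session, int $now, int $maxIdleSeconds = 900): bool
{
    if (empty($session['admin_user']) || empty($session['last_seen'])) {
        return false;
    }
    if ($now - (int)$session['last_seen'] > $maxIdleSeconds) {
        return false;       // idle timeout: caller clears the session
    }
    $session['last_seen'] = $now;
    return true;
}

/** Wipe the server-side state and expire the client's session cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (isset($_GET['logout'])) {
    logout();
    header('Location: index.php');
    exit;
}

if (!isAdminLoggedIn($_SESSION, time())) {
    logout();                   // drop any stale state before bouncing
    header('Location: index.php');
    exit;                       // never fall through after a redirect
}

echo 'Success: logged in as '
   . htmlspecialchars($_SESSION['admin_user'], ENT_QUOTES, 'UTF-8');
```

The `exit` after each `header('Location: ...')` matters: without it PHP keeps executing and the protected page body is still sent to an unauthenticated client along with the redirect header.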
Re: [PHP] Simple login form with cookies
> On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson wrote:
>>> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson wrote:
>>>>> Hello everyone,
>>>>>
>>>>> I am trying to create a PHP login script using cookies but am having
>>>>> some troubles. Here is my setup
>>>>>
>>>>>     index.php -> authenticate.php -> admin.php
>>>>>
>>>>> I want a login form on index.php that allows me to login with my
>>>>> username and password and then passes $_POST['username'] and
>>>>> $_POST['password'] to authenticate.php
>>>>>
>>>>> Then authenticate.php authenticates against a database of allowed
>>>>> users (which I already have set up and it works fine); if a valid
>>>>> user has entered the correct information then admin.php is loaded...
>>>>>
>>>>> header("location:admin.php");
>>>>>
>>>>> ...the admin.php code would look something like the following..
>>>>>
>>>>> <?php
>>>>> if (isset($_COOKIE['username'])) {
>>>>>     echo "success!";
>>>>> } else {
>>>>>     echo "Failure";
>>>>> }
>>>>> ?>
>>>>>
>>>>> So basically I think I need to create a cookie from index.php OR
>>>>> authenticate.php and then pass the information to admin.php.
>>>>> I set the cookie like this...
>>>>>
>>>>> setcookie("Admin", $username);
>>>>>
>>>>> In which file (index.php OR authenticate.php) do I create the cookie
>>>>> and how do I access the information in the cookie on admin.php?
>>>>>
>>>> I finally got it working. I needed to setcookie() in login.php. Also,
>>>> the names of the cookies (using setcookie()) were wrong (the names
>>>> were "Admin" when they should have been "adminuser" and "adminpass").
>>>> Once I fixed that then the following worked in admin.php...
>>>>
>>>> <?php
>>>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>>>     echo "Success";
>>>> } else {
>>>>     echo "Failed";
>>>> }
>>>> ?>
>>>>
>>> You're not storing anything usable in the adminpass cookie, are you?
>>> It sort of sounds like you're storing a password, or even a passhash,
>>> in the cookie and you might want to rethink what that cookie contains
>>> to prevent session hijacking.
>>>
>> Yeah, I am storing an unencrypted password in the cookie. Should I
>> encrypt it, if so how, if not what should I do?
>>
>> I am new to programming and PHP web development so I am not aware of all
>> the security problems that can occur.
>>
> That's an enormous question without an easy, or even a correct answer.
> I'd start by googling around for "session hijacking." One of the
> things that's probably not PC to say, is don't learn to prevent
> session hijacking, learn to hijack sessions. Once you know how to
> hijack a session, you can audit your own code and fix the security
> holes.
>
> Although the best advice would probably be to find someone else's
> session implementation and use that, seeing as there's no real reason
> to recreate such a worn-in wheel.
>

ok, I have two sets of scripts here. One uses setcookie() for logging into
the admin panel and the other uses session_start(). Both are working fine,
is one more secure than the other?
Re: [PHP] Simple login form with cookies
On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson wrote:
>> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson wrote:
>>>> Hello everyone,
>>>>
>>>> I am trying to create a PHP login script using cookies but am having
>>>> some troubles. Here is my setup
>>>>
>>>>     index.php -> authenticate.php -> admin.php
>>>>
>>>> I want a login form on index.php that allows me to login with my
>>>> username and password and then passes $_POST['username'] and
>>>> $_POST['password'] to authenticate.php
>>>>
>>>> Then authenticate.php authenticates against a database of allowed
>>>> users (which I already have set up and it works fine); if a valid
>>>> user has entered the correct information then admin.php is loaded...
>>>>
>>>> header("location:admin.php");
>>>>
>>>> ...the admin.php code would look something like the following..
>>>>
>>>> <?php
>>>> if (isset($_COOKIE['username'])) {
>>>>     echo "success!";
>>>> } else {
>>>>     echo "Failure";
>>>> }
>>>> ?>
>>>>
>>>> So basically I think I need to create a cookie from index.php OR
>>>> authenticate.php and then pass the information to admin.php.
>>>> I set the cookie like this...
>>>>
>>>> setcookie("Admin", $username);
>>>>
>>>> In which file (index.php OR authenticate.php) do I create the cookie
>>>> and how do I access the information in the cookie on admin.php?
>>>>
>>> I finally got it working. I needed to setcookie() in login.php. Also,
>>> the names of the cookies (using setcookie()) were wrong (the names
>>> were "Admin" when they should have been "adminuser" and "adminpass").
>>> Once I fixed that then the following worked in admin.php...
>>>
>>> <?php
>>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>>     echo "Success";
>>> } else {
>>>     echo "Failed";
>>> }
>>> ?>
>>>
>> You're not storing anything usable in the adminpass cookie, are you?
>> It sort of sounds like you're storing a password, or even a passhash,
>> in the cookie and you might want to rethink what that cookie contains
>> to prevent session hijacking.
>>
> Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
> it, if so how, if not what should I do?
>
> I am new to programming and PHP web development so I am not aware of all
> the security problems that can occur.
>

That's an enormous question without an easy, or even a correct answer.
I'd start by googling around for "session hijacking." One of the
things that's probably not PC to say, is don't learn to prevent
session hijacking, learn to hijack sessions. Once you know how to
hijack a session, you can audit your own code and fix the security
holes.

Although the best advice would probably be to find someone else's
session implementation and use that, seeing as there's no real reason
to recreate such a worn-in wheel.
Re: [PHP] Simple login form with cookies
> On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson wrote:
>>> Hello everyone,
>>>
>>> I am trying to create a PHP login script using cookies but am having
>>> some troubles. Here is my setup
>>>
>>>     index.php -> authenticate.php -> admin.php
>>>
>>> I want a login form on index.php that allows me to login with my
>>> username and password and then passes $_POST['username'] and
>>> $_POST['password'] to authenticate.php
>>>
>>> Then authenticate.php authenticates against a database of allowed users
>>> (which I already have set up and it works fine); if a valid user has
>>> entered the correct information then admin.php is loaded...
>>>
>>> header("location:admin.php");
>>>
>>> ...the admin.php code would look something like the following..
>>>
>>> <?php
>>> if (isset($_COOKIE['username'])) {
>>>     echo "success!";
>>> } else {
>>>     echo "Failure";
>>> }
>>> ?>
>>>
>>> So basically I think I need to create a cookie from index.php OR
>>> authenticate.php and then pass the information to admin.php.
>>> I set the cookie like this...
>>>
>>> setcookie("Admin", $username);
>>>
>>> In which file (index.php OR authenticate.php) do I create the cookie
>>> and how do I access the information in the cookie on admin.php?
>>>
>> I finally got it working. I needed to setcookie() in login.php. Also,
>> the names of the cookies (using setcookie()) were wrong (the names
>> were "Admin" when they should have been "adminuser" and "adminpass").
>> Once I fixed that then the following worked in admin.php...
>>
>> <?php
>> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>>     echo "Success";
>> } else {
>>     echo "Failed";
>> }
>> ?>
>>
> You're not storing anything usable in the adminpass cookie, are you?
> It sort of sounds like you're storing a password, or even a passhash,
> in the cookie and you might want to rethink what that cookie contains
> to prevent session hijacking.
>

Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
it, if so how, if not what should I do?

I am new to programming and PHP web development so I am not aware of all
the security problems that can occur.
Re: [PHP] Simple login form with cookies
On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson wrote:
>> Hello everyone,
>>
>> I am trying to create a PHP login script using cookies but am having some
>> troubles. Here is my setup
>>
>>     index.php -> authenticate.php -> admin.php
>>
>> I want a login form on index.php that allows me to login with my username
>> and password and then passes $_POST['username'] and $_POST['password'] to
>> authenticate.php
>>
>> Then authenticate.php authenticates against a database of allowed users
>> (which I already have set up and it works fine); if a valid user has
>> entered the correct information then admin.php is loaded...
>>
>> header("location:admin.php");
>>
>> ...the admin.php code would look something like the following..
>>
>> <?php
>> if (isset($_COOKIE['username'])) {
>>     echo "success!";
>> } else {
>>     echo "Failure";
>> }
>> ?>
>>
>> So basically I think I need to create a cookie from index.php OR
>> authenticate.php and then pass the information to admin.php.
>> I set the cookie like this...
>>
>> setcookie("Admin", $username);
>>
>> In which file (index.php OR authenticate.php) do I create the cookie and
>> how do I access the information in the cookie on admin.php?
>>
> I finally got it working. I needed to setcookie() in login.php. Also, the
> names of the cookies (using setcookie()) were wrong (the names were
> "Admin" when they should have been "adminuser" and "adminpass"). Once I
> fixed that then the following worked in admin.php...
>
> <?php
> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>     echo "Success";
> } else {
>     echo "Failed";
> }
> ?>
>

You're not storing anything usable in the adminpass cookie, are you?
It sort of sounds like you're storing a password, or even a passhash,
in the cookie and you might want to rethink what that cookie contains
to prevent session hijacking.
Re: [PHP] Simple login form with cookies
>> Hello everyone,
>>
>> I am trying to create a PHP login script using cookies but am having
>> some troubles. Here is my setup
>>
>>     index.php -> authenticate.php -> admin.php
>>
>> I want a login form on index.php that allows me to login with my
>> username and password and then passes $_POST['username'] and
>> $_POST['password'] to authenticate.php
>>
>> Then authenticate.php authenticates against a database of allowed users
>> (which I already have set up and it works fine); if a valid user has
>> entered the correct information then admin.php is loaded...
>>
>> header("location:admin.php");
>>
>> ...the admin.php code would look something like the following..
>>
>> <?php
>> if (isset($_COOKIE['username'])) {
>>     echo "success!";
>> } else {
>>     echo "Failure";
>> }
>> ?>
>>
>> So basically I think I need to create a cookie from index.php OR
>> authenticate.php and then pass the information to admin.php.
>> I set the cookie like this...
>>
>> setcookie("Admin", $username);
>>
>> In which file (index.php OR authenticate.php) do I create the cookie and
>> how do I access the information in the cookie on admin.php?
>>
> I finally got it working. I needed to setcookie() in login.php. Also, the

oops, I typed login.php when I meant authenticate.php

> names of the cookies (using setcookie()) were wrong (the names were
> "Admin" when they should have been "adminuser" and "adminpass"). Once I
> fixed that then the following worked in admin.php...
>
> <?php
> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
>     echo "Success";
> } else {
>     echo "Failed";
> }
> ?>
>
Re: [PHP] Simple login form with cookies
> Hello everyone,
>
> I am trying to create a PHP login script using cookies but am having some
> troubles. Here is my setup
>
>     index.php -> authenticate.php -> admin.php
>
> I want a login form on index.php that allows me to login with my username
> and password and then passes $_POST['username'] and $_POST['password'] to
> authenticate.php
>
> Then authenticate.php authenticates against a database of allowed users
> (which I already have set up and it works fine); if a valid user has
> entered the correct information then admin.php is loaded...
>
> header("location:admin.php");
>
> ...the admin.php code would look something like the following..
>
> <?php
> if (isset($_COOKIE['username'])) {
>     echo "success!";
> } else {
>     echo "Failure";
> }
> ?>
>
> So basically I think I need to create a cookie from index.php OR
> authenticate.php and then pass the information to admin.php.
> I set the cookie like this...
>
> setcookie("Admin", $username);
>
> In which file (index.php OR authenticate.php) do I create the cookie and
> how do I access the information in the cookie on admin.php?
>

I finally got it working. I needed to setcookie() in login.php. Also, the
names of the cookies (using setcookie()) were wrong (the names were
"Admin" when they should have been "adminuser" and "adminpass"). Once I
fixed that then the following worked in admin.php...

<?php
if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
    echo "Success";
} else {
    echo "Failed";
}
?>
Re: [PHP] Simple login form with cookies
On Mon, Jul 06, 2009 at 12:03:34AM -0400, Jason Carson wrote:

> Hello everyone,
>
> I am trying to create a PHP login script using cookies but am having some
> troubles. Here is my setup
>
>     index.php -> authenticate.php -> admin.php
>
> I want a login form on index.php that allows me to login with my username
> and password and then passes $_POST['username'] and $_POST['password'] to
> authenticate.php
>
> Then authenticate.php authenticates against a database of allowed users
> (which I already have set up and it works fine); if a valid user has
> entered the correct information then admin.php is loaded...
>
> header("location:admin.php");
>
> ...the admin.php code would look something like the following..
>
> <?php
> if (isset($_COOKIE['username'])) {
>     echo "success!";
> } else {
>     echo "Failure";
> }
> ?>
>
> So basically I think I need to create a cookie from index.php OR
> authenticate.php and then pass the information to admin.php.
> I set the cookie like this...
>
> setcookie("Admin", $username);
>
> In which file (index.php OR authenticate.php) do I create the cookie and
> how do I access the information in the cookie on admin.php?

Just think about it. I assume you're not going to allow someone to run
admin.php unless they're authenticated. And you plan to determine whether
they're authenticated by checking a cookie. So you can only set that cookie
*after* you've authenticated them. Which means you'll need to set the cookie
after you've processed the results from authenticate.php.

My practice is generally to make forms re-entrant. That is, the data
returned from authenticate.php would be processed by authenticate.php. You'd
need to put a branch in authenticate.php to determine if this is a fresh
invocation of the file, or if the user is returning data to you. The second
time through, you check the returned values against your database and set
your cookie.

Checking the value in the cookie is as you detail it above:
$_COOKIE['blahblah'].

Paul

--
Paul M. Foster
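Paul's re-entrant authenticate.php, written out as an added example (not code from the thread or from any of its posters): a plain GET renders the form, and a POST is the form coming back, so the same file branches on the request method. On success it records the login server-side in $_SESSION and redirects, instead of the `setcookie("Admin", $username)` approach in the original post, so neither the password nor its hash ever reaches a cookie. Assumed, and not part of the thread: PHP 7.1 or later, a `db.php` that creates a PDO connection `$pdo`, a table `users(username, password_hash)` whose hashes were produced with password_hash(), and the session keys `admin_user` and `last_seen` that a session-based admin.php would read.

```php
<?php
// Added example (not code from the thread): re-entrant authenticate.php.
// GET  -> show the login form.
// POST -> verify the submitted credentials; on success store the login in
//         $_SESSION and redirect to admin.php. No secret is written to a cookie.

require __DIR__ . '/db.php';   // assumed: defines $pdo (PDO connection)
session_start();

/**
 * Look up $username and check $password against its stored hash.
 * Returns the username on success, null otherwise. A hash check runs even
 * for unknown users so the response time does not reveal which names exist.
 */
function checkCredentials(PDO $pdo, string $username, string $password): ?string
{
    // Bound parameter: the user-supplied name never touches the SQL text,
    // so no manual escaping (and no mysql_real_escape_string) is needed.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a throwaway hash so the miss path costs
    // about the same as the hit path; the result is discarded below.
    $hash = $row ? $row['password_hash']
                 : password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $ok = password_verify($password, $hash) && $row !== false;
    return $ok ? $row['username'] : null;
}

/** Render the login form, optionally with an error line above it. */
function renderForm(string $error = ''): void
{
    if ($error !== '') {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="authenticate.php">'
       . 'User: <input name="username"> '
       . 'Password: <input type="password" name="password"> '
       . '<input type="submit" value="Log in"></form>';
}

// The branch Paul describes: fresh invocation (GET) or data coming back (POST).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    renderForm();
    exit;
}

$username = isset($_POST['username']) ? (string)$_POST['username'] : '';
$password = isset($_POST['password']) ? (string)$_POST['password'] : '';

$user = checkCredentials($pdo, $username, $password);
if ($user === null) {
    // One message for both bad user and bad password: no username oracle.
    renderForm('Login failed.');
    exit;
}

// Success. Issue a fresh session ID so an ID handed out before login cannot
// be reused (session fixation), then remember who is logged in server-side.
session_regenerate_id(true);
$_SESSION['admin_user'] = $user;
$_SESSION['last_seen']  = time();

header('Location: admin.php');
exit;
```

The thread's own setup stored the password in the `adminpass` cookie and treated its mere presence as proof of login. In this version the only thing the client can replay is the session ID, which session_regenerate_id() replaces at login and which admin.php can expire on idle, so a captured cookie has a bounded lifetime and carries no credential.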
[PHP] Simple login form with cookies
Hello everyone,

I am trying to create a PHP login script using cookies but am having some
troubles. Here is my setup

    index.php -> authenticate.php -> admin.php

I want a login form on index.php that allows me to login with my username
and password and then passes $_POST['username'] and $_POST['password'] to
authenticate.php

Then authenticate.php authenticates against a database of allowed users
(which I already have set up and it works fine); if a valid user has
entered the correct information then admin.php is loaded...

header("location:admin.php");

...the admin.php code would look something like the following..

<?php
if (isset($_COOKIE['username'])) {
    echo "success!";
} else {
    echo "Failure";
}
?>

So basically I think I need to create a cookie from index.php OR
authenticate.php and then pass the information to admin.php.
I set the cookie like this...

setcookie("Admin", $username);

In which file (index.php OR authenticate.php) do I create the cookie and
how do I access the information in the cookie on admin.php?