Re: [PHP] Login with Remember me Feature
Thank you for all the helpful input so far! I have now tried to implement the changes you suggested, but I unfortunately keep getting an error in line 114, in {-bracket in the switch statement. I know it is not very desirable to send all the code in a mail, but I think this is the best solution to find where the error(s) are located. Also when it comes to implementing the loggedin-function as Geoff Shang so kindly suggested for the config.php. I keep getting an error message that says that there is an error in the * return true; - line * *function loggedin() {* *if (isset($_SESSIONS['username']) || isset($_COOKIE['username'])) return true; else return false;* *}* So for now this code-block is the same as it used to be, because this done not generate any errors. When it comes to the function loggedin() inside the connexions.php, I am not sure where to call the function. Should this be just before the comparing of the password? ..or before the switch statement? *connextion.php* *?php* *include('config.php');* *?* * * *!DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml;* *head meta http-equiv=Content-Type content=text/html; charset=ISO-8859-1 / link href=?php echo $design; ?/style.css rel=stylesheet title=Style / titleConnexion/title /head body div class=header* * a href=?php echo $url_home; ?img src=?php echo $design; ?/images/logo.png alt=Members Area //a* * /div* *?php* *// LOGGOUT: //If the user is logged, we log him out* *if(isset($_SESSION['username'])) { //We log him out by deleting the username and userid sessions unset($_SESSION['username'], $_SESSION['userid'], $_SESSION['usr_level']);* *?* *div class=messageYou have successfuly been loged out.br / a href=?php echo $url_home; ?Home/a/div ?php* *} // close the if-loop user logged in* *else {* *$ousername = '';* *//We check if the form has been sent if(isset($_POST['username'], $_POST['password']))* *{* 
*//We remove slashes depending on the configuration // And encrypt the password using salt and md5* *if(get_magic_quotes_gpc()) {* *$ousername = stripslashes($_POST['username']); $username = mysql_real_escape_string(stripslashes($_POST['username'])); $password = stripslashes($_POST['password']);* *$salt = sha1(md5($password)); $password = md5($salt.$password);* *} // close the remove slashes and encrypting-loop* *else {* *$username = mysql_real_escape_string($_POST['username']); $password = $_POST['password'];* *$salt = sha1(md5($password)); $password = md5($salt.$password);* *} // close the elese: get_magic_quotes_gpc() - block* * * *//We get the password of the user* *$req = mysql_query('select password,id,usr_level from users where username='.$username.''); $dn = mysql_fetch_array($req);* * //Get user level of the user* *$usr_level = $dn['usr_level'];* * * * // if (loggedin()){ -- should be placed her??* ** *//We compare the submited password and the real one, and we check if the user exists * * if($dn['password']==$password and mysql_num_rows($req)0) {* *//If the password is ok, we set the $loginok var to true $loginok = true;* *//If the password is good, we dont show the form $form = false; * * // If the user is alredy logged in if ($loginok) { if ($remember==on) setcookie(username, $username, time()+3600*48);* * else* * //We save the user name in the session username and the user Id in the session userid* * $_SESSION['username'] = $username; $_SESSION['userid'] = $dn['id']; $_SESSION['usr_level'] = $dn['usr_level']; * * // if (loggedin()){ -- should be placed her?? * * switch ($usr_level) * *
Re: [PHP] Login with Remember me Feature
Hi guys! I have now tried to take some of your hints into consideration, by encrypting the password with md5 adding a salt. As some of you pointed out, this code is the work of a newbie, that is totally correct, so please bear with me ;) I have tried to implement a cookie to remember the login for 48 hours, but it still logs the user out after the default 24min for a session like this: * //We compare the submited password and the real one, and we check if the user exists* *if($dn['password']==$password and mysql_num_rows($req)0)* *{* ** *//If the password is ok, we set the $loginok var to true* *$loginok = true;* *//If the password is good, we dont show the form* *$form = false;* ** *}* * if ($loginok = true)* * {* * if ($remember==on) * *setcookie(username, $username, time()+7200*24);* * elseif ($remember==) * * //We save the user name in the session username and the user Id in the session userid* * $_SESSION('username')=$username; * * $_SESSION['userid'] = $dn['id'];* * $_SESSION['usr_level'] = $dn['usr_level'];* * * *.* *.* *.* *.* *.* *.* *}* Another problem I am now facing, is to check whether to user is logged in, and if it is the user should be redirected from the index-page(with the login-form) to its user area based on the user level(newbie, advanced or admin). For now I have written a function, in the config.php. *function loggedin()* *{* * if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))* * {* * $loggedin = true;* * return $loggedin;* * }* *}* I have both tried to include the config.php into the index-page(login-form) and into the connexions.php script (where cookie is implemented). Along with this code: *?php* * * *if (loggedin==true)* *{* * if($usr_level == admin)* *{* * ?* *div class=messageYou have successfuly been logged in. You can now access the admin area.br /* *?php header(Location: index_admin.php); ?/div* *?php* *}* * if($usr_level == newbie)* *{* *?* *div class=messageYou have successfuly been logged in. 
You can now access to the newbie area.br /* *?php header(Location: index_newbe.php); ?/div* *?php* *}* * if($usr_level == advanced)* *{* *?* *div class=messageYou have successfuly been logged in. You can now access the advanced area.br /* *?php header(Location: index_advanced.php); ?/div* *?php* *}* * * *}* * * *? * * * This does not redirect an alredy logged in user to its user area... I know this is messy, but if some of you can spot some improvements that hopfully can fix my cookie and redirect problem, please let me know. Tanks a lot!
Re: [PHP] Login with Remember me Feature
On Aug 14, 2011, at 8:23 AM, Alekto Antarctica wrote: Hi guys! I have now tried to take some of your hints into consideration, by encrypting the password with md5 adding a salt. As some of you pointed out, this code is the work of a newbie, that is totally correct, so please bear with me ;) I have tried to implement a cookie to remember the login for 48 hours, but it still logs the user out after the default 24min for a session like this: * //We compare the submited password and the real one, and we check if the user exists* *if($dn['password']==$password and mysql_num_rows($req)0)* *{* ** *//If the password is ok, we set the $loginok var to true* *$loginok = true;* *//If the password is good, we dont show the form* *$form = false;* ** *}* * if ($loginok = true)* * {* * if ($remember==on) * *setcookie(username, $username, time()+7200*24);* * elseif ($remember==) * * //We save the user name in the session username and the user Id in the session userid* * $_SESSION('username')= $username; * * $_SESSION['userid'] = $dn['id'];* * $_SESSION['usr_level'] = $dn['usr_level'];* * * *.* *.* *.* *.* *.* *.* *}* Another problem I am now facing, is to check whether to user is logged in, and if it is the user should be redirected from the index-page(with the login-form) to its user area based on the user level(newbie, advanced or admin). For now I have written a function, in the config.php. *function loggedin()* *{* * if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))* * {* * $loggedin = true;* * return $loggedin;* * }* *}* I have both tried to include the config.php into the index- page(login-form) and into the connexions.php script (where cookie is implemented). Along with this code: *?php* * * *if (loggedin==true)* *{* * if($usr_level == admin)* *{* * ?* *div class=messageYou have successfuly been logged in. 
You can now access the admin area.br /* *?php header(Location: index_admin.php); ?/div* *?php* *}* * if($usr_level == newbie)* *{* *?* *div class=messageYou have successfuly been logged in. You can now access to the newbie area.br /* *?php header(Location: index_newbe.php); ?/div* *?php* *}* * if($usr_level == advanced)* *{* *?* *div class=messageYou have successfuly been logged in. You can now access the advanced area.br /* *?php header(Location: index_advanced.php); ?/div* *?php* *}* * * *}* * * *? * * * This does not redirect an alredy logged in user to its user area... I know this is messy, but if some of you can spot some improvements that hopfully can fix my cookie and redirect problem, please let me know. Tanks a lot! You can't issue headers after you've sent output to the client. headers must be sent before any other output. If you have messages to be output based on the current script, you have to pass them to the redirected script for them to be output to the client. You can do this by passing them on the query string or in a session variable; there are likely other ways of doing this as well. Note that you don't have to pass the actual text of the message if you use message codes instead, which would also aid in being able to translate the output if so desired. In the code above, since the message seems tied to the particular area the user has access to and that is tied to a particular script, you could just put the message with each particular script. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: Re: [PHP] Login with Remember me Feature
On 14 Aug 2011 at 14:23, Alekto Antarctica alekto.antarct...@gmail.com wrote:

> function loggedin()
> {
>     if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))
>     {
>         $loggedin = true;
>         return $loggedin;
>     }
> }

Why not just return true; And what happens if your if doesn't evaluate to true? What do you return then?

> <?php
> if (loggedin==true)
> {

Should this be: if ($loggedin==true) ...

-- Cheers -- Tim
Re: [PHP] Login with Remember me Feature
On Sun, 14 Aug 2011, Alekto Antarctica wrote: I have tried to implement a cookie to remember the login for 48 hours, but it still logs the user out after the default 24min for a session like this: * //We compare the submited password and the real one, and we check if the user exists* *if($dn['password']==$password and mysql_num_rows($req)0)* You don't show us anything before this, so we have to assume it's all good up to here. *{* ** *//If the password is ok, we set the $loginok var to true* *$loginok = true;* *//If the password is good, we dont show the form* *$form = false;* ** *}* Maybe I'm just like this, but I always comment my closing braces. I've been in situations where I'm missing one or I need to review code I wrote months ago and understand its logic, and I find this practice useful. Yes, in this case the opening is a few lines up, but you could have a code block that runs for hundreds of lines, and it's good to remember what started it. * if ($loginok = true)* * {* First, off, as someone else mentioned, this should presumably be: if ($loginok == true) This one mistake will mean that $loginok will always be true. Second, since if statements are always looking for true conditions, you can simply type: if ($loginok) Finally, since $loginok is assigned the true value in the previous block, then, unless it is also possibly assigned elsewhere, you can just put the below code in the same code block as the above code, rather than closing and starting a new one with this if statement. * if ($remember==on) * *setcookie(username, $username, time()+7200*24);* This is not very intuitive. You're saying to add 2 hours times 24, which is a bit strange if you're trying to understand the code. I'dve found 3600*48 much more intuitive. A comment mightn't go astray here either. * elseif ($remember==) Are these the only two values that $remember can have? May as well just use else here without testing for another condition (either the user is remembering or they're not). 
* * //We save the user name in the session username and the user Id in the session userid* I think we might have an left brace missing here, unless it's gotten lost in translation. Also, I notice you're storing username and userid here, but above only stored username in the cookie. * $_SESSION('username')=$username; * This line should read: $_SESSION['username']=$username; I see the next line has it right. I'm surprised that your code didn't generate an error for this one, and since it didn't, this may indicate that this code is never reached (possibly due to the elseif test above). * $_SESSION['userid'] = $dn['id'];* * $_SESSION['usr_level'] = $dn['usr_level'];* I see a mixing of styles here. While it's all perfectly good syntax, you may want to find a style you like and stick to it. I personally find $foo = $bar; much more readable than $foo=$bar; or $foo = $bar; but each to their own. Another problem I am now facing, is to check whether to user is logged in, and if it is the user should be redirected from the index-page(with the login-form) to its user area based on the user level(newbie, advanced or admin). For now I have written a function, in the config.php. *function loggedin()* *{* * if (isset($_SESSIONS['username']) || isset($_COOKIE['username']))* * {* * $loggedin = true;* * return $loggedin;* * }* *}* As someone else pointed out, you could simply return true instead of assigning to a variable. They also pointed out that you don't return false if the person is not logged in. You could rewrite the above function like so: function loggedin() { if (isset($_SESSIONS['username']) || isset($_COOKIE['username'])) return true; else return false; } However, this doesn't actually check the values of these items, it simply checks to see if they have been set. I have both tried to include the config.php into the index-page(login-form) and into the connexions.php script (where cookie is implemented). 
Along with this code: *?php* * * *if (loggedin==true)* You need to call a function with parentheses, even if it takes no arguments, like so: if (loggedin() == true) or simply if (loggedin()) *{* * if($usr_level == admin)* *{* * ?* *div class=messageYou have successfuly been logged in. You can now access the
Re: [PHP] Login with Remember me Feature
Hello alekto,

I've got several notes to point out:

1. You can't do either a header() or a SetCookie() after any echo on the page. The out-of-php pieces of the page included.
2. Don't, please please don't store raw passwords in the database! Hash them, better even adding a salt. The guy who had been writing code of our project before me stored raw passwords, and I lost an amount of time to encrypt them live so users wouldn't notice anything happening. Please don't repeat this mistake)
3. Don't store passwords in the cookies, they can be easily stolen. The username is quite enough: if it is there and it is not empty, then you can verify if such a user exists.

-- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion
Re: [PHP] Login with Remember me Feature
alekto wrote:

> Hi, I have implemented a remember me feature in my login-script, but I can't get it to function!

If I might be so bold... then you haven't implemented the feature yet, right? ;-)

> I want to make it possible for the users to stay logged in for 30 days. This is what I got this far:

You have a logic problem... If I were you, I would write it out more simplistically first... something like:

if session cookie
    keep logged in
else, if remember me
    if verifiable
        set session cookie and redirect

Of course, that is not an example of exact logic to use, and is just a method example of how you can solve your problem. As others have suggested, I would first start reading about ob_start, ob_end_clean (which works well before a header redirect), and ob_end_flush. I agree about only needing to store the user ID in your cookie's (session and rememberme) (hashed perhaps), and not the password.

My last comment would be a kind request to strip out all unnecessary html etc.. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-)

Donovan -- D Brooke
Re: [PHP] Login with Remember me Feature
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke li...@euca.us wrote: alekto wrote: Hi, I have implemented a remember me feature in my login-script, but I can't get it to function! If I might be so bold... then you haven't implemented the feature yet, right? ;-) I want to make it possible for the users to stay logged in for 30 days. This is what I got this far: You have a logic problem... If I were you, I would write it out more simplistically first... something like: if session cookie keep logged in else, if remember me if verifiable set session cookie and redirect Of course, that is not an example of exact logic to use, and is just a method example of how you can solve your problem. As others have suggested, I would first start reading about ob_start,ob_end_clean(which works well before a header redirect), and ob_end_flush. I agree about only needing to store the user ID in your cookie's (session and rememberme) (hashed perhaps), and not the password. My last comment would be a kind request to strip out all unnecessary html etc.. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-) Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php I'm going to play the third side of this thread and ask if anyone other than me sees any clear security issues with code like that, even if username and password were taken out of the cookie, and it was hashed in the DB, there is still a security issue with thinking this way which in today's world should not be an overlooked practice. And i mean i see that the person here is a newbie, the code looks pretty bad, but i think it's worth mentioning that looking at best security practices for the situation is as trivial as figuring out your classes and methods. 
Knowing how to prevent people like, well even me, from running sql scripts from your website via forms, or stealing user sessions is essential in today's web world... You're writing some client-facing code, maybe you should look at how to write it and keep the client secure? You could at least add session and request tokens to make the persistent sessions at least a bit more secure, that's of course on top of hashing passwords (with a salt), and not storing user names and passwords in the cookie. Also escaping doesn't work, if you don't believe me, listen to the keynote that Dan Kaminsky gave at the last HOPE conference, he gives a good overview of why... Please either use parameterized queries, or the awesome hack that is base 64, don't assume that just because the function is called mysql_real_escape_string, that it actually knows what it is doing; unicode is a powerful weapon in the wrong hands! Also use === for string comparison as 42 == test! ~Alex -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
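The advice collected in this thread (no password in the cookie, salted password hashes, parameterized queries, a token for the persistent login, strict comparison), put together as an added example that is not code from any poster. It assumes PHP 7.3+ with PDO and the SQLite driver standing in for the thread's mysql_* calls; the table, column and cookie names are hypothetical, and the index.php fallback is an assumption.

```php
<?php
// Added example, not code from the thread. Table, column and cookie names are
// assumptions; in-memory SQLite stands in for the thread's MySQL database.

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                   password_hash TEXT, usr_level TEXT)');
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
                                   validator_hash TEXT, user_id INTEGER, expires INTEGER)');
    // Constructed sample user. password_hash() salts and stretches the password,
    // replacing the md5/sha1 construction posted earlier in the thread.
    $db->prepare('INSERT INTO users (username, password_hash, usr_level) VALUES (?, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    return $db;
}

// Password login: the username is bound as a parameter, never spliced into SQL.
function check_login(PDO $db, string $username, string $password): ?array
{
    $st = $db->prepare('SELECT id, username, password_hash, usr_level
                        FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username'],
            'usr_level' => $row['usr_level']];
}

// "Remember me": the cookie carries a random selector and validator, nothing
// about the account. Only a hash of the validator is stored server-side.
function issue_remember_token(PDO $db, int $userId, int $ttl = 172800): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Redeem a cookie value. The token is single-use: it is deleted whether or not
// it verifies, and the caller issues a fresh one after a successful redeem.
function redeem_remember_token(PDO $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $st = $db->prepare('SELECT t.validator_hash, t.expires, u.id, u.username, u.usr_level
                        FROM remember_tokens t JOIN users u ON u.id = t.user_id
                        WHERE t.selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ($row === false
        || (int) $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username'],
            'usr_level' => $row['usr_level']];
}

// Map the user level to its landing page (file names as posted in the thread).
function area_for(string $level): string
{
    $areas = ['admin' => 'index_admin.php', 'advanced' => 'index_advanced.php',
              'newbie' => 'index_newbe.php'];
    return $areas[$level] ?? 'index.php';
}

if (PHP_SAPI === 'cli') {
    $db = demo_db();
    // Injection-style username: the quote characters are bound as data.
    var_dump(check_login($db, "alice' OR '1'='1", 'x'));
    $user   = check_login($db, 'alice', 'correct horse');
    $cookie = issue_remember_token($db, $user['id']);
    // In a web request, before any output is sent:
    //   setcookie('remember', $cookie, ['expires' => time() + 172800, 'path' => '/',
    //             'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    //   session_regenerate_id(true);
    //   header('Location: ' . area_for($user['usr_level'])); exit;
    $back = redeem_remember_token($db, $cookie);
    echo $back['username'], ' -> ', area_for($back['usr_level']), "\n";
    // Replaying the same cookie value: the token was consumed by the first redeem.
    var_dump(redeem_remember_token($db, $cookie));
}
```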
Re: [PHP] login to protected directory by php
On Mon, 2010-08-16 at 09:27 +0530, kranthi wrote:

> i would configure apache to let php interpreter handle all kinds of extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler ) even then u'll have go through all the steps pointed out by Ash. the only advantage of this method is more user friendly URL

That would be very slow and prone to failure. What happens when Apache comes across a binary file that contains <?php inside? It seems unlikely, but I've found the more unlikely something should be, the more often it occurs at just the wrong moment! For example, a document that talks about PHP, or an image that randomly contains those characters as part of the bitmap data?

Also, the idea of tying an ID into the DB does still allow you to use friendly URLs, but is the ability to guess filenames really something you want in a security system? It would be more prone to brute force attacking I think.

Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] login to protected directory by php
On Sun, 2010-08-15 at 22:15 +0430, Ali Asghar Toraby Parizy wrote: all files (web pages, pictures, and exe files) and folders in a directory should be protected against anonymous users. I create an application with php and mysql for registered users. when a user registers it's information will be saved in database and its username and password will be added to .htpass file. so registered users can reach protected area. But browser prompts login dialog, when users want to access this folder. How can I run login process with php. Thanks On Sat, Aug 14, 2010 at 4:23 PM, chris h chris...@gmail.com wrote: it sounds as if apache - or whatever your http server is - is not aware of your php script. All apache knows is that someone is trying to access a directory or file that is protected, it does not know that it should send that request to the php script for a login. What are the protected resources that you want a login for? On Sat, Aug 14, 2010 at 1:52 AM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi The php script is in another folder. I set PHP_AUTH_USER and 'PHP_AUTH_PW in login script then try to open the file in the protected directory. the php file is not in the protected realm. On Sat, Aug 14, 2010 at 3:26 AM, chris h chris...@gmail.com wrote: Based off what your saying my guess is that the request is not hitting your php script. Is the php script in the protected directory? If so what is it's file name and what url are you hitting for the test? Chris. On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote: Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works prefect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and ' PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error? 
-- Ali Asghar Torabi -- Ali Asghar Torabi -- Ali Asghar Torabi The two login processes are separate from each other. The .htaccess method is handled by Apache, completely apart from PHP. I believe it is possible, but is unreliable because of the way different browser/server combinations behave. Your best bet is to store these files outside of web route, and access them with a URL like this: file.php?id=123456 your web route might be something like /var/www/html/yoursite (where /var/www/html is the web root) your documents and secure files could be at /var/www/files/yoursite In your DB, the file id 123456 maps to a specific file on the hosting. This file isn't accessible from the web normally, so PHP will have to use something like fpassthru() to open dump the contents to the browser (obviously sending the correct header() mime type, etc). The advantage to this is you can use your PHP login system, and check each file download attempt against the session to ensure they are a valid user who should be able to access this file. Also, the obfuscation of the filename means that someone is less likely to guess at a filename. The id itself can be anything from a hash of the filename to an auto increment id in the DB. Thanks, Ash http://www.ashleysheridan.co.uk
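The file.php?id=123456 approach described in the reply above, as an added example that is not code from the thread. The id-to-file map is a hypothetical array standing in for the database table, the $_SESSION['userid'] key is assumed to be set by the PHP login, and the command-line branch runs against a constructed temporary directory.

```php
<?php
// Added example, not code from the thread.
const FILE_ROOT = '/var/www/files/yoursite';   // outside the web root, as in the post

// Hypothetical id => file map; the post keeps this mapping in the database.
function file_map(): array
{
    return [123456 => ['path' => 'manual.pdf', 'mime' => 'application/pdf']];
}

// Decide whether this session may fetch this id. Returns [status, path, mime].
function resolve_download(array $session, array $map, $id, string $root): array
{
    if (empty($session['userid'])) {
        return [403, null, null];              // not logged in through the PHP login
    }
    if (!is_string($id) || !ctype_digit($id) || !isset($map[$id])) {
        return [404, null, null];              // unknown or malformed id
    }
    // Resolve symlinks and ".." and require the result to stay under the root.
    $base = realpath($root);
    $path = realpath($root . '/' . $map[$id]['path']);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return [404, null, null];
    }
    return [200, $path, $map[$id]['mime']];
}

// Stream the file. All header() calls happen before the first byte of output.
function send_download(string $path, string $mime): void
{
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    $fh = fopen($path, 'rb');
    fpassthru($fh);
    fclose($fh);
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: file.php?id=123456
    session_start();
    [$status, $path, $mime] =
        resolve_download($_SESSION, file_map(), $_GET['id'] ?? null, FILE_ROOT);
    if ($status !== 200) {
        http_response_code($status);
        exit;
    }
    send_download($path, $mime);
} else {
    // Command-line demonstration with a constructed directory and file.
    $root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
    mkdir($root);
    file_put_contents($root . '/manual.pdf', "%PDF-1.4 constructed sample\n");
    $cases = [
        'anonymous, valid id'  => [[], '123456'],
        'logged in, valid id'  => [['userid' => 7], '123456'],
        'logged in, bad id'    => [['userid' => 7], '../../etc/passwd'],
        'logged in, unknown'   => [['userid' => 7], '999'],
    ];
    foreach ($cases as $label => [$session, $id]) {
        [$status] = resolve_download($session, file_map(), $id, $root);
        echo str_pad($label, 22), ' => ', $status, "\n";
    }
    unlink($root . '/manual.pdf');
    rmdir($root);
}
```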
Re: [PHP] login to protected directory by php
i would configure apache to let php interpreter handle all kinds of extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler ) even then u'll have go through all the steps pointed out by Ash. the only advantage of this method is more user friendly URL
Re: [PHP] login to protected directory by php
Based off what you're saying my guess is that the request is not hitting your php script. Is the php script in the protected directory? If so what is its file name and what url are you hitting for the test?

Chris.

On Fri, Aug 13, 2010 at 6:21 PM, Ali Asghar Toraby Parizy aliasghar.tor...@gmail.com wrote:

> Hi. I have a protected directory in my host. I have configured .htaccess successfully and it works perfect. Now I'm looking for a solution to login and logout by a php script. In my site I have a login page. In that page I set 'PHP_AUTH_USER' and 'PHP_AUTH_PW'. but when I try to open protected directory, user authentication dialog appears. How can I do this? What is my error?
> -- Ali Asghar Torabi
Re: [PHP] Login using just cookies, bad idea?
On 08/07/10 17:53, Michael Calkins wrote:

> I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing? $_COOKIE vs $_SESSION for login systems

Encrypt the cookie, make sure you don't store the password in there, make sure it's salted, and validate the contents before using them.

http://stut.net/2008/07/26/sessionless-sessions-2/

-Stuart
Re: [PHP] Login In script quesitons
On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/
Re: [PHP] Login In script quesitons
Richard Quadling rquadl...@gmail.com wrote in message news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com...

> On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote:
>> [snip]
> Take a look at https://code.google.com/p/loginsystem-rd/

Richard

Thank you for your quick reply and the link. Since I see you are one of the creators, thank you for that as well. I am getting the following error and I'm not sure how to correct it.

Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 15

Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 22

Line 15 is: setcookie(token, , time()-42000);

Line 22 is: if (setcookie(token, $_SESSION[token], time()+86400)) {

loginGlobals stops at line 278

Again, thank you for all your help.

gary
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 15:43 -0400, Gary wrote: Richard Quadling rquadl...@gmail.com wrote in message news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com... On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/ Richard Thank you for your quick reply and the link. Since I see you are one of the creators, thank you for that as well. I am getting the following error and I'm not sure how to correct it. Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 22 Line 15 is: setcookie(token, , time()-42000); Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) { loginGlobals stops at line 278 Again, thank you for all your help. gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com My guess is that you've put the login PHP code after some HTML in that page? If you output any content at all (even a blank space) it will output the default headers. What you need to do is have any logic that includes a header() call before any output. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278705035.2295.2.ca...@localhost... On Fri, 2010-07-09 at 15:43 -0400, Gary wrote: Richard Quadling rquadl...@gmail.com wrote in message news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com... On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/ Richard Thank you for your quick reply and the link. Since I see you are one of the creators, thank you for that as well. I am getting the following error and I'm not sure how to correct it. Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 22 Line 15 is: setcookie(token, , time()-42000); Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) { loginGlobals stops at line 278 Again, thank you for all your help. gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com My guess is that you've put the login PHP code after some HTML in that page? If you output any content at all (even a blank space) it will output the default headers. What you need to do is have any logic that includes a header() call before any output. Thanks, Ash http://www.ashleysheridan.co.uk Ashley I am aware of that would cause a problem. I am not finding any html at all on either page. Thanks for your reply. Gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. 
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 15:58 -0400, Gary wrote: Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278705035.2295.2.ca...@localhost... On Fri, 2010-07-09 at 15:43 -0400, Gary wrote: Richard Quadling rquadl...@gmail.com wrote in message news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com... On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/ Richard Thank you for your quick reply and the link. Since I see you are one of the creators, thank you for that as well. I am getting the following error and I'm not sure how to correct it. Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 22 Line 15 is: setcookie(token, , time()-42000); Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) { loginGlobals stops at line 278 Again, thank you for all your help. gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com My guess is that you've put the login PHP code after some HTML in that page? If you output any content at all (even a blank space) it will output the default headers. What you need to do is have any logic that includes a header() call before any output. Thanks, Ash http://www.ashleysheridan.co.uk Ashley I am aware of that would cause a problem. I am not finding any html at all on either page. Thanks for your reply. Gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. 
http://www.eset.com What does your code look like now? Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278705549.2295.4.ca...@localhost... On Fri, 2010-07-09 at 15:58 -0400, Gary wrote: Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278705035.2295.2.ca...@localhost... On Fri, 2010-07-09 at 15:43 -0400, Gary wrote: Richard Quadling rquadl...@gmail.com wrote in message news:aanlktilbmyedd8paky9dwgn0q7t6kem4zzutu_49u...@mail.gmail.com... On 9 July 2010 16:42, Gary gp...@paulgdesigns.com wrote: [snip] Take a look at https://code.google.com/p/loginsystem-rd/ Richard Thank you for your quick reply and the link. Since I see you are one of the creators, thank you for that as well. I am getting the following error and I'm not sure how to correct it. Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 15 Warning: Cannot modify header information - headers already sent by (output started at /home/content/45/6359745/html/login/include/loginGlobals.php:281) in /home/content/45/6359745/html/login/include/form_token.php on line 22 Line 15 is: setcookie(token, , time()-42000); Line 22 is :if (setcookie(token, $_SESSION[token], time()+86400)) { loginGlobals stops at line 278 Again, thank you for all your help. gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com My guess is that you've put the login PHP code after some HTML in that page? If you output any content at all (even a blank space) it will output the default headers. What you need to do is have any logic that includes a header() call before any output. Thanks, Ash http://www.ashleysheridan.co.uk Ashley I am aware of that would cause a problem. I am not finding any html at all on either page. Thanks for your reply. 
Gary __ Information from ESET Smart Security, version of virus signature database 5266 (20100709) __ The message was checked by ESET Smart Security. http://www.eset.com What does your code look like now? Thanks, Ash http://www.ashleysheridan.co.uk Ashley This is form_token.php ?php if (!isset($_SESSION)) { session_start(); } ? ?php function generateToken(){ /* * Create and set a new token for CSRF protection * on initial entry or after form errors and we are going to redisplay theform. **/ $salt=; $tokenStr=; $salt = sha1($_SERVER[HTTP_HOST]); setcookie(token, , time()-42000); $_SESSION[salt]=$salt; $_SESSION[guid] = getGUID(); $_SESSION[ip] = $_SERVER[REMOTE_ADDR]; $_SESSION[time] = time(); $tokenStr = IP: . $_SESSION[ip] . ,SESSIONID: . session_id() .,GUID: . $_SESSION[guid]; $_SESSION[token]=sha1(($tokenStr.$_SESSION[salt]).$_SESSION[salt]); if (setcookie(token, $_SESSION[token], time()+86400)) { $_SESSION[usecookie]=True; }}function checkToken() { /* * Check the posted token for correctness **/ $oldToken=; $testToken=; $tokenStr=; $page=basename($_SERVER['PHP_SELF']); $oldToken=$_POST[token]; $tokenStr = IP: . $_SESSION[ip] . ,SESSIONID: . session_id() .,GUID: . $_SESSION[guid]; $testToken=sha1(($tokenStr.$_SESSION[salt]).$_SESSION[salt]); $checkToken=False; If ($oldToken===$testToken) { $diff = time() - $_SESSION[time]; If ($diff=300) { // Five minutes max If ($_SESSION[usecookie]) { If ($_COOKIE[token]===$oldToken) { /* * Destroy the old form token, then * generate a new token for the form, which may or may not be needed. Wewant to do this * before headers are written. When writeToken() or writeTokenH() iscalled we are only * writing the pre-generated token to the form. The cookie will havealready been written. **/ setcookie(token, '', time()-42000); generateToken(); return true;}else{ $_SESSION = array(); if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000); } session_destroy(); header(Location: http://;. lg_domain . 
lg_form_error .?p= . $page .t=ec);} }else{ return True; }}else{ $_SESSION = array(); if (isset($_COOKIE[session_name()])) {
Re: [PHP] Login In script quesitons
On Fri, 2010-07-09 at 16:04 -0400, Gary wrote:

> ?>
> <?php

That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Login In script quesitons
Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278706121.2295.5.ca...@localhost...

> On Fri, 2010-07-09 at 16:04 -0400, Gary wrote:
>
> > ?>
> > <?php
>
> That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Ashley

Actually I had added that closing and opening tag in trying to solve the problem, I put it back and still have the issue. I looked at the code as it looks on the board, would it be easier if I sent you the files?

Thanks again.

Gary

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login In script quesitons
Ashley

Richard

I think I found the issue. In loginGlobals.php, the error was pointing to line 281, when the code stopped at 278. (I know most of the time this just means there is a missing bracket or semi-colon in the code), however, what I did is put my cursor on line 281, backspaced to eliminate white space, and it seems to be working.

I will let you know if this is just premature exuberation.

Thanks again for all your help.

Gary

Ashley Sheridan a...@ashleysheridan.co.uk wrote in message news:1278706121.2295.5.ca...@localhost...

> On Fri, 2010-07-09 at 16:04 -0400, Gary wrote:
>
> > ?>
> > <?php
>
> That bit of the code has a newline in it, which counts as output :p I've not looked over the rest yet, but see if that helps.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
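The whitespace Gary found after the end of the code in loginGlobals.php is the kind of stray output a static check can catch before it breaks setcookie() or header(). This is an added example, not part of the thread or of loginsystem-rd; findStrayOutput() and the sample file contents are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * List everything in a PHP source string that is sent to the client as
 * output rather than executed: a byte order mark, text before the opening
 * tag, or text after a closing tag. Any of these makes a later header()
 * or setcookie() fail with "headers already sent".
 * findStrayOutput() is a hypothetical helper written for this example.
 */
function findStrayOutput(string $source): array
{
    $findings = [];

    // A UTF-8 byte order mark in front of the opening tag is output too.
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $findings[] = 'line 1: UTF-8 byte order mark before the opening tag';
        $source = substr($source, 3);
    }

    // The tokenizer labels every byte outside the PHP tags as T_INLINE_HTML.
    foreach (token_get_all($source) as $token) {
        if (!is_array($token) || $token[0] !== T_INLINE_HTML) {
            continue;
        }
        $kind = trim($token[1]) === '' ? 'whitespace' : 'text';
        $findings[] = sprintf(
            'line %d: %d byte(s) of %s outside the PHP tags',
            $token[2],
            strlen($token[1]),
            $kind
        );
    }
    return $findings;
}

// Constructed samples. PHP drops one newline directly after a closing tag,
// so the second sample is clean while the third is not.
$samples = [
    'no closing tag'            => "<?php\n\$x = 1;\n",
    'closing tag, one newline'  => "<?php\n\$x = 1;\n?>\n",
    'closing tag, blank lines'  => "<?php\n\$x = 1;\n?>\n\n  \n",
    'space before opening tag'  => " <?php\nsession_start();\n",
    'byte order mark'           => "\xEF\xBB\xBF<?php\n\$x = 1;\n",
];

// Paths given on the command line replace the constructed samples.
$paths = array_slice($argv ?? [], 1);
if ($paths !== []) {
    $samples = [];
    foreach ($paths as $path) {
        $samples[$path] = (string) file_get_contents($path);
    }
}

foreach ($samples as $name => $source) {
    $found = findStrayOutput($source);
    echo $name, ': ', $found ? implode('; ', $found) : 'clean', PHP_EOL;
}
```

At run time, headers_sent($file, $line) fills in the same file and line that the warning prints, which helps when the output comes from an include several levels down.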
Re: [PHP] Login using just cookies, bad idea?
On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote:

> I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?
>
> $_COOKIE vs $_SESSION for login systems
>
> From,
> Michael Calkins

VERY bad idea! :p

Basically, cookies should only be used to store general non-personal information. Sessions are for anything that you want to keep out of prying eyes. The reason being is that cookies are just plain text files on the client machine, and can effectively be read by another program or person very easily.

Sessions make use of cookies to store the session_id whilst a user is logged in, but you should destroy the session after you no longer need it to remove the chance of someone getting hold of it and spoofing a request to your server. This can be done by destroying the session when a user logs out and setting a default timeout on a session.

Sessions are easier to use I've found than cookies. You can add information to the session and read it right back without needing the client's browser to make a new request to your server with the updated cookie in the header. You can store far more information in a session (exactly how much more depends on your server setup obviously) and in a much more logical manner than a cookie.

This is not to say that cookies don't have their uses, but I think for a login system they introduce potential security issues which can be exploited.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Login using just cookies, bad idea?
On Thu, Jul 8, 2010 at 1:00 PM, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

> On Thu, 2010-07-08 at 09:53 -0700, Michael Calkins wrote:
>
> > I right now have a complete user login and registration system however it uses cookies when you login to store information. Is this a bad thing?
> >
> > $_COOKIE vs $_SESSION for login systems
> >
> > From,
> > Michael Calkins
>
> VERY bad idea! :p
>
> Basically, cookies should only be used to store general non-personal information. Sessions are for anything that you want to keep out of prying eyes. The reason being is that cookies are just plain text files on the client machine, and can effectively be read by another program or person very easily.
>
> Sessions make use of cookies to store the session_id whilst a user is logged in, but you should destroy the session after you no longer need it to remove the chance of someone getting hold of it and spoofing a request to your server. This can be done by destroying the session when a user logs out and setting a default timeout on a session.
>
> Sessions are easier to use I've found than cookies. You can add information to the session and read it right back without needing the client's browser to make a new request to your server with the updated cookie in the header. You can store far more information in a session (exactly how much more depends on your server setup obviously) and in a much more logical manner than a cookie.
>
> This is not to say that cookies don't have their uses, but I think for a login system they introduce potential security issues which can be exploited.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Hi Michael,

The short answer is that it depends. Cookies are not inherently bad. Cookies are simply another piece of text that's sent to and fro from client to server (via Set-Cookie: name=value and Cookie: name=value exchanges), and this particular piece of text has a special storage mechanism integrated into most web browsers. Since its inception, cookie support has improved significantly on browsers, as the security policies now in place provide much more security than those first implemented in the olden days.

Today, cookies are a valuable tool used to facilitate the vast majority of website login mechanisms. PHP uses cookies to track sessions of web visitors (the cookie stores the corresponding PHPSESSID), and these sessions are often used to handle auth checks. That is, unless you've set your PHP environment up to propagate the session id through the url, which is not usually wise as it's quite easy to expose the PHPSESSID in server logs as through the referrer header:
http://php.net/manual/en/session.security.php

ASP.Net uses cookies to provide the forms-based auth mechanism, storing limited session information directly within the cookie itself:
http://msdn.microsoft.com/en-us/library/ff647070.aspx#pagexplained0002_aspnetforms

> I right now have a complete user login and registration system however it uses cookies when you login to store information.

Now, the questions I'd have for you are:
- Are the cookies merely storing the auth tokens or is other information being stored?
- If other information is being stored, what type of info is it, how secure does it have to be, and how many bytes of data is it.

Whatever scheme you're using, if you're exchanging the cookie over a non-secure channel (i.e., not using HTTPS), your application is vulnerable to session hijacking:
http://en.wikipedia.org/wiki/Session_hijacking

I have stored limited amounts of information in the cookie (e.g., default stylesheet info, user first name, etc.), and when I wanted to protect the information, I signed and encrypted it.

Because of the nature of a cookie, you'd have to guard against replay attacks even if the information is encrypted:
http://en.wikipedia.org/wiki/Replay_attack

In summary, a cookie is merely a tool for persisting data on the client. It can facilitate great security, but its contribution (or detriment) to the security of your application depends on how it's used.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
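One way to sign a cookie so that tampering is detected and a captured copy stops working after expiry or logout, as Adam's message describes. This is an added example, not code from the thread: the key, field names and function names are assumptions, and it signs without encrypting, so the client can still read the payload.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side secret; load it from configuration in a real
// deployment and never send it to the client.
const COOKIE_KEY = 'constructed-demo-key';

/** Build "<base64 payload>.<hex HMAC>" carrying data, an expiry and a nonce. */
function issueCookie(array $data, int $ttl, int $now): string
{
    $payload = json_encode([
        'data'  => $data,
        'exp'   => $now + $ttl,
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, COOKIE_KEY);
}

/**
 * Return the payload only if the MAC matches, the cookie has not expired
 * and its nonce has not been revoked (for example at logout); else null.
 */
function readCookie(string $cookie, int $now, array $revokedNonces): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;

    // hash_equals() compares in constant time, so the check leaks no prefix.
    if (!hash_equals(hash_hmac('sha256', $body, COOKIE_KEY), $mac)) {
        return null;
    }

    $payload = json_decode((string) base64_decode($body, true), true);
    if (!is_array($payload) || !isset($payload['data'], $payload['exp'], $payload['nonce'])) {
        return null;
    }
    if ($payload['exp'] < $now) {
        return null; // expiry bounds how long a captured cookie can be replayed
    }
    if (in_array($payload['nonce'], $revokedNonces, true)) {
        return null; // server-side revocation stops replay after logout
    }
    return $payload;
}

// Constructed demo values: a fixed clock and the kind of data Adam mentions.
$now    = 1278600000;
$cookie = issueCookie(['style' => 'dark.css', 'first_name' => 'Michael'], 86400, $now);

// 1. Untouched cookie inside its lifetime is accepted.
$valid = readCookie($cookie, $now + 60, []);
echo 'valid: ', $valid === null ? 'rejected' : 'accepted', PHP_EOL;

// 2. Payload edited on the client without the key: MAC no longer matches.
[$body, $mac] = explode('.', $cookie);
$tampered = base64_encode(str_replace('Michael', 'Someone', (string) base64_decode($body))) . '.' . $mac;
echo 'tampered: ', readCookie($tampered, $now + 60, []) === null ? 'rejected' : 'accepted', PHP_EOL;

// 3. Same cookie presented two days later: expired.
echo 'expired: ', readCookie($cookie, $now + 2 * 86400, []) === null ? 'rejected' : 'accepted', PHP_EOL;

// 4. Same cookie presented after its nonce was revoked at logout.
$revoked = [$valid['nonce']];
echo 'after logout: ', readCookie($cookie, $now + 120, $revoked) === null ? 'rejected' : 'accepted', PHP_EOL;

// When sending it, restrict the cookie to HTTPS and hide it from scripts:
// setcookie('prefs', $cookie, ['expires' => $now + 86400, 'secure' => true,
//           'httponly' => true, 'samesite' => 'Lax']);
```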
RE: [PHP] Login form + User level access
At 8:07 PM + 6/29/10, Carlos Sura wrote:

> Thank you for your answer Ted, You are right, well, I do have my login form, but what I do not understand is how to implement switch statement.
>
>     switch ($level){
>         case 0: include ("admin.php"); break;
>         case 1: include ("sales.php"); break;
>         case 2: include ("superuser.php"); break;
>     }

Try:

    case 0: header('location:admin.php'); exit(); break;

Instead of includes.

> Now I'm wondering if every page has to have something like:
>
>     if ($level==2){ } else { }

Of course, you must check the level of permission granted to the user before allowing them to see any protected page.

I would suggest using a $_SESSION['level'] during logon to set the level of permission and then on each protected page do something like this:

    $level = isset($_SESSION['level']) ? $_SESSION['level'] : null;
    if ($level < 2) {
        // redirect to somewhere else
        header('location:admin.php');
        exit();
    }
    // this will allow the super-user (level 2) to see everything while redirecting everyone else elsewhere

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Login form + User level access
At 7:46 PM + 6/29/10, Carlos Sura wrote:

> Hello everyone. I have this question: I'm developing a login system but what I need is to do is access levels I mean, in my database I have this users: Admin Superusers sales purchase etc So, What I do basically need is, when a user from sales log in.. I want him to see just the menu from SALES, He cannot see others menu options, and he can't get access, I was reading that I can do that with Switch, but really I have no idea about it... Any help? Thank you. Carlos Sura.

Carlos:

That's a little like saying, "I want to build a car so I can drive around the country. I was reading that I could do that with a key, but I don't have any idea about it... Any help?"

Yes, you can use a switch statement, but that's just one control structure in a much, much larger application.

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Login form + User level access
Hello Carlos,

Something like this (assuming that the field with the type of the user - admin, sales, etc. - is called `Status`, and the table is called `Users`):

    // escape the user-supplied name before it is placed in the query
    $name = mysql_real_escape_string($_POST['name']);
    $f = mysql_fetch_assoc(mysql_query("SELECT `Status`, COUNT(*) AS `UserExists` FROM `Users` WHERE `Name`='".$name."' AND `Password`='".md5($_POST['pass'])."'"));
    if ($f['UserExists'] > 0) {
        // name and password are correct
        switch ($f['Status']) {
            case 'ADMIN': include "adminmenu.php"; break;
            case 'SALES': include "salesmenu.php"; break;
            // ...
        }
    } else {
        die ("You entered either an incorrect login or an incorrect password.");
    }

I assume you store crypted passwords in your database, and the algorithm is md5 (there are better solutions, but I used it simply for this example).

--
With best regards from Ukraine,
Andre

- Original message -
From: Carlos Sura carlos_s...@hotmail.com
To: php-general@lists.php.net php-general@lists.php.net
Date: Tuesday, June 29, 2010, 10:46:14 PM
Subject: [PHP] Login form + User level access

> Hello everyone. I have this question: I'm developing a login system but what I need is to do is access levels I mean, in my database I have this users: Admin Superusers sales purchase etc So, What I do basically need is, when a user from sales log in.. I want him to see just the menu from SALES, He cannot see others menu options, and he can't get access, I was reading that I can do that with Switch, but really I have no idea about it... Any help? Thank you. Carlos Sura.
RE: [PHP] Login form + User level access
Thank you for your answer Ted,

You are right, well, I do have my login form, but what I do not understand is how to implement switch statement.

    switch ($level){
        case 0: include ("admin.php"); break;
        case 1: include ("sales.php"); break;
        case 2: include ("superuser.php"); break;
    }

Now I'm wondering if every page has to have something like:

    if ($level==2){ } else { }

but, I think that might check link pages, and whole menu... Not, just the menu for admin as example. So, that's why I'm asking for help... I was saying just the idea to get example codes, to base on it, asking : how do I get to london?, not how do I drive a car?

Thanks.

Carlos Sura.

Date: Tue, 29 Jun 2010 15:58:10 -0400
To: carlos_s...@hotmail.com; php-general@lists.php.net
From: tedd.sperl...@gmail.com
Subject: Re: [PHP] Login form + User level access

> At 7:46 PM + 6/29/10, Carlos Sura wrote:
>
> > Hello everyone. I have this question: I'm developing a login system but what I need is to do is access levels I mean, in my database I have this users: Admin Superusers sales purchase etc So, What I do basically need is, when a user from sales log in.. I want him to see just the menu from SALES, He cannot see others menu options, and he can't get access, I was reading that I can do that with Switch, but really I have no idea about it... Any help? Thank you. Carlos Sura.
>
> Carlos:
>
> That's a little like saying, I want to build a car so I can drive around the country. I was reading that I could do that with a key, but I don't have any idea about it... Any help?
>
> Yes, you can use a switch statement, but that just one control structure in a much, much larger application.
>
> Cheers,
>
> tedd
>
> --
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:

> The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors:
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24
>
> Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26
>
> On line 24 is:
>
>     if(!mysql_num_rows($login)) //if the username and pass are wrong
>
> --The supplied argument is $login, which is previously defined as:
>
>     $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`");
>
> --which is further defined above it as these values:
>
>     $user = $_POST['user']; //pulls the username from the form
>     $pw = $_POST['pass']; //pulls the pass from the form
>     $pass = md5($pw); //makes our password an md
>
> So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other?
>
> Thanks for any help you may be able to provide, below is the full login.php page.
>
> David
>
> This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:
>
>     <?php
>     $act = $_GET['act']; //retrieves the page action
>     if(empty($act)) //if there is no action
>     {
>         echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
>         <p>Username <input type="text" name="user"> </p>
>         <p>Password <input type="password" name="pass"> </p>
>         <p> <input type="submit" name="Submit" value="Login"> </p>
>         </form>');
>     }
>     elseif($act == "auth") //if our page action = auth
>     {
>         $user = $_POST['user']; //pulls the username from the form
>         $pw = $_POST['pass']; //pulls the pass from the form
>         $pass = md5($pw); //makes our password an md5
>         include("connect.php"); //connects to our mysql database
>         $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
>         if(!mysql_num_rows($login)) //if the username and pass are wrong
>         {
>             header("Location: login.php"); //redirects to our login page
>             die(); //stops the page from going any further
>         }
>         else
>         {
>             setcookie("user", $user, time()+3600);//sets our user cookie
>             setcookie("pass", $pass, time()+3600);//sets our pass cookie
>             header("Location: memprar.php");//instead of yourpage.php it would be your protected page
>         }
>     }
>     ?>

First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread!

On to your question, you've got an error with your query, so it will never work:

    SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass` // change that last back tick after $pass!

Lastly; protect your queries! That $user variable is open to injection. Replacing it with something like

    $user = mysql_real_escape_string($_POST['user']);

Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough.

Thanks,
Ash
http://www.ashleysheridan.co.uk
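The same login check with the query parameterised and the password stored with password_hash(), so the username never becomes part of the SQL text and md5() is not needed. This is an added example, not David's or Ashley's code: it swaps the thread's mysql_* functions for PDO with an in-memory SQLite table as a constructed stand-in for userinfo, and checkLogin() is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's `userinfo` table, held in memory so
// the example runs offline (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Store a salted, slow hash instead of md5($pw).
$db->prepare('INSERT INTO userinfo (user, pass) VALUES (?, ?)')
   ->execute(['david', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Verified for unknown users so both outcomes cost one password_verify().
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

/** True only when $user exists and $password matches the stored hash. */
function checkLogin(PDO $db, string $user, string $password): bool
{
    // The placeholder keeps $user out of the SQL text: quotes in it are data.
    $stmt = $db->prepare('SELECT pass FROM userinfo WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if (!is_string($hash)) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed inputs, including a username carrying quote characters.
$attempts = [
    ['david', 'constructed-password'],
    ['david', 'wrong-password'],
    ["david' OR '1'='1", 'anything'],
    ['nobody', 'anything'],
];

foreach ($attempts as [$user, $password]) {
    printf("%-20s => %s\n", $user, checkLogin($db, $user, $password) ? 'accepted' : 'rejected');
}

// On success, keep the login state on the server rather than in cookies
// holding the username and password hash:
//   session_start();
//   session_regenerate_id(true);   // new session id after authentication
//   $_SESSION['user'] = $user;
```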
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, Ashley Sheridan a...@ashleysheridan.co.uk wrote: From: Ashley Sheridan a...@ashleysheridan.co.uk Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource To: David Hutto dwightdhu...@yahoo.com Cc: php-general@lists.php.net Date: Friday, February 19, 2010, 5:34 AM On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote: The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24 Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26 On line 24 is: if(!mysql_num_rows($login)) //if the username and pass are wrong --The supplied argument is $login, which is previously defined as: $login = mysql_query(SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`); --which is further defined above it as these values: $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other? Thanks for any help you may be able to provide, below is the full login.php page. 
David This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem: ?php $act = $_GET['act']; //retrives the page action if(empty($act)) //if there is no action { echo('form action=login.php?act=auth method=post name=loginform id=loginform pUsername input type=text name=user /p pPassword input type=password name=pass /p p input type=submit name=Submit value=Login /p /form'); } elseif($act == auth) //if our page action = auth { $user = $_POST['user']; //pulls the username from the form $pw = $_POST['pass']; //pulls the pass from the form $pass = md5($pw); //makes our password an md5 include(connect.php); //connects to our mysql database $login = mysql_query(SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`); //selects info from our table if the row has the same user and pass that our form does if(!mysql_num_rows($login)) //if the username and pass are wrong { header(Location: login.php); //redirects to our login page die(); //stops the page from going any further } else { setcookie(user, $user, time()+3600);//sets our user cookie setcookie(pass, $pass, time()+3600);//sets our pass cookie header(Location: memprar.php);//instead of yourpage.php it would be your protected page } } ? First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread! On to your question, you've got an error with your query, so it will never work: SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass` // change that last back tick after $pass! Lastly; protect your queries! That $user variable is open to injection. 
Replacing it with something like $user = mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough. Thanks, Ash http://www.ashleysheridan.co.uk Apologies for hijacking the thread, I hit reply all in a randomly picked email and deleted the info/subject line, guess that doesn't work. Thanks for the advice, it's almost working right, all things considered. David
Re: [PHP] Login should not allow users to login if the application is logged in with the same login credentials
Use Database Online table for user sessions.

2009/8/27 Balasubramanyam A knowledge.wea...@gmail.com:

> Hello,
>
> I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this?
>
> Regards,
> Balu
Re: [PHP] Login should not allow users to login if the application is logged in with the same login credentials
On Aug 27, 2009, at 8:01 AM, hack988 hack988 hack...@dev.htwap.com wrote:

> Use Database Online table for user sessions.
>
> 2009/8/27 Balasubramanyam A knowledge.wea...@gmail.com:
>
> > Hello,
> >
> > I've written a simple application, where users need to login to access the features of the application. I want to develop login system such that, if user is already logged in, the application should not allow the users to login with the same login credentials. How do I accomplish this?
> >
> > Regards,
> > Balu

Set a flag in the login table when the user logs in. You will need a process to unset this when a user logs out or if the session times out or the user will not be able to log in again.

Bastien
Re: [PHP] Login
On Thu, Oct 9, 2008 at 8:35 AM, Nathan Rixham [EMAIL PROTECTED] wrote: Jason Pruim wrote: On Oct 8, 2008, at 5:48 PM, Stut wrote: On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure they are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less then Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. [1]http://www.bawls.com/ -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 11287 James St Holland, MI 49424 www.raoset.com [EMAIL PROTECTED] as the owner of a few hundred automated sites covering many niches and a few programmers sites I know that programmer's don't click them ad's much *tight fisted bunch of* -- nathan ( [EMAIL PROTECTED] ) { Senior Web Developer php + java + flex + xmpp + xml + ecmascript web development edinburgh | http://kraya.co.uk/ } -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Especially when we don't see them. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
Jason Pruim wrote: On Oct 8, 2008, at 5:48 PM, Stut wrote: On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure they are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less then Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. [1]http://www.bawls.com/ -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 11287 James St Holland, MI 49424 www.raoset.com [EMAIL PROTECTED] as the owner of a few hundred automated sites covering many niches and a few programmers sites I know that programmer's don't click them ad's much *tight fisted bunch of* -- nathan ( [EMAIL PROTECTED] ) { Senior Web Developer php + java + flex + xmpp + xml + ecmascript web development edinburgh | http://kraya.co.uk/ } -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Login [0T]
-Original Message- From: Ashley Sheridan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 4:05 PM To: Stut Cc: Wolf; Richard Heyes; php-general@lists.php.net; Bernhard Kohl Subject: Re: [PHP] Login On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? Sorry to threadjack, but I saw this line and had to interject. Yahoo! not only has guidelines, but the YSlow plug-ins are a wonderful method for benchmarking web application speed and efficiency. In addition, suggestions are given to raise a given page's grade in particular areas. Quite helpful, IMHO. Also, the YUI Javascript package is quite comprehensive, and was (somewhat) independently developed by a Yahoo! programmer. That's my 2 cents... just 'cause a company gets it wrong most of the time doesn't mean that there aren't a few shining gems in their bag. :) Todd Boyd Web Programmer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Login
-Original Message- From: Jason Pruim [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2008 6:01 AM To: Stut Cc: [EMAIL PROTECTED]; PHP LIST Subject: Re: [PHP] Login As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less than Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. ...or if you want to induce vomit from a horrible flavor overdose. Guh. I went to Pilgrimage in Salt Lake City, UT a few years back, and they were giving away tons of that stuff. At first, I was psyched--then, I tasted it. None for me, thanks. Red Bull sugar-free or SoBe Adrenaline Rush. Full Throttle (the green kind) if I'm feeling saucy. Todd Boyd Web Programmer
Re: [PHP] Login [0T]
YUI components have had a tendency to: - Not work - Only work in certain browsers - Have sketchy troubleshooting and implementation documentation - Take forever to load - Only load sometimes As well as having to edit the source code to get it to do what you want quite a lot. That's me though: it would probably work for anyone else. :) 2008/10/9 Boyd, Todd M. [EMAIL PROTECTED] -Original Message- From: Ashley Sheridan [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 08, 2008 4:05 PM To: Stut Cc: Wolf; Richard Heyes; php-general@lists.php.net; Bernhard Kohl Subject: Re: [PHP] Login On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? Sorry to threadjack, but I saw this line and had to interject. Yahoo! not only has guidelines, but the YSlow plug-ins are a wonderful method for benchmarking web application speed and efficiency. In addition, suggestions are given to raise a given page's grade in particular areas. Quite helpful, IMHO. Also, the YUI Javascript package is quite comprehensive, and was (somewhat) independently developed by a Yahoo! programmer. That's my 2 cents... just 'cause a company gets it wrong most of the time doesn't mean that there aren't a few shining gems in their bag. :) Todd Boyd Web Programmer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Luke Slater
Re: [PHP] Login
Wolf [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Oct 8, 2008, at 5:48 PM, Stut wrote: On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure there are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. As someone who works in the advertising and marketing field, I can say I have never seen stats that say programmers click rates are less than Joe Blow. Advertising and marketing boils down to 2 things.. Offering the right person the right offer. And doing it at the right time. Right now you may not be interested in purchasing Bawls [1]. But if you have a huge project and need to work 20 hours a day for a few weeks... It might not sound so bad. [1]http://www.bawls.com/ -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 11287 James St Holland, MI 49424 www.raoset.com [EMAIL PROTECTED]
Re: [PHP] Login
I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. Agreed, funniest thing I've heard all week!
Re: [PHP] Login
I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. Agreed, funniest thing I've heard all week! However if you're wrong, you would have redirected a valid user to ratemypoo.com... Now I'm no business man (as my attempts of starting a company would show...), but I'd imagine it's not the sort of image most companies would want to portray. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org
Re: [PHP] Login
On Thu, 2008-10-09 at 19:02 +0100, Richard Heyes wrote: I'd like to take this back to the heart of this message and state that redirecting malicious usage to ratemypoo seems like a perfectly delightful means of security. Agreed, funniest thing I've heard all week! However if you're wrong, you would have redirected a valid user to ratemypoo.com... Now I'm no business man (as my attempts of starting a company would show...), but I'd imagine it's not the sort of image most companies would want to portray. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org Unless that was the business you were in ;) Ash www.ashleysheridan.co.uk
Re: [PHP] Login
Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.rgraph.org
Re: [PHP] Login
Richard Heyes wrote: Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) Rating poo, of course...
Re: [PHP] Login
Shawn McKenzie [EMAIL PROTECTED] wrote: Richard Heyes wrote: Unless that was the business you were in ;) True enough, but what kind of business would that be...? :-) Rating poo, of course... It's a crappy job, but someone's got to do it... ;)
Re: [PHP] Login
<?php
# I would recommend using the include method. Redirects should always be second choice, because they are just evil.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user && md5($_POST['password']) == $password) {
    include_once('login_successful.php');
} else {
    include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
?>
Re: [PHP] Login
On Wed, 2008-10-08 at 11:52 -0700, Bernhard Kohl wrote:

<?php
# I would recommend using the include method. Redirects should always be second choice, because they are just evil.
# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user && md5($_POST['password']) == $password) {
    include_once('login_successful.php');
} else {
    include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
?>

Also, generally speaking, it is a good idea to verify a user against their $_SESSION on every page to verify that they have gone through the login procedure and not just gone directly to an URL in the site. Ash www.ashleysheridan.co.uk
Re: [PHP] Login
On 8 Oct 2008, at 19:52, Bernhard Kohl wrote:

<?php
# I would recommend using the include method. Redirects should always be second choice, because they are just evil.

In this case I would disagree. On successful login it's normal to redirect to a useful page rather than just display a page that says congratulations, you're a real user. In the case of an unsuccessful login why would you need to include another file? Surely the logic that follows is part of the login script. It's all a personal preference tho. I used to think that redirects should not be used unless absolutely necessary but the reasons people give are generally religious rather than logical.

# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user && md5($_POST['password']) == $password) {
    include_once('login_successful.php');
} else {
    include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection

I see nothing in that code that would be open to code injection. -Stut -- http://stut.net/
Re: [PHP] Login
On Wed, 2008-10-08 at 20:02 +0100, Stut wrote: On 8 Oct 2008, at 19:52, Bernhard Kohl wrote:

<?php
# I would recommend using the include method. Redirects should always be second choice, because they are just evil.

In this case I would disagree. On successful login it's normal to redirect to a useful page rather than just display a page that says congratulations, you're a real user. In the case of an unsuccessful login why would you need to include another file? Surely the logic that follows is part of the login script. It's all a personal preference tho. I used to think that redirects should not be used unless absolutely necessary but the reasons people give are generally religious rather than logical.

# Example code below
$password = md5('swordfish');
$user = 'Trucker Joe';
if ($_POST['user'] == $user && md5($_POST['password']) == $password) {
    include_once('login_successful.php');
} else {
    include_once('login_failed.php');
}
# Some may also hash the user to prevent injection
# http://us.php.net/manual/en/function.include.php
# http://en.wikipedia.org/wiki/Code_injection#PHP_Injection

I see nothing in that code that would be open to code injection. -Stut -- http://stut.net/

I usually include verification on each page, so I'll redirect if they are not logged in, but process them as normal throughout that script if they are. I guess like all things PHP, there's 101 ways to do something, and it's just down to preference and those little details... Ash www.ashleysheridan.co.uk
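The pieces discussed in the messages above (redirect after the login POST, a $_SESSION check at the top of every page, and stopping the script once the Location header is sent), put together as an added example that is not code from any poster in this thread. The file names login.php and members.php, the function names and the sample account are assumptions, and password_hash()/password_verify() are swapped in for the md5() used in the posted snippet.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. File names (login.php, members.php)
// and function names are assumptions for illustration.

// Constructed sample account table: username => password hash.
// password_hash()/password_verify() are swapped in for the thread's md5().
function sample_users(): array
{
    return ['Trucker Joe' => password_hash('swordfish', PASSWORD_DEFAULT)];
}

// Check a login POST. On success the session is marked and the members page is
// returned as the redirect target; on failure the login page is.
function handle_login(array $post, array &$session, array $users): string
{
    // Form fields can arrive as arrays (user[]=x); accept strings only.
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';

    // Unknown users are verified against a dummy hash so that both paths
    // spend the same time hashing.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $known = array_key_exists($user, $users);
    $valid = password_verify($pass, $known ? $users[$user] : $dummy);

    if (!($known && $valid)) {
        return 'login.php?failed=1';
    }
    $session['username'] = $user;
    return 'members.php';
}

// Guard for the top of every protected page: null means the visitor went
// through the login procedure, otherwise the URL to send them to.
function require_login(array $session): ?string
{
    return is_string($session['username'] ?? null) ? null : 'login.php';
}

// Send the redirect and stop. Without exit the rest of the script keeps running
// and its output travels in the body of the redirect response.
function redirect(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// In a web request the pieces are used like this:
//   login.php:    session_start();
//                 $to = handle_login($_POST, $_SESSION, $users);
//                 if ($to === 'members.php') { session_regenerate_id(true); }
//                 redirect($to);
//   members.php:  session_start();
//                 if (($to = require_login($_SESSION)) !== null) { redirect($to); }

if (PHP_SAPI === 'cli') {
    // Constructed requests, run from the command line.
    $users = sample_users();
    $session = [];
    $joe = ['user' => 'Trucker Joe'];
    echo 'direct URL, no session:  ', require_login($session) ?? 'page shown', "\n";
    echo 'wrong password:          ', handle_login($joe + ['password' => 'guess'], $session, $users), "\n";
    echo 'array instead of string: ', handle_login(['user' => ['x'], 'password' => 'swordfish'], $session, $users), "\n";
    echo 'correct password:        ', handle_login($joe + ['password' => 'swordfish'], $session, $users), "\n";
    echo 'protected page again:    ', require_login($session) ?? 'page shown', "\n";
}
```

Calling session_regenerate_id(true) right after a successful login gives the authenticated session a fresh id, so an id that was known before login is no longer valid afterwards.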
Re: [PHP] Login
I would recommend using the include method. Redirects should always be second choice, because they are just evil. In this case I would disagree. On successful login it's normal to redirect to a useful page rather than just display a page that says congratulations, you're a real user. In the case of an unsuccessful login why would you need to include another file? Surely the logic that follows is part of the login script. Agreed. Flow could be described as this: Not logged in -- Login page -- Logged in Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. -- Richard Heyes HTML5 Graphing for FF, Chrome, Opera and Safari: http://www.phpguru.org/RGraph -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
!-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occasion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Ash www.ashleysheridan.co.uk
Re: [PHP] Login
On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occasion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. -- http://stut.net/
Re: [PHP] Login
On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: On Wed, 2008-10-08 at 16:33 -0400, Wolf wrote: !-- SNIP -- Redirects make sense IMO. IIRC the Yahoo guidelines say not to redirect after a form POST, but unless you have a ka-jillion page views a second (or, a lot), then I don't think it's a concern. Wait, Yahell has guidelines?!?!? You always have to look at the User Experience. You don't want to annoy or p!ss off your users or they will find a site like yours that doesn't p!ss them off. If it makes sense to re-direct the user after a successful login, then go ahead and do it. Of course, I don't care if I p!ss off someone who is trying to run malicious code on my site or find a hidden piece. Then a redirect to ratemypoo seems like a good idea to me! Wolf The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occasion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. I'm not against advertising, just this kind. It makes you sit through a 30 second long advert before you get to the sweet stuff. Now, I don't have a bandwidth limit, but what about those users who do? Inline adverts are better, and Google has them worked to a tee. If the model doesn't work for the big companies then, it's time to find a new model, but I think one in which the visitors to a site are treated like TV viewers is not the way to go.
Ash www.ashleysheridan.co.uk
Re: [PHP] Login
On 8 Oct 2008, at 22:05, Ashley Sheridan wrote: On Wed, 2008-10-08 at 21:45 +0100, Stut wrote: On 8 Oct 2008, at 21:44, Ashley Sheridan wrote: The only redirects that have p!ssed me off before are those ones that big sites put in to make room for their adverts. On more than one occasion I've decided to look elsewhere for whatever it was I was looking for, although it tends only to be game and (legal) download sites that do this. Yeah, I hate it when companies try to make a profit. Don't they know everything on the Internet is supposed to be free?!?!?!? Find your stuff elsewhere by all means, but don't slate sites for using advertising to pay for your FREE usage of their service. -Stut PS. For those sarcasm-detector-challenged out there the first paragraph was full of sarcasm. I'm not against advertising, just this kind. It makes you sit through a 30 second long advert before you get to the sweet stuff. Now, I don't have a bandwidth limit, but what about those users who do? Inline adverts are better, and Google has them worked to a tee. If the model doesn't work for the big companies then, it's time to find a new model, but I think one in which the visitors to a site are treated like TV viewers is not the way to go. I don't disagree that it's not the best model, but it is the best paying. Why? For precisely the reason you've stated - it interrupts what you're doing and forces you to pay attention to it. The reason game and download sites use them is because they pay enough to cover your usage of their site, whereas I'd bet standard banners would not. To make a reasonable amount of money from Google adwords you need a fairly sizable amount of traffic, and even then you won't pay for the scenario where every user downloads files 100's of meg in size. If you don't like it and you think it can be done less intrusively I urge you to go ahead and build a competitor. But don't expect to break even anytime soon.
In the meantime if it really bothers you that much I would recommend finding a site that lets you pay a monthly fee for ad-free access. -Stut -- http://stut.net/
Re: [PHP] Login
On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: I don't disagree that it's not the best model, but it is the best paying I have to disagree. Each and every time I've come across this, I've gone elsewhere. The model doesn't work as far as I can tell. I think the problem is the people who create the schemes aren't really aware of what the Internet can do; something similar to that guy in marketing asking why it's not possible to duplicate his A4 page, exactly as he set it out, as a web page. I don't have a better model, but something like that that's used on Experts Exchange doesn't go too badly with me. Targeted ads that don't get in my way. I'm more inclined to look at something that isn't shoved in my face. Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
On 8 Oct 2008, at 22:32, Ashley Sheridan wrote: On Wed, 2008-10-08 at 22:15 +0100, Stut wrote: I don't disagree that it's not the best model, but it is the best paying I have to disagree. Each and every time I've come across this, I've gone elsewhere. The model doesn't work as far as I can tell. It's not the best model but I can assure you it *does* work otherwise advertisers would not pay the rates such campaigns demand. I think the problem is the people who create the schemes aren't really aware of what the Internet can do; something similar to that guy in marketing asking why it's not possible to duplicate his A4 page, exactly as he set it out, as a web page. I don't have a better model, but something like that that's used on Experts Exchange doesn't go too badly with me. Targeted ads that don't get in my way. I'm more inclined to look at something that isn't shoved in my face. Like I said, I don't disagree, but you have to accept that ads that interrupt the user pay the best so for sites that are expensive to run, like download sites, they're economically sound. I find it interesting that you feel you have the right to criticise the people who create the schemes for not knowing any better, but you with all your knowledge of what the internet can do admit that you can't come up with a better model. Obviously, I'm a programmer, so I probably don't fall into the 'normal' category for advertising ;) You may think that but I've never come across any statistics that suggest that programmers or even technical people in general have a lower response rate to any form of advertising. I'm sure there are differences, but as a percentage of internet users we're insignificant for most websites these days, even when it comes to games. -Stut -- http://stut.net/
Re: [PHP] Login
What do you mean by open? You can redirect to a new page: http://us.php.net/header or You can include a file: http://us.php.net/include/ Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com Terry J Daichendt wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login
You can just use a header redirect. For example: if you are at login.php and the user is authorized, you could use

if ($auth === true) {
    header("Location: authed_page.php");
} else {
    header("Location: denied.php");
}

On Oct 7, 2008, at 5:44 PM, Terry J Daichendt [EMAIL PROTECTED] wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax?
Re: [PHP] Login
There is no such function! You have to write the code. On Wed, Oct 8, 2008 at 6:14 AM, Terry J Daichendt [EMAIL PROTECTED] wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? -- Nilesh Govindrajan ([EMAIL PROTECTED]) iTech7 Site and Server Administrator www.itech7.com
Re: [PHP] Login
On Wednesday 08 October 2008 06:14:33 am Terry J Daichendt wrote: I want to open a page if a login is correct and another if not. What is the function to open a page in PHP? Can you show me a simple example of the syntax? There is no such function. You have many options like redirecting a user- header('Location: newfile.php'); showing another file- include('newfile.php'); or using fopen to open a HTML file and print it (this one is very rarely used!).
Re: [PHP] Login without cookies enabled help
Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
[quote] On Tue , Thijs Lensselink [EMAIL PROTECTED] sent: Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php [/quote] Just be careful as sessions default to using cookies. Otherwise, pass the session id with the query string of links!! Alex -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
Well, as I said the cookies are disabled at the clients. Anybody any opinions? On Tue, Jul 15, 2008 at 7:23 PM, Thijs Lensselink [EMAIL PROTECTED] wrote: Quoting Shelley [EMAIL PROTECTED]: Hi all, What is your way to organize user login without Client Cookies being disabled? Sample code will be appreciated. Waiting for your reply... -- Regards, Shelley You can use sessions to store data on the server instead of the client. http://nl2.php.net/manual/en/ref.session.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Regards, Shelley
Re: [PHP] Login without cookies enabled help
On Tue, Jul 15, 2008 at 10:15 AM, Shelley [EMAIL PROTECTED] wrote: Well, as I said the cookies are disabled at the clients. Anybody any opinions? Yes, again, STFW before posting here. Google PHPSESSID. -- /Daniel P. Brown Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just $59.99/mo. with no contract! Dedicated servers, VPS, and hosting from $2.50/mo. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login without cookies enabled help
Yes, again, STFW before posting here. Google PHPSESSID. Call to undefined function Google(); -- /Daniel P. Brown :) -- Thiago Henrique Pojda
Re: [PHP] Login script problem
On Jan 5, 2008 11:50 AM, Reese [EMAIL PROTECTED] wrote: Daniel Brown wrote: Do you expect the value of $key in this condition to be a literal zero?

$twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3', 'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7');
$key = in_array($sPromocode,$twoyears);
if($key=='0')

I changed if($key=='0') to if(!isset($key=='1')) to see what effect that change might make, the server threw an error so I set it back to its original state:

Parse error: parse error, unexpected T_IS_EQUAL, expecting ',' or ')' in /[PATH]/login.php on line 16

That's because isset() isn't able to eval() an expression. Remove the !isset() part, or the =='1' part and that will remove the parse error. -- Daniel P. Brown [Phone Numbers Go Here!] [They're Hidden From View!] If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
Re: [PHP] Login script problem
Daniel Brown wrote: if(!isset($key=='1')) //caused parse error That's because isset() isn't able to eval() an expression. Got it, I see the mistake now. Remove the !isset() part, or the =='1' part and that will remove the parse error. I changed it to if(!isset($key)) and you were right, the parse error went away. This change seems to have no effect on access code logins (I'm able to log in, as expected) or IP-authenticated logins (I still cannot log in, even though my IP is in the MySQL db). Reese
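How the conditions tried in this exchange behave on the boolean that in_array() returns, and how a loose in_array() differs from a strict one for access codes, as an added example that is not Reese's login.php (which is not shown on this page). The code values and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed access codes (assumption); the thread only shows placeholders.
const TWO_YEAR_CODES = ['0e4821', 'K7M2QX', 'alphanumeric_code3'];

// Loose membership test, as in_array() behaves without its third argument.
function code_matches_loose($submitted, array $codes): bool
{
    return in_array($submitted, $codes);
}

// Strict membership test: same type and same bytes, and only for string input.
function code_matches_strict($submitted, array $codes): bool
{
    return is_string($submitted) && in_array($submitted, $codes, true);
}

// What each condition tried in the thread evaluates to for an in_array() result.
function thread_conditions(bool $key): array
{
    return [
        "\$key=='0'"   => $key == '0',   // bool vs string: '0' converts to false
        '!isset($key)' => !isset($key),  // $key holds a bool, so isset() is always true
        '!$key'        => !$key,         // the direct test for "code not in list"
    ];
}

if (PHP_SAPI === 'cli') {
    // '0e1' is not in the list, but it and '0e4821' are both numeric strings
    // equal to zero, so the loose comparison treats them as the same value.
    foreach (['K7M2QX', 'k7m2qx', '0e1', ['K7M2QX']] as $input) {
        printf("%-12s loose=%s strict=%s\n", json_encode($input),
            var_export(code_matches_loose($input, TWO_YEAR_CODES), true),
            var_export(code_matches_strict($input, TWO_YEAR_CODES), true));
    }
    foreach ([true, false] as $key) {
        echo var_export($key, true), ' => ', json_encode(thread_conditions($key)), "\n";
    }
}
```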
Re: [PHP] login and read ad email
On Saturday 05 January 2008 22:06:47 Yui Hiroaki wrote: HI! I try to login and read ad email in server. Does any one know how to do this? Below does not run correctly. right, the line: if( !eregi(OK, $line) ) // login faile?if( !eregi(OK, $line) ) //ogin faile? it looks just like this? without reading the code it strikes me as odd if it does. Regards, Yui p.s I try to see pop3 email. I can not find the example! ?php $host = abc.com; $port = 110; $user ='[EMAIL PROTECTED]'; $pwd ='password'; $fp = fsockopen($host, $port); // ログイン fputs($fp,USER $user\r\n); // USE $line = fgets($fp, 512); fputs($fp,PASS $pwd\r\n); // pwd $line = fgets($fp, 512); echo $line; if( !eregi(OK, $line) ) // login faile?if( !eregi(OK, $line) ) //ogin faile? { echo fail; fclose($fp); return false; } echo sucess; ? 2008/1/1, Richard Lynch [EMAIL PROTECTED]: PHP's IMAP module will cheerfully use POP if you insist on it. You don't have to READ the email with IMAP. You can just re-arrange all your folders or do whatever it is you want it to do... You keep asking the same questions, and I keep telling you IMAP will do it. maybe you should try it? On Mon, December 31, 2007 1:17 am, Yui Hiroaki wrote: Thank you! But I would like to use pop. Because I do not want display the email. I just access and get email. Please teach me some advise. Yui 2007/12/31, Richard Lynch [EMAIL PROTECTED]: On Sun, December 30, 2007 2:19 pm, Yui Hiroaki wrote: HI! I am trying to access qmail with php. Why! Because I would like to read mail who someone send an email me to qmail. If anyone knows the code, please send me the code. http://php.net/imap Sample Code: http://l-i-e.com/imap/index.phps Some spam filtering I set up to catch what slips through spam assasin and get the email sorted server-side rather than have my desktop client CHOKES trying to sort out thousands of emails upon login... -- Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. 
http://cdbaby.com/from/lynch Yeah, I get a buck. So? -- Børge Holen http://www.arivene.net -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script problem
On Jan 4, 2008 9:54 AM, Reese [EMAIL PROTECTED] wrote: Greetings, I've been lurking for several weeks, I thought I'd post to describe a problem I've been having in the hope that a solution can be found. And my thanks to Casey, for his offlist assistance with another, unrelated issue earlier this week. :-) [snip=all] Reese, While I noticed several areas for improvement in the code (such as being sure to exit; after calling header(Location: ); ), two things primarily come to mind: Do you expect the value of $key in this condition to be a literal zero? $twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3', 'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7'); $key = in_array($sPromocode,$twoyears); if($key=='0') Also, what about ISPs such as AOHell who use fully-dynamic IP proxies that change on location, at time intervals, and are interspersed with random changes? Even putting that into a range won't help, as it's likely the IP will only have the network prefix (and perhaps the same Class B slot). -- Daniel P. Brown [Phone Numbers Go Here!] [They're Hidden From View!] If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script problem
Web Design Company wrote: Someone? Me31!1!1ONE Please, if you do not need amplifying information or if you do not intend to pose a suggestion, it is better to remain silent. I wasn't helped by your Someone? post, no one else was either. Reese -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script problem
Someone? - http://ooyes.net Web design company | http://ooyes.net Graphic design company | http://ooyes.net Outsourcing company -- View this message in context: http://www.nabble.com/Login-script-problem-tp14618073p14618942.html Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script problem
Daniel Brown wrote: [snip=all] Reese, While I noticed several areas for improvement in the code (such as being sure to exit; after calling header(Location: ); ), two things primarily come to mind: Do you expect the value of $key in this condition to be a literal zero? $twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3', 'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7'); $key = in_array($sPromocode,$twoyears); if($key=='0') No, it should either be 1 if set or NULL(?) if not set, there is nothing to set that value to 0 - only this check to see if it is == to 0. Is this another area, like the one Casey helped with earlier, where '!empty' was being used instead of 'isset'? The programmer is aware that improvement is possible and we've had some discussions in that regard, but owing to this being a for a friend item and his currently declared job demands, either he is truly swamped or he is brushing me off. I'm willing to give him benefit of the doubt, until I'm confronted with evidence to the contrary. Also, what about ISPs such as AOHell who use fully-dynamic IP proxies that change on location, at time intervals, and are interspersed with random changes? Even putting that into a range won't help, as it's likely the IP will only have the network prefix (and perhaps the same Class B slot). That's an area where I left detail out, my apologies. The dual login mechanisms are geared towards accommodating this, AOHell users will tend to be individual entities and the 'access code' mechanism is geared towards them. Meanwhile, entities with static, assigned IP addresses such as libraries on city networks are meant to be given IP-based access, hence the other login validation method (which isn't working quite right). Reese -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
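The in_array() check discussed in this thread, as an added example that is not code from either poster: it shows what in_array() actually returns, why the posted `== '0'` test still behaves as "not found", and what the strict form changes for an access code. The code list is constructed (the thread elides the real codes), and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed list: the thread shows its codes only as 'alphanumeric_codeN';
// '1000' is added here to show what a numeric-looking code does.
$twoyears = ['alphanumeric_code1', 'alphanumeric_code2', '1000'];

/** The check as posted: true means "code not in the list". */
function rejectedAsPosted(string $sPromocode, array $twoyears): bool
{
    $key = in_array($sPromocode, $twoyears); // always a bool, never 1, NULL or 0
    return $key == '0';                      // loose: false == '0' holds, true == '0' does not
}

/** Strict membership: the submitted string must be identical to a stored code. */
function accepted(string $sPromocode, array $twoyears): bool
{
    return in_array($sPromocode, $twoyears, true);
}

// Constructed inputs: a listed code, an unlisted one, and two strings that are
// numerically equal to '1000' without being the same string.
foreach (['alphanumeric_code1', 'nope', '1e3', '1000.0'] as $input) {
    printf(
        "%-22s posted check accepts: %-5s  strict check accepts: %s\n",
        var_export($input, true),
        var_export(!rejectedAsPosted($input, $twoyears), true),
        var_export(accepted($input, $twoyears), true)
    );
}
```

Without the third argument, in_array() compares with `==`, so two numeric-looking strings are compared as numbers; purely alphanumeric codes are unaffected, but the strict form removes the dependence on what the codes happen to look like.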
Re: [PHP] Login script problem
On Jan 4, 2008 11:55 AM, Reese [EMAIL PROTECTED] wrote: Web Design Company wrote: Someone? Me31!1!1ONE Please, if you do not need amplifying information or if you do not intend to pose a suggestion, it is better to remain silent. I wasn't helped by your Someone? post, no one else was either. It's just some jackass who's replying to random posts to SPAM the links in his/her signature, I'm sure. Ridiculous posts have been made in other threads from Web Design Company as well. -- Daniel P. Brown [Phone Numbers Go Here!] [They're Hidden From View!] If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login page error
On Mon, June 11, 2007 9:28 pm, Humani Power wrote: Hi! Im trying to make a login page. I have searched for examples that makes me check the user name with a database, and the one that suits better is this code. // Perhaps you have a BLANK LINE right here? // Even a BLANK LINE counts as output. // Or, perhaps you are include-ing this file from somewhere else? // ANY output before that include also counts. // It's also remotely possible that you have an auto_prepend set up. // That is incredibly unlikely, and mentioned only for completeness sake ? session_start(); // start session. ? !-- header tags, edit to match your own, or include template header *Warning*: session_start() [function.session-start http://localhost/apache2-default/function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/apache2-default/visual_imag.php:2) in */var/www/apache2-default/connection/login.php* on line *2 I have searched for possible answers, and all I have found is that I should not send any output before the session_start(); But in this code the session_start(); output is before anything else. can you give me a tip? Tip: READ the error message again. It tells you EXACTLY where the output happened. [I requested that feature years ago :-)] Your real problem is in visual_imag.php on line 2. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login page error
On Mon, 2007-06-11 at 21:28 -0500, Humani Power wrote: [-- SNIIP --] I have searched for possible answers, and all I have found is that I should not send any output before the session_start(); But in this code the session_start(); output is before anything else. can you give me a tip? Look through the source files and make sure you have no spaces or content preceding ? and no spaces or content trailing ? These count as output. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login page error
The error comes from having output before the session_start(). This means that anything before the ? would be output. Even a single empty space. Janet Humani Power wrote: Hi! Im trying to make a login page. I have searched for examples that makes me check the user name with a database, and the one that suits better is this code. ? session_start(); // start session. ? !-- header tags, edit to match your own, or include template header file. -- html head titleLogin/title head body ? if(!isset($username) | !isset($password)) { // escape from php mode. ? form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}? method=POST p align=centerMembers only. Please login to access this document./p table align=center border=0 tr th Username: /th th input type=text name=username /th /tr tr th Password: /th th input type=password name=password /th /tr tr th colspan=2 align=right input type=submit value=Login /form /th /tr /table /body /html ? exit(); } // If all is well so far. session_register(username); session_register(password); // register username and password as session variables. // Here you would check the supplied username and password against your database to see if they exist. // For example, a MySQL Query, your method may differ. $sql = mysql_query(SELECT password FROM user_table WHERE username = '$username'); $fetch_em = mysql_fetch_array($sql); $numrows = mysql_num_rows($sql); if($numrows != 0 $password == $fetch_em[password]) { $valid_user = 1; } else { $valid_user = 0; } // If the username exists and pass is correct, don't pop up the login code again. // If info can't be found or verified if (!($valid_user)) { session_unset(); // Unset session variables. session_destroy(); // End Session we created earlier. // escape from php mode. ? form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}? method=POST p align=centerIncorrect login information, please try again. 
You must login to access this document./p table align=center border=0 tr th Username: /th th input type=text name=username /th /tr tr th Password: /th th input type=password name=password /th /tr tr th colspan=2 align=right input type=submit value=Login /form /th /tr /table /body /html ? exit(); } ? After this, I have only included on a file that has this code ?php include_once 'connection/login.php'; ? But when I try to see it in a browser I got the error *Warning*: session_start() [function.session-start http://localhost/apache2-default/function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/apache2-default/visual_imag.php:2) in */var/www/apache2-default/connection/login.php* on line *2 I have searched for possible answers, and all I have found is that I should not send any output before the session_start(); But in this code the session_start(); output is before anything else. can you give me a tip? Thanks in advance. Yamil * -- Janet Valade -- janet.valade.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
- Original Message - From: Dave Carrera [EMAIL PROTECTED] Hi All, Having a grey brain moment here and need some advise on the logic of this, should be simple, login script. I am checking validity of customer number customer email customer password (md5 in mysql) So i have my form with relevant fields Now i am getting problems with either sql or how i am handling , and showing, and errors. I think what i am asking is this If someone just hits the login button show error All fields must be entered If customer number dose not excist show relevant error If customer number ok but email not show error If customer number ok but email ok but password is not show error In login scripts you usually don't tell which part of the login is wrong, otherwise, you are hinting at what is right. Once the customer is logged in, you are right to be as helpful as possible, but until the customer proves who he/she is, you don't give away anything. Satyam If all is ok set sessions, got this ok, and proceed. Any help with with this is very much appreciated. Kind Regards Dave C -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
Dave Carrera wrote: Hi All, Having a grey brain moment here and need some advise on the logic of this, should be simple, login script. I am checking validity of customer number customer email customer password (md5 in mysql) So i have my form with relevant fields Now i am getting problems with either sql or how i am handling , and showing, and errors. I think what i am asking is this If someone just hits the login button show error All fields must be entered If customer number dose not excist show relevant error If customer number ok but email not show error If customer number ok but email ok but password is not show error If all is ok set sessions, got this ok, and proceed. Any help with with this is very much appreciated. Kind Regards Dave C I'm not totally clear what the question was in there. Personally I keep this simple... ?php $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : ''); $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : ''); if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password'])) { die('All fields must be entered'); } // Find the customer/user/whatever you need from the given details if (not found) { die('Unable to locate customer/user/whatever'); } // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
Hi Stut, I think i have found where i am going wrong. Its in the comparison login for the db result. So i select * from jfjfjfjf where custno=$_POST[number] But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error And i dont think i am comparing the db result with the $_POST correctly Struggling here a bit :-( Dave C Stut wrote: Dave Carrera wrote: Hi All, Having a grey brain moment here and need some advise on the logic of this, should be simple, login script. I am checking validity of customer number customer email customer password (md5 in mysql) So i have my form with relevant fields Now i am getting problems with either sql or how i am handling , and showing, and errors. I think what i am asking is this If someone just hits the login button show error All fields must be entered If customer number dose not excist show relevant error If customer number ok but email not show error If customer number ok but email ok but password is not show error If all is ok set sessions, got this ok, and proceed. Any help with with this is very much appreciated. Kind Regards Dave C I'm not totally clear what the question was in there. Personally I keep this simple... ?php $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : ''); $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : ''); if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password'])) { die('All fields must be entered'); } // Find the customer/user/whatever you need from the given details if (not found) { die('Unable to locate customer/user/whatever'); } // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
On p, 2007-02-02 at 12:10 +, Dave Carrera wrote: Hi Stut, I think i have found where i am going wrong. Its in the comparison login for the db result. So i select * from jfjfjfjf where custno=$_POST[number] But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error because you get an empty result set if no match is found so check it like if ($row = mysql_fetch_array($result)) { // ok, found } else { // not found, error } or whatever sql you use hope that helps Zoltán Németh And i dont think i am comparing the db result with the $_POST correctly Struggling here a bit :-( Dave C Stut wrote: Dave Carrera wrote: Hi All, Having a grey brain moment here and need some advise on the logic of this, should be simple, login script. I am checking validity of customer number customer email customer password (md5 in mysql) So i have my form with relevant fields Now i am getting problems with either sql or how i am handling , and showing, and errors. I think what i am asking is this If someone just hits the login button show error All fields must be entered If customer number dose not excist show relevant error If customer number ok but email not show error If customer number ok but email ok but password is not show error If all is ok set sessions, got this ok, and proceed. Any help with with this is very much appreciated. Kind Regards Dave C I'm not totally clear what the question was in there. Personally I keep this simple... ?php $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : ''); $_POST['email'] = (isset($_POST['email']) ? 
trim($_POST['email']) : ''); if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password'])) { die('All fields must be entered'); } // Find the customer/user/whatever you need from the given details if (not found) { die('Unable to locate customer/user/whatever'); } // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
Stut wrote: I'm not totally clear what the question was in there. Personally I keep this simple... ?php $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : ''); $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : ''); if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password'])) { die('All fields must be entered'); } // Find the customer/user/whatever you need from the given details if (not found) { die('Unable to locate customer/user/whatever'); } // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. -Stut be aware that you need a session_write_close(); before header('Location... or the session data might not be written to disk! just my 2 cent -- View this message in context: http://www.nabble.com/Login-script-login-tf3160341.html#a8766588 Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
On Fri, February 2, 2007 5:19 am, Dave Carrera wrote:
> Having a grey brain moment here and need some advice on the logic of
> this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and
> showing, and errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error All fields must be
> entered

// Collected error messages; stays empty when the login is good
$messages = array();

$customer_number = (int) (isset($_POST['customer_number']) ? $_POST['customer_number'] : 0);
$customer_email = isset($_POST['customer_email']) ? $_POST['customer_email'] : '';
$customer_password = isset($_POST['customer_password']) ? $_POST['customer_password'] : '';

if (!$customer_number || !strlen($customer_email) || !strlen($customer_password)){
  $messages[] = "All fields are required";
}
else{
  // Escape every value before it goes into the query text
  $customer_number_sql = mysql_real_escape_string($customer_number);
  $customer_email_sql = mysql_real_escape_string($customer_email);
  $customer_password_sql = mysql_real_escape_string($customer_password);
  $query = "select ";
  $query .= "email = '$customer_email_sql' as email_ok ";
  $query .= ", password = md5('$customer_password_sql') as password_ok ";
  $query .= "FROM customer ";
  $query .= "WHERE customer_number = $customer_number_sql ";
  $customer_info = mysql_query($query) or die(mysql_error());
  if (!mysql_num_rows($customer_info)){
    $messages[] = "Invalid Customer Number";
  }
  else{
    list($email_ok, $password_ok) = mysql_fetch_row($customer_info);
    if (!$email_ok) $messages[] = "Invalid Email";
    elseif (!$password_ok) $messages[] = "Invalid Password";
  }
}
if (count($messages)) echo "<div class=\"error\"><p>", implode("</p>\n<p>", $messages), "</p></div>\n";
else require 'proceed.inc';

--
Some people have a gift link here. Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
On Fri, February 2, 2007 5:33 am, Satyam wrote: In login scripts you usually don't tell which part of the login is wrong, otherwise, you are hinting at what is right. Once the customer is logged in, you are right to be as helpful as possible, but until the customer proves who he/she is, you don't give away anything. Satyam is correct: It's more secure to not indicate when the username was incorrect differently from an incorrect password. But it's definitely also (very much) less user-friendly. For example, in seldom-used applications where the user is very likely to forget their username, such as 99% of the stupid websites that require me to register for something that needs no security in the first place, it's a royal pain in the ass. :-) You have to balance Security against Usability and make an informed intelligent decision. I also wondered why you have an ID number that somebody is supposed to remember, and an email, when either one should be sufficient for most applications, but it was easier to type out an answer than to get you to re-think your design decisions. :-) -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
If you are splicing $_POST directly into your SQL, you are DEFINITELY doing it wrong, but not in the way that you think. Start reading here: http://phpsec.org On Fri, February 2, 2007 6:10 am, Dave Carrera wrote: Hi Stut, I think i have found where i am going wrong. Its in the comparison login for the db result. So i select * from jfjfjfjf where custno=$_POST[number] But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error And i dont think i am comparing the db result with the $_POST correctly Struggling here a bit :-( Dave C Stut wrote: Dave Carrera wrote: Hi All, Having a grey brain moment here and need some advise on the logic of this, should be simple, login script. I am checking validity of customer number customer email customer password (md5 in mysql) So i have my form with relevant fields Now i am getting problems with either sql or how i am handling , and showing, and errors. I think what i am asking is this If someone just hits the login button show error All fields must be entered If customer number dose not excist show relevant error If customer number ok but email not show error If customer number ok but email ok but password is not show error If all is ok set sessions, got this ok, and proceed. Any help with with this is very much appreciated. Kind Regards Dave C I'm not totally clear what the question was in there. Personally I keep this simple... ?php $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : ''); $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : ''); if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password'])) { die('All fields must be entered'); } // Find the customer/user/whatever you need from the given details if (not found) { die('Unable to locate customer/user/whatever'); } // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. 
-Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
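Two points made in this thread, a single failure message whatever field was wrong (Satyam) and no $_POST values spliced into the SQL (Richard Lynch), combined in an added example that is not code from any of the posters. It assumes PDO with the SQLite driver, a constructed `customer` table, and PHP's password_hash()/password_verify() in place of the thread's MD5 column; `attemptLogin` is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Assumption: PDO with the SQLite driver, in memory, so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (
    customer_number INTEGER PRIMARY KEY,
    email           TEXT NOT NULL,
    password_hash   TEXT NOT NULL
)');

// Constructed sample customer.
$insert = $db->prepare('INSERT INTO customer VALUES (:number, :email, :hash)');
$insert->execute([
    ':number' => 1001,
    ':email'  => 'dave@example.com',
    ':hash'   => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Returns the customer number on success and null on any failure.
 * The caller never learns which of the three fields was wrong.
 */
function attemptLogin(PDO $db, string $number, string $email, string $password): ?int
{
    // Verified when no row matches, so an unknown customer costs about the
    // same time as a known customer with a wrong password.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // "All fields must be entered", plus a shape check on the number.
    if (!ctype_digit($number) || strlen($number) > 9 || $email === '' || $password === '') {
        return null;
    }

    // Values are bound as parameters; they never become part of the SQL text.
    $stmt = $db->prepare(
        'SELECT customer_number, password_hash
           FROM customer
          WHERE customer_number = :number AND email = :email'
    );
    $stmt->execute([':number' => (int) $number, ':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row === false) ? $dummyHash : $row['password_hash'];
    $passwordOk = password_verify($password, $hash);

    return ($row !== false && $passwordOk) ? (int) $row['customer_number'] : null;
}

// Constructed attempts: one valid, then one wrong field at a time, then an
// email containing a quote character to show it is treated as plain data.
$attempts = [
    ['1001', 'dave@example.com',    'correct horse'],
    ['1001', 'dave@example.com',    'wrong password'],
    ['1001', 'other@example.com',   'correct horse'],
    ['9999', 'dave@example.com',    'correct horse'],
    ['1001', "dave@example.com' --", 'correct horse'],
    ['',     '',                    ''],
];

foreach ($attempts as [$number, $email, $password]) {
    $customer = attemptLogin($db, $number, $email, $password);
    echo $customer === null
        ? "Login failed. Check your customer number, email and password.\n"
        : "Logged in as customer $customer\n";
}
```

The detail of which check failed can still go to a server-side log for support; only the response to the browser stays uniform.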
Re: [PHP] Login script login
On Fri, February 2, 2007 7:05 am, Jürgen Wind wrote: // Set up the session here, or however you're tracking the // current customer/user/whatever header('Location: /somewhere_else'); ? Hope that helps. -Stut be aware that you need a session_write_close(); before header('Location... or the session data might not be written to disk! If we're gonna get picuyane... The Location header technically requires a full URL. And using a re-direct instead of an include is a shocking waste of HTTP resources imho, but that may not matter if traffic is low. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
Richard Lynch wrote: And using a re-direct instead of an include is a shocking waste of HTTP resources imho, but that may not matter if traffic is low. I generally redirect there because on occasion the login process does stuff like clear out potentially pre-existing session data from another part of the site. Having it happen again because of the user refreshing the page needs to be avoided. The redirect accomplishes this. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] login script
Ross wrote:
> first how do I check two tables is it?
>
> $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND
> userpass = '$userpass'";

That depends on what you are trying to achieve. Your example makes no sense at all. What are you trying to get from each table? How are they linked? etc! However, since this is a PHP list I suggest you try Googling for an introductory SQL tutorial or a SQL mailing list.

> Secondly my table just sends and returns straight values from the db but I
> expect some kind of encryption is required. What is a simple, secure method.
> md5() or another method. Do I store an encrypted file on the server and just
> decrypt it at the php page.
>
> my auth script at present
>
> <?php
> session_start();
> $auth = false; // Assume user is not authenticated
> $username = $_REQUEST['username'];
> $userpass = $_REQUEST['userpass'];
> if (isset($username) && isset($userpass)) {
>     $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";
>     // Execute the query and put results in $result
>     $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
>     // Get number of rows in $result.
>     $num_rows = mysql_num_rows($result);
>     if($num_rows == 0) {
>     }
>     else {
>         $_SESSION['username'] = $username;
>         $_SESSION['userpass'] = $userpass;
>         header("Location: disclaimer.php");
>         $auth = true;
>     }
> }

If that's your login script you have bigger problems than securing the passwords in the database. There is no escaping applied to the username and password you get from the browser - this is a massive security hole. See http://php.net/mysql_real_escape_string about that one.

As far as securing the password goes, the most common approach is to store the MD5 hash in the DB. What you want is something like this...

<?php
session_start();
$auth = false; // Assume user is not authenticated
$username = $_REQUEST['username'];
$userpass = $_REQUEST['userpass'];
if (!empty($username) && !empty($userpass)) {
    $sql = "SELECT * FROM mytable WHERE username = '".mysql_real_escape_string($username)."' AND userpass = md5('".mysql_real_escape_string($userpass)."')";
    // Execute the query and put results in $result
    $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
    // Get number of rows in $result.
    if (mysql_num_rows($result) == 0) {
        // Login failed, blah blah blah
    }
    else {
        $_SESSION['username'] = $username;
        $_SESSION['userpass'] = $userpass;
        header("Location: disclaimer.php");
        $auth = true;
    }
}
?>

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] login script
On 15/08/06, Ross [EMAIL PROTECTED] wrote: Hello, I have a couple of questions first how do I check two tables is it? $sql = SELECT * FROM mytable, mytable2 WHERE username = '$username' AND userpass = '$userpass'; Secondly my table just sends and returns straight values from the db but I expect some kind of encription is required. What is a simple, secure method. md5() or another method. Do I store an encypted file on the server and just decrypt it at the php page. my auth script at present ?php session_start(); $auth = false; // Assume user is not authenticated $username= $_REQUEST['username']; $userpass= $_REQUEST['userpass']; if (isset($username) isset($userpass)) { $sql = SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'; // Execute the query and put results in $result $result = mysql_query( $sql ) or die ( 'Unable to execute query.' ); // Get number of rows in $result. $num_rows = mysql_num_rows($result); if($num_rows == 0) { } else { $_SESSION['username']= $username; $_SESSION['userpass']= $userpass; header(Location: disclaimer.php); $auth = true; } } Question 1 - you are doing a join so there has to be a linking index between the two table ie select * from table1, table2 where table1.id = table2.userid (for example). Question 2 - md5 is sufficient, depends on what your are storing (ie credit card numbers may require a stronger encyption method. To check: $pass = md5(password); select * from table 1 where password = '$pass'; I think the php and mysql md5 functions differ but I may be wrong! -- http://www.web-buddha.co.uk http://www.projectkarma.co.uk
Re: [PHP] login script
I would hope that MD5 hashing is MD5 hashing no matter where it originates. However, I think it's better to use the database server's implementation. I believe it is less likely to be changed in future versions, and it removes some processing time from the front end. Additionally, if you ever move away from PHP, you have one less line of platform-specific code to change. On 8/15/06, Dave Goodchild [EMAIL PROTECTED] wrote: $pass = md5(password); select * from table 1 where password = '$pass'; I think the php and mysql md5 functions differ but I may be wrong! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] login script
On Tue, August 15, 2006 5:37 am, Ross wrote:
> I have a couple of questions
>
> first how do I check two tables is it?

You probably should not have 2 tables at all.

Both username and password would normally be stored in a single record in the same table

CREATE TABLE user (
  user_id int(11) auto_increment unique not null primary key,
  username text,
  password text
);
/* You'd probably have other fields like name, address, email, etc */

> $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND
> userpass = '$userpass'";

So it would just be:
FROM user WHERE username = '$username' AND password = '$userpass'

Second, SELECT * is Evil, for various reasons. You can Google and find the debates about it.

> Secondly my table just sends and returns straight values from the db but I
> expect some kind of encryption is required. What is a simple, secure method.
> md5() or another method. Do I store an encrypted file on the server and just
> decrypt it at the php page.

You never ever ever actually decrypt it.

But wait, you say, how can that work?!

It's quite simple, really.

The whole purpose of a one-way encryption is that you only store the ENCRYPTED result.

Later, the user then has to put in the correct password, and you one-way encrypt that, and you compare the ENCRYPTED values.

Either the encrypted values match, or the password is wrong.

You can almost think of the ENCRYPTED value as being like a lock to which there is only one key that fits -- the password. To test if the key fits the lock, you don't make another copy of the key -- You just encrypt it, and see if it matches the shape of the lock.

MD5 would be a perfectly reasonable one-way encryption scheme.

So if the password was 'foo', then your MD5-encrypted value would be:
acbd18db4cc2f85cedef654fccc4a4d8

Your database would have 'acbd18db4cc2f85cedef654fccc4a4d8' stored in it.

When they login, you do:
SELECT user_id, username FROM user WHERE username = '$username' AND password = md5('$userpass')

Either the MD5 of their input ('foo') is the correct value you have stored:
acbd18db4cc2f85cedef654fccc4a4d8
or they have the wrong password/key, and you should not let them in.

> <?php
> session_start();
> $auth = false; // Assume user is not authenticated
> $username = $_REQUEST['username'];
> $userpass = $_REQUEST['userpass'];
> if (isset($username) && isset($userpass)) {
>     $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";

Yikes!

You REALLY need to read about SQL-injection here:
http://phpsec.org/
and start using this function:
http://php.net/mysql_real_escape_string

Also, your $username and $userpass should be constrained at all times to very specific validation rules. Can't be blank. Must be at least X characters. (you pick a nice X) Passwords should probably contain at least one non-alpha character.

>     // Execute the query and put results in $result
>     $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );

or die() is a great simple way to demonstrate the basics of code.

It's not something you would really really want to use on a production server, unless you are 100% sure that you've turned off display-errors and are logging your errors and you have a process in place to examine the logs...

Something like http://php.net/set_error_handler and http://php.net/trigger_error would be more appropriate for real code.

>     // Get number of rows in $result.
>     $num_rows = mysql_num_rows($result);
>     if($num_rows == 0) {
>     }
>     else {
>         $_SESSION['username'] = $username;
>         $_SESSION['userpass'] = $userpass;
>         header("Location: disclaimer.php");

Instead of a header(Location:) which has some issues involved, you could just do:
require 'disclaimer.php';
exit;

>         $auth = true;

This doesn't do anything, at least not with your current code, nor with anything I've suggested here...

>     }
> }

--
Like Music?
http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
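The login flow from the message above, as an added example that is not code from the thread: it keeps the store-the-hash, compare-the-hash idea, but binds the input through PDO placeholders instead of building the SQL string, and swaps MD5 for PHP's password_hash()/password_verify(), which produce a salted, deliberately slow hash. The in-memory SQLite database, the function names and the length limits are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table and columns follow the CREATE
// TABLE in the message; the SQLite database, names and limits are assumptions.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');
    return $db;
}

// "Can't be blank. Must be at least X characters": X = 8 is an assumption.
function valid_format(string $username, string $password): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) === 1
        && strlen($password) >= 8
        && preg_match('/[^A-Za-z]/', $password) === 1; // one non-alpha character
}

function register_user(PDO $db, string $username, string $password): bool
{
    if (!valid_format($username, $password)) {
        return false;
    }
    // Only the one-way hash is stored; it is never decrypted.
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): ?int
{
    // The placeholder keeps the input out of the SQL text. The hash is salted,
    // so the row is fetched by username and compared in PHP, not in the WHERE.
    $stmt = $db->prepare('SELECT user_id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user and wrong password are reported alike
    }
    return (int) $row['user_id'];
}
$db = open_demo_db();
register_user($db, 'ross', 'foo-bar-2006');      // constructed sample account
var_dump(login($db, 'ross', 'foo-bar-2006'));    // correct password
var_dump(login($db, 'ross', 'foo'));             // wrong password
var_dump(login($db, "o'brien", 'foo-bar-2006')); // quote in the input is only data
```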
Re: [PHP] login script
On Tue, August 15, 2006 5:51 am, Dave Goodchild wrote:
> I think the php and mysql md5 functions differ but I may be wrong!

You are wrong. :-)

The whole point of MD5 is that MD5 is MD5, no matter where you go.

Even ASP MD5 is the same as PHP MD5. Except it probably sucks for being too slow or you have to pay for it or something. :-)

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] login problem
Dear SK,

alternately, close previously opened A/C and allow current one. this is similar to wat yahoo messenger does and is a good safety measure.

1. If u use this technique, ur problem of shutdown would be solved.
2. Alternately, maintain sessions (using session ID) in PHP.
2a. Or just monitor user activity periodically. If no activity for x minutes, log the user off. Keep an activity counter, and run a script in the background, to reduce the counter ever y minutes. On activities like click, mouse movement, page request, etc, increment the counter. Think semaphores in Linux...
3. Try AJAX. You can keep sessions alive from server side. When no feedback is received, log the user off.

KM

P.S. Pls send mails to the group rather than to me.

On 6/26/06, suresh kumar [EMAIL PROTECTED] wrote:
> Tnxs for ur reply, i am very happy to receive response from u. I am storing all the user account in my database. I am facing one problem. Suppose i am setting a flag for that login user. suddenly if there is any power shutdown or user forgot to logout. then the flag always be set. In MySQL is there any query is available for automatic update. I am waiting for ur response
>
> A.suresh
>
> *kartikay malhotra [EMAIL PROTECTED]* wrote:
>> strange problem, but very similar to links in linux. you must be maintaining a database or a record file. u can maintain all links ('users' as u put it) for a given user. if a user logs in through any of his accounts, check if he/she is logged in another A/C and stop this one. else, allow log-in and set a flag.
>>
>> alternately, close previously opened A/C and allow current one. this is similar to wat yahoo messenger does and is a good safety measure.
>>
>> Q. why do you want to assign more than one A/C anyway? and if its an invitation to someone else, then you MUST not stop that new person. he would be a valid subscriber, won't he?
>>
>> No PHP here :(, guys would frown...
>>
>> KM
>>
>> On 6/24/06, suresh kumar wrote:
>>> Hi,
>>> I am facing one problem. i previously mailed, but there is no response, its running out of time. i want to implement that logic as soon as possible. This is my problem
>>>
>>> We are developing an online software for displaying ads in big mall. I want to restrict only one user can login to his own account at that particular time. suppose users1 created a new user users2 for another user. If user1 login to the users2 account and at that same time i want to restrict user2 for log in to his account. i want at a time only one user can access his account. I am waiting response from u
>>>
>>> A.suresh
Re: [PHP] login problem
strange problem, but very similar to links in linux. you must be maintaining a database or a record file. u can maintain all links ('users' as u put it) for a given user. if a user logs in through any of his accounts, check if he/she is logged in another A/C and stop this one. else, allow log-in and set a flag.

alternately, close previously opened A/C and allow current one. this is similar to wat yahoo messenger does and is a good safety measure.

Q. why do you want to assign more than one A/C anyway? and if its an invitation to someone else, then you MUST not stop that new person. he would be a valid subscriber, won't he?

No PHP here :(, guys would frown...

KM

On 6/24/06, suresh kumar [EMAIL PROTECTED] wrote:
> Hi,
> I am facing one problem. i previously mailed, but there is no response, its running out of time. i want to implement that logic as soon as possible. This is my problem
>
> We are developing an online software for displaying ads in big mall. I want to restrict only one user can login to his own account at that particular time. suppose users1 created a new user users2 for another user. If user1 login to the users2 account and at that same time i want to restrict user2 for log in to his account. i want at a time only one user can access his account. I am waiting response from u
>
> A.suresh
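One way to combine the suggestions in this thread (a login flag, a session ID and an activity timeout), as an added example that is not code from any of the posters: the flag becomes a row holding the session ID and the time of the last request, so a flag left behind by a power cut expires by itself and no background script is needed. The table, the function names, the 15-minute limit and the use of in-memory SQLite in place of MySQL are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The table, the function names and
// the 15-minute limit are assumptions; in-memory SQLite stands in for MySQL.
const IDLE_LIMIT = 900; // seconds of silence before a login counts as dead

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE active_login (user_id INTEGER PRIMARY KEY,
        session_id TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}

// Claim the account for $sessionId. Refused only while a different session
// was seen within IDLE_LIMIT; a stale row (power cut, no logout) is replaced.
function claim_login(PDO $db, int $userId, string $sessionId, int $now): bool
{
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT session_id, last_seen FROM active_login WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $busy = $row !== false
        && !hash_equals((string) $row['session_id'], $sessionId)
        && $now - (int) $row['last_seen'] <= IDLE_LIMIT;
    if (!$busy) {
        $db->prepare('REPLACE INTO active_login (user_id, session_id, last_seen)
            VALUES (?, ?, ?)')->execute([$userId, $sessionId, $now]);
    }
    $db->commit();
    return !$busy;
}

// Call on every page request; false means timed out or replaced by another login.
function still_logged_in(PDO $db, int $userId, string $sessionId, int $now): bool
{
    $stmt = $db->prepare('UPDATE active_login SET last_seen = ?
        WHERE user_id = ? AND session_id = ? AND last_seen >= ?');
    $stmt->execute([$now, $userId, $sessionId, $now - IDLE_LIMIT]);
    return $stmt->rowCount() === 1;
}
$db = open_demo_db();
$t  = 1151300000; // constructed timestamp and session ids
var_dump(claim_login($db, 2, 'sess-A', $t));            // first login
var_dump(claim_login($db, 2, 'sess-B', $t + 60));       // second login while A is active
var_dump(still_logged_in($db, 2, 'sess-A', $t + 120));  // request from A
var_dump(claim_login($db, 2, 'sess-B', $t + 2000));     // A silent for over 15 minutes
var_dump(still_logged_in($db, 2, 'sess-A', $t + 2010)); // late request from A
```

On MySQL, rowCount() after an UPDATE counts changed rows rather than matched rows unless the connection is opened with PDO::MYSQL_ATTR_FOUND_ROWS, so two requests within the same second need that option set.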
Re: [PHP] Login is not working. Please help....
You do know your code is open for sql injection attacks.

php.net search for sql injection and session spoofing

HTH

Andy

On Friday 14 October 2005 09:25, Jochem Maas wrote:
> try some code indentation to make it more readable.
> someone else pointed you to the 'user' 'name' mismatch already I see.
>
> twistednetadmin wrote:
>> ...
>> session_start();
>> switch (@$_GET['action']) // Gets set by the form action
>> {
>> case "login":
>> $sql = "SELECT name FROM DB WHERE name='$_POST[user]'";
>> $result = mysql_query($sql) or die("Couldn't execute query.");
>> $num = mysql_num_rows($result);
>> if ($num == 1) // loginname found
>> {
>> $sql = "SELECT name FROM DB WHERE name='$_POST[user]' AND pass=password('$_POST[pass]')";
>> $result2 = mysql_query($sql) or die("Couldn't execute query 2.");
>> $num2 = mysql_num_rows($result2);
>> if ($num2 > 0) // password is correct
>> {
>> $_SESSION['auth']="yes";
>> $logname=$_POST['user'];
>> $_SESSION['logname'] = $logname;
>> header("Location: page1.php");
>> }
>> else // password is not correct
>> {
>> unset($action);
>> header("Location: loginerror.php");
>> }
>> }
>> elseif ($num == 0) // Wrong name. Name not in db
>> {
>> unset($action);
>> header("Location: loginerror.php");
>> }
>> }
>> ...

--
Now listening to on amaroK
Geek code: www.vlaamse-kern.com/geek
Registered Linux User No 379093
If life was for sale, what would be its price?
www.vlaamse-kern.com/sas/ for free php utilities
Re: [PHP] Login is not working. Please help....
try some code indentation to make it more readable.
someone else pointed you to the 'user' 'name' mismatch already I see.

twistednetadmin wrote:
> ...
> session_start();
> switch (@$_GET['action']) // Gets set by the form action
> {
> case "login":
> $sql = "SELECT name FROM DB WHERE name='$_POST[user]'";
> $result = mysql_query($sql) or die("Couldn't execute query.");
> $num = mysql_num_rows($result);
> if ($num == 1) // loginname found
> {
> $sql = "SELECT name FROM DB WHERE name='$_POST[user]' AND pass=password('$_POST[pass]')";
> $result2 = mysql_query($sql) or die("Couldn't execute query 2.");
> $num2 = mysql_num_rows($result2);
> if ($num2 > 0) // password is correct
> {
> $_SESSION['auth']="yes";
> $logname=$_POST['user'];
> $_SESSION['logname'] = $logname;
> header("Location: page1.php");
> }
> else // password is not correct
> {
> unset($action);
> header("Location: loginerror.php");
> }
> }
> elseif ($num == 0) // Wrong name. Name not in db
> {
> unset($action);
> header("Location: loginerror.php");
> }
> }
> ...
Re: [PHP] login check
[EMAIL PROTECTED] wrote:
> I think this is the way I need to write my if statement.
>
> if ( $min && $user[ "min" ] == $min && $user[ "pin" ] == $pin || $pin == 'allow')

try a couple parentheses to make your intention explicit. your if statement might work the way you want it but I have no idea - and I'm way too lazy to go and look up the operator precedence to work it out

if ($min && $user[ "min" ] == $min && ($user[ "pin" ] == $pin || $pin == 'allow')) {
// you are okay to login
}

> $min login name entered by the customer at the form.
> $user[min] is the login name from my sql db that matches $min
> $user[pin] is the password from mysql db that matches $min
> $pin is the password that is entered by the user
>
> There's 4 checks
> 1) $min must have a value
> 2) $user[ min ] must equal $min
> 3) $user[ pin ] must equal $pin
> 4) $pin == 'allow'

check 4 seems a little absurd - anyone who knows it will be able to login as anyone on your app.

also checking whether $user['min'] is equal to $min _seems_ pointless because I assume that you had to extract the data from the database somehow - usually this means using the login (i.e. $min) entered by the user to do the look up.

lots of good reading here on security: http://www.phpsec.org/

> I want it so that both 1 and 2 must be true and either 3 or 4 must be true. Will this if statement work?
>
> Andrew Darrow
> Kronos1 Productions
> www.pudlz.com
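The two conditions from this exchange evaluated side by side, as an added example that is not code from the thread: in PHP `&&` binds tighter than `||`, so the condition as first posted accepts the value 'allow' even with an empty login name, while the parenthesised one at least requires the name to match. The third function, which drops check 4 and compares against a stored hash, and all function names and the sample record are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. $min, $pin and $user follow the
// post; the function names and the sample record are constructed.

// As first posted: && binds tighter than ||, so PHP reads it as
// ($min && name matches && pin matches) || ($pin == 'allow').
function check_as_posted(string $min, string $pin, array $user): bool
{
    return $min && $user['min'] == $min && $user['pin'] == $pin || $pin == 'allow';
}

// With the parentheses from the reply: checks 1 and 2, and then 3 or 4.
function check_with_parens(string $min, string $pin, array $user): bool
{
    return $min && $user['min'] == $min && ($user['pin'] == $pin || $pin == 'allow');
}

// Check 4 removed and the pin stored as a hash (an assumption, the post
// stores it in the clear), so no single value opens every account.
function check_without_master(string $min, string $pin, array $user): bool
{
    return $min !== ''
        && hash_equals($user['min'], $min)
        && password_verify($pin, $user['pin_hash']);
}

$user = [ // constructed record for one customer
    'min'      => 'andrew',
    'pin'      => '4711',
    'pin_hash' => password_hash('4711', PASSWORD_DEFAULT),
];
$cases = [
    ['andrew', '4711'],  // right name, right pin
    ['andrew', '0000'],  // right name, wrong pin
    ['andrew', 'allow'], // right name, master value
    ['', 'allow'],       // no name at all, master value
];
foreach ($cases as [$min, $pin]) {
    printf("min=%-8s pin=%-5s posted=%d parens=%d no_master=%d\n",
        var_export($min, true), $pin,
        (int) check_as_posted($min, $pin, $user),
        (int) check_with_parens($min, $pin, $user),
        (int) check_without_master($min, $pin, $user));
}
```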
[PHP] Re: php login
William Stokes wrote:
> Hello,
>
> I need to create solution for user authentication/recognition in my web page. I think it would be a good idea to use mysql database for storing the user info because the user info is later used to determine what parts of site the recognized user is allowed to update.

Sounds like a fine idea to me.

> The site is for a soccer club that has some 30+ teams. I want to give each team the ability to update their own information but I don't want them to be able to mess with others info. So each team has one named admin to whom I need to give the access to their team info.
>
> I'm willing to learn to write my own scripts if I can get some info how these things are normally handled or I can use free ready scripts if someone can recommend me one

The basic process might go something like this:

- Create the user database
  - Build DB so that each user record needs a unique ID (auto-increment number is usually best), a team name, user type (user / admin), and password
- Create a login function (user / password)
  - Query the user database; see if password matches stored password
  - If login succeeds:
    - Start session: session_start()
    - Store username / team / user type in $_SESSION
    - Go to team home page (or whatever)
  - If login fails:
    - Redirect user to the login page
- Create all of the individual web pages you want (show team / edit team / etc.)
  - At the beginning of each web page you check for the user type in $_SESSION. Also, check for the user team in $_SESSION.
  - If the user isn't the required team / user type then send an error message to the user

Rough outline, but this should be enough to get you started and to let you know which parts of the manual you will need to read. ;)

http://www.php.net/manual/en/index.php

> BTW I am quite rookie with PHP.
>
> Thanks a lot
> -Will

--
Teach a man to fish...

NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-generalw=2
STFM | http://www.php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins
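The per-page check from the last step of the outline above, as an added example that is not code from the thread: the team and user type are written into the session once at login, and every page compares them with the team named in the request before doing anything. The session keys, the status codes returned, the rule that any logged-in user may view a team, and all function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The session keys, role names and
// function names are assumptions chosen to match the outline.

// What the login function stores in $_SESSION once the password matched.
function session_for_user(array $userRow): array
{
    return [
        'user_id'   => (int) $userRow['user_id'],
        'team'      => (int) $userRow['team_id'],
        'user_type' => (string) $userRow['user_type'], // 'user' or 'admin'
    ];
}

// Run at the top of every team page. Returns the HTTP status to send:
// 200 go ahead, 401 not logged in, 403 logged in but not allowed.
function authorize_team_page(array $session, int $teamId, string $action): int
{
    if (!isset($session['user_id'], $session['team'], $session['user_type'])) {
        return 401;
    }
    if ($action === 'show') {
        return 200; // assumption: any logged-in user may view a team
    }
    // $teamId is the team named in the request. It must equal the team stored
    // in the session at login, so an admin cannot edit another team by
    // changing a form field or URL parameter.
    $ownTeam = $session['team'] === $teamId;
    $isAdmin = $session['user_type'] === 'admin';
    return ($action === 'edit' && $ownTeam && $isAdmin) ? 200 : 403;
}

// Constructed sample rows: a team admin and an ordinary member of team 12.
$admin  = session_for_user(['user_id' => 1, 'team_id' => 12, 'user_type' => 'admin']);
$member = session_for_user(['user_id' => 2, 'team_id' => 12, 'user_type' => 'user']);

foreach ([
    'admin edits own team'   => authorize_team_page($admin, 12, 'edit'),
    'admin edits other team' => authorize_team_page($admin, 14, 'edit'),
    'member edits own team'  => authorize_team_page($member, 12, 'edit'),
    'anonymous views a team' => authorize_team_page([], 12, 'show'),
] as $label => $status) {
    echo $label, ': ', $status, "\n";
}
```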
[PHP] Re: php login
> I need to create solution for user authentication/recognition in my web page. I think it would be a good idea to use mysql database for storing the user info because the user info is later used to determine what parts of site the recognized user is allowed to update.

William,
Take a look at the PEAR Auth class:
http://pear.php.net/package/Auth
http://pear.php.net/manual/en/package.authentication.auth.php

It allows you to use MySQL to store the user information and will probably save you some time on the actual login part of your script.

- Jamie
[PHP] Re: php login
OK. Thanks a lot. So I need to study the $_Session more closely.

Jamie Alessio [EMAIL PROTECTED] wrote in message: [EMAIL PROTECTED]
>> I need to create solution for user authentication/recognition in my web page. I think it would be a good idea to use mysql database for storing the user info because the user info is later used to determine what parts of site the recognized user is allowed to update.
>
> William,
> Take a look at the PEAR Auth class:
> http://pear.php.net/package/Auth
> http://pear.php.net/manual/en/package.authentication.auth.php
>
> It allows you to use MySQL to store the user information and will probably save you some time on the actual login part of your script.
>
> - Jamie