Re: [PHP] user auth

2002-05-30 Thread Miguel Cruz

On Thu, 30 May 2002, Justin Blake wrote:
> I will soon be developing a user authentication system with different
> access levels. I will need to check the users against a mysql database.
> How secure is checking for a session var, and then redirecting with
> header('Location:...') ? Is there a way to get around this method of
> protection?

That's the worst security scheme I've ever heard of.

Anyone can just look at where the redirect points to and go there.

You should keep the session active throughout your secured area and check 
against a session variable at the top of each page.

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] user auth

2002-05-30 Thread Daniel Tryba

On Thu, May 30, 2002 at 11:46:29PM -0400, Justin Blake wrote:
> I will soon be developing a user authentication system with different
> access levels. I will need to check the users against a mysql
> database. How secure is checking for a session var, and then
> redirecting with header('Location:...') ? Is there a way to get around
> this method of protection?

I'm no expert on this, but I don't think sessions in PHP have any security
embedded in them by themselves; you could just try a brute-force attack
on session IDs (good luck :).

But what you yourself could do is keep track of, e.g., the IP address of the
user and check that it doesn't change... if it does, then maybe someone is
trying something fishy.

-- 

  Daniel Tryba


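As an added example (not code from Miguel, Daniel or anyone else in the thread), here is the pattern Miguel describes with Daniel's IP check folded in: a guard file that every protected page includes as its first statement, so there is no redirect target that can be reached without a valid session. The file name `require_auth.php`, the login URL, the session keys and the idle limit are assumptions; the cookie-flag call needs PHP 7.3 or later.

```php
<?php
// require_auth.php (assumed name). Added example, not code from the thread.
declare(strict_types=1);

const LOGIN_URL  = '/login.php';   // assumed location of the login form
const IDLE_LIMIT = 1800;           // seconds of inactivity after which the login lapses

/** Start the session with cookie flags that keep the id off plain HTTP and away from scripts. */
function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

/**
 * Daniel's IP check, done loosely: a hash of the remote address and user agent.
 * Caveat: users behind rotating proxies or on mobile networks change address
 * mid-session, so a mismatch should force a re-login, not be read as an attack.
 */
function clientFingerprint(array $server): string
{
    return hash('sha256', ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

/** Pure check, so it can be exercised without a web server: is this session data still good? */
function sessionIsValid(array $session, string $fingerprint, int $now): bool
{
    if (empty($session['user_id']) || empty($session['fingerprint']) || empty($session['last_seen'])) {
        return false;
    }
    if (!hash_equals((string) $session['fingerprint'], $fingerprint)) {
        return false;   // cookie presented from a different client than the one that logged in
    }
    return ($now - (int) $session['last_seen']) <= IDLE_LIMIT;
}

/** The first statement of every protected page calls this. */
function requireAuth(): void
{
    startSession();
    if (!sessionIsValid($_SESSION, clientFingerprint($_SERVER), time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_URL);
        // Stop here. Without exit, PHP keeps rendering the protected page after the
        // Location header, and a client that ignores the redirect gets the content anyway.
        exit;
    }
    $_SESSION['last_seen'] = time();
}

/** Called from login.php after the credentials have been verified against the database. */
function establishSession(int $userId, int $accessLevel): void
{
    startSession();
    session_regenerate_id(true);   // never keep a pre-login id: this blocks session fixation
    $_SESSION = [
        'user_id'      => $userId,
        'access_level' => $accessLevel,
        'fingerprint'  => clientFingerprint($_SERVER),
        'last_seen'    => time(),
    ];
}
```

Each protected page then begins with `require 'require_auth.php'; requireAuth();` before any output. The check runs on every request, so `report.php` visited directly, without a session, gets the same redirect as anything else; the redirect is only the consequence of the check, never the protection itself.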




RE: [PHP] user auth.. with mysql and cookies.. help

2002-05-30 Thread James Holden

It's basically saying that you are outputting stuff to the browser before you
are setting the cookies, which is a no-go. All header requests (header() &
setcookie()) must be run before any text is output.

Thus, the most common error is that before or after your PHP tags there is
empty space, which PHP considers output text, and you won't be able to set
any headers.

Other than that, you might be setting cookies after you have echoed templates
or some such.


- James
--
W: www.londontown.com
@: [EMAIL PROTECTED]
--

-Original Message-
From: Anton Heryanto [mailto:[EMAIL PROTECTED]]
Sent: 30 May 2002 11:44
To: [EMAIL PROTECTED]
Subject: [PHP] user auth.. with mysql and cookies.. help


Sorry to bother all of you with the same question again.
I was learning to make user auth with MySQL using cookies, and I have trouble
with this error message:

Warning: Cannot add header information - headers already sent by (output
started at ../functions.inc:54) in ../functions.inc on line 49

Warning: Cannot add header information - headers already sent by (output
started at ../functions.inc:54) in ../functions.inc on line 50

Warning: Cannot add header information - headers already sent by (output
started at ../functions.inc:54) in ../functions.inc on line 51

Warning: Cannot add header information - headers already sent by (output
started at ../functions.inc:54) in ../login.php on line 12

In this case I use 4 files:
1) index.html -- sends the data (method POST) to login.php
2) login.php
3) function.inc -- all the functions I use
4) common.inc -- global variables

2. login.php

<?php
// (the opening lines of login.php were lost when the message was archived;
//  the condition below is assumed from the authenticateUser() function in function.inc)
if (authenticateUser($user, $password)) {
   header("Location:http://$http_host/$docroot/report.php");
   exit();
}
else {
   header("Location:http://$http_host/$docroot/error1.htm");
   exit();
}
?>

3. function.inc

<?php
// (the opening lines of this file were lost when the message was archived; only
//  the printf() of DisplayErrMsg survives, and its function header is assumed)
function DisplayErrMsg($message)
{
   // Prints straight to the browser. Called before header()/setcookie() this is
   // output, and it is what "headers already sent" complains about.
   printf("%s\n", $message);
}


function authenticateUser($user, $password)
{

   global  $host, $httphost, $user_db, $password_db, $db, $docroot;

   if (! ($link = mysql_pconnect($host, $user_db, $password_db)))
   {

      DisplayErrMsg(sprintf("internal Error %d: %s \n",
         mysql_errno(), mysql_error() ));
      // note: this second message echoes the submitted password back to the browser
      DisplayErrMsg(sprintf("internal Error %s %s %s %d: %s \n",
         $host, $user, $password, mysql_errno(), mysql_error() ));

      return 0;

   }

   // $user comes straight from the login form, so escape it before it goes into
   // the query string (mysql_escape_string exists in the PHP 4 of this thread)
   $safe_user = mysql_escape_string($user);
   if (! ($result = mysql_db_query("$db","select * from user_login where
      userid = '$safe_user'")))
   {
      DisplayErrMsg(sprintf("internal Error %d: %s \n",
         mysql_errno(), mysql_error() ));
      return 0 ;

   }


   // passwords are compared in clear text, so user_login stores them unhashed
   if (($row = mysql_fetch_array($result)) &&
      ($password==$row["password"] && $password != ""))

      return 1;

   else
      return 0;

}

function deleteCookies()
{
   global $total_items;   // without this the loop bound is undefined and the loop never runs
   for ($i=0; $i<$total_items; $i++)
   {
      setcookie("items_tray[$i]","");
      setcookie("quantity[$i]","");
   }
   setcookie("items_tray","");
   setcookie("total_items","");
   setcookie("quantity","");
}
?>

and 4. common.inc

~

Could you tell me what and where the mistake is?
Thanks for all of your kindness.

regards

anton
 --Linux is Power---



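A check for the condition James describes, added here as an example (not code from James or Anton): a small command-line scanner that reports bytes outside the PHP tags of each file, which is exactly the "empty space before or after your PHP tags" that becomes output. Anton's warnings say output started at functions.inc line 54 while the header calls are on lines 49 to 51 of the same file; output that starts after a file's last statement is the signature of whitespace after its closing tag, which is the first thing the scanner looks for. The script name and the usage line are assumptions, and the `redirect()` helper at the end covers the other cause, an echo or printf executed before `header()`, which a textual scan cannot see.

```php
<?php
// find_stray_output.php (assumed name). Added example, not code from the thread.
// Usage: php find_stray_output.php functions.inc common.inc login.php
declare(strict_types=1);

/**
 * Scan one file's source text. Returns a list of ['line' => int, 'problem' => string];
 * an empty list means nothing outside the PHP tags can reach the browser.
 * This is a textual check: a "?>" inside a string literal would be misread.
 */
function findStrayOutput(string $source): array
{
    $problems = [];

    // A UTF-8 byte order mark is three bytes the editor hides and PHP sends as output.
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = ['line' => 1, 'problem' => 'UTF-8 byte order mark before <?php'];
        $source = substr($source, 3);
    }

    $open = strpos($source, '<?php');
    if ($open === false) {
        $problems[] = ['line' => 1, 'problem' => 'no <?php tag: the whole file is output'];
        return $problems;
    }
    if ($open > 0) {
        // Blank lines or spaces before the opening tag.
        $leading = substr($source, 0, $open);
        $problems[] = ['line' => 1, 'problem' => sprintf(
            '%d byte(s) of output before <?php, which is on line %d',
            strlen($leading), substr_count($leading, "\n") + 1)];
    }

    // After the final "?>" everything is output, except the single newline PHP swallows.
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $trailing = substr($source, $close + 2);
        if ($trailing !== '' && $trailing !== "\n" && $trailing !== "\r\n") {
            $problems[] = ['line' => substr_count(substr($source, 0, $close), "\n") + 1, 'problem' => sprintf(
                '%d byte(s) of output after the final ?> (blank lines at the end of the file)',
                strlen($trailing))];
        }
    }
    return $problems;
}

/** Print every finding as file:line: problem and return the number of findings. */
function checkFiles(array $paths): int
{
    $found = 0;
    foreach ($paths as $path) {
        $src = @file_get_contents($path);
        if ($src === false) {
            fwrite(STDERR, "cannot read $path\n");
            continue;
        }
        foreach (findStrayOutput($src) as $p) {
            printf("%s:%d: %s\n", $path, $p['line'], $p['problem']);
            $found++;
        }
    }
    return $found;
}

/**
 * For the cause the scanner cannot see: an echo or printf executed before header(),
 * such as a DisplayErrMsg() call. Use this instead of a bare header() so the
 * failure names the file and line where output began instead of a generic warning.
 */
function redirect(string $url): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("cannot redirect: output already started at $file:$line");
    }
    header('Location: ' . $url);
    exit;
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === realpath(__FILE__)) {
    exit(checkFiles(array_slice($argv, 1)) === 0 ? 0 : 1);
}
```

The exit status is non-zero when anything is found, so the scanner can sit in a pre-commit hook. Files that are only included, such as `common.inc` and `functions.inc`, are safest with no closing `?>` at all; then there is nothing after the tag to get wrong.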




RE: [PHP] user auth script update.

2002-02-16 Thread Matthew Darcy

Never mind Matt,

I noticed the missing ); on line 65

Thanks for your help.

Matt.


-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]]
Sent: 16 February 2002 12:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] user auth script update.


> I am now getting the parse error on line 64
> $sql_authorisation = "SELECT * FROM account_details WHERE
> account_name='$login_username' AND
> account_password=PASSWORD('$login_password');

You're missing the closing " on the last line above.






Re: [PHP] user auth script update.

2002-02-16 Thread Matt

> I am now getting the parse error on line 64
> $sql_authorisation = "SELECT * FROM account_details WHERE
> account_name='$login_username' AND
> account_password=PASSWORD('$login_password');

You're missing the closing " on the last line above.


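Both the `select * from user_login where userid = '$user'` query in Anton's function.inc earlier on this page and the `account_password=PASSWORD('$login_password')` query here build the SQL by interpolating what the login form submitted. As an added example (not code from either poster), here is the same lookup with the username bound as a parameter and the password checked in PHP against a salted hash rather than MySQL's PASSWORD(). It uses an in-memory SQLite database through PDO so it runs stand-alone; against MySQL only the DSN changes. The `account_details` column names follow Matthew's query, and the two sample accounts are constructed here.

```php
<?php
// Added example, not code from either poster. Assumes PDO with the sqlite driver.
declare(strict_types=1);

// A real hash to verify against when the username does not exist, so a login
// attempt for an unknown name takes as long as one for a known name.
define('DUMMY_HASH', password_hash('not a real password', PASSWORD_DEFAULT));

/** Build the demo database with constructed sample accounts (not data from the thread). */
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE account_details (
                   account_id       INTEGER PRIMARY KEY,
                   account_name     TEXT NOT NULL UNIQUE,
                   account_password TEXT NOT NULL,   -- password_hash() output, never the password
                   access_level     INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO account_details (account_name, account_password, access_level)
                         VALUES (?, ?, ?)');
    foreach ([['alice', 'correct horse battery staple', 2], ['bob', 'hunter2', 1]] as [$name, $pw, $level]) {
        $ins->execute([$name, password_hash($pw, PASSWORD_DEFAULT), $level]);
    }
    return $db;
}

/** Returns the account row (without the hash) on success, null on unknown user or wrong password. */
function authenticate(PDO $db, string $loginUsername, string $loginPassword): ?array
{
    // The name is bound, not interpolated: "' OR '1'='1" is just a username nobody has.
    $stmt = $db->prepare('SELECT account_id, account_name, account_password, access_level
                          FROM account_details WHERE account_name = :name');
    $stmt->execute([':name' => $loginUsername]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row === false) ? DUMMY_HASH : $row['account_password'];
    $ok = password_verify($loginPassword, $hash);   // always runs, known user or not
    if ($row === false || !$ok) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {   // upgrade old hashes transparently
        $db->prepare('UPDATE account_details SET account_password = ? WHERE account_id = ?')
           ->execute([password_hash($loginPassword, PASSWORD_DEFAULT), $row['account_id']]);
    }
    unset($row['account_password']);   // the hash never leaves this function
    return $row;
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === realpath(__FILE__)) {
    $db = openDemoDb();
    $attempts = [['alice', 'correct horse battery staple'], ['alice', 'wrong'], ["' OR '1'='1", 'x']];
    foreach ($attempts as [$u, $p]) {
        $r = authenticate($db, $u, $p);
        printf("%-14s %s\n", $u, $r === null
            ? 'rejected'
            : 'accepted as ' . $r['account_name'] . ' (level ' . $r['access_level'] . ')');
    }
}
```

The access level comes back with the row, which is what a page then stores in the session for its "different access levels". Because the quoting is the driver's job, the missing `"` that started this thread cannot turn into a broken query at runtime either; a malformed statement fails at `prepare()` with an exception rather than silently matching the wrong rows.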




Re: [PHP] user auth

2001-09-14 Thread Andreas Gietl

On Friday 14 September 2001 17:01, you wrote:

If you want to work with the passwords that originally are in the shadow file,
your webserver needs to have read permissions for the shadow file, which is
not a good idea.

You could parse the passwords out of the shadow file and write them into an
extra password file readable only by the webserver, which is not a good idea
either.

Or you could use a patched PAM module which checks the passwords for you,
which is the best solution I can think of.

But if you want to do a webmail, you actually don't need to check the
password. Your IMAP/POP server will do that for you.

BTW: there already are lots of webmails in PHP; just check
nocc.sourceforge.net for example, and there are many others.

> Hello all! I am a relative newbie in PHP, so my question may appear silly:
>
> Please tell me if anyone has knowledge of
> authenticating a user based on his username and password
> from a Linux system (shadow or anything).
> I want to make a PHP webmail. Also, I want to make
> an SSH virtual web client for the registered user.
>
> Any help would be appreciated.
> Thanks,

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
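The delegation Andreas recommends, as an added example that is not part of the thread: instead of giving the webserver any access to the shadow file, hand the username and password to the IMAP server in a LOGIN command and trust its tagged reply. The host name is an assumption, and the response parsing and quoting are separate functions so they can be exercised without a server. LOGIN carries the password in clear, so the connection is TLS on 993 with certificate verification on; many servers refuse LOGIN (LOGINDISABLED) until TLS is up, which is the right default.

```php
<?php
// Added example, not code from the thread. Requires the openssl extension for ssl:// streams.
declare(strict_types=1);

/**
 * Classify the server's tagged response to a command sent with $tag.
 * Returns 'OK', 'NO' or 'BAD' for the tagged line, or null for untagged ("* ...") lines.
 */
function imapTaggedStatus(string $line, string $tag): ?string
{
    if (preg_match('/^' . preg_quote($tag, '/') . ' (OK|NO|BAD)\b/', rtrim($line, "\r\n"), $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Quote a value as an IMAP quoted string (RFC 3501 section 4.3): backslash-escape
 * '"' and '\', refuse CR/LF/NUL. Values with 8-bit bytes would need a literal,
 * which this example does not implement.
 */
function imapQuote(string $s): string
{
    if (preg_match('/[\r\n\0]/', $s)) {
        throw new InvalidArgumentException('CR, LF and NUL are not allowed in IMAP quoted strings');
    }
    return '"' . addcslashes($s, '"\\') . '"';
}

/**
 * Attempt an IMAP LOGIN and report whether the server accepted the credentials.
 * $host is the mail server (assumed); connection errors throw, bad credentials return false.
 */
function imapCredentialsValid(string $host, string $user, string $password, int $port = 993, int $timeout = 10): bool
{
    $ctx  = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $conn = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($conn === false) {
        throw new RuntimeException("IMAP connect to $host:$port failed: $errstr ($errno)");
    }
    stream_set_timeout($conn, $timeout);
    try {
        if (fgets($conn) === false) {   // server greeting: "* OK ..."
            return false;
        }
        $tag = 'a1';
        fwrite($conn, "$tag LOGIN " . imapQuote($user) . ' ' . imapQuote($password) . "\r\n");
        $status = null;
        while ($status === null && ($line = fgets($conn)) !== false) {
            $status = imapTaggedStatus($line, $tag);   // skip untagged lines such as "* CAPABILITY"
        }
        fwrite($conn, "a2 LOGOUT\r\n");   // the verdict is already known; leave cleanly
        return $status === 'OK';          // NO = wrong credentials, BAD or EOF = protocol error
    } finally {
        fclose($conn);
    }
}
```

For the webmail itself the same LOGIN is the one the mail client would send anyway, so the password is never stored on the web host; what goes into the session afterwards is only the fact that the login succeeded, along the lines of the session guard shown earlier on this page.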