Hi! I am using PHP with Flash and MySQL.
I have a table users where the users of the site are stored.
A user might be either simple or admin.
I have this PHP code that works for the admin.
I figured out that I have to add a column to my database named role. I want to modify the code so that if role=0 then status=admin, and if role=1 then status=user. Can you do this? I use status because it's the only way for Flash to understand this.
<?php
include_once("settings.inc.php");
include_once("functions.inc.php");
$password = MD5($_GET['userPassword']); // md5()
$query = "SELECT * FROM user WHERE username = '" . $_GET['userName'] . "' AND password = '$password'";
$result = @mysql_query($query);
if($result){
    if(mysql_num_rows($result) == 1){
        echo "status=ok";
    }
    else{
        fail("The user name and password could not be validated.");
    }
}else{
    fail("There was an error getting information on the admin.", mysql_error());
}
?>
Login users
- guosheng1987
- Forum Newbie
- Posts: 24
- Joined: Thu Oct 15, 2009 3:03 am
Re: Login users
you can add a column named role.
decpariem wrote: [quotes the original post above in full]
if role = 1 then it is admin.
Re: Login users
Yes, I know that, but I can't get it to work with the code.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Login users
- Do not pass user credentials through the URL query string ($_GET). The only suitable method for passing credentials is an HTTP POST. Reference RFC2616.
- Verify that the data exists before you access it. You will throw a NOTICE if you don't.
- MD5 is no longer cryptographically suitable for hashing passwords. Use at least sha256.
- Validate your data. There is no reason to run a query if the username is blank, is there? The best solution is to use a regex to only allow appropriate characters.
- Be specific in your query. Only return the rows you need to access. This will help with performance on large result sets.
- Always escape data that you are going to put into a query!!! This helps prevent SQL Injection.
- Use a LIMIT clause whenever you can. When you are working with login credentials, there is no reason to expect more than 1 row. Limit the query to 1 row, so if you are susceptible to SQL Injection, the damage is, hopefully, limited.
- Never suppress errors. Handle them. There is a reason it is erroring. Find out why and fix it.
- Do not output mysql_error() in a production environment. Don't output any errors other than your defined, generic error messages.
Code:
<?php
# Includes
include_once("settings.inc.php");
include_once("functions.inc.php");
# Fetch POST Data
$username = (isset($_POST['userName'])) ? $_POST['userName'] : '';
$password = (isset($_POST['userPassword'])) ? hash('sha512', $_POST['userPassword']) : '';
# Sanity Check - Validation goes here
if(empty($username))
    throw new Exception('Incorrect Username or Password');
# Build SQL Query
$query = sprintf("SELECT `role` FROM `user` WHERE `username`='%s' AND `password`='%s' LIMIT 1;",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password));
# Fetch Resultset from the database
$result = mysql_query($query);
# Fetch User's Role from the Resultset
if($result && mysql_num_rows($result) == 1) {
    $user = mysql_fetch_assoc($result);
    if($user['role'] == 0) {
        $role = 'Admin';
    } else {
        $role = 'User';
    }
} else {
    throw new Exception('Incorrect Username or Password');
}
?>

Re: Login users
Thanks, your post is very useful. For the POST method, it seems that with Flash and UTF-8 it is not working.
That's why I can't use it. And I use UTF-8 because I have Greek text. I'll follow the other advice though.
Thank you
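As an added example that is not part of this thread (it is neither decpariem's nor flying_circus's code), here is the same login written against flying_circus's list above: credentials from POST, validation before the query, a PDO prepared statement instead of string-built SQL, password_hash()/password_verify() instead of MD5, and only a generic failure token in the response. The column names, the in-memory SQLite demo table and its users are assumptions; the role values (0 = admin, 1 = user) are taken from the original question.

```php
<?php
// Added example, not code from the thread: a login handler that follows
// flying_circus's advice (POST, validation, no MD5, no string-built SQL,
// generic errors) and returns the status token decpariem wanted for Flash.
// Column names (username, password_hash, role) and the SQLite demo are
// assumptions; role 0 = admin and 1 = user as in the original question.
declare(strict_types=1);

// Map the role column to the token Flash parses from the response body.
function roleToStatus(int $role): string
{
    return $role === 0 ? 'status=admin' : 'status=user';
}

// Returns 'status=admin' / 'status=user' on success, otherwise 'status=fail'.
// The failure token never says which of the two fields was wrong.
function login(PDO $db, string $username, string $password): string
{
    // Validate before querying: non-empty and restricted to a safe alphabet.
    if ($password === '' || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
        return 'status=fail';
    }
    // Bound parameter: the username is data and can never change the SQL text.
    $stmt = $db->prepare('SELECT password_hash, role FROM user WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted bcrypt/argon2 hash, not a bare MD5/SHA digest.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return 'status=fail';
    }
    return roleToStatus((int) $row['role']);
}

// Demo with constructed data in an in-memory SQLite table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT, role INTEGER)');
$ins = $db->prepare('INSERT INTO user VALUES (:u, :h, :r)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT), ':r' => 0]);
$ins->execute([':u' => 'bob',   ':h' => password_hash('battery staple', PASSWORD_DEFAULT), ':r' => 1]);

// In the real handler the credentials come from the POST body, e.g.
//   login($db, $_POST['userName'] ?? '', $_POST['userPassword'] ?? '')
echo login($db, 'alice', 'correct horse'), "\n";   // admin account, correct password
echo login($db, 'bob', 'battery staple'), "\n";    // plain user account, correct password
echo login($db, 'bob', 'wrong password'), "\n";    // wrong password for bob
echo login($db, "alice'", 'correct horse'), "\n";  // quote character rejected by validation
```

The response body is the single `status=...` token Flash already parses, so the client side of the original script needs no change.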
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Login users
As long as both your form and Flash use the same character set, I can't see why it would make a difference.
decpariem wrote: it seems that with flash and utf-8 is not working.
Re: Login users
I've been dealing with the same question. I've tried everything else.
It worked only with POST.
Can't understand why! But now it's working.