Login users
Posted: Sun Mar 14, 2010 8:09 am
by decpariem
hi! i am using php with flash and mysql.
i have a table users where the users of the site are stored.
a user might be either simple or admin.
i have this php code that works for the admin.
i figured out that i have to add a column to my database named role. i want to modify the code so that if role=0 then status=admin,
and if role=1 then status=user. can you do this? i use status because it's the only way for flash to understand this.
<?php
include_once("settings.inc.php");
include_once("functions.inc.php");
$password = MD5($_GET['userPassword']); // md5()
$query = "SELECT * FROM user WHERE username = '" . $_GET['userName'] . "' AND password = '$password'";
$result = @mysql_query($query);
if($result){
    if(mysql_num_rows($result) == 1){
        echo "status=ok";
    }
    else{
        fail("The user name and password could not be validated.");
    }
}else{
    fail("There was an error getting information on the admin.", mysql_error());
}
?>
Re: Login users
Posted: Sun Mar 14, 2010 9:01 am
by guosheng1987
decpariem wrote: hi! i am using php with flash and mysql. [...]
you can add a column named role.
if role = 1 then it is admin.
Re: Login users
Posted: Mon Mar 15, 2010 10:48 am
by decpariem
yes i know that but i can't get it to work with the code.
Re: Login users
Posted: Mon Mar 15, 2010 12:04 pm
by flying_circus
- Do not pass user credentials through the URL querystring ($_GET). The only suitable method for passing credentials is an HTTP POST. Reference RFC2616.
- Verify that the data exists before you access it. You will throw a NOTICE if you don't.
- MD5 is no longer cryptographically suitable for hashing passwords. Use at least sha256.
- Validate your data. There is no reason to run a query if the username is blank, is there? The best solution is to use a regex to only allow appropriate characters.
- Be specific in your query. Only return the rows you need to access. This will help with performance on large resultsets.
- Always escape data that you are going to put into a query!!! This helps prevent SQL Injection.
- Use a LIMIT clause whenever you can. When you are working with login credentials, there is no reason to expect more than 1 row. Limit the query to 1 row, so if you are susceptible to SQL Injection, the damage is, hopefully, limited.
- Never suppress errors. Handle them. There is a reason it is erroring. Find out why and fix it.
- Do not output mysql_error() in a production environment. Don't output any errors other than your defined, generic error messages.
<?php
# Includes (settings.inc.php is expected to open the MySQL connection that
# mysql_real_escape_string() and mysql_query() use)
include_once("settings.inc.php");
include_once("functions.inc.php");

# Fetch POST Data - credentials come from the request body, never the URL
$username = (isset($_POST['userName'])) ? $_POST['userName'] : '';
$password = (isset($_POST['userPassword'])) ? hash('sha512', $_POST['userPassword']) : '';

# Sanity Check - Validation goes here
if(empty($username))
    throw new Exception('Incorrect Username or Password');

# Build SQL Query - only the column we need, every value escaped, at most one row
$query = sprintf("SELECT `role` FROM `user` WHERE `username`='%s' AND `password`='%s' LIMIT 1;",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password));

# Fetch Resultset from the database (no @ - errors are not suppressed)
$result = mysql_query($query);

# Fetch User's Role from the Resultset
if($result && mysql_num_rows($result) == 1) {
    $user = mysql_fetch_assoc($result);
    if($user['role'] == 0) {
        $role = 'Admin';
    } else {
        $role = 'User';
    }
    # Report the role back to the Flash client in the status=... form it expects
    echo 'status=' . strtolower($role);
} else {
    # Same generic message whether the user is unknown or the password is wrong
    throw new Exception('Incorrect Username or Password');
}
?>
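The same login flow, written the way the checklist above describes but with the functions current PHP offers for it. This is an added example, not code from the thread or from flying_circus: it uses password_hash()/password_verify() instead of MD5 or SHA, a PDO prepared statement instead of an escaped string, LIMIT 1, a single generic failure result, and the role mapping decpariem asked for in the first post (role 0 = admin, role 1 = user, reported as status=admin / status=user). The in-memory SQLite database, the two demo accounts and the handleRequest() wrapper are constructed so the script runs offline; in real use the DSN would be the MySQL one (with charset=utf8mb4 for the Greek text) and $_SERVER['REQUEST_METHOD'] and $_POST would be passed in.

```php
<?php
// Added example, not code from the thread. Demonstrates the hardening points
// listed above with modern PHP. The SQLite in-memory database is a stand-in
// for the MySQL `user` table so the script is self-contained.

declare(strict_types=1);

// Constructed demo database in place of the real `user` table (assumption).
function buildDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id       INTEGER PRIMARY KEY,
        username TEXT    NOT NULL UNIQUE,
        password TEXT    NOT NULL,  -- password_hash() output, not a bare hash
        role     INTEGER NOT NULL   -- 0 = admin, 1 = user (as in the thread)
    )');
    $ins = $db->prepare('INSERT INTO user (username, password, role) VALUES (:u, :p, :r)');
    $ins->execute([':u' => 'maria', ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':r' => 0]);
    $ins->execute([':u' => 'nikos', ':p' => password_hash('battery staple', PASSWORD_DEFAULT), ':r' => 1]);
    return $db;
}

// Returns "admin" or "user" on success, null on any failure. The caller never
// learns whether the username or the password was the wrong part.
function authenticate(PDO $db, string $username, string $password): ?string
{
    // Validate before touching the database: blank, oversized, or characters
    // outside a simple allow-list (letters incl. Greek, digits, _ . -) fail early.
    if ($username === '' || strlen($username) > 64
        || !preg_match('/^[\p{L}\p{N}_.-]+$/u', $username)) {
        return null;
    }
    if ($password === '' || strlen($password) > 1024) {
        return null;
    }

    // Prepared statement: the username is bound as data, never spliced into
    // the SQL text. Only the needed columns are selected and LIMIT 1 bounds it.
    $stmt = $db->prepare('SELECT password, role FROM user WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify() against a real hash even for unknown usernames so
    // the response time does not reveal which accounts exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $storedHash = ($row !== false) ? (string) $row['password'] : $dummyHash;
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    return ((int) $row['role'] === 0) ? 'admin' : 'user';
}

// Request wrapper: credentials are accepted only from a POST body, and every
// failure path returns the same generic status string (no mysql_error() leak).
function handleRequest(PDO $db, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'status=fail';
    }
    $role = authenticate($db,
        (string) ($post['userName'] ?? ''),
        (string) ($post['userPassword'] ?? ''));
    return ($role === null) ? 'status=fail' : 'status=' . $role;
}

// Constructed requests standing in for $_SERVER['REQUEST_METHOD'] and $_POST.
$db = buildDemoDb();
$cases = [
    'admin login'       => ['POST', ['userName' => 'maria', 'userPassword' => 'correct horse']],
    'user login'        => ['POST', ['userName' => 'nikos', 'userPassword' => 'battery staple']],
    'wrong password'    => ['POST', ['userName' => 'maria', 'userPassword' => 'nope']],
    'quote in username' => ['POST', ['userName' => "maria' OR '1'='1", 'userPassword' => 'x']],
    'credentials via GET' => ['GET',  ['userName' => 'maria', 'userPassword' => 'correct horse']],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-22s -> %s\n", $label, handleRequest($db, $method, $post));
}
```

The quote-in-username case is the one the "always escape" bullet is about: with a bound parameter the whole string is compared as a literal username, no row matches, and the client sees the same status=fail as for a wrong password. password_hash() also removes the need to pick a hash algorithm by hand, since it stores a salted, slow hash and password_verify() checks it.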
Re: Login users
Posted: Wed Mar 17, 2010 3:05 pm
by decpariem
thanks, your post is very useful. for the post method, it seems that with flash and utf-8 it is not working.
that's why i can't use it, and i use utf-8 because i have greek text. i'll follow the other advice though.
thank you
Re: Login users
Posted: Wed Mar 17, 2010 7:11 pm
by flying_circus
decpariem wrote: it seems that with flash and utf-8 it is not working.
As long as both your form and flash use the same character set, I can't see why it would make a difference.
Re: Login users
Posted: Thu Mar 18, 2010 9:31 am
by decpariem
I've been dealing with the same question. I've tried everything else.
Worked only with POST.
Can't understand why! But now it's working.