Login users

Posted: Sun Mar 14, 2010 8:09 am
by decpariem
Hi! I am using PHP with Flash and MySQL.
I have a table users where the users of the site are stored.
A user might be either simple or admin.
I have this PHP code that works for the admin.
I figured out that I have to add a column to my database named role. I want to modify the code so that if role=0 then status=admin,
and if role=1 then status=user. Can you do this? I use status because it's the only way for Flash to understand this.
<?php
include_once("settings.inc.php");
include_once("functions.inc.php");   // fail() is presumably defined in this include

$password = MD5($_GET['userPassword']); // md5()

$query = "SELECT * FROM user WHERE username = '" . $_GET['userName'] . "' AND password = '$password'";
$result = @mysql_query($query);
if ($result) {
    if (mysql_num_rows($result) == 1) {
        echo "status=ok";
    } else {
        fail("The user name and password could not be validated.");
    }
} else {
    fail("There was an error getting information on the admin.", mysql_error());
}
?>

Re: Login users

Posted: Sun Mar 14, 2010 9:01 am
by guosheng1987
decpariem wrote: Hi! I am using PHP with Flash and MySQL.
I have a table users where the users of the site are stored.
A user might be either simple or admin.
I have this PHP code that works for the admin.
I figured out that I have to add a column to my database named role. I want to modify the code so that if role=0 then status=admin,
and if role=1 then status=user. Can you do this? I use status because it's the only way for Flash to understand this.
<?php
include_once("settings.inc.php");
include_once("functions.inc.php");   // fail() is presumably defined in this include

$password = MD5($_GET['userPassword']); // md5()

$query = "SELECT * FROM user WHERE username = '" . $_GET['userName'] . "' AND password = '$password'";
$result = @mysql_query($query);
if ($result) {
    if (mysql_num_rows($result) == 1) {
        echo "status=ok";
    } else {
        fail("The user name and password could not be validated.");
    }
} else {
    fail("There was an error getting information on the admin.", mysql_error());
}
?>
You can add a column named role.
If role = 1 then it is admin.

Re: Login users

Posted: Mon Mar 15, 2010 10:48 am
by decpariem
Yes, I know that, but I can't get it to work with the code.

Re: Login users

Posted: Mon Mar 15, 2010 12:04 pm
by flying_circus
  • Do not pass user credentials through the URL querystring ($_GET). The only suitable method for passing credentials is an HTTP POST. Reference RFC2616.
  • Verify that the data exists before you access it. You will throw a NOTICE if you don't.
  • MD5 is no longer cryptographically suitable for hashing passwords. Use at least sha256.
  • Validate your data. There is no reason to run a query if the username is blank, is there? The best solution is to use a regex to only allow appropriate characters.
  • Be specific in your query. Only return the rows you need to access. This will help with performance on large resultsets.
  • Always escape data that you are going to put into a query!!! This helps prevent SQL Injection.
  • Use a LIMIT clause whenever you can. When you are working with login credentials, there is no reason to expect more than 1 row. Limit the query to 1 row, so if you are susceptible to SQL Injection, the damage is, hopefully, limited.
  • Never suppress errors. Handle them. There is a reason it is erroring. Find out why and fix it.
  • Do not output mysql_error() in a production environment. Don't output any errors other than your defined, generic error messages.

<?php
  # Includes
    include_once("settings.inc.php");
    include_once("functions.inc.php");
    
  # Fetch POST Data
    $username = (isset($_POST['userName'])) ? $_POST['userName'] : '';
    $password = (isset($_POST['userPassword'])) ? hash('sha512', $_POST['userPassword']) : '';
    
  # Sanity Check - Validation goes here
    if(empty($username))
      throw new Exception('Incorrect Username or Password');
      
  # Build SQL Query
    $query = sprintf("SELECT `role` FROM `user` WHERE `username`='%s' AND `password`='%s' LIMIT 1;",
                     mysql_real_escape_string($username),
                     mysql_real_escape_string($password));
                     
  # Fetch Resultset from the database
    $result = mysql_query($query);
    
  # Fetch User's Role from the Resultset
    if($result && mysql_num_rows($result) == 1) {
      $user = mysql_fetch_assoc($result);
      
      if($user['role'] == 0) {
        $role = 'Admin';
      } else {
        $role = 'User';
      }
    } else {
      throw new Exception('Incorrect Username or Password');
    }
?>
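As an added example (not code from this thread), here is the same login check written the way the points above are handled on a current PHP stack: credentials read from POST, a whitelist regex on the username, a prepared statement instead of string escaping, `LIMIT 1`, a generic failure message, and password_hash()/password_verify() in place of a bare digest. It assumes a `user` table with columns `username`, `password_hash` and `role` (0 = admin, 1 = user, the original poster's convention) and builds that table in an in-memory SQLite database so it runs stand-alone; the DSN is the only thing to swap for MySQL.

```php
<?php
// Added example, not from the thread: PDO prepared statements + password_hash().
declare(strict_types=1);

// Map the numeric role column to the status string Flash expects (0 = admin, 1 = user).
function roleToStatus(int $role): string {
    return $role === 0 ? 'admin' : 'user';
}

// Returns "status=admin" / "status=user" on success and "status=fail" otherwise.
// The same generic failure is returned for an unknown user and a wrong password.
function loginStatus(PDO $db, string $username, string $password): string {
    // Whitelist: letters (any script, so Greek works), digits, '_', '.', '-', max 64 chars.
    if ($password === '' || !preg_match('/^[\p{L}\p{N}_.\-]{1,64}$/u', $username)) {
        return 'status=fail';
    }
    // Placeholders: the username is bound as data, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password_hash, role FROM user WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return 'status=fail';
    }
    return 'status=' . roleToStatus((int) $row['role']);
}

// Constructed sample data (in-memory SQLite); replace the DSN with mysql:... in practice.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, role INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO user (username, password_hash, role) VALUES (:u, :h, :r)');
$ins->execute([':u' => 'alice', ':h' => password_hash('s3cret', PASSWORD_DEFAULT), ':r' => 0]);
$ins->execute([':u' => 'bob',   ':h' => password_hash('hunter2', PASSWORD_DEFAULT), ':r' => 1]);

// In the real handler these come from $_POST['userName'] / $_POST['userPassword'].
$username = $_POST['userName'] ?? 'alice';
$password = $_POST['userPassword'] ?? 's3cret';

// Output in the name=value form Flash reads; errors stay generic, nothing from the DB is echoed.
echo loginStatus($db, $username, $password), "\n";
?>
```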

Re: Login users

Posted: Wed Mar 17, 2010 3:05 pm
by decpariem
Thanks, your post is very useful. For the POST method it seems that with Flash and UTF-8 it is not working.
That's why I can't use it, and I use UTF-8 because I have Greek text. I'll follow the other advice though.
Thank you.

Re: Login users

Posted: Wed Mar 17, 2010 7:11 pm
by flying_circus
decpariem wrote: it seems that with Flash and UTF-8 it is not working.
As long as both your form and Flash use the same character set, I can't see why it would make a difference.

Re: Login users

Posted: Thu Mar 18, 2010 9:31 am
by decpariem
I've been dealing with the same question. I've tried everything else.
It worked only with POST.
Can't understand why! But now it's working.