
not sure how to start the coding, any ideas?

Posted: Mon Nov 24, 2003 3:27 am
by malcolmboston
hi again guys :(

OK, this time i have kind of a problem that i can't seem to find explained anywhere.

Basically, i have a login section on my site, now i want people to be able to view and edit their account details from my MySQL server (database: TDN, table: Login)
now i know how to show results from a MySQL table very easily, just not sure how to show a record from a specific logged in user, so they only see their account details. i have a cookie set to their username so i was wondering if there was a way of checking the username from the cookie (which will always be a valid username because it only gets set after someone has succeeded in logging in) and then showing the records relevant to that cookie
for eg
(this is not PHP coding)

cookie = username of person logged in
PHP checks cookie for the username and passes it to MySQL
MySQL shows the relevant records for that username

i understand it's a filtering option but can't seem to figure out what they should be

have read the PHP manual, says nothing about any of this and to be honest the manual is so annoying in my opinion, for anyone new to PHP it would have been a lot more productive to give us some nice (and pretty complex) tutorials and examples explaining what the code is doing, not the 2 tutorials you get that are useless. anyway, got that off my chest, :(

By the way, i am quite knowledgeable about MySQL, so i should understand what you are saying, if you could just give me an idea of what the code would look like because at the moment i need to really start doing things myself with PHP.

Thanks In Advance

Posted: Mon Nov 24, 2003 5:19 am
by qads
you have username in the cookie? 8O
what if i change my username in the cookie after i login to yours? i will be able to see ur account information and change it, not a good idea!

are you just using cookies to check if the user is logged in? if so then u got big problems. you should use sessions, here are some tutorials:

viewtopic.php?t=6521
http://www.hotscripts.com/PHP/Tips_and_ ... index.html (try to find simple ones at first!)

Posted: Mon Nov 24, 2003 5:23 am
by malcolmboston
i am using sessions and .htaccess to verify a login, the cookie is used to pass a form variable to other pages in the logged in section of the site, i suppose there must be other ways of doing what i want to do but i'm not sure, i mean MySQL must be able to pull records from a specific user right? i just don't know where to start........

Posted: Mon Nov 24, 2003 5:29 am
by infolock
i think what he's saying is that AFTER the user has been verified, he can change the user information from within the cookie to gain visuals on another user ( which he is absolutely correct in saying if you are passing that cookie information to mysql... )

Posted: Mon Nov 24, 2003 5:36 am
by malcolmboston
hmmmmm
well luckily that's not what i'm doing, sorry for the confusion

i'll explain how my site works

someone goes to login.php
when they fill out their username and password field, their username is written into a cookie so on every page until they log out it will say Hello %yourname%, that's all the cookie is used for

When someone attempts a login request, and succeeds, the site is checking their username and password against a MySQL database and verifying the info is correct, then they can get in, the cookie has nothing in it except the person's username, as soon as they login a session is started and destroyed when they logout

My site i believe is secure enough for my needs, the standard user will not be able to get in (hell, i can't get in!) any other way than the login, folders have .htaccess, all restricted pages have login checks on them so if the session hasn't started they are refused entry, MySQL server is possibly crackable although a site can never be 100% secure no matter what anyone says

Still need help.......

Posted: Mon Nov 24, 2003 5:55 am
by infolock
well, don't get us wrong man, we aren't trying to bark at you and stuff.. we are just trying to give you some pointers on making your site even more secure by pointing out vulnerabilities that script kiddie hackers of the world would love to take advantage of :P

i think it was just this statement that got the fire rollin though :
"have a cookie set to their username so i was wondering if there was a way of checking the username from the cookie"
again, as qads pointed out, one of the best ways to approach this would be through the use of sessions.

however, if you are looking for examples and such, those things are available on a lot of various websites...

2 in particular

http://www.hotscripts.com
http://www.evilwalrus.com

others of interest would be :
http://www.phpbuilder.com
http://www.phpscripts.com
http://www.scriptz.com/
http://www.zend.com/
http://www.onlamp.com/pub/a/php/2003/07 ... tions.html - for security
http://www.zend.com/zend/tut/feedback.php - for cookies
http://www.devshed.com/Server_Side/PHP/ ... page1.html - for sessions

hope that helps...

Posted: Mon Nov 24, 2003 6:30 am
by m3mn0n
If you store a plaintext username and an encrypted password into a cookie and only allow access to pages if both match records in the database, I'm pretty sure the site is secure.

Posted: Mon Nov 24, 2003 6:37 am
by malcolmboston
i don't know, them script kiddies are pretty handy with their programs and besides if you can get away with not showing the user their password through any means like that then that can only make your site more secure

still no-one knows how i would start my SQL query?

Posted: Mon Nov 24, 2003 7:29 am
by qads
you said that after login, a session is started, why not assign the user id in a session var? this is how i would do it:

Code:

<?php
// assumes mysql_connect() and mysql_select_db() have already been called
// user has filled out the login form...
if (isset($_POST['login']))
{
    // escape the username for use inside the quoted SQL string
    $username = mysql_real_escape_string(trim($_POST['username']));
    // hash the submitted password the same way it is stored in the table
    $password = md5($_POST['password']);
    $query = mysql_query("select ID from users_table where username = '$username' AND password = '$password' limit 1");
    $check = mysql_num_rows($query);
    if ($check == 1)
    {
        // user is in the database and was found..
        session_start();
        $row = mysql_fetch_array($query);
        // keep the identity on the server side, in the session
        $_SESSION['user_id'] = $row['ID'];
        $_SESSION['username'] = $username;
        // send the user to another page..
        header("Location: your_page.php");
        exit;
    }
    else
    {
        // user was not found in the database...
        echo "incorrect username and password!";
    }
}
?>
^^ this is only to give you an idea, you can move the username and user id between the pages without having to set the cookie at all :D.
i didn't test the above code, i just typed it up here, hope it gives you some idea.

you also may wanna make sure that the username and password fields are filled in before allowing this code to be run.

EDIT:: forgot to tell you how to use the session to get users info :P

something like this would work nicely.

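Code:

<?php
session_start();
// check if user is logged in; send them to the login page if not
if (!isset($_SESSION['user_id']))
{
    header("Location: login.php");
    exit;
}
// the id comes from the session, cast to int before it goes into the query
$user_id = (int)$_SESSION['user_id'];
// now, to get the user info (add further columns as needed);
$info = mysql_fetch_array(mysql_query("select username, email, nickname, phone from users_table where ID = $user_id limit 1"));
// now to show info, escaped for HTML output;
echo "Username: " . htmlspecialchars($info['username']);
?>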
hope this helps.
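
As an added example (not part of qads's post or anyone's code in this thread), the same idea with PDO prepared statements: the account row is read and updated by the user id held in the server-side session, so editing the username cookie changes nothing. The `users` table, its columns, the function names and the sample rows are assumptions constructed for the demo, which runs against in-memory SQLite instead of the poster's MySQL database.

```php
<?php
// Added example: identity comes from the server-side session, never from the cookie.
// Table/column names and sample rows are constructed assumptions, not the poster's schema.

function load_account(PDO $db, array $session): ?array
{
    if (!isset($session['user_id'])) {
        return null;                                   // not logged in
    }
    $stmt = $db->prepare('SELECT username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function update_email(PDO $db, array $session, string $email): bool
{
    if (!isset($session['user_id']) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    // The WHERE clause is keyed on the session id, so a user can only edit their own row.
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => (int) $session['user_id']]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Simulated request: alice is logged in, but the display cookie was edited to "bob".
// On a real page $session would be $_SESSION after session_start().
$session = ['user_id' => 1];
$cookie  = ['username' => 'bob'];

$account = load_account($db, $session);
echo 'Cookie claims: ', $cookie['username'], PHP_EOL;
echo 'Account shown: ', $account['username'], ' <', $account['email'], '>', PHP_EOL;

// The edit also lands on alice's row only; bob's row is untouched.
update_email($db, $session, 'alice@new.example.test');
foreach ($db->query('SELECT username, email FROM users ORDER BY id') as $r) {
    echo $r['username'], ' => ', $r['email'], PHP_EOL;
}
```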

Posted: Tue Nov 25, 2003 10:44 am
by malcolmboston
thank you very much

i will try this out tonight

Mal

Posted: Tue Nov 25, 2003 10:57 am
by d3ad1ysp0rk
I'm assuming he wants to keep them logged in even AFTER they close the window.. meaning sessions wouldn't work, right?

I'd save usernames/passwords in the cookie.. not just the username

Posted: Tue Nov 25, 2003 11:00 am
by malcolmboston
well, fortunately i want exactly the opposite

the site needs to be as secure as is possible by me, so if the user closes their window then unfortunately for them they've gotta log back in

Posted: Tue Nov 25, 2003 11:03 am
by d3ad1ysp0rk
oh, then sessions would work perfectly
sorry for the misunderstanding :P