Database id, password access by absolute newbie...
Posted: Mon Dec 15, 2003 4:32 am
by Azhrarn
Hi,
I have a database which needs access from two types of users: reader and writers.
I have a login page which allows people to login to the search function or to the "insert" function.
This main page reads an id and a pwd and posts them to the second page.
The second page opens a connection to the db just to test if the id and pwd are valid. It also contains a form to enter a car model and number plate.
I then pass this info to a third page which searches the db and displays the results.
In order to pass the id and pwd from the second to the third page tho, I am using a hidden field in the form, which is not a good idea because the password is plainly visible.
Could anyone suggest a better way to pass the variables from one page to another, or for another way to do the whole process?
Sorry if you've answered this before, but I've looked EVERYWHERE on google and can't find anything.
I've been working on php for 3 days and 2 have been spent looking for a solution to this.
Thanks to all in advance
Azh
Posted: Mon Dec 15, 2003 4:38 am
by malcolmboston
save it in a session
Code:
session_start();
$_SESSION['sessionname'] = $_POST['value_of_form_field'];
then to retrieve
i think that's correct, hope it helps anyway
Posted: Mon Dec 15, 2003 4:38 am
by m3mn0n
[php_man]setcookie[/php_man]()
Posted: Mon Dec 15, 2003 4:40 am
by Nay
Azhrarn wrote: I am using a hidden field in the form, which is not a good idea because the password is plainly visible.
Sami, isn't a cookie just as bad as $_GET, $_POST or a hidden form field? It's all from the dark side of the force.
I mean.........Client Side.
-Nay
Posted: Mon Dec 15, 2003 4:41 am
by malcolmboston
<--- loves the way sami always replies with a link (a very helpful one at that though)
it is also achievable with cookies, but has some security risks. it is probably easier to do it with cookies. one drawback with cookies though is headers (already sent blah blah), so your code has to be well thought out if you are starting a session as well. another major drawback is that cookies cannot be created and read on the same page. cookies can also be read and altered, and this is the security risk that made me stop using them for such methods as you are describing. check out sessions (possibly with MD5 hashing if the info is sensitive)
check out the link though for a more in-depth explanation
Posted: Mon Dec 15, 2003 4:45 am
by Azhrarn
hehe this must be the fastest forum on the planet.
Thanks to all of you!
Just one more question, how would a "real" php programmer structure this issue?
thx
Posted: Mon Dec 15, 2003 4:46 am
by malcolmboston
believe me it is
what do you mean by structure this issue?
im not godly but i tend to look at security
Cookies are awful at doing things like this, so awful they should be banned
sessions can be made transparent and therefore v-difficult to find out the values inside them, unless you got a serious site (microsoft for eg) which u shud invest in SSL and full MD5 hashing
my 2 cents if i havent answered your Q, please feel free to clarify
Posted: Mon Dec 15, 2003 4:47 am
by m3mn0n
To bypass that header's already sent stuff I would send it to a processing page, that is pure php, and then to the next part of the form.
Cookies/sessions are more safe because as he said then the content is not viewable within the html code, or in the screen's URL bar.
Posted: Mon Dec 15, 2003 4:53 am
by Azhrarn
Thx malcolmboston,
what i meant is that an experienced programmer would hardly use three pages for a simple query.
Was wondering how you'd do it.
Also, does anyone get the feeling in Php that things just start and stop working without reason?
Anybody have a Visual C++ like debugger for php handy?
Ciao
Azh
Posted: Mon Dec 15, 2003 5:01 am
by Nay
@Sami,
Do this (Mozilla): Edit -> Preferences -> Privacy & Security -> Cookies -> Manage Stored Cookies.
I can well see what's stored. Even if you delete the cookie after using it, it's still viewable. Plus, I think with cookies, you'll have to refresh before PHP can use it.
-Nay
Posted: Mon Dec 15, 2003 5:03 am
by m3mn0n
My debugger is internet explorer.
Zend has one I believe:
http://php.weblogs.com/discuss/msgReader$435?mode=day
Posted: Mon Dec 15, 2003 5:04 am
by Nay
Sami, you never fail to scare me.
-Nay
Posted: Mon Dec 15, 2003 5:05 am
by m3mn0n
LOL
Posted: Mon Dec 15, 2003 5:05 am
by malcolmboston
if u can get zend studio (by any means necessary) get it, its great
and btw fyi im pretty much newbie but have done all the things you are asking about
sami knows
<------------------------------------------------->
more than me
and info lock knows
<----------------------------------------------------------------->
more than me
i would do it like this
first page
Code:
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
please note that it is very important that your input fields are named username and password for the PHP to know where to get the values from
2nd page
Code:
session_start();
// this is used to retrieve the data
print $_SESSION['username'];
print $_SESSION['password'];
and to connect to the DB like this (MySQL example coming up)
Code:
// mysql_connect() takes server, username and password as separate arguments
mysql_connect("localhost", $_SESSION['username'], $_SESSION['password']);
this might not work, like i said im no PHP guru, but the general idea is the same, if u need anything else just ask
Posted: Mon Dec 15, 2003 5:13 am
by Nay
malcolmboston wrote: if u can get zend studio (by any means necessary)
I don't like the sound of that. Anyway, here's something I advise, from my experience. I'm sure "username" and "password" are very commonly used terms for log in(s). I was on a shared server and when I did an echo $_SESSION['username'] it echoed something else I wasn't expecting - at different times.
So here's what I did:
Code:
session_name("nays_session"); // states a name for the session
session_start(); // starts session
Hope that helped,
-Nay
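One way to structure the login discussed in this thread, as an added example that is not any poster's code: the credentials are checked once, and only the user's name and role are kept server-side in a named session. The `users` table, the `reader`/`writer` role values, the session name and the function names are assumptions; it assumes application-level accounts with hashed passwords rather than per-user database logins, and PHP 7.3+ with pdo_sqlite for the constructed demo data.

```php
<?php
// Added example, not code from the thread. Table, role and function names are hypothetical.
declare(strict_types=1);

function start_app_session(): void {
    session_name('carsearch_sess');      // app-specific name avoids clashes on shared hosts
    session_set_cookie_params([
        'httponly' => true,              // cookie is not readable from JavaScript
        'secure'   => true,              // cookie is only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Check the credentials once; afterwards the password is not kept in a
// hidden field, cookie or session.
function login(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT pw_hash, role FROM users WHERE name = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id after login (anti-fixation)
    $_SESSION['user'] = $user;           // server-side state: who they are
    $_SESSION['role'] = $row['role'];    // and what they may do
    return true;
}

// Call at the top of the search and insert pages instead of re-sending credentials.
function has_role(string ...$allowed): bool {
    return in_array($_SESSION['role'] ?? null, $allowed, true);
}

// Constructed demo data so the script runs offline: php example.php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['azh', password_hash('example-pw', PASSWORD_DEFAULT), 'reader']);

start_app_session();
$results = [
    'wrong password'    => login($db, 'azh', 'wrong-pw'),
    'right password'    => login($db, 'azh', 'example-pw'),
    'reader may insert' => has_role('writer'),
    'reader may search' => has_role('reader', 'writer'),
];
var_dump($results);  // output only after all session calls, so no "headers already sent"
```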