Can't get my login script to work

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

lolpix
Forum Commoner
Posts: 41
Joined: Sat Jul 17, 2004 2:20 am

Post by lolpix »

Here is what I do, it may not be the best way (feyd probably knows the best way to do damn near everything, respectfully), but it works. I add a hidden form field. In this case I would handle it like so: name="login_attempted" value="TRUE", then I would look for $login_attempted to be true like so...

Code:

<?php

// Guard with isset() so a fresh page view (no POST data at all) does not
// raise an undefined-index notice; the loose == TRUE comparison then
// matches the hidden field's value of "TRUE".
if (isset($_POST['login_attempted']) && $_POST['login_attempted'] == TRUE)
{
    // Login has been attempted

} else {

    // Display initial login form

}

?>
This way allows you to differentiate between a virgin view and a view that requires error reporting to the user.

I check for $login_attempted to differentiate between many possible forms being submitted.

lolpix
Forum Commoner
Posts: 41
Joined: Sat Jul 17, 2004 2:20 am

Post by lolpix »

To be more truthful, I am sort of paranoid, and what I would do in real life is have the hidden form be name="login_attempted" value="1" and cast the value of $login_attempted to an integer before checking it like so...

Code:

<?php

// Cast to int; a missing field becomes 0 (the isset() check avoids an
// undefined-index notice on the first, un-submitted view of the page).
$login_attempted = isset($_POST['login_attempted']) ? (int) $_POST['login_attempted'] : 0;

if ($login_attempted == 1)
{

    // Login has been attempted

} else {

    // Show form

}

?>
You probably do not need to do this, but I find it to be a good practice. I am not an expert mind you, but I do have a certain talent at breaking things when asked to test to break. Confining user input to small integers whenever possible seems to me to be a good step towards writing more secure scripts.
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

oh

Post by fresh »

so just go like this:

Code:

<input type='hidden' name='login_attempted' value='1'>
<input type='submit' name='sub'>
and send that to my php, with your code added?? Is that the gist of it??

Thanks guys :)

P.s. you know you're right, that is more secure, because if I didn't use that, the user could do a little something, change a little something else, and send sql queries to my db, with that addition, it will add to the sql string, thus rendering it useless, plus, without it the script will become useless as well... good idea :)

lolpix
Forum Commoner
Posts: 41
Joined: Sat Jul 17, 2004 2:20 am

Post by lolpix »

Sorry, I have been off trying to pay the rent. Has this worked for you at all?

d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

lolpix wrote:To be more truthful, I am sort of paranoid, and what I would do in real life is have the hidden form be name="login_attempted" value="1" and cast the value of $login_attempted to an integer before checking it like so...

Code:

<?php

// Cast to int; a missing field becomes 0 (the isset() check avoids an
// undefined-index notice on the first, un-submitted view of the page).
$login_attempted = isset($_POST['login_attempted']) ? (int) $_POST['login_attempted'] : 0;

if ($login_attempted == 1)
{

    // Login has been attempted

} else {

    // Show form

}

?>
You probably do not need to do this, but I find it to be a good practice. I am not an expert mind you, but I do have a certain talent at breaking things when asked to test to break. Confining user input to small integers whenever possible seems to me to be a good step towards writing more secure scripts.

and that makes it harder for me to copy and paste your form onto my site and then add malicious things to it.... why?

if($var == TRUE)
if((int)$var == 1)

Doesn't really change anything.

lolpix
Forum Commoner
Posts: 41
Joined: Sat Jul 17, 2004 2:20 am

Post by lolpix »

d3ad1ysp0rk wrote:and that makes it harder for me to copy and paste your form onto my site and then add malicious things to it.... why?

if($var == TRUE)
if((int)$var == 1)

Doesn't really change anything.

Good point, the only thing it does ensure is that whatever $var is, is now an integer. We could test for === but that still does not ensure anything. But in this case all we are checking for is that the form has been submitted, not that it has been validated. In this case it is probably not all that helpful, as I think I noted. But it still seems to me to be a good habit in general, because casting a variable to an integer or absolute value strips out any lexicographical content.

fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

so far my original method seems to be more secure, sql injections aren't any good, since the script which queries the db will not parse unless the page has indeed been submitted first.. agreed???

d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

it's just as secure to go:

Code:

<form action="process.php" method="post">
<form items>
</form>

Code:

<?php
// No POST data means the page was opened directly rather than via the form.
if(count($_POST) == 0){
header("Location:process.php");
exit; // stop the script; nothing below should run after the redirect
}
else {
//do stuff
}
?>
Checking to see if the form is submitted doesn't check security, it's just a way to display/process when needed..
mysql_escape_string on the other hand does..
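An added example, not code from any poster in this thread, that separates the two things the thread runs together: the hidden-field check that only decides whether to show or process the login form, and the parameterised query that keeps the submitted username out of the SQL string (a PDO prepared statement stands in for mysql_escape_string, which later PHP versions removed). The $pdo connection and a users table with username and password_hash columns are assumptions.

```php
<?php
// Added example: submission detection and SQL-injection defence are separate concerns.
// $pdo = new PDO('mysql:host=localhost;dbname=app', $dbUser, $dbPass); // assumed to exist

function login_attempted(array $post): bool
{
    // Submission detection only: the hidden field tells us whether to show the
    // blank form or to process credentials. It proves nothing about the input.
    return isset($post['login_attempted']) && (int) $post['login_attempted'] === 1;
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The injection defence lives here, not in the submission check: the
    // username is bound as a parameter and never concatenated into the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash so the database never holds plaintext passwords.
    return $row !== false && password_verify($password, $row['password_hash']);
}

function show_form(string $error = ''): void
{
    // Any error text is HTML-escaped before being echoed back into the page.
    if ($error !== '') {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="">'
       . '<input type="hidden" name="login_attempted" value="1">'
       . 'User: <input type="text" name="username"> '
       . 'Pass: <input type="password" name="password"> '
       . '<input type="submit" name="sub" value="Log in">'
       . '</form>';
}

if (!login_attempted($_POST)) {
    show_form();                               // first, un-submitted view
} elseif (check_login($pdo, (string) ($_POST['username'] ?? ''),
                      (string) ($_POST['password'] ?? ''))) {
    echo 'Logged in';
} else {
    show_form('Login failed, please try again'); // re-display with an error message
}
```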