Username and Password Exposed

twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

But how does the user tell you their username and password for you to put it in a cookie, or check it against something in a database?

Mac
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

definitely through a form

a form using POST

Code: Select all

<form method="post">
   <input type="text" name="username" />
   <input type="password" name="password" />
   <input type="submit" value="Login" />
</form>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

exactly what I was trying to say ;)
whatever security layer you're wrapping around a connection (i.e. SSL), there are only three modes defined in HTTP by which users can initiate sending data to the server (GET, POST, PUT)
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

I think some people were forgetting the most basic step - the user has to tell you their username and password otherwise even the most paranoid checking mechanism is fairly useless... :lol:

Mac
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

the most secure website is that one not connected to the net :D
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

...lol

it wouldn't be a real "web" site now, would it ;)
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

hob_goblin wrote: definitely through a form

a form using POST

Code: Select all

<form method="post">
   <input type="text" name="username" />
   <input type="password" name="password" />
   <input type="submit" value="Login" />
</form>
What's the use of the trailing (/) at the end of each input?
Aaron
Forum Commoner
Posts: 82
Joined: Sun May 12, 2002 2:51 pm

Post by Aaron »

Why don't you just create a cookie that's checked in the header:

Code: Select all

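// escape the cookie values before they reach the query: cookies are client-controlled
$username = mysql_real_escape_string($HTTP_COOKIE_VARS['username']);
$password = mysql_real_escape_string($HTTP_COOKIE_VARS['password']);
$StrSQL = "SELECT * FROM unz_users WHERE username = '$username' AND password = '$password'";
$StrResult = mysql_query($StrSQL);

$row = mysql_fetch_assoc($StrResult);
$rank = $row['rank'];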
then in the page you want to be protected

Code: Select all

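if (mysql_num_rows($StrResult) <= 0) {
  // no row matched the username/password from the cookie
  echo "<table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"5\">
  <tr> ......";
} else {
  // a row was found: the protected page continues here
}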
creata
Forum Newbie
Posts: 4
Joined: Fri Sep 06, 2002 10:07 am

use md5() or crypt() to cover your password string

Post by creata »

every time you handle a password you should use the md5 or crypt function...

see the example below:
********
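<?php
// md5() returns the 32-character hex digest of the string
$md5 = md5("hello");
echo $md5 . "<br>\n";
$password = "hello";
// crypt() with the two-character salt "xx" (standard DES)
$pass = crypt($password, "xx");
echo $pass;
?>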
********
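Added example, not part of creata's post or of this thread: unsalted md5() gives the same digest for the same password on every account, which is why current PHP stores passwords with password_hash() and checks them with password_verify(). The sketch shows that difference and one way to upgrade stored MD5 digests at login; the function name verify_and_upgrade and all sample values are constructed for illustration.

```php
<?php
// Added example, not code from the thread; all values are constructed.

// Unsalted MD5: identical passwords give identical digests, so one
// precomputed table covers every account that uses "hello".
$legacy_a = md5('hello');
$legacy_b = md5('hello');
var_dump($legacy_a === $legacy_b);

// password_hash() picks a random salt per call and stores the algorithm,
// cost and salt inside the returned string.
$hash_a = password_hash('hello', PASSWORD_DEFAULT);
$hash_b = password_hash('hello', PASSWORD_DEFAULT);
var_dump($hash_a === $hash_b);
var_dump(password_verify('hello', $hash_a), password_verify('hello', $hash_b));

// Verify a login against a stored value that may still be a legacy MD5 hex
// digest. Returns [ok, replacement]: replacement is a new hash to store
// when the old value should be upgraded, otherwise null.
function verify_and_upgrade(string $password, string $stored): array
{
    $is_legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $is_legacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    if ($is_legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Legacy digest, correct password: accepted, and a replacement hash is returned.
[$ok, $new] = verify_and_upgrade('hello', $legacy_a);
var_dump($ok, $new !== null && password_verify('hello', $new));

// Current hash, correct password: accepted, nothing to upgrade.
[$ok, $new] = verify_and_upgrade('hello', $hash_a);
var_dump($ok, $new);

// Wrong password: rejected, nothing to store.
[$ok, $new] = verify_and_upgrade('wrong', $legacy_a);
var_dump($ok, $new);
```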
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

phice wrote:
hob_goblin wrote: definitely through a form

a form using POST

Code: Select all

<form method="post">
   <input type="text" name="username" />
   <input type="password" name="password" />
   <input type="submit" value="Login" />
</form>
What's the use of the trailing (/) at the end of each input?
It's XHTML as opposed to HTML. In XHTML (which is the latest version of HTML) all tags have to be closed either with a specific closing tag:

Code: Select all

<p>Text</p>
or with a closing slash inside the tag:

Code: Select all

<img src="blah.gif" width="x" height="y" />
<br />
<hr />
All attributes have to be in double quotes and everything has to be in lowercase as well.

Mac
Fallen_Angel
Forum Newbie
Posts: 3
Joined: Fri Aug 30, 2002 1:41 pm

Re: Login!

Post by Fallen_Angel »

Code: Select all

// sets cookies mmmmmm cookies....................
  // I think to check them both it is && but I am not sure!
  // so if it works it checks for username and password
  // and if there is no user / pass make set user and password!
if (empty($HTTP_COOKIE_VARS['username']) && empty($HTTP_COOKIE_VARS['password']))
  {
  // arguments: cookie name, value, expiry as a Unix timestamp (not the string "+3600")
  setcookie("username", "$user", time() + 3600);
  setcookie("password", "$pass", time() + 3600);
}
else {
// now check to see if user and password are real if not then comeback
// with nothing! 
// escape the cookie values first: they come from the client
$username = mysql_real_escape_string($HTTP_COOKIE_VARS['username']);
$password = mysql_real_escape_string($HTTP_COOKIE_VARS['password']);
$StrSQL = "SELECT * FROM unz_users WHERE username = '$username' AND password = '$password'"; 
$StrResult = mysql_query($StrSQL); 
$row = mysql_fetch_assoc($StrResult);
}
// get user and password from cookies that are set!
// htmlspecialchars() keeps markup in the cookie value from being rendered
$usercoo=htmlspecialchars($HTTP_COOKIE_VARS['username']);
$passcoo=$HTTP_COOKIE_VARS['password'];
$passcoo=md5($passcoo);
print "welcome $usercoo your password is $passcoo (encrypted)";
Remember a newbie coded this!!!!!!!
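Added example, not code from any poster in this thread: one way to build the flow discussed above (POST form, check against the database) without putting the username or password in a cookie, using a bound query parameter, a password hash and a server-side session. The unz_users table and rank column follow the posts; the password_hash column, the function names, the sample user and the in-memory SQLite database are assumptions so that it runs offline.

```php
<?php
// Added example, not code from the thread. Constructed data; an in-memory
// SQLite database stands in for the MySQL server used in the posts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE unz_users (username TEXT PRIMARY KEY, password_hash TEXT, rank TEXT)');
$db->prepare('INSERT INTO unz_users VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'member']);

// Look the user up with a bound parameter, then verify the submitted
// password against the stored hash. Returns the row, or null on failure.
function check_login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT username, password_hash, rank FROM unz_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// What the login page does with the fields of the POSTed form.
function handle_login(PDO $db, array $post): bool
{
    $user = check_login($db, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($user === null) {
        return false;
    }
    if (PHP_SAPI !== 'cli') { // a command-line demo run has no HTTP session
        session_start(['cookie_httponly' => true, 'cookie_secure' => true]);
        session_regenerate_id(true); // fresh session id after login
    }
    // Only the identity is kept, server-side. The browser holds a random
    // session id cookie, never the username/password pair.
    $_SESSION['username'] = $user['username'];
    $_SESSION['rank'] = $user['rank'];
    return true;
}

// Constructed requests: valid login, wrong password, quote characters in the username.
var_dump(handle_login($db, ['username' => 'alice', 'password' => 'correct horse']));
var_dump(handle_login($db, ['username' => 'alice', 'password' => 'wrong']));
var_dump(handle_login($db, ['username' => "' OR '1'='1", 'password' => 'x']));
```

On a protected page the check then becomes a test for `$_SESSION['username']` after `session_start()`, with no database query built from cookie contents.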