Big headache problem here. (securing cookies)

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am


Post by Mightywayne »

Okay, I've just got the feeling I'm going in circles. Check this code out.

Code:

// check the cookie exists before reading it
if (!isset($_COOKIE["user"]))
  die('<font color="red"><b><big>Error:</big></b></font><font color="black"><br><br>You must log in first! Click <a href="http://www.monbre.com">here</a> to go back to the homepage, and either signup or login.</font>');

$user = $_COOKIE['user'];

// mysql_query() returns a result resource, not the column value, so the
// comparison below can never match (see the replies); the cookie value is
// also pasted straight into the SQL string
$scookie = mysql_query("SELECT * FROM user WHERE securecookie = $user");

if ($user !=  $scookie)
die("Hmm. That's weird! It's almost as if you were TRYING to edit the cookie data to your advantage. Huh, silly goose.");
Okay, now. The cookie is set to 'encrypt' (I just used rand()) the username. Meaning, they log in, and then in the database entry "securecookie", it takes the rand() number I gave them for the cookie session, and puts it in there. Then I set $scookie to be equal to me going to the database entry "secure cookie", and searching for anyone with the cookie's value in there. It should only find one; if it finds two, I'll fix that later. But for now anyway, it's not working. It just says that everyone is trying to edit the cookie data. =/

What's up?
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Why are you using cookies? You can just use sessions, and not have to worry about them changing the cookie.

Edit: But if you want to use your code how about something like this:

Code:

if (!isset($_COOKIE["user"]))
  die('<font color="red"><b><big>Error:</big></b></font><font color="black"><br><br>You must log in first! Click <a href="http://www.monbre.com">here</a> to go back to the homepage, and either signup or login.</font>');

$user = $_COOKIE['user'];

// escape and quote the cookie value so it cannot alter the query
$safe = mysql_real_escape_string($user);
$result = mysql_query("SELECT * FROM user WHERE securecookie = '$safe'");
$scookie = mysql_fetch_array($result); // false when no row matched
$scookie = $scookie['fieldofcode']; // you need to tell php which field the data is in

if ($user !=  $scookie)
die("Hmm. That's weird! It's almost as if you were TRYING to edit the cookie data to your advantage. Huh, silly goose.");
Last edited by tecktalkcm0391 on Sun Feb 04, 2007 2:05 pm, edited 2 times in total.
wildwobby
Forum Commoner
Posts: 66
Joined: Sat Jul 01, 2006 8:35 pm

Post by wildwobby »

You have to retrieve the query result.

mysql_query() doesn't magically give you the field you want.


Use $somevar = mysql_fetch_array($cookie);
and then to get the username, assuming the mysql field is username,

if (mysql_num_rows($cookie) == 1) {
    $username = $somevar["username"];
} else {
    echo "expected exactly one result";
    exit;
}
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Oh, right, Array. Perfect. Forgot 'bout that. >_> Man I'm drained. Okie dokie.

I use cookies because I looked at 2 comparison articles, and it seemed like each style had its own flaws, and I'd rather deal with local flaws than server-side flaws.

Also, cookies are better for making games. At least, that's what one of the articles said. (not games exactly, though)

Thanks fellah'z.
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

.................................

Maybe it's the fact I'm stressed from the super bowl party. But what is wrong with this? >_> It looks exactly like the code above. Yes, that did indeed work, but now I'm trying to get their username from the table "user", where it is defined by their random code.

Code:

$getuser = mysql_query("SELECT username FROM user WHERE securecookie = $scookie");
$user = mysql_fetch_array("$getuser");
$user = $user['username'];
echo "$user";
I even removed the fourth line and it didn't work.


Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/burnttoa/public_html/monbre/layout.php on line 29

Is the error.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Remove the quotes around $getuser... it's not a string.

Be careful of SQL injection holes too.
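The scheme the thread is circling (a random per-login token in a cookie, looked up in the user table) written out with current PHP, as an added example that is not the original poster's code nor any reply's. It covers the first post's design and feyd's SQL-injection warning in one block. It assumes PHP 7.3+ with the pdo_sqlite extension; the table, the column names username / token_hash and the users alice and bob are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.3+ with pdo_sqlite.
// The "user" table, its columns and the two usernames are constructed here.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, token_hash TEXT)');
    $db->exec("INSERT INTO user (username) VALUES ('alice'), ('bob')");
    return $db;
}

// Call after the password check has passed. Only a hash of the token is stored,
// so a dumped table does not hand out usable cookies; the raw token is returned.
function issueToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG; rand() is guessable
    $stmt = $db->prepare('UPDATE user SET token_hash = :h WHERE username = :u');
    $stmt->execute([':h' => hash('sha256', $token), ':u' => $username]);
    return $token;
}

function sendTokenCookie(string $token): void
{
    setcookie('user', $token, [
        'expires'  => time() + 14 * 86400,
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Maps the cookie value back to a username, or null if it is not a valid token.
// "Exactly one row" is the real check; comparing the cookie against the column
// it was just looked up by (as in the thread) can never fail.
function userFromToken(PDO $db, ?string $token): ?string
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;   // malformed: rejected before it reaches the database
    }
    $stmt = $db->prepare('SELECT username FROM user WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return count($rows) === 1 ? $rows[0] : null;
}

// The thread's query shape, for comparison: the cookie value is pasted into SQL.
// A cookie of  0 OR 1=1  turns the WHERE clause into "token_hash = 0 OR 1=1",
// which matches every row; a script that trusts the first row then logs the
// attacker in as whichever user comes back first.
function interpolatedLookup(PDO $db, string $cookie): array
{
    return $db->query("SELECT username FROM user WHERE token_hash = $cookie")
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
$token = issueToken($db, 'alice');
sendTokenCookie($token);    // in a real request this goes out with the login response

if (userFromToken($db, $token) !== 'alice') {
    throw new RuntimeException('valid token should resolve to alice');
}
if (userFromToken($db, str_repeat('0', 64)) !== null) {
    throw new RuntimeException('unknown token must not resolve');
}
if (userFromToken($db, '0 OR 1=1') !== null) {
    throw new RuntimeException('injection string must be rejected as malformed');
}
printf("prepared lookup: %s\n", userFromToken($db, $token));
printf("interpolated lookup with '0 OR 1=1' returns %d rows\n",
       count(interpolatedLookup($db, '0 OR 1=1')));
```

The three things that differ from the thread's code: the token comes from random_bytes() rather than rand(), the lookup is a prepared statement with the value bound rather than interpolated, and success is "exactly one row matched" rather than comparing the cookie to itself. The cookie flags (Secure, HttpOnly, SameSite) limit what a script or a plaintext network path can do with the token once it is issued.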
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Ah. Thanks.

:takes a power nap before the party: