
Big headache problem here. (securing cookies)

Posted: Sun Feb 04, 2007 1:57 pm
by Mightywayne
Okay, I've just got the feeling I'm going in circles. Check this code out.

Code:

$user = $_COOKIE['user'];

if (!isset($_COOKIE["user"]))
  die('<font color="red"><b><big>Error:</big></b></font><font color="black"><br><br>You must log in first! Click <a href="http://www.monbre.com">here</a> to go back to the homepage, and either signup or login.</font>');

$scookie = mysql_query("SELECT * FROM user WHERE securecookie = $user");

if ($user !=  $scookie)
die("Hmm. That's weird! It's almost as if you were TRYING to edit the cookie data to your advantage. Huh, silly goose.");

Okay, now. The cookie is set to 'encrypt' (I just used rand()) the username. Meaning, they log in, and then in the database entry "securecookie", it takes the rand() number I gave them for the cookie session, and puts it in there. Then I set $scookie to be equal to me going to the database entry "secure cookie", and searching for anyone with the cookie's value in there. It should only find one; if it finds two, I'll fix that later. But for now anyway, it's not working. It just says that everyone is trying to edit the cookie data. =/

What's up?

Posted: Sun Feb 04, 2007 2:03 pm
by tecktalkcm0391
Why are you using cookies? You can just use sessions, and not have to worry about them changing the cookie.

Edit: But if you want to use your code how about something like this:

Code:

$user = $_COOKIE['user'];

if (!isset($_COOKIE["user"]))
  die('<font color="red"><b><big>Error:</big></b></font><font color="black"><br><br>You must log in first! Click <a href="http://www.monbre.com">here</a> to go back to the homepage, and either signup or login.</font>');

$scookie = mysql_query("SELECT * FROM user WHERE securecookie = $user");
$scookie = mysql_fetch_array($scookie);
$scookie = $scookie['fieldofcode']; // you need to tell php which field the data is in

if ($user !=  $scookie)
die("Hmm. That's weird! It's almost as if you were TRYING to edit the cookie data to your advantage. Huh, silly goose.");

Posted: Sun Feb 04, 2007 2:03 pm
by wildwobby
You have to retrieve the query.

mysql_query() doesn't magically give you the field you want


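Use $somevar = mysql_fetch_array($cookie);
and then to get the username assuming the mysql field is username,

// $cookie is the result resource returned by mysql_query()
if (mysql_num_rows($cookie) == 1) {
    $somevar["username"]; // the username from the single matching row
} else {
    echo "more than 2 results";
    exit;
}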

Posted: Sun Feb 04, 2007 2:20 pm
by Mightywayne
Oh, right, Array. Perfect. Forgot 'bout that. >_> Man I'm drained. Okie dokie.

I use cookies because I looked at 2 comparison articles, and it seemed like each style had its own flaws, and I'd rather deal with local flaws than server-side flaws.

Also, cookies are better for making games. At least, that's what one of the articles said. (not games exactly, though)

Thanks fellah'z.

Posted: Sun Feb 04, 2007 2:46 pm
by Mightywayne
.................................

Maybe it's the fact I'm stressed from the super bowl party. But what is wrong with this? >_> It looks exactly like the code above. Yes, that did indeed work, but now I'm trying to get their username from the table "user", where it is defined by their random code.

Code:

$getuser = mysql_query("SELECT username FROM user WHERE securecookie = $scookie");
$user = mysql_fetch_array("$getuser");
$user = $user['username'];
echo "$user";

I even removed the fourth line and it didn't work.


Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/burnttoa/public_html/monbre/layout.php on line 29

Is the error.

Posted: Sun Feb 04, 2007 3:08 pm
by feyd
Remove the quotes around $getuser... it's not a string.

Be careful of SQL injection holes too.
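
The SQL injection warning above applies because the cookie value is placed straight into the query string. The following is an added example, not code from any poster in this thread: the same lookup with a bound parameter and an unpredictable token in place of rand(). It swaps the thread's mysql_* calls for PDO with an in-memory SQLite database, and the function names issueToken and userForCookie are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts; the in-memory SQLite database and the function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, securecookie TEXT)');
$db->exec("INSERT INTO user (username) VALUES ('alice')"); // constructed sample row

// At login: issue an unpredictable token (rand() output is guessable) and
// store only its hash, so a leaked table does not hand out valid cookies.
function issueToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE user SET securecookie = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]);
    return $token; // value to pass to setcookie('user', ...)
}

// On each request: the cookie value is bound as a parameter, never spliced
// into the SQL text, so quotes or SQL keywords inside it remain plain data.
function userForCookie(PDO $db, $cookie): ?string
{
    if (!is_string($cookie) || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null; // missing or malformed cookie
    }
    $stmt = $db->prepare('SELECT username FROM user WHERE securecookie = ?');
    $stmt->execute([hash('sha256', $cookie)]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return count($rows) === 1 ? $rows[0] : null; // exactly one match, or nobody
}

$token = issueToken($db, 'alice');
var_dump(userForCookie($db, $token));              // valid token from login
var_dump(userForCookie($db, '0 OR 1=1'));          // constructed tampered value
var_dump(userForCookie($db, str_repeat('0', 64))); // well-formed but unknown token
```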

Posted: Sun Feb 04, 2007 4:29 pm
by Mightywayne
Ah. Thanks.

:takes a power nap before the party: