A better design for authorization/authentication
Posted: Sun Apr 23, 2006 1:11 pm
Hi, I'm new here. Hope I'm not posting in the wrong area.
I just started coding in PHP two weeks ago (so I am just a newbie); hopefully I can learn more by creating a member site.
Installed PHP 4.4.2 and MySQL 4.1.x on my machine. Trying to approach the older version of PHP first, because PHP 5 is quite tough for a newbie like me right now.
So, back to the topic. What I've created on my localhost are register.php, login.php, auth.php, result.php, main.php, user.php, connect.php, install.php and header.php. Hopefully the names tell what the files contain.
I hope I can list all my questions before showing all of my code here.
----------------------------------------------------------------------------------------------------
For login.php
1) Do I need to set the session or call unset_session() on this page? Or is there no need?
2) What if a person is already logged in and visits login.php? What should I do?
3) Is client-side validation of the input required on this particular page? e.g. JavaScript.
4) Other than the user and password fields, what else should I implement on this login page?
----------------------------------------------------------------------------------------------------
For auth.php (This is the page that processes the login.php inputs and outputs the result.)
[syntax="php"]
<?php
// auth.php: processes the login.php form and reports the result
include 'connect.php';   // opens the mysql connection
session_start();         // must run before any output is sent

if (isset($_POST['submit'])) {
    $player   = isset($_POST['userid'])   ? $_POST['userid']   : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    $player = strip_tags($player);
    // escape before putting the value into SQL: strip_tags() does nothing
    // about quotes, so without this a crafted username rewrites the query
    $player_sql   = mysql_real_escape_string($player);
    $password_sql = md5($password);   // hashes are stored as md5 hex in gm_users

    $query = "SELECT playername FROM gm_users "
           . "WHERE playername='$player_sql' AND password='$password_sql'";
    $result = mysql_query($query);
    if (!$result) {
        // keep mysql_error() out of what the visitor sees on a live site
        die("Database error while checking the login.");
    }
    $row = mysql_fetch_assoc($result);

    if ($row) {
        // store the name as it is in the database, not the submitted text
        $_SESSION['player'] = $row['playername'];
        //header("Location: http://localhost/web/test/user.php");
        echo '<meta http-equiv="refresh" content="2;url=http://localhost/web/test/user.php" />';
        include 'header.php';
        print "Logged in successfully<br>";
        print "If the browser doesn't redirect, click on ";
        print "<a href='user.php'>User Panel</a>";
        exit();
    } else {
        include 'header.php';
        print "Wrong username or password or non-activated account.<br />";
        print 'Go back <a href="login.php">login</a> or <a href="main.php">main</a>';
    }
} else {
    include 'header.php';
    //echo "nothing here";
}
?>
[/syntax]
1) Can I use include like this? header and connect as well.
2) Should I use a meta redirect or header()?
3) I registered using the name '<b>a</b>'; it displayed the username as 'a', but I can log in using either '<b>a</b>' or 'a'. Should I use strip_tags in this case? I know there are htmlspecialchars(), preg_replace(), eregi_replace() and htmlentities() out there, but I don't quite know when to use them. Could anyone briefly explain each of them and give me some simple examples?
----------------------------------------------------------------------------------------------------
For result.php (processes the output of register.php)
1) I don't quite know the flow of checking the inputs; hope someone can guide me about this. But this is what I coded:
[syntax="php"]
<?php
// result.php: checks the register.php inputs before creating the account
include 'connect.php';

// true when the name already exists in gm_users (escaped before use in SQL)
function username_taken($name) {
    $res = mysql_query("SELECT 1 FROM gm_users WHERE playername='" . mysql_real_escape_string($name) . "'");
    return $res && mysql_num_rows($res) > 0;
}

$username  = isset($_POST['username'])  ? trim($_POST['username']) : '';
$password  = isset($_POST['password'])  ? $_POST['password']  : '';
$password2 = isset($_POST['password2']) ? $_POST['password2'] : '';

if ($password === $password2) {
    if ($password === '') {
        // show error: no password entered
    } elseif (strlen($username) > 15 || strlen($username) < 3 || username_taken($username)) {
        // show error: username too long, too short or already taken
    } else {
        // md5($password), insert the row into gm_users,
        // session_start() and redirect to user.php
    }
} else {
    // show error: passwords do not match
}
?>
[/syntax]
I think I'm writing too much in one post. I'll continue asking in the next post. Hope I can get some guidance here. Thanks in advance!
feyd | Please use the forum's code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
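Added example (not code from the original post or its author): the auth.php login check written the way a current PHP application would do it, covering the three points the questions above circle around: validating the username on input instead of stripping tags from it, keeping user input out of the SQL string with a bound parameter, and finishing the login with a regenerated session id and a header() redirect followed by exit. It swaps the post's md5() column for password_hash()/password_verify(). It assumes PHP 7.1 or later with the PDO SQLite driver so that it runs stand-alone from the command line; the table and column names (gm_users, playername, password) are the ones in the post, and the sample user and the login attempts at the bottom are constructed here. The session/redirect helper is defined but not called in the command-line demo.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+ with PDO SQLite.
// Table/column names (gm_users, playername, password) are taken from the post.
declare(strict_types=1);

// 1. Validate the username on input so '<b>a</b>' is rejected outright instead of
//    being "cleaned" with strip_tags(). 3 to 15 characters matches the post's rule.
function valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,15}\z/', $name) === 1;
}

// 2. Look the user up with a bound parameter (nothing interpolated into the SQL)
//    and check the password with password_verify(), not with md5() in the WHERE.
//    Returns the canonical playername from the database, or null on failure.
function login_check(PDO $db, string $user, string $pass): ?string
{
    if (!valid_username($user) || $pass === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT playername, password FROM gm_users WHERE playername = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one verify, against a fixed dummy hash when the account does not
    // exist, so an unknown name takes about as long as a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $ok = password_verify($pass, $row ? $row['password'] : $dummy);
    if (!$row || !$ok) {
        return null;
    }
    return $row['playername'];
}

// 3. Encode user-controlled text when it is printed into HTML, not when it is stored.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. After a successful login: fresh session id (stops session fixation), then a
//    header() redirect followed by exit so nothing after it runs or gets printed.
function start_logged_in_session(string $player, string $target): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['player'] = $player;
    header('Location: ' . $target, true, 303);
    exit;
}

// ---- constructed demo data; run with `php auth_example.php` ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gm_users (playername TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO gm_users (playername, password) VALUES (:n, :p)');
$ins->execute([':n' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],     // valid credentials
    ['alice', 'wrong'],             // bad password
    ["alice' OR '1'='1", 'x'],      // injection attempt, rejected by valid_username()
    ['<b>a</b>', 'x'],              // the name from the post, rejected on input
];
foreach ($attempts as [$u, $p]) {
    $who = login_check($db, $u, $p);
    printf("%-20s -> %s\n", h($u), $who === null ? 'denied' : 'ok as ' . h($who));
}
```

On the distinction behind question 3: strip_tags() deletes markup, so it changes the data; htmlspecialchars() and htmlentities() encode characters so they display literally in HTML, leaving the stored data unchanged; preg_replace() and eregi_replace() are general pattern tools that are better used to reject bad input than to repair it. The example therefore validates with preg_match() when the name comes in and encodes with htmlspecialchars() when it goes out, so the name in the database is exactly the name that was registered and the '<b>a</b>' versus 'a' ambiguity cannot arise.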