Small, short code snippets that other people may find useful. Do you have a good regex that you would like to share? Share it! Even better, the code can be commented on and improved.
For people that still use cookies on their site, it's vital that they can't be edited in any manner. I used this in the include that was on every page to be extra safe.
<?php
// Assumes $db is an open mysqli connection (the original used the old mysql_* API
// and $HTTP_COOKIE_VARS, both removed from PHP).
if (isset($_COOKIE['Username']) && isset($_COOKIE['Password'])) {
    $user = $_COOKIE['Username'];
    $pass = $_COOKIE['Password'];
    // Bind the cookie values instead of interpolating them into the query,
    // so a crafted cookie cannot rewrite the WHERE clause.
    $stmt = $db->prepare("SELECT 1 FROM members_table WHERE username = ? AND password = ?");
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    $check = $stmt->num_rows;
    $stmt->close();
    if ($check == 0) {
        echo "Don't edit the cookie!";
        echo '<meta http-equiv=refresh content="1; url=logout.php">';
        die;
    }
}
if (isset($_COOKIE['Username']) && !isset($_COOKIE['Password'])) {
    echo "Don't edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    die;
}
if (!isset($_COOKIE['Username']) && isset($_COOKIE['Password'])) {
    echo "Don't edit the cookie!";
    echo '<meta http-equiv=refresh content="1; url=logout.php">';
    die;
}
?>
If both are set, then the first if checks to make sure the username and password match. The next two ifs run if only one is set. If any condition is met, then the user is sent to logout.php, which destroys the cookie.
I thought that by now most of us would know that passing the credentials between server and client in a cookie is just plain evil.
Only send them an id, let's call it session_id, and then store the data on the server side in a database... and every time the user provides this cookie, check the database if the id is valid, check if the time hasn't expired, check if he's still using the same browser, etc... virtually: re-invent sessions :p
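The scheme the comment above describes, written out as an added example (it is not code from the original poster or from either commenter): the client gets only a random session id, and the user id, expiry and browser binding live in a server-side table. The `sessions` table layout, the PDO connection `$db`, the cookie name `session_id` and the one-hour lifetime are all assumptions made for the example; it needs PHP 7.3 or later for the `setcookie()` options array.

```php
<?php
// Added example, not the original snippet. Assumed: $db is a PDO connection with
// exceptions enabled, and this table exists:
//   sessions(session_id CHAR(64) PRIMARY KEY, user_id INT,
//            user_agent VARCHAR(255), expires_at INT)
// The cookie name and lifetime below are also assumptions.

const SESSION_COOKIE   = 'session_id';
const SESSION_LIFETIME = 3600; // seconds

// Call this only after the user has proven who they are (a successful password check).
function start_server_session(PDO $db, int $user_id): string
{
    // 32 bytes from the CSPRNG; this id is the only secret the client ever holds.
    $id      = bin2hex(random_bytes(32));
    $expires = time() + SESSION_LIFETIME;
    $ua      = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);

    $stmt = $db->prepare(
        'INSERT INTO sessions (session_id, user_id, user_agent, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$id, $user_id, $ua, $expires]);

    // HttpOnly keeps page scripts away from the cookie, Secure keeps it off plain
    // HTTP, SameSite=Strict keeps it off cross-site requests.
    setcookie(SESSION_COOKIE, $id, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return $id;
}

// Returns the logged-in user's id, or null if the cookie is missing, unknown,
// expired, or presented from a different browser than the one that created it.
function check_server_session(PDO $db): ?int
{
    $id = $_COOKIE[SESSION_COOKIE] ?? '';
    // A valid id is exactly 64 hex characters; reject anything else before touching the DB.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $id)) {
        return null;
    }

    $stmt = $db->prepare('SELECT user_id, user_agent, expires_at FROM sessions WHERE session_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                 // unknown id, or one already logged out
    }
    if ((int) $row['expires_at'] < time()) {
        end_server_session($db);     // expired: remove the row and the cookie
        return null;
    }
    $ua = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);
    if ($row['user_agent'] !== $ua) {
        end_server_session($db);     // id replayed from a different browser
        return null;
    }
    return (int) $row['user_id'];
}

// Logout: delete the server-side row and expire the cookie.
function end_server_session(PDO $db): void
{
    $id = $_COOKIE[SESSION_COOKIE] ?? '';
    if ($id !== '') {
        $stmt = $db->prepare('DELETE FROM sessions WHERE session_id = ?');
        $stmt->execute([$id]);
    }
    setcookie(SESSION_COOKIE, '', [
        'expires'  => time() - SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    unset($_COOKIE[SESSION_COOKIE]);
}

// Per-page guard, playing the role of the include in the original post.
// An HTTP redirect does not depend on the browser honouring a meta refresh.
// $user_id = check_server_session($db);
// if ($user_id === null) {
//     header('Location: logout.php');
//     exit;
// }
?>
```

Nothing in the cookie can be edited to become someone else: the id is 256 random bits, so guessing one is hopeless, and every property of the session (who it belongs to, when it ends, which browser it came from) is read from the server's own row, never from the client. The "same browser" check here is the User-Agent string, which is what the comment suggests; it stops a cookie pasted into a different client, but anyone who can steal the cookie can copy the User-Agent too, so treat it as a tripwire rather than a second factor.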
Also, I noticed that some browsers have meta refreshes switched off (disabled), so it is wise to create something in there which allows the user to click if they are not redirected within a given amount of time.