Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Hi Fellows!
I hope someone can give me a better idea about this. I use two session files for my login process to the site: one is session.php and the other is welcomesession.php, and they are as follows:
Now can [s]u[/s] you [s]pls[/s] please explain to me how secure these are to use and, if not, what I can do to make them secure. I do not have SSL capabilities.
I would really appreciate your quick response.
[url=http://forums.devnetwork.net/viewtopic.php?t=30037]Forum Rules[/url] Section 1.1 wrote:11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.
Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.
Sessions are not the only thing you have to pay attention to in order to secure your web application. And SSL protects data only while it is being transferred between the client and the server.
SSL doesn't provide authorisation mechanisms or ACLs.
If you want to secure your application, first you have to answer a question: What do you want to protect? Application files, user data, user access...
You'll find more information on this web site: http://phpsec.org
Thanks rmouali. Well, obviously I want to protect user data first, so could [s]u[/s] you [s]pls[/s] please tell me what route I should go.
[url=http://forums.devnetwork.net/viewtopic.php?t=30037]Forum Rules[/url] Section 1.1 wrote:11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.
Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
Hi fellows!
Well, I am too confused now. I have read many things about session security in different forums as well, and I am getting more and more confused as I read. Here is the process I am following.
My login page, where users input the ID and password, takes the input and calls the other file to process it, which is:
[syntax="php"]
<?php
include "include/session.php";      # INCLUDE SESSION FILE HERE #
include "include/dbconnection.php"; # opens the mysql connection used below

// $userid and $password come from the login form (the original relied on
// register_globals; they are read from $_POST explicitly here)
$userid   = isset($_POST['userid'])   ? $_POST['userid']   : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$userid   = mysql_real_escape_string($userid);
$password = mysql_real_escape_string($password);
// the stored password is matched in the query and again below, in cleartext
if ($rec = mysql_fetch_array(mysql_query("SELECT * FROM tbl_login WHERE userid='$userid' AND password = '$password'"))) {
    if (($rec['userid'] == $userid) && ($rec['password'] == $password)) {
        include "include/newsession.php"; # IT INCLUDES THE NEWSESSION FILE #
        echo "<p class=data> <center>Successfully,Logged in<br><br><a href='logout.php'> Log OUT </a><br><br><a href=welcome.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>";
        print "<script>";
        print " self.location='welcome.php';"; // Comment this line if you don't want to redirect
        print "</script>";
    }
}
else {
    session_unset();
    echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
?>
[/syntax]
Now, if someone could please have a look and let me know how secure this is to use (I know that nothing is a hundred percent secure) and, if not, please explain it to me elaborately. I would appreciate your help a lot.
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
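As an added example (not the poster's code and not from anyone in this thread), here is the same login handler in a hardened form. It assumes include/dbconnection.php sets $mysqli to an open mysqli connection, that the password column of tbl_login holds password_hash() digests rather than cleartext, and that session_start() stands in for the poster's session.php include.

```php
<?php
// Added example: hardened form of the login handler above, not the poster's
// code. Assumes include/dbconnection.php sets $mysqli (an open mysqli
// connection) and tbl_login.password holds password_hash() digests.
session_start();
include "include/dbconnection.php";

$userid   = isset($_POST['userid'])   ? (string) $_POST['userid']   : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Prepared statement: the user-supplied value is bound as data, so it can
// never change the shape of the SQL (no escaping to get wrong).
$stmt = $mysqli->prepare("SELECT password FROM tbl_login WHERE userid = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('Login temporarily unavailable.');
}
$stmt->bind_param("s", $userid);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = ($stmt->fetch() === true);
$stmt->close();

if ($found) {
    // Salted, slow hash compared with a timing-safe check; the cleartext
    // password is never stored and never compared with ==.
    $ok = password_verify($password, $storedHash);
} else {
    // Unknown user: still spend one hash computation so the response time
    // does not reveal which user IDs exist.
    password_hash($password, PASSWORD_DEFAULT);
    $ok = false;
}

if ($ok) {
    // A new session ID at the moment of login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['userid']   = $userid;
    $_SESSION['login_at'] = time();
    header('Location: welcome.php');
    exit;
}

// One generic message whether the user ID or the password was wrong.
$_SESSION = array();
http_response_code(401);
echo '<p class="data">Wrong login. Use your correct user ID and password and try again.</p>';
```

Without SSL the password still crosses the network in cleartext on the way in, so this hardens storage, the query and the session, not the transport.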