| php code [message #177415] |
Mon, 26 March 2012 15:05  |
shaurya077
Messages: 1
Registered: March 2012
Karma: 0
|
Junior Member |
|
|
hi frds .....
i'm working on a small assignment based on php
in this assignment i just created a login page (username and password
required)
but it is working all right
but after login there i created a welcome page but in which welcome
page php scripts didn't showing the name of user
like "hi! shaurya"
my php code is for login check:
<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"]=="POST")
{
$myusername=addslashes($_POST['user_name']);
$mypassword=addslashes($_POST['pass_word']);
$sql="select id from userinformation WHERE username='$myusername' and
password='$mypassword' ";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);
if($count==1)
{
session_register("myusername");
$_SESSION['login_user']=$myusername;
header("location:welcome.php");
}
else
{
$error="name and password is invalid";
echo $error;
}
}
?>
this scripts is used to check the data filled bu user and after that
this welcome page comes (code):
<?
//screen after verification
include('lock.php');
echo $login_session;
?>
reply plz....
|
|
|
|
| Re: php code [message #177417 is a reply to message #177415] |
Mon, 26 March 2012 16:21  |
J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
shaurya077 wrote:
> hi frds .....
> i'm working on a small assignment based on php
> in this assignment i just created a login page (username and password
> required)
> but it is working all right
> but after login there i created a welcome page but in which welcome
> page php scripts didn't showing the name of user
>
> like "hi! shaurya"
>
> my php code is for login check:
>
> <?php
>
> include("config.php");
>
> session_start();
>
> if($_SERVER["REQUEST_METHOD"]=="POST")
> {
> $myusername=addslashes($_POST['user_name']);
> $mypassword=addslashes($_POST['pass_word']);
>
>
> $sql="select id from userinformation WHERE username='$myusername' and
> password='$mypassword' ";
>
> $result=mysql_query($sql);
>
> $row=mysql_fetch_array($result);
>
> $active=$row['active'];
>
> $count=mysql_num_rows($result);
>
> if($count==1)
> {
> session_register("myusername");
session_register is deprecated and shouldn't be used.
> $_SESSION['login_user']=$myusername;
this is enough to store a value to the session.
> header("location:welcome.php");
> }
> else
> {
> $error="name and password is invalid";
>
> echo $error;
>
>
> }
> }
>
>
> ?>
>
> this scripts is used to check the data filled bu user and after that
> this welcome page comes (code):
>
> <?
>
> //screen after verification
>
> include('lock.php');
>
> echo $login_session;
If you use the same variable as you had in storing the user name to the
session, then you would get the name.
--
//Aho
|
|
|
|
| Re: php code [message #177418 is a reply to message #177415] |
Mon, 26 March 2012 16:03 |
Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Mon, 26 Mar 2012 08:05:29 -0700 (PDT), shaurya077 wrote:
> hi frds .....
> i'm working on a small assignment based on php
> in this assignment i just created a login page (username and password
> required)
> but it is working all right
> but after login there i created a welcome page but in which welcome
> page php scripts didn't showing the name of user
>
> like "hi! shaurya"
>
> my php code is for login check:
>
> <?php
>
> include("config.php");
>
> session_start();
>
> if($_SERVER["REQUEST_METHOD"]=="POST")
> {
> $myusername=addslashes($_POST['user_name']);
> $mypassword=addslashes($_POST['pass_word']);
>
>
> $sql="select id from userinformation WHERE username='$myusername' and
> password='$mypassword' ";
>
> $result=mysql_query($sql);
>
> $row=mysql_fetch_array($result);
>
> $active=$row['active'];
>
> $count=mysql_num_rows($result);
>
> if($count==1)
> {
> session_register("myusername");
> $_SESSION['login_user']=$myusername;
>
> header("location:welcome.php");
> }
> else
> {
> $error="name and password is invalid";
>
> echo $error;
>
>
> }
> }
>
>
> ?>
>
> this scripts is used to check the data filled bu user and after that
> this welcome page comes (code):
>
> <?
>
> //screen after verification
>
> include('lock.php');
>
> echo $login_session;
>
> ?>
>
>
> reply plz....
Where is $login_session set?
--
41. Once my power is secure, I will destroy all those pesky time-travel
devices.
--Peter Anspach's list of things to do as an Evil Overlord
|
|
|
|
| Re: php code [message #177419 is a reply to message #177415] |
Mon, 26 March 2012 20:49 |
Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Mon, 26 Mar 2012 08:05:29 -0700, shaurya077 wrote:
> if($_SERVER["REQUEST_METHOD"]=="POST") {
> $myusername=addslashes($_POST['user_name']);
> $mypassword=addslashes($_POST['pass_word']);
>
> $sql="select id from userinformation WHERE username='$myusername' and
> password='$mypassword' ";
ewwwwww.
at the very least, store some sort of hash of the p/w, and not the pw
itself.
eg:
saving password, take the md5 sum of the password and store it.
reading password, take the md5 of the given password and check that
against the db.
Rgds
Denis McMahon
|
|
|
|
| Re: php code [message #177420 is a reply to message #177419] |
Tue, 27 March 2012 03:54 |
Michael Fesser
Messages: 215
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
.oO(Denis McMahon)
> On Mon, 26 Mar 2012 08:05:29 -0700, shaurya077 wrote:
>
>> if($_SERVER["REQUEST_METHOD"]=="POST") {
>> $myusername=addslashes($_POST['user_name']);
>> $mypassword=addslashes($_POST['pass_word']);
>>
>> $sql="select id from userinformation WHERE username='$myusername' and
>> password='$mypassword' ";
>
> ewwwwww.
>
> at the very least, store some sort of hash of the p/w, and not the pw
> itself.
Correct, but ...
> eg:
>
> saving password, take the md5 sum of the password and store it.
> reading password, take the md5 of the given password and check that
> against the db.
.... even better would be a salted hash. Unsalted hashes are easy to
crack, so it's not much of a difference to plain-text passwords.
Additionally a proper escaping is required in order to prevent SQL
injection attacks (see mysql_real_escape_string()). addslashes() should
be avoided.
Micha
--
http://mfesser.de/blickwinkel
|
|
|
|
| Re: php code [message #177421 is a reply to message #177415] |
Tue, 27 March 2012 08:37 |
Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 3/26/2012 5:05 PM, shaurya077 wrote:
> hi frds .....
Hi shaurya,
> i'm working on a small assignment based on php
> in this assignment i just created a login page (username and password
> required)
> but it is working all right
> but after login there i created a welcome page but in which welcome
> page php scripts didn't showing the name of user
OK, clear enough.
First tip: Make sure you have error reporting set to the right values.
If you are using a session variable that isn't set, you want an
error/notice/warning, not an empty string!
How do you set error reporting to a sensible value?
While you are developing, I suggest you want to see ALL.
http://nl.php.net/manual/en/function.error-reporting.php
Also look at "display errors". Make sure it is on.
http://nl.php.net/manual/en/errorfunc.configuration.php#ini.display-errors
You can set "display errors" to "1".
Use ini_set() or .htaccess with php_value (if on Apache), or whatever,
to set it to "1".
The easiest is probably to use ini_set() in your script.
Once you go live and actually expect people using it, you change
"display errors" to "0".
If you have appropriate error reporting, and you use an uninitialized
variable (eg $_SESSION["mycat"]), you will get a descriptive notice:
exactly what you need during development!
>
> like "hi! shaurya"
>
> my php code is for login check:
>
> <?php
>
> include("config.php");
What happens in config.php?
Are you sure it can be included BEFORE session_start()?
>
> session_start();
>
> if($_SERVER["REQUEST_METHOD"]=="POST")
> {
> $myusername=addslashes($_POST['user_name']);
> $mypassword=addslashes($_POST['pass_word']);
This is a bit cumbersome formulated I think.
Easier/clearer/better is:
if (isset($_POST['user_name']) && isset($_POST['pass_word'])){
$myusername=addslashes($_POST['user_name']);
$mypassword=addslashes($_POST['pass_word']);
}
(addslashes is bad, but I come back to that later.)
In your code you only test for REQUEST_METHOD being POST, but that
doesn't mean that $_POST['user_name'] and $_POST['pass_word'] was send.
It is better to test if the variables you expect are ALL set.
About addslashes: One rule: Never use that function. Period. :-)
It is good you think about avoiding SQL injection, but you need better,
specialized functions to escape the (possibly dangerous) content of
$_POST['user_name'] and $_POST['pass_word'].
addslashes simply don't do it right: it only safeguards you against 4
characters:
'
"
\
NUL
You need a better function.
In your case (mysql) follow Michael's advice and look into
mysql_real_escape_string().
Remember that you need a different escape function for each database.
>
>
> $sql="select id from userinformation WHERE username='$myusername' and
> password='$mypassword' ";
Like Denis said: It is not very nice of you to store people's passwords
in plaintext in the database.
If some funny people crack your system they have access to all those
passwords. Use a hash with a salt.
"Hashing and salt" is all very technical, so look it up when you have
time to study it.
What you do (storing passwords in plain text) is fine during testing,
but very bad when you build anything serious.
>
> $result=mysql_query($sql);
>
> $row=mysql_fetch_array($result);
>
> $active=$row['active'];
>
> $count=mysql_num_rows($result);
>
> if($count==1)
> {
> session_register("myusername");
Remove that line session_register() and NEVER use session_register again.
Put it on the same heap as addslashes and never look at it again.
> $_SESSION['login_user']=$myusername;
This is OK.
>
> header("location:welcome.php");
Add an exit here.
PHP runs on with your script after the header, unlike VB/ASP.
So:
header("location:welcome.php");
exit;
If you don't do that, you risk that something else gets executed (if you
have more code under the if/else block.).
> }
> else
> {
> $error="name and password is invalid";
>
> echo $error;
>
>
> }
> }
>
>
> ?>
>
> this scripts is used to check the data filled bu user and after that
> this welcome page comes (code):
SO the following code is from welcome.php, right?
>
> <?
>
> //screen after verification
>
> include('lock.php');
>
> echo $login_session;
>
You want to use the session again on this page, so you must first start
it again.
Add:
session_start();
And then echo what you want FROM THE SESSION.
echo $_SESSION['login_user'];
> ?>
>
>
> reply plz....
I hope that helped.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]