Printable View
hi folks
i read kevin yank's article Managing Users with PHP Sessions and MySQL, it is very interesting but i have one problem.
kevin says to use a php.ini file to include certain bits of code. i have spoken with my hosting company and they say they dont allow me access to the php.ini file on the server but i can create an .htaccess file. is there a way to achieve the same results using .htaccess instead?
thanks
A
Several comments here recently about this. Try a search on htaccess.
You don't need to edit php.ini file.
for include file, use can paste include file in the same directory of your php file and use
include "/home/yourpath/include.inc.php";
Hi guys, thanks for your replies,
itsource: the reason i was asking was because kevin seems to suggest that putting the include files in your web directory is not secure in the event that php stops working on the server....
Quote:
In either case, you can choose to put your include files in the same directory as the file(s) that use them, or place them in the appointed directory. The latter choice is a safer for files containing sensitive information like passwords, because if the PHP support in your Web server ever fails, the information in PHP files not stored below your server's Web root directory will not be exposed to prying eyes.
Lentildal,
Your hosting company is right -- you can modify PHP's include directory setting (normally configured in php.ini) with an .htaccess file in your site's root directory.
Just create a text file called .htaccess in the root directory of your site that contains one line like the following:where /path/to/includes is the full path to the directory outside your Web root where you want to store your PHP include files.Code:php_value include_path .:/path/to/includes
Of course, with a reputable hosting company it's fairly unlikely that they'll ever break PHP support and expose your scripts to the world, but you can never be too careful. :)
hey kevin, thanks for replying
dont i need to be able to open the php.ini file and paste in my php scripts to use it?
my host said they wouldnt allow me access to the php.ini file.
btw - thought your article was v. good
thanks
L
Is there something wrong with the Sitepoint forums? I seem to remember this whole thread from two days ago. almost verbatim. It's deja vu all over again. Was I hallucinating? I wonder if I know what Saturday's Lotto numbers are going to be? :)
L,
You don't need to put any code in your php.ini file, no. What gave you the impression that you did?
er....where do i put the include files then?
lets take "db.php" for example, with all my database details, which directory do i put that in?
also a little further into the article you talk about changing the following options:
session.save_handler = files
session.save_path = C:\WINDOWS\TEMP
session.use_cookies = 1
do these not reside within the php.ini file?
thanks, sorry if im being a bit simple.
Lentil
The include files, as I explain in the article, should go in a directory on your Web server that is outside your Web site's directory structure. So for example if your Web site is in /home/lentildal/httpdocs, a good place for your include files would be in /home/lentildal/phpincludes. You'd then use the .htaccess file as I described above to add that directory to the PHP include_path.
Note that in a shared server scenario, you do NOT want to add the include_path change to the global php.ini file, as it would allow other users with sites on the system to run your include files as part of their scripts.
As for the session configuration parameters, those should indeed go in the php.ini file, but if your Web host has set up PHP for you then this has been done already.
ah, i see now
thanks for taking the time to explain
btw - could you point me in the direction of any tutorials or posts that would enable me to add a log feature to this script, to capture the username and time/date that anyone logged in and out, maybe just save them to a text file on the server?
thanks very much
..L
Hi all,
I just read Kevin Yank's article on managing users with PHP and MySQL, and have one question.
Kevin says,So how can I encrypt users' passwords but then be able to "un-encrypt" them to email them to the user in case they forget their passwords?Quote:
Of course, you can't store the passwords encrypted using MySQL's PASSWORD function if you want to implement this feature (since PASSWORD is a one-way operation that cannot be reversed).
http://www.webmasterbase.com/article/319/119
Thanks,
Corbb
You don't have to. If they can remember their username then you can have a "reset your password" email sent to their registered address with a link to a form that carries out an update, without ever reading the data...Quote:
Originally posted by JustForWebmasters
Hi all,
I just read Kevin Yank's article on managing users with PHP and MySQL, and have one question.
Kevin says,So how can I encrypt users' passwords but then be able to "un-encrypt" them to email them to the user in case they forget their passwords?
Thanks,
Corbb
Hi OriginalH,
So then their password would just be radmonly re-generated?
Thanks,
Corbb
That's correct.
Thanks Kev! :D
-Corbb
I don't understand why the script has to set register_session first before checking if the user is valid in database?
Why not just check if the user is valid first, then only set register_session?
Thanks,
Truong.
From my understanding, I believe that it's a speed thing. It's faster to check register_session than to check the database. Maybe...not quite sure...:)
The reasoning is as follows...
There are four situations in which this script may be run:To handle these four situations, you can choose from two algorithms:
- No session yet exists. The user has filled in the login form with a valid username/password.
- No session yet exists. The user has filled in the login form with an invalid username/password.
- The session is in place, with a valid username/password stored in it.
- The session is in place, but the username/password stored in it is no longer valid (e.g. the account was removed while the user was logged in).
Algorithm 1
Begin/Restore Session.
(Re)register the variables.
Validate the user/pass.
If invalid {
Unregister the variables.
Show access denied.
Exit.
}
Display content.
Algorithm 2
Begin/Restore the Session.
Validate the user/pass.
If Invalid {
If vars registered, unregister them.
Show access denied.
Exit.
}
(Re)register variables.
Display content.
The article uses Algorithm 1. Truong, you have proposed Algorithm 2. Both will work. At the time I wrote the article, I decided that #1 was tidier. Yes, it needlessly registers the variables if the values are invalid, but that saves the script having to check if the variables are registered before unregistering them.
I believe #1 is tidier because you can re-register session variables in PHP without it complaining, but if you try to un-register variables that aren't registered you'll get warning messages. It's been awhile, though, so that may have changed now.
I like the article...but I was unable to figure out where I add the db name?
I appreciate any help on this...Thanks
Now I'm getting:
Warning: Cannot send session cache limiter - headers already sent (output started at /home/mysite/public_html/php/accesscontrol.php:7) in /home/mysite/public_html/php/accesscontrol.php on line 12
in
accesscontrol.php
and
signup.php
I am using
dbConnect("db_name");
instead of Kevin's original
dbConnect("sessions");
Line 7 starts as fllows
<?php // accesscontrol.php
include("common.php");
include("db.php");
session_start();
if(!isset($uid)) {
php?>
SO line 12 is
session_start();
I am confused...Yes I am...Help! Thank You!
Quote:
Originally posted by UncleSam
I like the article...but I was unable to figure out where I add the db name?
I appreciate any help on this...Thanks
Could you please post the code where you define dbConnect()?
-Colin
OK...by reading a little bit more...and trying a couple of thing...it is now working.
I had to make one variation to the original code:
I moved the
session_start();
in accesscontrol.php file to make it 1st line.
Thanks a Lot Colin for trying, but the original function works! and Thanks Kevin!
UncleSam
By the way, to make things work,
I had to also change Multiple occurences:
from
dbConnect("sessions");
to:
dbConnect("db_name");
Works great!
UncleSam
Looks like you figured it all out. The error message you were getting occurs when PHP has already sent some HTML or other content to the browser when you call session_start(). Since accesscontrol.php shouldn't have had any output instructions or code outside the <?php ?> tags before session_start(), I'd have expected the problem to be in the file where you included accesscontrol.php. If that include didn't occur on the very first line of the file, or if there were any spaces or line breaks before the opening <?php of the include, that would explain the error you were getting.
But as I said, it sounds like you figured it out for yourself. :)