  1. #1
    BoOm-Rocka! Smarky's Avatar
    I am currently building a member system with each user having their own login password. I posted about this a few weeks back and I have made a lot of progress (I have been busy and haven't been able to devote much time to it, though). However, I have three questions:

    1) How do I allow the user to sign out? I am using session_start(); to start the session, so how do I finish it?

    2) How do I allow the user to set an option so they auto login without them having to type their member details every time? My current idea for this is to create a random value, store this in a MySQL database and also send this value to the user as a cookie, and when they visit, check the cookie and compare it to the value in the MySQL database. Is this the right way of doing it? Any ideas how I would go about doing this?

    3) The users have passwords; these are stored in the database as plain text. Is this safe? They shouldn't be able to access the database.

    Garlic bread, I've tasted it, it's the future

  2. #2
    Non-Member
    1) session_destroy();

    2) Your idea should work. Simply set a cookie with the username/password, and when a person tries to log in, check to see if the cookie is set. If it is, compare the cookie's username/password to the MySQL username/password, or else show the login form.

    3) The best way is to store the file outside of <public_html> (or <www>).

  3. #3
    AdSpeed.com Son Nguyen's Avatar
    1. Use session_destroy() when they do click "logout" (normally they don't! time_out will come into play).

    2. Yeah, I think you're going the right way; the cookie shouldn't store any sensitive info.

    3. If you have concerns about this, encrypt the password before putting it into the db, and decrypt it when extracting it from the db.
    - Son Nguyen
    AdSpeed.com - Ad Serving and Ad Management Made Easy

  4. #4
    BoOm-Rocka! Smarky's Avatar
    Should I be concerned? In theory they shouldn't be able to read the contents of the database anyway, right?

    Each user has an ID, see, so if I give them some random data in a cookie and the random data is also put in the database next to the user ID, it could read the cookie and then match it to a user ID. Although I ain't too clever with cookies and ain't too sure how to do it, that's the theory.
    Garlic bread, I've tasted it, it's the future
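
The random-value scheme described in posts #1 and #4, as an added example that is not code from any poster in this thread. It goes one step beyond the posts by storing only a hash of the random value and making each token single-use. The table, function names and user ID are hypothetical, and SQLite stands in for MySQL.

```php
<?php
declare(strict_types=1);

// SQLite in memory stands in for the MySQL database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

// Issue a token when the user opts in; the return value goes into the cookie.
function issueToken(PDO $db, int $userId, int $ttl = 2592000): string
{
    $selector = bin2hex(random_bytes(8));   // lookup key, not secret
    $secret   = bin2hex(random_bytes(32));  // the random value that proves identity
    // Only a hash of the secret is stored, so a leaked table yields no usable cookies.
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $secret), $userId, time() + $ttl]);
    return $selector . ':' . $secret;
}

// Map a cookie value back to a user ID, or null. Each token works once.
function checkToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $secret] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stmt->closeCursor();
    if ($row === false) {
        return null;
    }
    // Consume the token whatever the outcome; the caller issues a fresh one on success.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $ok = (int)$row['expires'] >= time()
        && hash_equals($row['token_hash'], hash('sha256', $secret));  // constant-time compare
    return $ok ? (int)$row['user_id'] : null;
}

$cookie = issueToken($db, 42);           // 42 is a constructed user ID
// Web use: setcookie('remember', $cookie, ['expires' => time() + 2592000,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(checkToken($db, $cookie));      // first presentation of the cookie
var_dump(checkToken($db, $cookie));      // replay of the same cookie
var_dump(checkToken($db, 'no-such:token')); // unknown selector
```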

  5. #5
    SitePoint Author Kevin Yank's Avatar
    Originally posted by velocity
    Should I be concerned? In theory they shouldn't be able to read the contents of the database anyway, right?
    Right. In fact, the question may be whether you think you need to see your users' passwords. When I build sites, I often store passwords using MySQL's PASSWORD() function, which hashes (processes) the password string into an unreadable form that cannot be converted back to the original password. Then, when verifying the entered password, I hash the entered value and compare it with the stored hash.

    The advantage here is added privacy for my client. Even though I built the site, I don't have access to the users' passwords. Although the actual security benefit is minimal if I still have database access, it does help to set my client's mind at ease.
    Kevin Yank
    CTO, sitepoint.com
    I wrote: Simply JavaScript | BYO PHP/MySQL | Tech Times | Editize
    Baby’s got back—a hard back, that is: The Ultimate CSS Reference

  6. #6
    Non-Member
    kyank, how do you hash the inputted value? I would love to see an example of this.

  7. #7
    SitePoint Author Kevin Yank's Avatar
    In your INSERT statement, just set the value using PASSWORD(). E.g.:

    INSERT INTO myTable SET USERNAME='$user', PASS=PASSWORD('$pass');

    Then, to check for a match:

    SELECT * FROM myTable WHERE USERNAME='$user' AND PASS=PASSWORD('$pass');
    Kevin Yank
    CTO, sitepoint.com
    I wrote: Simply JavaScript | BYO PHP/MySQL | Tech Times | Editize
    Baby’s got back—a hard back, that is: The Ultimate CSS Reference
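
The same hash-on-insert, hash-on-check pattern, as an added example that is not Kevin Yank's or SitePoint's code. It uses PHP's password_hash()/password_verify() and PDO placeholders in place of PASSWORD() and interpolated variables, since MySQL removed PASSWORD() in version 8.0. The users table, function names and sample account are assumptions, and SQLite stands in for MySQL.

```php
<?php
declare(strict_types=1);

// SQLite in memory stands in for the MySQL users table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Store a salted, deliberately slow hash computed in PHP.
// The plain password never reaches the database or its query log.
function register(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Fetch the stored hash by username, then verify in PHP. The comparison cannot be
// done in the WHERE clause because every password_hash() call uses a fresh salt.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    $stmt->closeCursor();
    if ($hash === false) {
        return false;                      // no such user
    }
    return password_verify($pass, $hash);
}

register($db, 'smarky', 'garlic-bread');             // constructed sample account
var_dump(login($db, 'smarky', 'garlic-bread'));      // correct password
var_dump(login($db, 'smarky', 'wrong-password'));    // wrong password
// Placeholders treat this input as a literal username, not as SQL.
var_dump(login($db, "smarky' OR '1'='1", 'anything'));
```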

  8. #8
    BoOm-Rocka! Smarky's Avatar
    Yeah, I think I will do this, because some of these passwords will be my friends', and a lot of people, I guess, use the same passwords for things so they don't forget. So I think it would be good for me not to have access to them.
    Garlic bread, I've tasted it, it's the future

