This is an article discussion thread for discussing the SitePoint article, "Managing Users with PHP Sessions and MySQL"
Excellent!!
Great tutorial!


This is a gem and I refer others to it as often as I can. Thanks Kevin.
Steve
This is by far the best tutorial on this subject on the entire web!
Thank you
Tanker2004
Great tutorial! Using Postgres as db but the fundamentals learned are very, very helpful!
Excellent Tutorial, Exactly what I was looking for and was very easy to understand and figure out how to tweak to what I wanted to do..


This is the best and clearest description of sessions and, for that matter, a useful version of a login script that I have found; normally tutorials are very vague and are not presented in an actual usable situation.
Good work


Awesome material, very clear and very efficient. It helped me understand more about the sessions, and how to create the backbone for my access control :D thank you very much!
First I want to thank you for this tutorial. Just what I was looking for!
Everything is working fine, but I'm trying to figure out how to make a logout button. I've done the following:
I've created a logout.php which the logout button is referring to:
PHP Code:
$_SESSION = array();
session_destroy();
$login_page = "index.php";
header("Location: $login_page");
But when I open logout.php the following error appears:
Warning: session_destroy(): Trying to destroy uninitialized session in /home/jesse/www/sub/supplytool/logout.php on line 3
Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5
Could someone please help me out? Thanks in advance...
Kevin Great Works!
It is very simple, clear, informative and comprehensive.
I can understand easily and try it on my production website http://www.suksesinternet.com.
However, can you add some security measures to avoid "session hijacking"? Please email me or post it on your website.
Cheers ..
You should do this:
<?php
// start the session
session_start();
// check to make sure the session variable is set
// (session_is_registered() was removed in PHP 5.4; isset() on $_SESSION does the same job)
if (isset($_SESSION['uid'])) {
    // session variable is set, the user is ready to logout
    session_unset();
    session_destroy();
    $login_page = "http://www.yoursite.com/";
    header("Location: $login_page");
    exit;
}
else {
    // the session variable isn't set, the user shouldn't even be on this page
    header("Location: http://www.muzejpriboj.co.yu/my_site");
    exit;
}
?>
Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5
Could someone please help me out? Thanks in advance...
Add this as the first line of your code:
PHP Code:
ob_start();
I could not get this to work properly until I changed the password table to be 41 characters long rather than the given 16. At 16 it was truncating the password created by MySQL. After setting it to 41 passwords could be properly read.
Not a bad article, but security appears not to have been considered. Page 3 uses raw data from the user and inserts it into both a SELECT statement and an INSERT statement, giving an attacker the opportunity to insert malicious SQL to create his own account, to gain unauthorised access or to cause damage to existing data.
Readers are advised to read up on SQL injection before making use of the information in this article on a live server.
I can't get the sessions to work. I can log in, but when I follow a link to another page where login is also required I need to type in my username and password again!
In a system where there are 2 types of users, say administrator and guest, if we are using this type of setting of session variables, then while the administrator is logged on, any user who knows the address can view those pages. How do we get around this problem?
Add another column in the database called userlevel or something:
if admin, value = 1; if normal user, value = 0.
Then you check admin pages with this:
PHP Code:
// the session must be started before $_SESSION can be read
session_start();
if (isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 1) {
    // ADMIN STUFF HERE!
} else {
    echo 'I don\'t think so!';
}
Of course you have to set the session first, but it shouldn't be a problem.
Something like that.
Saywoot.net - Online Comic!
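The two questions raised above, a logout page that really ends the session and admin-only pages that a user cannot reach just by knowing the URL, as one added example. This is not code from the article or from anyone in this thread. It keeps the thread's 'uid' and 'userlevel' session keys; the file name auth.php, the redirect targets and PHP 7.3 or later (for the cookie-option arrays) are assumptions.

```php
<?php
// auth.php: added example written for this thread, not code from the article
// or its author. Assumes PHP 7.3+ for the array form of the cookie options.
// Session keys 'uid' and 'userlevel' follow the thread; redirect targets are
// placeholders.

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: not readable from JavaScript, HTTPS only, not attached
    // to cross-site requests. Set 'secure' to false only for local testing.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the username/password check has succeeded. The level comes from
// the user's database row, never from anything the browser sent.
function login_user(int $uid, int $userlevel): void {
    start_session();
    session_regenerate_id(true);   // fresh id, old one deleted: a fixated id is useless
    $_SESSION['uid']       = $uid;
    $_SESSION['userlevel'] = $userlevel;
}

function logout_user(string $redirect_to): void {
    start_session();
    $_SESSION = [];                // also forget the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with, or the
        // browser keeps sending the old id.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: ' . $redirect_to);
    exit;                          // never keep running after a redirect header
}

// Put at the top of every protected page, before any output.
function require_login(string $login_page = 'index.php'): void {
    start_session();
    if (!isset($_SESSION['uid'])) {
        header('Location: ' . $login_page);
        exit;
    }
}

// Put at the top of admin pages. 403 rather than a redirect: the visitor is
// logged in, just not allowed here.
function require_level(int $min_level): void {
    require_login();
    $level = $_SESSION['userlevel'] ?? 0;
    if (!is_int($level) || $level < $min_level) {
        http_response_code(403);
        echo "I don't think so!";
        exit;
    }
}
```

With this, logout.php reduces to `require 'auth.php'; logout_user('index.php');` and an admin page starts with `require 'auth.php'; require_level(1);`. Every header() call runs before any output, so the "headers already sent" warning does not arise and ob_start() is not needed, and session_start() always runs first, so session_destroy() never sees an uninitialized session. Regenerating the id at login is the usual first measure against session fixation, one of the hijacking routes asked about earlier in the thread; it does nothing for a cookie that has already been stolen, which is what the cookie flags and HTTPS are for.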





I don't like the use of JavaScript when alerting the user of an error. If it is being processed server-side, the errors should be processed server-side and echoed back to the user.
OMFG SitePoint ROXORZ TEH BIG ONE111!
Wish you were invisible?
This script uses unvalidated form input data to perform a MySQL query. It would be extremely easy for a malicious user to launch a dangerous SQL injection attack.
This is a great start. But remember you will need to secure your scripts like Tom has mentioned against SQL injection attacks as well as others by validating the input.
I can't get it to work. When I try to log in to protectedpage.php, even though the registration has been done, I keep getting the message "access denied". What's wrong?
Yeah, it works, thanks a lot. But I don't understand why the PASSWORD function is necessary in the SQL script. When I removed it from the code, it worked.
Excellent tutorials.
PASSWORD encrypts the password as it is inserted into the database. You can store the password unencrypted, but it will be visible to admins who look at the database.
Re: SQL injection - any links to useful tutorials on how to protect from these kind of attacks. What extra code do we need to add to a script like this to add security against this type of attack.
Thanks,
Chris
To protect against SQL attacks I just did:
PHP Code:
// mysql_real_escape_string() belongs to the mysql extension, which was removed in PHP 7;
// mysqli_real_escape_string() or a prepared statement takes its place there
$variable = mysql_real_escape_string(trim($_POST['field']));
Then inserted the variables.
(Trim isn't needed but gets rid of any spaces at the ends while you're at it.)
As for the PASSWORD function I replaced it with a few md5 and sha1 encryptions for better security
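The SQL injection point raised several times in this thread (the posts warning that page 3 puts raw form input into its SELECT and INSERT, and the mysql_real_escape_string() reply just above), as an added example that is not from the article or anyone in the thread: the login lookup built by string concatenation next to the same lookup done with a prepared statement, run against an in-memory SQLite database through PDO so it needs no MySQL server. The users table, its columns, the sample account and the attacker payload are constructed for the example; password_hash()/password_verify() stand in for MySQL's PASSWORD(), and pdo_sqlite is assumed to be enabled.

```php
<?php
// Added example, not code from the article. The same login lookup built two
// ways, against an in-memory SQLite database so it runs without MySQL.
// Table name, column names and the sample account are constructed.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Store a salted hash rather than the cleartext or MySQL PASSWORD();
    // password_hash() uses bcrypt with a per-user salt.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable: user input is spliced straight into the SQL text, the pattern
// the thread warns about. Returns true if any row comes back.
function login_vulnerable(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the query text is fixed, the value travels as a bound parameter,
// and the password is checked against the stored hash in PHP, not in SQL.
function login_safe(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

$db = setup_db();
$payload = "' OR '1'='1";   // constructed attacker input, typed into both form fields

var_dump(login_vulnerable($db, $payload, $payload));
var_dump(login_safe($db, $payload, $payload));
var_dump(login_safe($db, 'alice', 'correct horse'));
```

Run it with php on the command line. With the payload in both fields the concatenated WHERE clause reads `username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so login_vulnerable() lets the attacker in without knowing any account; login_safe() looks for a user literally named `' OR '1'='1`, finds none and returns false, while the real credentials still verify. Escaping with mysql_real_escape_string() closes the quoted-string case, but it depends on the connection character set and on never forgetting a call; a prepared statement separates code from data structurally, so there is nothing to forget.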