  1. #1
    Articles ArticleBot
    Join Date
    Apr 2001
    Posts
    1

    Article Discussion

    This is an article discussion thread for discussing the SitePoint article, "Managing Users with PHP Sessions and MySQL"

  2. #2
    Ralph
    SitePoint Community Guest
    Excellent!!

  3. #3
    SitePoint Member
    Join Date
    Jul 2004
    Location
    Milky way
    Posts
    14
    Great tutorial!

  4. #4
    SitePoint Addict caddyfixr
    Join Date
    Aug 2004
    Location
    Albuquerque, NM
    Posts
    249
    This is a gem and I refer others to it as often as I can. Thanks, Kevin.

    Steve

  5. #5
    SitePoint Member
    Join Date
    Sep 2004
    Location
    Texas
    Posts
    0
    This is by far the best tutorial on this subject on the entire web!

    Thank you

    Tanker2004

  6. #6
    Paulcan
    SitePoint Community Guest
    Great tutorial! Using Postgres as db but the fundamentals learned are very, very helpful!

  7. #7
    KyoZed
    SitePoint Community Guest
    Excellent tutorial, exactly what I was looking for, and it was very easy to understand and figure out how to tweak to what I wanted to do.

  8. #8
    Chief Procrastinator arano
    Join Date
    Mar 2003
    Location
    Australia
    Posts
    221
    This is the best and clearest description of sessions, and for that matter a useful version of a login script, that I have found. Normally tutorials are very vague and are not presented in an actual usable situation.

    Good work

  9. #9
    SitePoint Addict ARSA
    Join Date
    Apr 2003
    Location
    San Juan, Puerto Rico
    Posts
    215
    Awesome material, very clear and very efficient. It helped me understand more about the sessions, and how to create the backbone for my access control :D thank you very much!

  10. #10
    SitePoint Member Jesse.tunderman
    Join Date
    May 2004
    Location
    Netherlands - Bussum
    Posts
    8

    Great tutorial! ...still one question...

    First I want to thank you for this tutorial. Just what I was looking for!
    Everything is working fine, but I'm trying to figure out how to make a logout button? I've done the following:

    I've created a logout.php which the logout button is referring to:

    PHP Code:
    $_SESSION = array();
    session_destroy();
    $login_page = "index.php";
    header("Location: $login_page");
    But when I open logout.php the following error appears:

    Warning: session_destroy(): Trying to destroy uninitialized session in /home/jesse/www/sub/supplytool/logout.php on line 3

    Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

    Could someone please help me out? Thanks in advance...

  11. #11
    Taufik Kurniawan
    SitePoint Community Guest
    Kevin Great Works!
    It is very simple, clear, informative and comprehensive.
    I can understand easily and try it on my production website http://www.suksesinternet.com.

    However, can you add some security measures to avoid "session hijacking"? Please do write me an email or post it on your website...

    Cheers ..

  12. #12
    nikola
    SitePoint Community Guest
    You should do this:
    <?php
    // Start (resume) the session
    session_start();

    // Check that the session variable is set
    // (session_is_registered() was removed in PHP 5.4)
    if (isset($_SESSION['uid'])) {

        // Session variable is set, the user is ready to log out
        session_unset();
        session_destroy();
        $login_page = "http://www.yoursite.com/";
        header("Location: $login_page");
        exit; // stop here so nothing else runs after the redirect
    }
    else {

        // The session variable isn't set, the user shouldn't even be on this page
        header("Location: http://www.muzejpriboj.co.yu/my_site");
        exit;
    }
    ?>

  13. #13
    Taufik Kurniawan
    SitePoint Community Guest
    Warning: Cannot modify header information - headers already sent by (output started at /home/jesse/www/sub/supplytool/logout.php:3) in /home/jesse/www/sub/supplytool/logout.php on line 5

    Could someone please help me out? Thanks in advance...

    Add this in the first line of your code
    ob_start();
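
Added example, not part of any post in this thread: a complete logout.php. The first warning in post #10 appears because session_start() was never called in that request, and the "headers already sent" warning is a side effect of that first warning being printed before header(); index.php is the login page assumed in that post.

```php
<?php
// logout.php (added example). Nothing, not even whitespace or a BOM,
// may be output before this opening tag, or header() below will fail.

// Resume the existing session first: session_destroy() only works on a
// session that has been started in the current request.
session_start();

// Drop all session data held in memory for this request.
$_SESSION = [];

// Expire the session cookie in the browser, reusing the parameters it
// was created with so the browser matches and deletes the right cookie.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
}

// Remove the server-side session record.
session_destroy();

// Redirect, then stop: code after a Location header would still run.
$login_page = 'index.php'; // assumed login page, as in post #10
header("Location: $login_page");
exit;
```

Output buffering with ob_start() hides the second warning but leaves the session undestroyed, because the missing session_start() is still the cause. The array form of setcookie() needs PHP 7.3 or later.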

  14. #14
    Stuart
    SitePoint Community Guest
    I could not get this to work properly until I changed the password table to be 41 characters long rather than the given 16. At 16 it was truncating the password created by MySQL. After setting it to 41 passwords could be properly read.

  15. #15
    Squiggle
    SitePoint Community Guest
    Not a bad article, but security appears not to have been considered. Page 3 uses raw data from the user and inserts it into both a SELECT statement and an INSERT statement, giving an attacker the opportunity to insert malicious SQL to create his own account, to gain unauthorised access or to cause damage to existing data.

    Readers are advised to read up on SQL injection before making use of the information in this article on a live server.

  16. #16
    Jacob
    SitePoint Community Guest
    I can't get the sessions to work. I can log in but when I follow a link to another page where login also is required I need to type in my username and password again!

  17. #17
    arun
    SitePoint Community Guest
    In a system where there are 2 types of users, say administrator and guest, if we are using this type of setting session variables, then while the administrator is logged on, any user who knows the address can view those pages. How do we get around this problem?

  18. #18
    SitePoint Enthusiast
    Join Date
    Oct 2004
    Location
    Sweden
    Posts
    49
    Add another column in the database called userlevel or something:
    if admin, value = 1; if normal user, value = 0.

    Then you check admin pages with this:
    PHP Code:
    session_start(); // the session must be started before $_SESSION is read
    if (isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 1) {
        // ADMINS-STUFF HERE!
    } else {
        echo 'I don\'t think so!';
    }

    of course you have to set the session first, but it shouldn't be a problem.

    Something like that.
    Saywoot.net - Online Comic!
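
Added example, not code from the article or from any poster: one way to combine the userlevel check from post #18 with the session hijacking measures asked for in post #11. The session keys 'uid' and 'userlevel' follow the posts above; the function names are hypothetical and an HTTPS site is assumed.

```php
<?php
// Added example; function names are hypothetical.

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // cookie is not readable from JavaScript
        'secure'   => true,   // sent over HTTPS only (assumes an HTTPS site)
        'samesite' => 'Lax',  // not sent on cross-site POST requests
    ]);
    // Refuse session IDs that this server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call once, right after the password check has succeeded. $userlevel
// must come from the user's database row, never from the request.
function on_login_success(int $uid, int $userlevel): void
{
    // Issue a fresh ID and delete the old session, so an ID that was
    // known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    $_SESSION['userlevel'] = $userlevel;
}

// Call at the top of every admin page, before any output.
function require_admin(): void
{
    $level = $_SESSION['userlevel'] ?? null;
    if (!isset($_SESSION['uid']) || (int) $level !== 1) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Top of an admin page:
start_secure_session();
require_admin();
// Admin-only content follows.
```

The check runs on every request against that visitor's own session, so knowing the address of an admin page is not enough to see it.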

  19. #19
    Wadge! F4nat1c
    Join Date
    Oct 2005
    Location
    South Wales, UK
    Posts
    1,134
    I don't like the use of JavaScript when alerting the user of an error. If it is being processed server-side, the errors should be processed server-side, and echoed back to the user.
    OMFG SitePoint ROXORZ TEH BIG ONE111!
    Wish you were invisible?

  20. #20
    Tom
    SitePoint Community Guest
    This script uses unvalidated form input data to perform a MySQL query. It would be extremely easy for a malicious user to launch a dangerous SQL injection attack.

  21. #21
    Kit-10
    SitePoint Community Guest
    This is a great start. But remember you will need to secure your scripts like Tom has mentioned against SQL injection attacks as well as others by validating the input.

  22. #22
    vagelis
    SitePoint Community Guest
    I can't get it to work. When I try to log in to protectedpage.php, and while the registration has been done, I keep getting the message "access denied". What's wrong?

  23. #23
    BearCy
    SitePoint Community Guest
    Yeah, it works, thx a lot. But I don't understand why the PASSWORD function is necessary in the SQL script. When I removed it from the code, it worked.

  24. #24
    SitePoint Enthusiast
    Join Date
    Feb 2005
    Posts
    35
    Excellent tutorials.

    PASSWORD encrypts the password as it is inserted into the database. You can store the password unencrypted but it will be visible to admins who look at the database.

    Re: SQL injection - any links to useful tutorials on how to protect from these kinds of attacks? What extra code do we need to add to a script like this to add security against this type of attack?

    Thanks,

    Chris

  25. #25
    Daniel Turner
    SitePoint Community Guest
    To protect against SQL attacks I just did:
    $VARIABLE = mysql_real_escape_string(trim($POST));

    Then inserted the variables

    (Trim isn't needed but gets rid of any spaces at the ends while you're at it)

    As for the PASSWORD function I replaced it with a few md5 and sha1 encryptions for better security
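
Added example, not code from the thread or the article: parameterized queries and password_hash()/password_verify() applied to the SQL injection and password storage questions raised in posts #15 to #25. The table and column names are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs on its own.

```php
<?php
// Added example; table and column names are assumptions.
// In-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Keep the hash column wide: on MySQL a column that is too short can
// truncate the stored hash, and every later login then fails.
$pdo->exec('CREATE TABLE user (
    id INTEGER PRIMARY KEY,
    userid VARCHAR(100) UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL)');

function register(PDO $pdo, string $userid, string $password): void
{
    // Salted, deliberately slow hash; the algorithm is chosen by PHP.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO user (userid, password) VALUES (?, ?)');
    $stmt->execute([$userid, $hash]);
}

function login(PDO $pdo, string $userid, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM user WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify in PHP: a salted hash cannot be compared inside the query.
    if ($row !== false && password_verify($password, $row['password'])) {
        return (int) $row['id'];
    }
    return null;
}

// Constructed sample input.
register($pdo, 'alice', 'correct horse battery staple');
$attempts = [
    ['alice', 'correct horse battery staple'],  // valid credentials
    ['alice', 'wrong password'],                // wrong password
    ["alice' OR '1'='1", 'anything'],           // bound as a literal user name
];
foreach ($attempts as [$u, $p]) {
    $id = login($pdo, $u, $p);
    printf("%-20s => %s\n", $u, $id === null ? 'rejected' : "user id $id");
}
```

With MySQL only the PDO connection string changes; the mysql_* functions used elsewhere in this thread were removed in PHP 7.0.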

