  1. #251
    SitePoint Addict
    Join Date
    Oct 2001
    Posts
    359
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Kevin Yank
    Where are you seeing that, random?
    The place where I have session.save_path set in my php.ini, which is the ..\WINNT\Temp dir.

  2. #252
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    That's correct; PHP's default session handler stores session data in a text file on the server. Thus, anyone who has access to that file on the server can view session data.

    PHP includes support for custom session handlers, which allow you to store session data more securely when necessary. The PHP Anthology, Volume II includes a solution entitled "How do I store sessions in MySQL?" that explains how to do this.

    Further reading: Custom Session Handlers in PHP4
    Kevin Yank
    CTO, sitepoint.com
    I wrote: Simply JavaScript | BYO PHP/MySQL | Tech Times | Editize
    Baby’s got back—a hard back, that is: The Ultimate CSS Reference

  3. #253
    SitePoint Addict
    Join Date
    Oct 2001
    Posts
    359
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks Kevin. Also, another thing: setting vars as global like you did in db.php, shouldn't that be avoided? Because I always thought global vars were to be avoided at all costs.

  4. #254
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Yes, there are better ways to store application configuration parameters than global variables, such as an .ini file. Since that wasn't the subject of the article, however, I chose to use a simpler approach that is still better than hard-coding the values.
    Kevin Yank
    CTO, sitepoint.com

  5. #255
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    51
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Kevin,

    When I try to signup with a username that's already in the database, the error message doesn't display. Do you have an idea of what could be causing this? The page just re-loads with the fields still filled in, no error message.

    Thanks.

  6. #256
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    fadeski,

    Can you show me the exact code you're using for the query that checks for duplicate users? The code in the article is as follows:
    PHP Code:
        // Check for existing user with the new id
        $sql = "SELECT COUNT(*) FROM user WHERE userid = '$_POST[newid]'";
        $result = mysql_query($sql);
        if (!$result) {
            error('A database error occurred in processing your '.
                  'submission.\\nIf this error persists, please '.
                  'contact [b]you@example.com[/b].');
        }
        if (@mysql_result($result,0,0)>0) {
            error('A user already exists with your chosen userid.\\n'.
                  'Please try another.');
        }
    Kevin Yank
    CTO, sitepoint.com
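
The duplicate-userid check quoted in post #256 places `$_POST[newid]` directly inside the SQL string, and the `mysql_*` functions it calls were removed in PHP 7. As an added example (not code from the article or from any poster), here is the same check with a bound parameter. PDO with an in-memory SQLite table stands in for the article's MySQL `user` table, and the function names `userid_taken()` and `validate_newid()` and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: duplicate-userid check with a bound parameter.
// Assumptions: PDO with in-memory SQLite stands in for the article's MySQL
// "user" table; both function names and the sample rows are constructed here.

function userid_taken(PDO $db, string $newid): bool
{
    // The value travels separately from the SQL text, so quotes inside
    // $newid are compared as data and never parsed as part of the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE userid = :id');
    $stmt->execute([':id' => $newid]);
    return (int) $stmt->fetchColumn() > 0;
}

function validate_newid($raw): ?string
{
    // Reject arrays (newid[]=x) and anything outside a conservative charset.
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $raw)) {
        return null;
    }
    return $raw;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, fullname TEXT)');
$db->exec("INSERT INTO user VALUES ('kevin', 'Constructed Sample')");

// Constructed inputs: a free id, a taken id, and a value containing a quote.
$samples = ['newuser', 'kevin', "o'brien"];
foreach ($samples as $raw) {
    $id = validate_newid($raw);
    if ($id === null) {
        echo "rejected: userid contains characters that are not allowed\n";
        continue;
    }
    echo $id, (userid_taken($db, $id) ? ": already exists\n" : ": available\n");
}

// Even when the format check is skipped, the quote is matched literally
// against the column instead of ending the string in the SQL statement.
var_dump(userid_taken($db, "o'brien"));
```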

  7. #257
    SitePoint Member
    Join Date
    Jun 2004
    Location
    UK
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi all,
    Thanks for this very useful tutorial, Kevin.
    I have tried it and it works fine.

    Just a question: I have noticed that the name of the php file that is currently processed appears in the browser address bar for anyone to see. I would prefer if users could not see how pages are created and by which operating system (linux, apache, php). Is there a way to change this? I'd prefer to see html file names in there.

    In particular, the protected page would be good with a .html extension instead of a .php

    How can I achieve this?

    Thanks for any feedback,

    Micha

  8. #258
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    See the article Search Engine Friendly URLs on SitePoint for techniques that allow you to modify the URL used to access a PHP script.
    Kevin Yank
    CTO, sitepoint.com

  9. #259
    SitePoint Member
    Join Date
    Jun 2004
    Location
    UK
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks Kevin for your quick reply.

    I found another simple way:
    I simply replaced the links to i.e. protectedpage.php with protetedpage (no extension) and it will now show up in the address bar as www.../protetedpage' giving the user no clues as to what type of file it is.

    Thanks,

    Micha

  10. #260
    SitePoint Zealot
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    108
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Redirect on signup

    Based on the sign-up page, is there a way, based on the information placed in the fields of the sign-up form, to redirect them to different pages, even store their information in different tables, yet still have the access control control it all?

    For example: say a user signs up for the first time and they have a question, male or female. If they enter male, the information is stored in the male table and they are redirected to the male index page with their categories, and vice versa. Is there a simple way to check for the information upon sign-up, then redirect for each sign-in?

  11. #261
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Yes. This is basic PHP form processing. Pick up a good PHP tutorial or book to learn how to redirect the browser based on data found in the database.
    Kevin Yank
    CTO, sitepoint.com

  12. #262
    SitePoint Zealot
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    108
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Any Samples

    Quote Originally Posted by Kevin Yank
    Yes. This is basic PHP form processing. Pick up a good PHP tutorial or book to learn how to redirect the browser based on data found in the database.
    Any example of how I may do this? I have many books, yet none seem to cover it from the point of sign-up.

    Where would I place the if statement to redirect,

    and the if statement to store in the right table based on the form info selected?

  13. #263
    SitePoint Member
    Join Date
    Aug 2004
    Location
    New Orleans
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am using a slightly modified version of Kevin Yank's access control script. After reading through this topic and a whole bunch of session topics in this forum (unless I missed something), I have yet to find a clear answer as to why the session expires after a few minutes and what can be done to extend the session life.

    In my own testing, I have somewhat come to the conclusion that the session.gc_maxlifetime setting in my .ini file is what is killing the session. But if I reset it at run time, the session still expires after about 24 minutes.

    If this has already been answered, I apologize for not finding it. Otherwise, thanks for the help.

  14. #264
    SitePoint Enthusiast AGGrrSSIVE's Avatar
    Join Date
    Mar 2001
    Location
    Hilton Head Island, SC
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Backwards Compatibility

    This article was extremely helpful. I successfully modified and used the code to develop an online college application on a server running PHP 4.3. No problem.

    However, I tried building a similar login system for an admin interface on an existing site running PHP 4.0 and it wouldn't remember the session variables. I could log in, but when I clicked on a link (even to the same page), it would ask me to log in again.

    Copied the same files and database to the server running 4.3 and it worked fine.

    Since this article was updated for version 4.2, is there any place to get the pre-update code to try on older versions? I have to build it on the 4.0 site and their host is not ready to upgrade.

    BTW, Kevin, your articles and books have helped to improve my skillset tremendously. Thanks.
    I just may be the lunatic you're looking for. www.socialbaggage.com

  15. #265
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    For PHP 4.0, you'd need to make the following substitutions in the code:

    $_GET -> $HTTP_GET_VARS
    $_POST -> $HTTP_POST_VARS
    $_SERVER -> $HTTP_SERVER_VARS
    $_SESSION -> $HTTP_SESSION_VARS

    I'd really recommend updating the server, however. PHP 4.0 has a number of known bugs and security holes.
    Kevin Yank
    CTO, sitepoint.com

  16. #266
    SitePoint Enthusiast AGGrrSSIVE's Avatar
    Join Date
    Mar 2001
    Location
    Hilton Head Island, SC
    Posts
    34
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Kevin Yank
    I'd really recommend updating the server, however. PHP 4.0 has a number of known bugs and security holes.
    Thanks for the speedy reply. I made your recommended changes and still had to do a really ugly workaround (that I'm ashamed to post here) to get it to work. It probably opened up a few of those security holes you mentioned, but sometimes we have no choice but to work within the confines of a client's environment. Fortunately, we weren't guarding government secrets or personal information on this one. I appreciate the help.

  17. #267
    SitePoint Zealot
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    108
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Forgot or retrieve password

    Hello all, can anyone help me with a "remember my password" feature to work with accesscontrol? I have only found ones that change the current password and then email it to the user, but that matching new password from the e-mail and in phpAdmin does not work with the login; it makes the changes but I can log in with the new. Is there any easier way I can just take the current password and e-mail it to the user without changing it? Here's what I've got....

    PHP Code:
    <?php
    include("db.php");
    switch($_POST['recover']){
       default:
       include("lost_pw_form.php");
       break;

       case "recover":
       recover_pw($_POST['email']);
       break;
    }

    function recover_pw($email){
       if(!$email){
          echo "You forgot to enter your Email address <strong>Knucklehead</strong><br />";
          include("lost_pw_form.php");
          exit();
       }
       // quick check to see if record exists
          dbConnect('blah_blah_blah');
       $sql_check = mysql_query("SELECT * FROM login2 WHERE email='$email'") or die("problem in query");
       $sql_check_num = mysql_num_rows($sql_check) or die("Failed Numb rows");
       if($sql_check_num == 0){
          echo "No records found matching your email address<br />";
          include("lost_pw_form.php");
          exit();
       }
       // Everything looks ok, generate password, update it and send it!
       function makeRandomPassword() {
            $salt = "abchefghjkmnpqrstuvwxyz0123456789";
            srand((double)microtime()*1000000);
            $i = 0;
            while ($i <= 7) {
                 $num = rand() % 33;
                 $tmp = substr($salt, $num, 1);
                 $pass = $pass . $tmp;
                 $i++;
            }
            return $pass;
       }
       $random_password = makeRandomPassword();
       $db_password = md5($random_password);

       $sql = "UPDATE login2 SET password = PASSWORD('$newpass') WHERE email = email";

       $subject = "Your Password at the site";
       $message = "Hi, we have reset your password.

       New Password: $newpass

       Thanks!
       The Staff

       This is an automated response, please do not reply!";

       mail("$email","reissued login info","$message","From: admin\@domainn.com");
       echo "Your password has been sent! Please check your email!<br />";
      }
    ?>
    and here's the form:

    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>
    <form action="send_pw.php" method="post">
    <p><span class="centertext">
    <fieldset><legend>Retrieve Lost or Forgotten Password</legend><br />
    Your Email Address: <input type="text" name="email" size="25" /><br /><br /><br />
    </fieldset><br /><br />
    <input type="hidden" name="recover" value="recover" />
    <input class="inputbutton" type="submit" name="Submit" value="Send" /></span></p>
    </form>
    </body>
    </html>


    * Note: I don't want to change it, just give them back their current password in the e-mail.

    * Note: in my sign-up I have changed the password to be randomly generated instead of the user picking it, which they can change after their login.

    Any help would be a big help.

  18. #268
    SitePoint Zealot
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    108
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Lost Pass problem - Users with PHP Sessions

    I have tried a few different attempts at a forgot-your-password script.

    The ones I have tried are:
    1. update the row with the password with md5
    2. update the row with the password with a random password
    3. just retrieve the original password without change

    They all have connected and sent the e-mail to the user, but none of the passwords that they get e-mailed work.

    Only the original password from sign-up works, which I have a script once they log on.

    Note: on the sign-up form, I create the password for the user with md5 or random and it gets e-mailed to them, rather than the user typing in a password upon sign-up.

    Could this be affecting it, or is it a session thing that's storing the old password somehow?
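
In the reset script posted in #267, the generated value is held in `$random_password` while the UPDATE and the mail text both use `$newpass`, the UPDATE string is never passed to `mysql_query()`, `WHERE email = email` matches every row, and the stored form uses `PASSWORD()` although `$db_password` is computed with `md5()`. As an added example (not the poster's or the article's code), here is a reset flow in which one variable feeds both the stored hash and the mail, with login verifying under the same scheme. PDO with in-memory SQLite stands in for the `login2` table, and the function names and sample rows are assumptions.

```php
<?php
// Added example: reset flow where the mailed password and the stored value
// come from the same variable. Assumptions: PDO/SQLite stands in for the
// poster's MySQL "login2" table; function names and rows are constructed.

function make_random_password(int $length = 12): string
{
    // Alphabet without look-alike characters, drawn from the operating
    // system's CSPRNG via random_int() instead of srand()/rand().
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $pass;
}

function reset_password(PDO $db, string $email): ?string
{
    $new = make_random_password();
    // Bound parameters: only the row for this address is updated.
    $stmt = $db->prepare('UPDATE login2 SET password = :hash WHERE email = :email');
    $stmt->execute([
        ':hash'  => password_hash($new, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    // No matching account means nothing changed and nothing should be mailed.
    return $stmt->rowCount() === 1 ? $new : null;
}

function check_login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM login2 WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
    // Login has to verify with the same scheme the reset used for storage.
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login2 (email TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO login2 VALUES (?, ?)');
$ins->execute(['a@example.com', password_hash('original-a', PASSWORD_DEFAULT)]);
$ins->execute(['b@example.com', password_hash('original-b', PASSWORD_DEFAULT)]);

$mailed = reset_password($db, 'a@example.com');  // text that would go to mail()
var_dump(check_login($db, 'a@example.com', $mailed));       // mailed password
var_dump(check_login($db, 'a@example.com', 'original-a'));  // previous password
var_dump(check_login($db, 'b@example.com', 'original-b'));  // a different account
var_dump(reset_password($db, 'nobody@example.com'));        // address not on file
```

Because only a one-way hash is stored, the current password cannot be read back and mailed; a reset has to issue a new credential. Mailing a one-time, expiring reset link instead of the password itself keeps a usable credential out of the mailbox.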

  19. #269
    SitePoint Member
    Join Date
    Oct 2004
    Location
    USA
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Variables disappear from end of URL after accesscontrol

    I've searched the thread and haven't seen this posted, so please forgive me if I missed it.

    Here's my question, I'm using the accesscontrol.php Kevin shared in his article. Everything works great except for one thing. If the user links to a secured page by accessing a URL with a variable tacked on:

    Example:

    http://localhost/cg/country.php?cid=15

    He/she is prompted for their username and password, which works great, but then the page refreshes sending the user to:

    http://localhost/cg/country.php

    Of course, since the variable has disappeared from the end of the URL, the query does not execute, sending an error message to the user.

    What am I missing here? How can the variable stay tacked onto the URL when posting to $_SERVER['PHP_SELF']?

    Thanks in advance!

  20. #270
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    cdaley,

    $_SERVER['PHP_SELF'] gets a URL to the script that was run by the current request.

    $_SERVER['REQUEST_URI'] gets the URL to reproduce the current request, including the query string.

    So to answer your question, use $_SERVER['REQUEST_URI'] instead of $_SERVER['PHP_SELF'] and you should be okay.
    Kevin Yank
    CTO, sitepoint.com
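
`$_SERVER['REQUEST_URI']` and `$_SERVER['PHP_SELF']` both reflect what the client requested, so the value needs escaping before it is written into the login form's `action` attribute. As an added example (not part of the article's accesscontrol.php), here is one way to build that attribute. The function name `login_form_action()` and the `$server` arrays are assumptions constructed for illustration.

```php
<?php
// Added example: building the login form's action from the current request.
// Assumptions: login_form_action() is a name made up here; the arrays below
// are constructed samples of what PHP places in $_SERVER.

function login_form_action(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    // Accept only a local path ("/..." but not "//host/..."); otherwise
    // fall back to the script's own path without the query string.
    if (!is_string($uri) || !preg_match('#\A/(?!/)#', $uri)) {
        $uri = $server['SCRIPT_NAME'] ?? '/';
    }
    // Escape for an HTML attribute so characters in the path or query
    // string cannot close the attribute or open a new tag.
    return htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
}

$samples = [
    // The request from post #269: the query string must survive the login POST.
    ['REQUEST_URI' => '/cg/country.php?cid=15', 'SCRIPT_NAME' => '/cg/country.php'],
    // Constructed: two parameters, so "&" has to be written as "&amp;".
    ['REQUEST_URI' => '/cg/country.php?cid=15&lang=en', 'SCRIPT_NAME' => '/cg/country.php'],
    // Constructed: a request target that is not a local path.
    ['REQUEST_URI' => '//other.example/x', 'SCRIPT_NAME' => '/cg/country.php'],
];

foreach ($samples as $server) {
    printf("<form action=\"%s\" method=\"post\">\n", login_form_action($server));
}
```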

  21. #271
    SitePoint Member
    Join Date
    Oct 2004
    Location
    USA
    Posts
    6
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Kevin,

    Thanks! I'll try it out.

    Cheree

  22. #272
    SitePoint Zealot
    Join Date
    May 2004
    Location
    Chicago
    Posts
    135
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    How will the code not be visible to the browser

    Quote Originally Posted by Kevin Yank
    Lentildal,

    Your hosting company is right -- you can modify PHP's include directory setting (normally configured in php.ini) with an .htaccess file in your site's root directory.

    Just create a text file called .htaccess in the root directory of your site that contains one line like the following:
    Code:
    php_value include_path .:/path/to/includes
    where /path/to/includes is the full path to the directory outside your Web root where you want to store your PHP include files.

    Of course, with a reputable hosting company it's fairly unlikely that they'll ever break PHP support and expose your scripts to the world, but you can never be too careful.
    11/11-How would this avoid someone seeing my code if the server was not working ?
    Last edited by Kevin Yank; Nov 11, 2004 at 22:17. Reason: Whoops -- unedited.

  23. #273
    SitePoint Author Kevin Yank's Avatar
    Join Date
    Apr 2000
    Location
    Melbourne, Australia
    Posts
    2,571
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by LemonHead
    11/11-How would this avoid someone seeing my code if the server was not working ?
    Because the sensitive code files are stored outside the Web root, they cannot be requested directly by a Web browser. So if PHP support fails, the files cannot be accessed over the Web and therefore cannot be compromised.
    Kevin Yank
    CTO, sitepoint.com

  24. #274
    SitePoint Zealot
    Join Date
    May 2004
    Location
    Chicago
    Posts
    135
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Include Path

    Thanks Kevin. I bought the book "Database Driven Website" and I was doing really well until I hit Chapter 10 and includes. Since I use a web hosting company I was not sure what to do so I'm glad this forum is available for questions such as mine.

    LH
    Chicago,IL

  25. #275
    SitePoint Member
    Join Date
    Nov 2004
    Location
    wisconsin
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have two sites using sessions to allow people to login. Each site uses the same session script and both are on the same server. If I log into one site, regardless if I logout, I cannot use the same browser window and immediately login into the second site without getting this error:

    Warning: session_register(): open(/tmp/sess_7171b3966735744f252403889edc7c9a, O_RDWR) failed: Permission denied (13) in /home/accountname/public_html/admin/login.php on line 2

    If I use a different window, I can login without any problems.

    Does anyone know why I have to use a new window and if there is a fix to this behavior? Or do I even want to fix it... is this a security issue?

    Thanks,
    David
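
Three posts in this thread run into PHP's default file-based session store: session files readable in a shared temp directory (#251, #252), sessions ending after about 24 minutes (the 1440-second default of session.gc_maxlifetime) despite a runtime change (#263), and `Permission denied` on `/tmp/sess_...` when two sites share a server (#275). As an added example (not part of the article's script or of any post), here is one way to give an application its own session directory, cookie name and lifetime. It assumes that garbage collection by other scripts using the same save path, and a session id cookie shared between the two sites, are the causes, which the thread does not confirm; the directory, name and lifetime are placeholders.

```php
<?php
// Added example: give one application its own session storage.
// Assumptions: the directory, session name and lifetime are placeholders
// chosen here; start_private_session() is not part of the article's script.

function start_private_session(string $dir, string $name, int $lifetime): void
{
    // Create the directory so that only the account PHP runs as can use it.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);
    // POSIX permission bits; on Windows restrict the directory with ACLs
    // and drop this check.
    if ((fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("$dir is accessible to group/other");
    }
    // Everything below has to happen before session_start().
    ini_set('session.save_path', $dir);        // not the shared temp directory
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.use_strict_mode', '1');   // ignore ids this store never issued
    session_name($name);                       // distinct cookie per application
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

// Placeholder values; in production use a directory outside the web root.
start_private_session(sys_get_temp_dir() . '/myapp_sessions', 'MYAPPSESSID', 7200);
$_SESSION['uid'] = 'constructed-sample-user';
session_write_close();
```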

