
Preserved Topic: PHP User Authorization

 
ACharmedOne
Bipolar (III) Inmate

From: USA
Insane since: Apr 2001

posted 08-03-2002 04:38

Hey y'all, it's been a while.
Anyways, I'm trying to do a user login script with $_SESSION to register variables for use in the site for profiles, etc. http://mistsoftime.neopages.net/verification.txt is the code.
It's not logging anyone in, it just sends everything back to site.php and leaves them as Guest. Can anyone tell me where I screwed up?

»What is life w/o Friends?

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 08-03-2002 06:31

WOAAAAAAH INSECURE INSECURE!!!!


First, I don't know where this isn't working, but here are a couple of ways to troubleshoot it.
First, after this line:
$user = mysql_fetch_array($login);

put:
echo mysql_num_rows($login);

(and get rid of your header stuff for troubleshooting)

That's to see how many rows are being returned. You may also want to echo the SQL to see what that looks like. Something like so:

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
echo $sql; // print the query exactly as it is sent to MySQL
$login = mysql_query($sql); // keep the result so mysql_num_rows($login) can read it

Your security issue is that $authenticate can be set in the URL:
/site.php?authenticate=1

and all is lost.




.:[ Never resist a perfect moment ]:.

ACharmedOne
Bipolar (III) Inmate

From: USA
Insane since: Apr 2001

posted 08-03-2002 09:07

lol thanks, but nm, sorry y'all, I kept working on it and finally figured it out by redoing everything and getting some help from a friend on IRC. Thanks =) Now I just have to figure out how to do a site search.

»What is life w/o Friends?

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 08-03-2002 11:05

Have a look at phpdig for your searching needs!

http://phpdig.toiletoine.net/

ACharmedOne
Bipolar (III) Inmate

From: USA
Insane since: Apr 2001

posted 08-04-2002 07:53

Thanks, I'll check that out for the search thing. Uhh, one other thing, about the authenticated = 1 thing... how could I get around that? 'Cause I'm still using that and it's still insecure o.0

»What is life w/o Friends?

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-04-2002 11:52

Instead of checking whether the $authenticated variable is true or not, every time check if the username & password are valid (just like the first time, when you set $authenticated to true, which shouldn't be necessary anymore)...


bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 08-05-2002 18:51

You can also unset authenticated early in your script.

Then do your check.

For my user authentication stuff I'm using a totally tweaked version of this script for user authentication (I basically kept the theory but put it all in a class for ease of use).

Essentially, the best thing to do, as Max said, is to not set an authenticated variable but to just put your code within the if/else block where right now you are setting authenticated to true.



.:[ Never resist a perfect moment ]:.
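
The flag problem and the fix discussed in the replies above, as an added example that is not part of the original thread or of anyone's posted code. The function names, the $users array and the use of password_hash() are assumptions for illustration; a plain array stands in for $_SESSION, and extract() emulates what register_globals did to request parameters.

```php
<?php
// Constructed sample user store; a real site would query its users table.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Vulnerable pattern: request parameters become variables (register_globals,
// emulated here with extract()), so the flag can come straight from the URL.
function is_authenticated_vulnerable(array $get): bool
{
    extract($get);
    return !empty($authenticate);
}

// Hardened pattern: start from "not authenticated", never read the request
// for the decision, and trust only what the server stored in the session.
function is_authenticated(array $session, array $users): bool
{
    $authenticated = false;              // the "unset it early" advice
    $name = $session['username'] ?? null;
    if (is_string($name) && isset($users[$name])) {
        $authenticated = true;
    }
    return $authenticated;
}

// Login is the only place credentials are checked and the session is written.
function login(array &$session, array $users, string $name, string $pass): bool
{
    if (!isset($users[$name]) || !password_verify($pass, $users[$name])) {
        return false;
    }
    $session['username'] = $name;        // on a real page, call session_regenerate_id(true) first
    return true;
}

$session = [];                           // stands in for $_SESSION
$forged  = ['authenticate' => '1'];      // constructed request: /site.php?authenticate=1

var_dump(is_authenticated_vulnerable($forged));               // forged URL flag, old check
var_dump(is_authenticated($session, $users));                 // same visitor, session check
var_dump(login($session, $users, 'alice', 'wrong'));          // bad password
var_dump(login($session, $users, 'alice', 'correct horse'));  // good password
var_dump(is_authenticated($session, $users));                 // after a real login
```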
