[PHP] Best ways to Auth in PHP



Protege
18-04-2008, 01:01 PM
It's really the one area I'm not so sure in so I want to post my way, and then you can express your ways and how you do it, then what I can do to improve on mine.

Setting sessions;


function setSession($username, $host, $ip, $id) {
    $time = date("dmogi");
    // Each value is stored twice: as-is and passed through encrypt().
    $_SESSION["x"] = $username;
    $_SESSION["xx"] = encrypt($username);
    $_SESSION["xxx"] = $host;
    $_SESSION["xxxx"] = encrypt($host);
    $_SESSION["xxxxx"] = $ip;
    $_SESSION["xxxxxx"] = encrypt($ip);
    $_SESSION["xxxxxxx"] = $time;
    $_SESSION["xxxxxxxx"] = encrypt($time);
    // Mirror the same values into the user's row.
    mysql_query("UPDATE `users` SET `host` = '".$host."',
        `hoste` = '".encrypt($host)."',
        `ip` = '".$ip."',
        `ipe` = '".encrypt($ip)."',
        `time` = '".$time."',
        `timee` = '".encrypt($time)."' WHERE `users`.`id` = '".$id."' LIMIT 1;");
}
To check the Session;


function checkSession($id) {
    $time_plus = $_SESSION["xxxxxxx"];
    $time_expire = date("dmogi");
    $time_new = $time_plus - $time_expire;
    if($time_new < 30) {
        if(encrypt($_SESSION["x"]) == $_SESSION["xx"]) {
            if(encrypt($_SESSION["xxx"]) == $_SESSION["xxxx"]) {
                if(encrypt($_SESSION["xxxxx"]) == $_SESSION["xxxxxx"]) {
                    if(encrypt($_SESSION["xxxxxxx"]) == $_SESSION["xxxxxxxx"]) {
                        $query = mysql_query(" SELECT * FROM `users`
                            WHERE `username` = CONVERT( _utf8 '".$_SESSION["x"]."' USING latin1 ) COLLATE latin1_swedish_ci
                            AND `host` = CONVERT( _utf8 '".$_SESSION["xxx"]."' USING latin1 ) COLLATE latin1_swedish_ci
                            AND `hoste` = CONVERT( _utf8 '".$_SESSION["xxxx"]."' USING latin1 ) COLLATE latin1_swedish_ci
                            AND `ip` = CONVERT( _utf8 '".$_SESSION["xxxxx"]."' USING latin1 ) COLLATE latin1_swedish_ci
                            AND `ipe` = CONVERT( _utf8 '".$_SESSION["xxxxxx"]."' USING latin1 ) COLLATE latin1_swedish_ci
                            LIMIT 0 , 30");
                        $rows = mysql_num_rows($query);
                        if($rows == 0) {
                            return false;
                        } elseif($rows > 0) {
                            $time = date("dmogi");
                            $_SESSION["xxxxxxx"] = $time;
                            $_SESSION["xxxxxxxx"] = encrypt($time);
                            mysql_query("UPDATE `users` SET `time` = '".$time."',
                                `timee` = '".encrypt($time)."' WHERE `users`.`id` = '".$id."' LIMIT 1;");
                            return true;
                        }
                    } else { return false; }
                } else { return false; }
            } else { return false; }
        } else { return false; }
    } else { return false; }
}
Your views and comments are appreciated & your way would be nice to see too.


Thread moved from Website Staff by --ss-- (Forum Super Moderator): Moved to the correct location :).

Florx
18-04-2008, 05:03 PM
Isn't that slightly over the top?

RYANNNNN
18-04-2008, 05:27 PM
Isn't that slightly over the top?

No :rolleyes:

MicroZune
18-04-2008, 07:01 PM
maybe u could use ur auth make a tut on user system or something

Protege
18-04-2008, 07:17 PM
Well, I always thought over the top was better than not a lot. I don't think I should make a tutorial; I just want to know what I should change and what is good.

Jackboy
18-04-2008, 08:08 PM
I would do that but i know for a fact i would have something like xx instead of xx somewhere and i wud cry myself to sleep over a bag of polish later that night

Protege
18-04-2008, 08:13 PM
You got me, I don't get what you're on about man lol

Dentafrice
19-04-2008, 01:27 PM
I personally don't see why you're encrypting everything?

I mean, come on, the time doesn't have to be encrypted...

My set session:



private function set_session() {
    global $db;
    $get_user_3 = $db->query("SELECT * FROM users WHERE username='$this->username'");
    $get_user_3_a = $db->fetch_array($get_user_3);
    $uid = $get_user_3_a["id"];
    $id = session_id();
    $db->query("DELETE FROM session WHERE session_id='$id'");
    $db->query("DELETE FROM session WHERE userid='$uid'");
    $ip = $_SERVER["REMOTE_ADDR"];
    $date = time();
    $db->query("INSERT INTO session (session_id, ip, date, userid) VALUES('$id', '$ip', '$date', '$uid')");
    $db->redirect("index.php");
}


My check_login:



public function check_login ()
{
    global $db;
    $id = session_id();
    $start = $db->query("SELECT * FROM session WHERE session_id='$id'");
    $start_n = $db->num_rows($start);
    if ($start_n == "0") {
        return "0";
    } else {
        $get_session_a = $db->fetch_array($start);
        $user_id = $get_session_a["userid"];
        $check_user = $db->query("SELECT * FROM users WHERE id='$user_id'");
        $c_u_n = $db->num_rows($check_user);
        if ($c_u_n == "0") {
            return "0";
        } else {
            $timeout = $this->get_setting("timeout");
            $now = time();
            $last = $get_session_a["date"];
            $check = $now - $last;
            if ($check > $timeout) {
                return "0";
            } else {
                if ($get_session_a["ip"] != $_SERVER['REMOTE_ADDR']) {
                    return "0";
                } else {
                    $db->query("UPDATE session SET date='$now' WHERE session_id='$id'");
                    return "1";
                }
            }
        }
    }
}

Protege
19-04-2008, 02:40 PM
Well then I compared the plain text encrypted by the original encryption. Then I check it against the database.

Dentafrice
19-04-2008, 02:43 PM
If you're using sessions, you can't change them.. most of that is a bit useless.

Protege
19-04-2008, 02:46 PM
Show me your version of my script then.

Dentafrice
19-04-2008, 02:59 PM
Of your script? What are you talking about?

Protege
19-04-2008, 03:01 PM
the one at the start of the thread. amend it for me then.
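
Added example, not part of the original thread or any poster's code: a session set/check in the shape of the two scripts above, with PDO prepared statements instead of interpolated SQL and Unix timestamps from time() so the idle timeout is a plain subtraction. The table and column names follow the second script; the 1800-second timeout, the SQLite demo database and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. The timeout value is an assumption, not taken from the thread.
const IDLE_TIMEOUT = 1800; // seconds of inactivity before the session is rejected

// Call right after the password check. In a web request, run
// session_regenerate_id(true) first and pass session_id() as $sid, so an
// identifier issued before login is never promoted to a logged-in one.
function set_session(PDO $db, string $sid, int $userId, string $ip, int $now): void
{
    // One live session per user, as in the thread's set_session().
    $db->prepare('DELETE FROM session WHERE session_id = ? OR userid = ?')
       ->execute([$sid, $userId]);
    $db->prepare('INSERT INTO session (session_id, ip, date, userid) VALUES (?, ?, ?, ?)')
       ->execute([$sid, $ip, $now, $userId]);
}

// Returns the user id for a valid session, or null when it must be rejected.
function check_login(PDO $db, string $sid, string $ip, int $now): ?int
{
    $st = $db->prepare('SELECT userid, ip, date FROM session WHERE session_id = ?');
    $st->execute([$sid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown session id
    }
    // Elapsed idle time is now minus last activity, both in seconds.
    $expired = ($now - (int) $row['date']) > IDLE_TIMEOUT;
    if ($expired || $row['ip'] !== $ip) {
        // Stale, or presented from a different address: revoke server-side.
        $db->prepare('DELETE FROM session WHERE session_id = ?')->execute([$sid]);
        return null;
    }
    $db->prepare('UPDATE session SET date = ? WHERE session_id = ?')->execute([$now, $sid]);
    return (int) $row['userid'];
}

// Demo on an in-memory SQLite database; every value below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (session_id TEXT PRIMARY KEY, ip TEXT, date INTEGER, userid INTEGER)');
$sid = bin2hex(random_bytes(16)); // stands in for session_id()
set_session($db, $sid, 7, '203.0.113.5', 1000);
var_dump(check_login($db, $sid, '203.0.113.5', 1500));  // same address, inside the timeout
var_dump(check_login($db, $sid, '198.51.100.9', 1600)); // different address: rejected and revoked
var_dump(check_login($db, $sid, '203.0.113.5', 1700));  // original address after revocation
```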
