First Problem
For some reason mysql_fetch_array(); is showing up as an invalid function.
http://daniel.valvi.co.uk/thf/login_check.php
I'm not sure what the problem is...
Second Problem
Never used sessions before. What should I do in order to ensure the security of my application when using sessions? Should I clean the session variables, should I regenerate a session after each login, etc.
Results 1 to 10 of 20
Thread: PHP Help - mySQL & Sessions
-
PHP Help - mySQL & Sessions
-
Post the code.
-
That's login_check.phpPHP Code:
$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$row = mysql_fetch_array($result);
$id = $row['id'];
$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");
$row2 = mysql_fetch_array($select_user);
$user = $row2['username'];
$get_level = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
$row5 = mysql_fetch_array($get_level);
$level = $id['level'];
$pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
$row3 = mysql_fetch_array($pass_check);
$select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
$row4 = mysql_fetch_array($select_pass);
$real_password = $row4['password'];
Config.php which is require_once'd in the code contains the db conn.
PHP Code:$db_name = 'localhost';
$db_user = 'removed for security purposes';
$db_pass = 'removed for security purposes';
$conn = mysql_connect($db_name,$db_user,$db_pass);
$dbconn1 = mysql_select_db('removed for security purposes', $conn);
-
I cant help you with your first problem but for sessions,
- Make sure you destroy all sessions when the person closes the browser
- Definately create new sessions on login and dont add a remember me function if you are that bothered
- Make sure that session ID' arent in the browser link, if your using them in the links
- if youve given people a session before they log in, make sure that you assign them a new one when they do log in.
LOL i probably havent helped. lolBack for a while
-
- Make sure you destroy all sessions when the person closes the browser
Doesn't that happen automatically?
- Definately create new sessions on login and dont add a remember me function if you are that bothered
Yep already done that.
- Make sure that session ID' arent in the browser link, if your using them in the links
How would I do that?
- if youve given people a session before they log in, make sure that you assign them a new one when they do log in.
Thanks
-
Edited. Sessions are easy to secure. You could just use a little function for that:
Originally Posted by Fazon
Plus, make sure there is actually data in the database.PHP Code:function cleanme($string) {
$string = htmlspecialchars($string);
$string = mysql_real_escape($string);
$string = stripslashes($string);
return $string;
}
Last edited by Excellent2; 11-02-2009 at 12:02 AM.
Back for a while.
-
That's a ridiculous function, it undoes whatever you do. I could quite easily type in Originally Posted by Excellent2
and have it walk straight though.Code:' OR 1=1--
visit my internet web site on the internet
http://dong.engineer/
it is just videos by bill wurtz videos you have been warned
-
-
I thought ' OR 1=1-- gets blocked my mysql_real_escape?? Originally Posted by Jewish Bear
-
stripslashes removes what mysql_real_escape does Originally Posted by Blinger
visit my internet web site on the internet
http://dong.engineer/
it is just videos by bill wurtz videos you have been warned
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts