security / user login

Niv3k (Programmer, US), Jul 11, 2001
I'm wondering if it's possible to set the user this way:
$PHP_AUTH_USER = $Username;
$PHP_AUTH_PW = $Password;
I have a flash login screen that will post two variables, username and password, to a php script. Or will I have to open the MySQL table and record the session ID? If so, how do I get/test the session ID in PHP?

Kevin
 
I didn't quite understand the second part of what you asked, but you can assign values to these variables.

It doesn't usually do much good though.

Lemme know if you have any more questions! I am currently working on a small security script that you can just require() before any file is displayed and I have dealt with this a bit lately. -gerrygerry
 
Oooh... I'd love to hear more about the require() script you're writing. I'll try to explain what I'm asking a little better:

--User logs in on a pretty flash screen.
--Login info (Username and password) sent to a php script that references their id from a database.
--If it's a good login, capture session id, set session variables equal to Client id, session id (redundancy check), and file ids for the available reports.
--Show client a list of available PDFs that they can download. (But only their forms.)

For information on what I'm doing there with the reports, see thread434-254124.

Does the script you are writing have a function in it that would perform some security check?

Kevin
 
Sounds almost exactly like what I have! Mind you, I haven't really checked for any security holes, but I am using this as a login/authentication script perfectly well! This version wasn't set up to use different levels of admin like the one at home (you wanna see that one too?), but this one works fine! Another thing I should mention: this code has some optimizations to do!

Here's my code:
Code: -=[secure.php]=-
<?php
 // Refuse to run unless pulled in by index.php (see index.php below).
 if(!$called_from_index){exit;}

 session_start();
 if(!session_is_registered('valid_login'))
 {
  // $failure is read by login.php to show "login failed" after a
  // submitted username/password did not match.
  if(!isset($username) || !isset($password))
   {unset($failure);}
  else
   {$failure = 1;}
  MYSQL_CONNECT($db_host, $db_user, $db_pass);
  MYSQL_SELECT_DB($db_name);
  // NOTE: $username and $password arrive via register_globals and are
  // interpolated into the query unescaped; this relies on magic_quotes_gpc
  // being on and is otherwise open to SQL injection.
  $query  = "SELECT * FROM ".$db_users;
  $query .= " WHERE username='".$username."'";
  $query .= " and password='".$password."'";
  $query .= " LIMIT 1";
  $results = MYSQL_QUERY($query);
  // Any matching row means the credentials were valid: mark the session.
  while($row = MYSQL_FETCH_ARRAY($results))
   {
     session_register('valid_login');
   }
 }
 
 if(!session_is_registered('valid_login'))
 {
   // Still not logged in: show the login page instead of the requested action.
   require('header.php');
   require('login.php');
   require('footer.php');
   exit;
 }
?>
To use this, do something like this (with an index?action= calling syntax):
Code: -=[index.php]=-
<?php
$called_from_index = 1;
  /* each script checks this to 
     ensure it is not called 
     independently of index.php */

require('vars.php'); 
  /* holds vars for all scripts   */

require('secure.php');
  /* will give login page if not 
     logged in                   */

// $action comes from index.php?action=... (register_globals)
switch($action)
{
 case 'show':
  require('SomePDF.pdf');
 break;

 case 'new':
  require('header.php');
  require('new.php');
  require('footer.php');
 break;

 case 'edit':
  require('header.php');
  require('edit.php');
  require('footer.php');
 break;

 default:   /* was "case default:", which is a syntax error */
  require('header.php');
  require('menu.php');
  require('footer.php');
 break;
}
?>

I will post my latest secure.php when I get home from school (7:00pm PST).

Good luck! -gerrygerry
 
I like, I like, but I have a couple of questions/suggestions:
1: secure.php - Why did you add "LIMIT 1" to $query? If ["username"] is the primary key, you cannot have 2 records with the same username anyway...
2: index.php - Instead of using require() inside the switch, I would think that include() would be a better bet. require() always adds the text of the page regardless of whether that line is executed or not, whereas include() will only add the file if that line gets executed... (inside a switch or if)
3: I love the $called_from_index switch! That's awesome!

Kevin
 
Although here is one security hole:
I can type header.php?called_from_index switch=1 into my URL bar and then I screwed the pooch. You might want to change the scope of that variable...

Kevin
 
Well, like I said, it's a work in progress. I'm glad this'll help you!

As for the $called_from_index problem, you might wanna try setting it to a very obscure variable value ($called_from_index = "orange pie does not taste too good";), or to take it a step further, set the value to a random unique value (see and pass that value in sessions for each page to compare/check.

I picked require, because without it, the script may keep running! Wouldn't it be a terrible thing if the script never even checked for a user login? LOL

I'm so glad this is helping you! -gerrygerry
 
Well, I will have to bow to your expert authority on how good or bad orange pie tastes! But, yeah, that is an option...
 
I promise, it's horrible! Maybe it'd be better served chilled or something, but warm orange pie is the worst thing ever! LOL

The more I think about it, the better the uniqid sounds. I think I will be adding that one to my script tonight when I get home. -gerrygerry
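The secure.php gate from this thread, rewritten below as an added example (not gerrygerry's code) in current PHP to cover both Niv3k's login/session steps and the $called_from_index hole Kevin raised: the flag becomes a constant that index.php sets with define('CALLED_FROM_INDEX', true), which a request cannot inject the way a register_globals variable could, the lookup uses a prepared statement and password_verify(), and the session stores a random token instead of uniqid(). It assumes a hypothetical users(id, username, password_hash) table and a placeholder DSN.

```php
<?php
// secure.php, added example (not gerrygerry's code). Assumes a hypothetical
// users(id, username, password_hash) table holding password_hash() output.
declare(strict_types=1);

// Replaces $called_from_index: index.php does define('CALLED_FROM_INDEX', true)
// before require 'secure.php'. A constant cannot be set from the query string.
if (!defined('CALLED_FROM_INDEX')) {
    http_response_code(403);
    exit;
}

session_start();

// Look up the user with a bound parameter (no string interpolation) and check
// the submitted password against the stored hash. Returns the user id or null.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$failure = false;
if (!isset($_SESSION['user_id']) && isset($_POST['username'], $_POST['password'])) {
    $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',   // placeholder DSN
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $userId = authenticate($db, $_POST['username'], $_POST['password']);
    if ($userId === null) {
        $failure = true;
    } else {
        // New session id on login so a pre-login id cannot be fixated, plus the
        // random per-session token the thread suggests (CSPRNG rather than uniqid()).
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        $_SESSION['token']   = bin2hex(random_bytes(32));
    }
}

if (!isset($_SESSION['user_id'])) {
    require 'header.php';
    require 'login.php';   // login.php can read $failure to show an error
    require 'footer.php';
    exit;
}
```

The report listing that follows should select file ids WHERE owner_id equals $_SESSION['user_id'], so each client sees only their own PDFs; header.php and the other included files gain the same defined('CALLED_FROM_INDEX') check so they cannot be requested directly.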
 