RE: [PHP] saving sessions

Florian Müller Thu, 04 Aug 2011 23:36:39 -0700

But please do not use cookies to store a password as code! Cookies are human 
readable with some add-ons....


Check like this:

if someone registers, insert it into a table:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
mysql_query("INSERT INTO USER VALUES('" . $username . "','" . $password . "')");
header('location: register_success.php');
?>

Then, if someone wants to log in, use like this:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$sel = "SELECT * FROM USER WHERE USERNAME = '" . $username . "' AND PASSWORD = 
'" . $password . "'";
$unf = mysql_query($sel);
$count = mysql_num_rows($unf);
if ($count == 1) {
    header('location: login_success.php');
}
else {
    echo "Login not successful!";
}
?>

If you want to store something into cookies, use a name which is not good 
understandable, like a shortcut for a logical sentense:

Titcftmws   ("This is the cookie for the main webSite") or something ^^

In there, you can save username and password, but PLEASE save the password at 
least md5()-encryptet, so not everyone can save it.

Now you can check like this:

<?php
if ($_COOKIE['Titcftmws'] == mysql_real_escape_string($_POST["username"]) . "|" 
. md5($_POST["password"])) {
    //in the cookie is for the user with username 'jack' and password 'test' 
this value: "jack|098f6bcd4621d373cade4e832627b4f6"
    echo "you are logged in";
}
else {
    echo "not logged in!";
}
?>

This is as far as I know a quite high level of security, in comparisions with 
other ways.

Regs, Flo



> From: [email protected]
> Date: Fri, 5 Aug 2011 08:20:11 +0530
> To: [email protected]
> CC: [email protected]
> Subject: Re: [PHP] saving sessions
> 
> On Sat, Aug 6, 2011 at 7:56 AM, wil prim <[email protected]> wrote:
> 
> > Hello, im new to the whole storing sessions thing and I really dont know
> > how to ask this question, but here it goes.  So on my site when someone logs
> > in the login.php file checks for a the username and password in the table i
> > created, then if it finds a match it will store a $_SESSION [] variable. To
> > be exact the code is as follows:
> > if ($count=='1')
> > {
> > session_start();
> > $_SESSION['user']=$user;   // $user is the $_POST['user'] from the login
> > form
> > header('location: login_success.php');
> > }
> >
> > Now what i would like to know is how do i make my website save new changes
> > the user made while in their account?
> >
> > thanks!
> >
> >
> 
> You will have to store the user account related data in the database for
> persistence.... Or if the site not having a 'user account system'  you may
> use cookies to store the settings...
> 
> 
> 
> Midhun Girish

RE: [PHP] saving sessions

Reply via email to