Re: [PHP-DB] User authentication and redirect
Bastien Koert wrote:

> I can't see why you simply don't do this
>
>   if ($LoginSuccessful) {
>       $location = "";
>   } else {
>       $location = "../index.php";
>   }
>   header("Location: $location");
>
> If i don't have the solution, perhaps I am misunderstanding the problem
>
> Bastien
>
> From: "Vinny Lape" <[EMAIL PROTECTED]>
> To:
> Subject: RE: [PHP-DB] User authentication and redirect
> Date: Fri, 15 Jul 2005 09:01:52 -0400
>
> I think I need to explain my question better. I have a db and the table
> contains 4 fields:
>
>   uid (pk)
>   username
>   password
>   location
>
> I can authenticate the user / pass properly. The problem I am having is
> getting the information from field location and defining it as $location
> so I can do the following (when I make $redirectLoginSuccess = "example.php"
> all works fine):
>
>   $redirectLoginSuccess = "$location";
>   $redirectLoginFailed = "../index.php";
>   }
>   header("Location: " . $redirectLoginSuccess);
>   } else {
>   header("Location: " . $redirectLoginFailed);
>
> Here is where I query the db:
>
>   $LoginRS__query = sprintf("SELECT username, password FROM webauth WHERE username='%s' AND password='%s'",
>       get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
>       get_magic_quotes_gpc() ? $password : addslashes($password));
>   $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
>
> On the landing page im using this for security:
>
>   0)
>       $MM_referrer .= "?" . $QUERY_STRING;
>   $MM_restrictGoTo = $MM_restrictGoTo . $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
>   header("Location: " . $MM_restrictGoTo);
>   exit;
>   }
>   ?>
>
> -----Original Message-----
> From: Ahmed Saad [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 14, 2005 8:34 AM
> To: Vinny Lape
> Cc: php-db@lists.php.net
> Subject: Re: [PHP-DB] User authentication and redirect
>
> hi Vinny,
>
> On 7/13/05, Vinny Lape <[EMAIL PROTECTED]> wrote:
>> If user validates then look at db entry location then redirect to
>> mydomain.com/"location"/index.php
>
> i don't think it's a good idea. what if the user bookmarked or took down a
> notice with the URL to your "secured" page (mydomain.com/location/index.php)?
> then he would just type the URL, heading directly for the page and bypassing
> your login page! i think u might want to put the user authorization code in
> your index php or even better put it in a file and require() that file at
> the top of any page u want to protect. you can either use sessions or plain
> HTTP authentication (which is not a very good idea).
>
> -ahmed
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

you shouldn't do that (in my opinion) because of the following scenario:

Bob needs access from a shared terminal. Bob puts in his (authorized) login
information, and then bookmarks the resulting page. Fred comes along. Fred is
not authorized to access the database. Fred follows the link out of curiosity,
finds sensitive information, and either deletes it all, sells it to a
competitor, or otherwise screws with it because he is bitter that he is being
severely underpaid, all using either Bob's session information, or no session
information, depending on how the session is set to expire.

The best option is to put the login and login check functions in a file,
include that file at the beginning of all your scripts which need access
control, and then put the following code at the beginning of the script:

  if (login_check($user, $pass)) {
      // allow access, main script body here
  } else {
      // deny access
      echo "you aren't supposed to be here";
      exit;
  }

i hope i understood your problem correctly, and i hope i was of some
help...this is the way i wrote my project, but it was only access-controlled
on certain pages (i.e. inserting and deleting records)

--
Thomas Dodson
Programmer, Bioinformatics
S-327 Ag. Science North
Department of Entomology
University of Kentucky
Lexington, KY 40546-0091
Phone (859) 257-3169
Fax (859) 323-1120
Cell: (859) 420-1696
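The pattern Ahmed and Thomas recommend above, a check that is require()d at the top of every protected page so a bookmarked landing URL is worthless without a live session, as an added example written against current PHP (not code from this thread). It assumes a PDO connection in $pdo, Vinny's webauth table with the columns uid, username, password and location, a password column holding password_hash() output, and the hypothetical function names ensure_session(), require_auth() and login(); prepared statements and password_verify() stand in for the addslashes()/plaintext comparison in the quoted query.

```php
<?php
// Added example for this thread; assumed schema: webauth(uid, username, password, location)
// where password stores a password_hash() value.
declare(strict_types=1);

// Start the session only if one is not already active (session_start() warns otherwise).
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// auth.php: call this first thing on every protected page. A visitor who bookmarked
// or was handed the landing URL still has no session, so the page itself sends
// them back to the login form instead of relying on the post-login redirect.
function require_auth(string $loginUrl = '../index.php'): void
{
    ensure_session();
    if (empty($_SESSION['uid'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Login step: look up the user with a prepared statement, verify the password
// against its stored hash, then issue a fresh session id so a session that
// existed before login cannot be reused. Returns the per-user landing page,
// or null when the login fails (the caller then redirects to the login form).
function login(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare('SELECT uid, password, location FROM webauth WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    ensure_session();
    session_regenerate_id(true);
    $_SESSION['uid'] = $row['uid'];
    // location is admin-assigned data from the table, not request input; the page
    // it points to must still call require_auth() itself.
    return $row['location'] . '/index.php';
}

// Usage in login.php (assumed form field names):
// $target = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// header('Location: ' . ($target ?? '../index.php'));
// exit;
```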
Re: [PHP-DB] User authentication and redirect
Ahmed Saad wrote:

> hi Vinny,
>
> On 7/13/05, Vinny Lape <[EMAIL PROTECTED]> wrote:
>> If user validates then look at db entry location then redirect to
>> mydomain.com/"location"/index.php
>
> i don't think it's a good idea. what if the user bookmarked or took down a
> notice with the URL to your "secured" page (mydomain.com/location/index.php)?
> then he would just type the URL, heading directly for the page and bypassing
> your login page! i think u might want to put the user authorization code in
> your index php or even better put it in a file and require() that file at
> the top of any page u want to protect. you can either use sessions or plain
> HTTP authentication (which is not a very good idea).
>
> -ahmed

perhaps if i had read the original message more carefully... here are some
functions for session based authentication that i use for one of my
projects...they probably aren't as secure as they could be, im relatively new
to scripting languages.

<?php
# this file should be in the include directory (include_path from php.ini), or
# the same directory as the functions which include it.
# be sure to check file permissions if it doesn't work correctly!
# This script assumes a database named DATABASE, and that user data is stored
# in a table called users, with (at least) fields user, password, and email.
# The password column must be char(32) type to accept the encrypted pwd
# Thomas Dodson [EMAIL PROTECTED] 24 May 2005

function db_connect()
{
    # connect to MySQL
    $link = mysql_connect('HOST', 'USER', 'PWD')
        or die('Could not connect: ' . mysql_error());
    # select database
    mysql_select_db('DATABASE') or die('Could not select database');
    return $link;
}

# hash then encrypt a string. the password column in the db must be CHAR(32) type
function encrypt($string)
{
    $crypted = crypt(md5($string), md5($string));
    return $crypted;
}

# this logs in the user by checking the name and pwd against the database. it
# returns true and writes the proper session variables if the user/pwd combo
# matches, otherwise it returns false. do NOT use this script to check the
# session variables for authorization, i wrote login_check() to do that.
function login($user, $password)
{
    $auth = false;
    $link = db_connect();
    # escape the user name before it goes into the query
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    $pass = $row ? $row['password'] : null;   # no row means unknown user
    mysql_free_result($result);
    mysql_close($link);
    if ($pass !== null && $pass === encrypt($password)) {
        session_start();
        $_SESSION['userid'] = $user;
        $_SESSION['pwd'] = $pass;
        $auth = true;
    }
    return $auth;
}

# this checks to make sure a user is logged in. if the user/pwd combo in the
# session var matches the table entry, it returns true, otherwise it returns
# false. it does NOT write any session variables, so use this script and NOT
# login() to check authorization
function login_check($user, $password)
{
    $auth = false;
    if (!$user || !$password) {
        return $auth;
    }
    $link = db_connect();
    $safe_user = mysql_real_escape_string($user, $link);
    $result = mysql_query("SELECT password FROM users WHERE user = '$safe_user'", $link);
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    $pass = $row ? $row['password'] : null;
    mysql_free_result($result);
    mysql_close($link);
    if ($pass !== null && $pass === $password) {
        $auth = true;
    }
    return $auth;
}

# adds a datestamp and writes to logfile in /var/log. the owner of the file
# SL.log must be the same as the user running the apache process (usually www-data)
function write_log($string)
{
    $string = ' ' . $string . "\n";
    $filehandle = fopen('/var/log/SL.log', 'a');
    fwrite($filehandle, date('d M H:i:s'));   # write date in format: 01 Jun 23:01:01
    fwrite($filehandle, $string);             # write log entry
    fclose($filehandle);
}

# returns elapsed time in seconds
function calcElapsedTime($time)
{
    $diff = time() - $time;
    $daysDiff = 0;
    $hrsDiff = 0;
    $minsDiff = 0;
    $secsDiff = 0;
    $sec_in_a_day = 60 * 60 * 24;
    while ($diff >= $sec_in_a_day) {
        $daysDiff++;
        $diff -= $sec_in_a_day;
    }
    $sec_in_an_hour = 60 * 60;
    while ($diff >= $sec_in_an_hour) {
        $hrsDiff++;
        $diff -= $sec_in_an_hour;
    }
    $sec_in_a_min = 60;
    while ($diff