Re: [PHP] Login script login
Richard Lynch wrote:
> And using a re-direct instead of an include is a shocking waste of HTTP
> resources imho, but that may not matter if traffic is low.

I generally redirect there because on occasion the login process does stuff like clear out potentially pre-existing session data from another part of the site. Having it happen again because of the user refreshing the page needs to be avoided. The redirect accomplishes this.

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script login
On Fri, February 2, 2007 7:05 am, Jürgen Wind wrote:
>> // Set up the session here, or however you're tracking the
>> // current customer/user/whatever
>>
>> header('Location: /somewhere_else');
>> ?>
>>
>> Hope that helps.
>>
>> -Stut
>>
>
> be aware that you need a session_write_close(); before
> header('Location...
> or the session data might not be written to disk!

If we're gonna get picayune...

The Location header technically requires a full URL.

And using a re-direct instead of an include is a shocking waste of HTTP resources imho, but that may not matter if traffic is low.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Login script login
If you are splicing $_POST directly into your SQL, you are DEFINITELY doing it wrong, but not in the way that you think.

Start reading here: http://phpsec.org

On Fri, February 2, 2007 6:10 am, Dave Carrera wrote:
> Hi Stut,
>
> I think i have found where i am going wrong.
>
> It's in the comparison login for the db result.
>
> So i select * from jfjfjfjf where custno=$_POST[number]
>
> But now i am getting messed up with if cust no not found then all i get
> is a blank page but hoping for an error
>
> And i don't think i am comparing the db result with the $_POST correctly
>
> Struggling here a bit :-(
>
> Dave C
>
> Stut wrote:
>> Dave Carrera wrote:
>>> Hi All,
>>>
>>> Having a grey brain moment here and need some advice on the logic of
>>> this, should be simple, login script.
>>>
>>> I am checking validity of
>>>
>>> customer number
>>> customer email
>>> customer password (md5 in mysql)
>>>
>>> So i have my form with relevant fields
>>>
>>> Now i am getting problems with either sql or how i am handling, and
>>> showing, any errors.
>>>
>>> I think what i am asking is this
>>>
>>> If someone just hits the login button show error "All fields must be
>>> entered"
>>>
>>> If customer number does not exist show relevant error
>>>
>>> If customer number ok but email not show error
>>>
>>> If customer number ok but email ok but password is not show error
>>>
>>> If all is ok set sessions, got this ok, and proceed.
>>>
>>> Any help with this is very much appreciated.
>>>
>>> Kind Regards
>>>
>>> Dave C
>>
>> I'm not totally clear what the question was in there. Personally I
>> keep this simple...
>>
>> <?php
>> $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
>> $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');
>>
>> if (empty($_POST['number']) or
>>     empty($_POST['email']) or
>>     empty($_POST['password']))
>> {
>>     die('All fields must be entered');
>> }
>>
>> // Find the customer/user/whatever you need from the given details
>>
>> if (<>)
>> {
>>     die('Unable to locate customer/user/whatever');
>> }
>>
>> // Set up the session here, or however you're tracking the
>> // current customer/user/whatever
>>
>> header('Location: /somewhere_else');
>> ?>
>>
>> Hope that helps.
>>
>> -Stut
Re: [PHP] Login script login
On Fri, February 2, 2007 5:33 am, Satyam wrote:
> In login scripts you usually don't tell which part of the login is wrong,
> otherwise, you are hinting at what is right. Once the customer is logged
> in, you are right to be as helpful as possible, but until the customer
> proves who he/she is, you don't give away anything.

Satyam is correct: It's more secure to not indicate when the username was incorrect differently from an incorrect password.

But it's definitely also (very much) less user-friendly.

For example, in seldom-used applications where the user is very likely to forget their username, such as 99% of the stupid websites that require me to register for something that needs no security in the first place, it's a royal pain in the ass. :-)

You have to balance Security against Usability and make an informed intelligent decision.

I also wondered why you have an ID number that somebody is supposed to remember, and an email, when either one should be sufficient for most applications, but it was easier to type out an answer than to get you to re-think your design decisions. :-)
Re: [PHP] Login script login
On Fri, February 2, 2007 5:19 am, Dave Carrera wrote:
> Having a grey brain moment here and need some advice on the logic of
> this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and
> showing, any errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error "All fields must be
> entered"

$messages = array();

$customer_number = (int) (isset($_POST['customer_number']) ? $_POST['customer_number'] : 0);
$customer_email = isset($_POST['customer_email']) ? $_POST['customer_email'] : '';
$customer_password = isset($_POST['customer_password']) ? $_POST['customer_password'] : '';

if (!$customer_number || !strlen($customer_email) || !strlen($customer_password)){
  $messages[] = "All fields are required";
}
else{
  // mysql_real_escape_string() needs an open mysql connection at this point
  $customer_number_sql = mysql_real_escape_string($customer_number);
  $customer_email_sql = mysql_real_escape_string($customer_email);
  $customer_password_sql = mysql_real_escape_string($customer_password);
  // one row per customer number; the comparisons are done by MySQL and
  // come back as the 0/1 columns email_ok and password_ok
  $query = "select ";
  $query .= " email = '$customer_email_sql' as email_ok ";
  $query .= ", password = md5('$customer_password_sql') as password_ok ";
  $query .= " FROM customer ";
  $query .= " WHERE customer_number = $customer_number_sql ";
  $customer_info = mysql_query($query) or die(mysql_error());
  if (!mysql_num_rows($customer_info)){
    $messages[] = "Invalid Customer Number";
  }
  else{
    list($email_ok, $password_ok) = mysql_fetch_row($customer_info);
    if (!$email_ok) $messages[] = "Invalid Email";
    elseif (!$password_ok) $messages[] = "Invalid Password";
  }
}

if (count($messages)) echo "", implode("\n", $messages), "\n";
else require 'proceed.inc';
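An added example, not code from this thread, that folds Richard's point about splicing $_POST into SQL and Satyam's point about not saying which field failed into one login check. It assumes an open PDO connection $pdo and a hypothetical customer table with a password_hash column, and swaps the thread's md5-in-MySQL scheme for PHP's password_hash()/password_verify().

```php
<?php
// Added example (not from the thread): the three-field check Richard sketched,
// with a PDO prepared statement instead of escaping, password_hash()/
// password_verify() instead of the column-side md5(), and one generic failure
// message so the response does not say which field was wrong.
// Assumed (hypothetical): $pdo is an open PDO connection and the table
// `customer` has the columns customer_number, email and password_hash.

function read_field(array $post, string $key): string
{
    return isset($post[$key]) ? trim((string) $post[$key]) : '';
}

// Returns the matching customer row on success, null on any failure.
// A dummy hash is verified when no row exists, so the "unknown number"
// path takes about as long as the "wrong password" path.
function authenticate(PDO $pdo, array $post): ?array
{
    $number   = read_field($post, 'customer_number');
    $email    = read_field($post, 'customer_email');
    $password = read_field($post, 'customer_password');

    if ($number === '' || $email === '' || $password === '' || !ctype_digit($number)) {
        return null;
    }

    // The value is bound as a parameter, never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT customer_number, email, password_hash FROM customer WHERE customer_number = ?'
    );
    $stmt->execute([(int) $number]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constructed dummy hash, computed once per process.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash       = ($row !== false) ? (string) $row['password_hash'] : $dummy;
    $passwordOk = password_verify($password, $hash);
    $emailOk    = ($row !== false)
        && hash_equals(strtolower((string) $row['email']), strtolower($email));

    return ($row !== false && $passwordOk && $emailOk) ? $row : null;
}

$customer = authenticate($pdo, $_POST);
if ($customer === null) {
    // One message for every failure: empty field, unknown number, wrong email or password.
    echo "Login failed. Please check your details and try again.\n";
} else {
    require 'proceed.inc';
}
```

The usability cost Richard describes still applies: the single message is deliberate, and a "forgot your number" path is the usual way to give that help back without exposing which field was right.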
Re: [PHP] Login script login
Stut wrote:
>
> I'm not totally clear what the question was in there. Personally I keep
> this simple...
>
> <?php
> $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
> $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');
>
> if (empty($_POST['number']) or
>     empty($_POST['email']) or
>     empty($_POST['password']))
> {
>     die('All fields must be entered');
> }
>
> // Find the customer/user/whatever you need from the given details
>
> if (<>)
> {
>     die('Unable to locate customer/user/whatever');
> }
>
> // Set up the session here, or however you're tracking the
> // current customer/user/whatever
>
> header('Location: /somewhere_else');
> ?>
>
> Hope that helps.
>
> -Stut
>

be aware that you need a session_write_close(); before header('Location... or the session data might not be written to disk!

just my 2 cents

--
View this message in context: http://www.nabble.com/Login-script-login-tf3160341.html#a8766588
Sent from the PHP - General mailing list archive at Nabble.com.
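An added example, not Stut's or Jürgen's code, showing the "set up the session, then redirect" tail of the script with the points raised in this thread applied: Stut's clean-out of pre-existing session data, Jürgen's session_write_close() before the header, and Richard's full URL in Location. The row $customer and the URL https://example.com/account/ are placeholders.

```php
<?php
// Added example (not Stut's or Jürgen's code): the "set up the session, then
// redirect" tail of the login script, written so that the points made in this
// thread hold: leftover session data is discarded, a fresh session id is
// issued, the session is written before the redirect (session_write_close),
// the Location header carries an absolute URL, and nothing runs afterwards.
// Assumed (placeholders): $customer is the row returned by the credential
// check, and https://example.com/account/ is the post-login page.

function start_authenticated_session(array $customer): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Drop anything left over from another part of the site before storing
    // the new identity (the clean-out Stut mentions).
    $_SESSION = [];
    // New id for the new privilege level; true deletes the old session data,
    // so an id that existed before login is not valid afterwards.
    session_regenerate_id(true);
    $_SESSION['customer_number'] = (int) $customer['customer_number'];
    $_SESSION['logged_in_at']    = time();
}

function redirect_after_login(string $url): void
{
    // Write the session to its storage now. Otherwise it is written at
    // shutdown and can race with the browser's very next request.
    session_write_close();
    // 303 tells the browser to follow with GET, so the POSTed credentials
    // are not resubmitted when the user refreshes the landing page.
    header('Location: ' . $url, true, 303);
    // Nothing after the header should run or be output.
    exit;
}

start_authenticated_session($customer);
redirect_after_login('https://example.com/account/');
```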
Re: [PHP] Login script login
On p, 2007-02-02 at 12:10 +, Dave Carrera wrote:
> Hi Stut,
>
> I think i have found where i am going wrong.
>
> It's in the comparison login for the db result.
>
> So i select * from jfjfjfjf where custno=$_POST[number]
>
> But now i am getting messed up with if cust no not found then all i get
> is a blank page but hoping for an error

because you get an empty result set if no match is found

so check it like

if ($row = mysql_fetch_array($result)) {
    // ok, found
} else {
    // not found, error
}

or whatever sql you use

hope that helps

Zoltán Németh

>
> And i don't think i am comparing the db result with the $_POST correctly
>
> Struggling here a bit :-(
>
> Dave C
>
> Stut wrote:
> > Dave Carrera wrote:
> >> Hi All,
> >>
> >> Having a grey brain moment here and need some advice on the logic of
> >> this, should be simple, login script.
> >>
> >> I am checking validity of
> >>
> >> customer number
> >> customer email
> >> customer password (md5 in mysql)
> >>
> >> So i have my form with relevant fields
> >>
> >> Now i am getting problems with either sql or how i am handling, and
> >> showing, any errors.
> >>
> >> I think what i am asking is this
> >>
> >> If someone just hits the login button show error "All fields must be
> >> entered"
> >>
> >> If customer number does not exist show relevant error
> >>
> >> If customer number ok but email not show error
> >>
> >> If customer number ok but email ok but password is not show error
> >>
> >> If all is ok set sessions, got this ok, and proceed.
> >>
> >> Any help with this is very much appreciated.
> >>
> >> Kind Regards
> >>
> >> Dave C
> >
> > I'm not totally clear what the question was in there. Personally I
> > keep this simple...
> >
> > <?php
> > $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
> > $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');
> >
> > if (empty($_POST['number']) or
> >     empty($_POST['email']) or
> >     empty($_POST['password']))
> > {
> >     die('All fields must be entered');
> > }
> >
> > // Find the customer/user/whatever you need from the given details
> >
> > if (<>)
> > {
> >     die('Unable to locate customer/user/whatever');
> > }
> >
> > // Set up the session here, or however you're tracking the
> > // current customer/user/whatever
> >
> > header('Location: /somewhere_else');
> > ?>
> >
> > Hope that helps.
> >
> > -Stut
> >
Re: [PHP] Login script login
Hi Stut,

I think i have found where i am going wrong.

It's in the comparison login for the db result.

So i select * from jfjfjfjf where custno=$_POST[number]

But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error

And i don't think i am comparing the db result with the $_POST correctly

Struggling here a bit :-(

Dave C

Stut wrote:
> Dave Carrera wrote:
>> Hi All,
>>
>> Having a grey brain moment here and need some advice on the logic of
>> this, should be simple, login script.
>>
>> I am checking validity of
>>
>> customer number
>> customer email
>> customer password (md5 in mysql)
>>
>> So i have my form with relevant fields
>>
>> Now i am getting problems with either sql or how i am handling, and
>> showing, any errors.
>>
>> I think what i am asking is this
>>
>> If someone just hits the login button show error "All fields must be
>> entered"
>>
>> If customer number does not exist show relevant error
>>
>> If customer number ok but email not show error
>>
>> If customer number ok but email ok but password is not show error
>>
>> If all is ok set sessions, got this ok, and proceed.
>>
>> Any help with this is very much appreciated.
>>
>> Kind Regards
>>
>> Dave C
>
> I'm not totally clear what the question was in there. Personally I keep
> this simple...
>
> <?php
> $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
> $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');
>
> if (empty($_POST['number']) or
>     empty($_POST['email']) or
>     empty($_POST['password']))
> {
>     die('All fields must be entered');
> }
>
> // Find the customer/user/whatever you need from the given details
>
> if (<>)
> {
>     die('Unable to locate customer/user/whatever');
> }
>
> // Set up the session here, or however you're tracking the
> // current customer/user/whatever
>
> header('Location: /somewhere_else');
> ?>
>
> Hope that helps.
>
> -Stut
Re: [PHP] Login script login
Dave Carrera wrote:
> Hi All,
>
> Having a grey brain moment here and need some advice on the logic of
> this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and
> showing, any errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error "All fields must be
> entered"
>
> If customer number does not exist show relevant error
>
> If customer number ok but email not show error
>
> If customer number ok but email ok but password is not show error
>
> If all is ok set sessions, got this ok, and proceed.
>
> Any help with this is very much appreciated.
>
> Kind Regards
>
> Dave C

I'm not totally clear what the question was in there. Personally I keep this simple...

<?php
$_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
$_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');

if (empty($_POST['number']) or
    empty($_POST['email']) or
    empty($_POST['password']))
{
    die('All fields must be entered');
}

// Find the customer/user/whatever you need from the given details

if (<>)
{
    die('Unable to locate customer/user/whatever');
}

// Set up the session here, or however you're tracking the
// current customer/user/whatever

header('Location: /somewhere_else');
?>

Hope that helps.

-Stut
Re: [PHP] Login script login
- Original Message -
From: "Dave Carrera" <[EMAIL PROTECTED]>

> Hi All,
>
> Having a grey brain moment here and need some advice on the logic of
> this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and
> showing, any errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error "All fields must be
> entered"
>
> If customer number does not exist show relevant error
>
> If customer number ok but email not show error
>
> If customer number ok but email ok but password is not show error

In login scripts you usually don't tell which part of the login is wrong, otherwise, you are hinting at what is right. Once the customer is logged in, you are right to be as helpful as possible, but until the customer proves who he/she is, you don't give away anything.

Satyam

> If all is ok set sessions, got this ok, and proceed.
>
> Any help with this is very much appreciated.
>
> Kind Regards
>
> Dave C
[PHP] Login script login
Hi All,

Having a grey brain moment here and need some advice on the logic of this, should be simple, login script.

I am checking validity of

customer number
customer email
customer password (md5 in mysql)

So i have my form with relevant fields

Now i am getting problems with either sql or how i am handling, and showing, any errors.

I think what i am asking is this

If someone just hits the login button show error "All fields must be entered"

If customer number does not exist show relevant error

If customer number ok but email not show error

If customer number ok but email ok but password is not show error

If all is ok set sessions, got this ok, and proceed.

Any help with this is very much appreciated.

Kind Regards

Dave C