Thread: Php

  1. #16
    Cat Lover
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    109
    You could always just send them to a login error page.

    Otherwise, the only ways to transfer information between different PHP pages that I know of are POST, GET, cookies, and writing it to a db/file.

    You don't want cookies, and writing it to a file/db is not needed, so it looks like either POST or GET.

  2. #17
    PC Fixer-Upper Waldo2k2's Avatar
    Join Date
    May 2002
    Posts
    2,001
    The only problem with using POST or GET is that all pages in your site will have to keep forwarding the variables; otherwise, if they go back a page, they will no longer be logged in. So you have to use at least session cookies to determine whether a person is still logged in or not.
    PHP and XML
    Let's talk about SAX

  3. #18
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    Yeah, I use cookies to keep track of whether they're logged in or out, but I'm trying to avoid cookies because not everyone has them enabled, and you can just edit your cookie file to do stuff that maybe you're not supposed to, etc.

    I decided to use the assigning-variables-at-the-end-of-the-address way for the error reporting. My only slight concern is that some browsers might trip up with stuff like ! : and , being in the address.

  4. #19
    PC Fixer-Upper Waldo2k2's Avatar
    Join Date
    May 2002
    Posts
    2,001
    >>with stuff like ! : and , being in the address

    So don't put them in the address bar... Why would you need to use those characters?


    ::edit::
    Yes quite a few people disable or block cookies, but gmail and other sites for email make you use them. So if people need to log into your site then they need to use cookies, it's not uncommon.

    Also, cookies can be very safe for this type of thing. You just need to store the info in a hash of some kind, something unreadable. That way they can't just change a 0 to a 1 and get access, know what I mean?
    Last edited by Waldo2k2; 02-22-2006 at 12:34 AM.
    PHP and XML
    Let's talk about SAX

  5. #20
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    PHP has that md5() function, which I'm kind of thinking is a good idea, but if someone wanted to get in, there are probably some kind of MD5 reading programs out there.

  6. #21
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,413
    >>Also, cookies can be very safe for this type of thing. You just need to store the info in a hash of some kind, something unreadable. That way they can't just change a 0 to a 1 and get access, know what I mean?
    It may be better to use sessions, or something that simulates sessions. With sessions, the attacker has to get the session key, which would often be an MD5 or SHA1 hash, and so would be difficult (aside from 'social engineering' and carelessness). Another (but potentially slow) way would be to store the user id and some hashed key that changes on each page load, and then validate the user on each page load.

    >>PHP has that md5() function, which I'm kind of thinking is a good idea, but if someone wanted to get in, there are probably some kind of MD5 reading programs out there.
    MD5 is a cryptographic hash algorithm, and while there are rainbow tables that allow people to 'reverse' the hashing for pre-computed values, no method other than brute force is known to get the original message given only the hash. Of course, I suggest using SHA1 with sha1() instead of MD5 anyway.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way
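
The tamper-proofing idea discussed above (a cookie the user cannot edit from a 0 to a 1), as an added example that is not part of any post in this thread: a hash only stops editing if it is keyed with a secret the server holds, so this uses PHP's hash_hmac() and hash_equals(). The function names sign_value and verify_value, the "value.mac" cookie layout and the demo key are assumptions made for the example.

```php
<?php
// Added example: tamper-evident cookie value.
// $key is a server-side secret (constructed here; in practice it is loaded
// from server configuration and never sent to the client).

function sign_value(string $value, string $key): string
{
    // Cookie payload is "value.mac"; the MAC covers the value and needs the key.
    return $value . '.' . hash_hmac('sha256', $value, $key);
}

function verify_value(string $cookie, string $key): ?string
{
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;                        // malformed: no MAC part
    }
    $value    = substr($cookie, 0, $pos);
    $mac      = substr($cookie, $pos + 1);
    $expected = hash_hmac('sha256', $value, $key);
    // hash_equals() compares in constant time; null means "do not trust".
    return hash_equals($expected, $mac) ? $value : null;
}

$key    = random_bytes(32);                 // constructed demo key
$cookie = sign_value('uid=42;admin=0', $key);

// Untouched cookie: the original value comes back.
var_dump(verify_value($cookie, $key));

// The client changes the 0 to a 1 but cannot recompute the MAC without $key,
// so verification fails.
$tampered = str_replace('admin=0', 'admin=1', $cookie);
var_dump(verify_value($tampered, $key));

// An unkeyed md5() of the value is no protection on its own: anyone can
// recompute it for an edited value. The keyed check refuses it.
$unkeyed = 'uid=42;admin=1.' . md5('uid=42;admin=1');
var_dump(verify_value($unkeyed, $key));
```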

  7. #22
    Devil's Advocate SlyMaelstrom's Avatar
    Join Date
    May 2004
    Location
    Out of scope
    Posts
    4,079
    >>PHP has that md5() function, which I'm kind of thinking is a good idea, but if someone wanted to get in, there are probably some kind of MD5 reading programs out there.
    Cain & Abel.

    As laserlight said, there is no real way of "undoing" a hash other than brute force hashing a dictionary file until you get a match. Though, doing so is actually surprisingly fast, these days.

    *Note: SlyMaelstrom does not condone hacking.
    Sent from my iPad®

  8. #23
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    Quote Originally Posted by SlyMaelstrom
    Cain & Abel.

    As laserlight said, there is no real way of "undoing" a hash other than brute force hashing a dictionary file until you get a match. Though, doing so is actually surprisingly fast, these days.

    *Note: SlyMaelstrom does not condone hacking.
    Yeah, that's how I would do it: create a ginormous loop that puts in every character possibility in every order and checks its MD5 with the target MD5.

  9. #24
    Devil's Advocate SlyMaelstrom's Avatar
    Join Date
    May 2004
    Location
    Out of scope
    Posts
    4,079
    Why would you put every character in every possible order? That's not what a dictionary file is, at all. Dictionary files consist of real words, combinations of real words, predictable usage of dates and initials (i.e. gb1964). Most of which is compiled from other successful attempts of cracking. If all the passwords were just completely random combinations, what would be the point of hashing them in the first place?
    Sent from my iPad®

  10. #25
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    Quote Originally Posted by SlyMaelstrom
    Why would you put every character in every possible order? That's not what a dictionary file is, at all. Dictionary files consist of real words, combinations of real words, predictable usage of dates and initials (i.e. gb1964). Most of which is compiled from other successful attempts of cracking. If all the passwords were just completely random combinations, what would be the point of hashing them in the first place?
    Some people do make random passwords. My passwords never form words; it would be more foolproof. But none of that is important.

    What's the command in PHP to check a string variable for a certain string of text within it?

    i.e. I have this variable $dir, which is a location to the directory you're browsing (I'm making an online web site control panel thing like a lot of free web hosts have), and I want to say, like:

    if in $dir there's the string "hosted/../" (spelled like that, in that order), change $dir to = "hosted"

    I searched the PHP website and I can't find the command for this. I'm using the latest version of PHP. (I'm trying to make it so the user can't browse into directories he's not supposed to be in.)

  11. #26
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    Also, is there a command to remove the last certain number of characters from a string?

    i.e.
    PHP Code:
    $oldstring = "tenletters";

    // takeofflast() is the hypothetical function being asked about
    $newstring = takeofflast($oldstring, 7);

    if ($newstring == "ten")
    {
        echo("it worked");
    }

    Actually, do the double quotes make it an array of characters, not a string?
    Last edited by MisterSako; 02-25-2006 at 03:44 PM.

  12. #27
    Devil's Advocate SlyMaelstrom's Avatar
    Join Date
    May 2004
    Location
    Out of scope
    Posts
    4,079
    What you have to understand is when people bruteforce, they aren't looking for *your* password, they're looking for *any* password.

    Here is your string function

    http://us2.php.net/manual/en/function.strpos.php

    ...and your other question

    PHP Code:
    $foo = substr("Hello World!", 0, -7);  // returns "Hello"

    $foo = substr("Hello World!", 0, -8);  // returns "Hell"

    $foo = substr("Hello World!", 0, -1);  // returns "Hello World"
    Last edited by SlyMaelstrom; 02-25-2006 at 03:51 PM.
    Sent from my iPad®
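
An added example, not from any poster in this thread, for the goal stated in post #25 of keeping the user out of directories he is not supposed to be in: a substring test for "hosted/../" misses forms such as "hosted/blah/../../", so this resolves the path with realpath() and checks that the result is still under the base directory. The function name resolve_inside and the temporary directory layout are constructed for the demo.

```php
<?php
// Added example: confine a user-supplied path to a base directory.
// Directory names below are constructed for the demo.

function resolve_inside(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                        // base directory missing
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Accept the base itself or anything below it. The trailing separator
    // stops a sibling such as "hosted-other" from matching the prefix "hosted".
    if ($target === $baseReal
        || strpos($target, $baseReal . DIRECTORY_SEPARATOR) === 0) {
        return $target;
    }
    return null;
}

// Constructed sandbox: <tmp>/demo_xxxx/hosted/blah plus a sibling "private".
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/hosted/blah', 0700, true);
mkdir($root . '/private', 0700, true);
$base = $root . '/hosted';

// Each constructed input is resolved and reported as accepted or rejected.
foreach (['blah', 'blah/..', '../private', 'blah/../../private', 'missing'] as $p) {
    $r = resolve_inside($base, $p);
    printf("%-22s %s\n", $p, $r === null ? 'rejected' : 'ok: ' . $r);
}

// Remove the demo directories again.
rmdir($root . '/hosted/blah');
rmdir($root . '/hosted');
rmdir($root . '/private');
rmdir($root);
```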

  13. #28
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    OK, another command question.

    I know stristr() can find the first occurrence of a character within a string, but how about the last occurrence?

    i.e. I have $dir=hosted/blah/blah2

    I need it to separate off blah2 by only looking at the string starting after the last /

  14. #29
    Registered User
    Join Date
    Jul 2004
    Posts
    169
    Never mind, I should have done this before. Typing in stuff like

    last occurrence of string "php" in Google usually finds the command as the first result.

    I'm being dumb.

  15. #30
    pwns nooblars
    Join Date
    Oct 2005
    Location
    Portland, Or
    Posts
    1,094
    2 things that you will need if you want to make a secure login system, beyond what you have, and also to be a decent PHP programmer:

    Prepared statements: learn them, love them, thank your deity of choice for them. If you want to know why they are needed, look up SQL injection.

    PHP documentation: download that, and you will solve 90% of your problems. PHP has horrid error reporting, but that documentation makes up for it because everything is laid out and every PHP command is in there.

    Another thing for when you move to multiple files: consider making the separate files classes, then you can just call them and use them at your discretion. Whoever said putting the form post to the same file makes for ugly stuff, it is really simple with well-placed comments and using the format:
    Code:
    if($_POST['HAX']){
    // do stuff
    exit (0); //So that you don't go farther into the file
    }
    I picked up PHP programming because I was given the task of reworking the security and adding a bunch of features to the site. I had about 30 pages of PHP dumped on me and not one day in my life scripting with it. Luckily it is a lot like Perl (so similar it ........es me off sometimes when I try to use a function that is in one, and not the other), so it was a quick learning process.

    Wikipedia and Google will be your friends if you can't find the type of command or usage of a command you are looking for in the documentation.
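
The prepared-statement advice in the post above, applied to the login check this thread is about, as an added example that is not code from any poster: the SQL text stays fixed and the user name travels only as a bound parameter, and the stored password uses PHP's password_hash() instead of a bare md5() or sha1(). It assumes the pdo_sqlite extension; the table, column and account values are constructed.

```php
<?php
// Added example: login lookup with a prepared statement.
// Assumes pdo_sqlite; table, column and account values are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Store a salted, deliberately slow hash, which makes the dictionary
// hashing discussed earlier in the thread far more expensive.
$ins = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
$ins->execute([
    ':name' => 'alice',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

function check_login(PDO $db, string $name, string $password): bool
{
    // User input is never concatenated into the SQL string, so quotes or
    // SQL keywords inside $name are compared as plain data.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                       // no such user
    }
    return password_verify($password, $hash);
}

// Correct credentials, a wrong password, and a name carrying SQL
// metacharacters (constructed input, matched literally against the column).
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong'));
var_dump(check_login($db, "alice' --", 'anything'));
```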
