  #1 Taffu (Member; Join Date: Dec 2006; Posts: 34; Member #14486)
    In an ongoing project I'm working on, I'm trying to build a user authentication system that stores SESSION data in my user/session tables rather than using cookies. The problem I'm running into is actually storing the SESSION data into the tables and retrieving them via session_start().

    To start, I have my tables (we'll call them user_db and session_db). In user_db, I have the following fields: user_id, username, user_password, session_key - and in session_db, I have the following fields: session_id, session_key, user_id.

    Now there are a few things that are new to me that I'm doing when building my login.php page and working with the sessions. In attempting to use functions, my first roadblock is comparing the login information to the table's stored login information and using a function to do so. I'm having trouble using a 'return' to send back vars to the login.php page (my functions are on an included functions.php page). For instance, I'm using:
    PHP Code:
    <?php
    $pgf_root_path = './';
    include($pgf_root_path . 'function.php');
    include('config.php');
    include('opendb.php');

    // No semicolon after the condition: "if (...);" would end the statement there and
    // run the block below unconditionally.
    if (isset($_POST['login']))
    {
        $username = $_POST['username'];
        $password = sha1(strip_tags($_POST['user_password']));
        // Here I want to use my functions' returns to compare what I'm going to do.
        // This part I can't figure out what to do, or how to reference the function
        // in my comparison.
        // I ultimately want two possible responses, so an 'if' and 'elseif' or 'if' and 'else'
        // to define my comparison.
        // The first comparison would be a "True" value returned from my check_user()
        // function that would check the userdata in the table to verify/auth user/pass.
        // The second comparison would be a "False" value returned from my
        // check_user() function that would find that the information did not match the info
        // stored in the table and return the user to the login form with a message included
        // stating their info was not found.
    }
    else
    {
        // Echo my login form here
    }
    ?>
    Then my function:
    PHP Code:
    <?php
    function check_user($username, $password)
    {
        // Values are interpolated straight into the SQL string (the next reply flags this
        // as SQL-injectable); conditions are joined with AND, not a comma, and string
        // values must be quoted for the query to parse at all.
        $query = "SELECT * FROM user_db WHERE username = '$username' AND user_password = '$password'";
        $result = mysql_query($query) or die(mysql_error());
        // mysql_query() returns a result handle, not a row count; mysql_num_rows() gives the count.
        $numofrows = mysql_num_rows($result);
        if ($numofrows == 1) // This is the "True" var
        {
            return 1; // Don't know if I'm doing it right here
        }
        else
        {
            return 0; // Or doing it right here
        }
    }
    ?>
    Now in doing this, you essentially see what I'm trying to do. Return "1" if "True", and "0" if "False". True being username/password verified, False being not verified...try to login again. I don't know how to get those return values from the function to the login script for the two actions I'm trying to do there.

    Now inside these two actions, I want to do a start_session() in the first (True) where I can store the sid (encrypted either sha1 or md5) into the session_db and retrieve it upon login. I haven't the foggiest on how to do this...but I kinda know what I "should" do based on what I want to achieve. Basically I'm clueless on not only using the sid in a SQL query to insert it into the session_db, and then I don't know how to retrieve it via an SQL query inside the start_session() function...should I use another function imported from the functions.php page? And if so, how would that work?
    Owner - http://www.project-guild.com (in development)

  #2 Member (Join Date: Apr 2007; Posts: 96; Member #15165)
    Quote Originally Posted by Taffu
    PHP Code:
    <?php
    $username = $_POST['username'];
    $password = sha1(strip_tags($_POST['user_password']));

    $query = "SELECT * FROM user_db WHERE username = $username
    ?>
    I need more time to think about what you are trying to ask, but in the meantime...
    Do not do the code I have quoted above for security reasons, as it can lead to SQL injection. You have to be rigorous about cleaning up user input.
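The injection the reply above warns about, shown end to end. This is an added example, not code from either poster: it builds the same interpolated query as the quoted snippet, feeds it a constructed username, and then shows the parameterised replacement. It runs stand-alone against an in-memory SQLite database through PDO (the `pdo_sqlite` extension and the `user_db` table layout from the first post are assumptions; the MySQL-specific parts of the thread do not matter for the point). The hardened version also swaps the thread's unsalted `sha1()` for `password_hash()`/`password_verify()`, which is a change of technique, not something the thread does.

```php
<?php
// Added example: the interpolated query from the thread next to a parameterised one.
// Assumes pdo_sqlite is available and uses an in-memory database so it runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_db (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, user_password TEXT)');

// Seed one account. password_hash() stores a per-user salt and uses a slow hash;
// a bare sha1() of the password, as in the thread, is neither salted nor slow.
$ins = $db->prepare('INSERT INTO user_db (username, user_password) VALUES (?, ?)');
$ins->execute(['taffu', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. The pattern quoted in the reply: client-controlled values pasted into the SQL text.
//    sha1() output is hex only, so the password is not the hole; the username is.
function check_user_unsafe(PDO $db, string $username, string $password): bool
{
    $hash = sha1($password); // kept as the thread does it, to show the bypass
    $sql  = "SELECT COUNT(*) FROM user_db WHERE username = '$username' AND user_password = '$hash'";
    return (int) $db->query($sql)->fetchColumn() >= 1;
}

// 2. Parameterised replacement: the value travels separately from the SQL text, so a
//    quote inside $username cannot change the query's structure. The stored hash is
//    fetched and checked in PHP; password_verify() compares in constant time.
function check_user_safe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT user_password FROM user_db WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    return password_verify($password, $hash);
}

// Constructed attack input: closes the username literal, adds an always-true clause and
// comments out the password check ("-- " starts a comment in both SQLite and MySQL).
$payload = "' OR 1=1 -- ";

foreach ([
    ['unsafe, injected username', check_user_unsafe($db, $payload, 'anything')],
    ['safe, injected username',   check_user_safe($db, $payload, 'anything')],
    ['safe, correct password',    check_user_safe($db, 'taffu', 'correct horse')],
    ['safe, wrong password',      check_user_safe($db, 'taffu', 'wrong')],
] as [$label, $ok]) {
    printf("%-26s => %s\n", $label, $ok ? 'LOGGED IN' : 'rejected');
}
```

Run with `php`, the first line shows the interpolated check accepting the injected username with no valid password at all, because the `WHERE` clause it ends up executing is `username = '' OR 1=1`; the parameterised check treats the same payload as an unknown username and rejects it, and only the real credentials pass. "Cleaning up user input" is the reply's framing, but the fix that actually removes the bug is not to put the input in the SQL text in the first place.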

  #3 Member (Join Date: Apr 2007; Posts: 96; Member #15165)
    Let me try to clarify what I think you are asking.
    You do not want to store any session data in a cookie?

    You might be confusing session id with session data?
    In a typical PHP setup, the session data gets stored in the file system (like in the /tmp folder).
    Now, for the server to be able to find the relevant data for a user (with a session), it stores a unique identifier in a cookie on the user's system. That is the only cookie that is stored there. You can get around even this, if you specify to not have PHP put the session in a cookie and you start passing the PHP session id in the actual URI http://somedomain.com/?PHPSESSID=asdofijoasdf
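The reply above separates the session id (carried by the client) from the session data (kept on the server), and mentions carrying the id in the URI instead of a cookie. The following is an added example, not part of the reply, that puts the two configurations side by side and starts a session with the cookie-only one. The PHP settings named are real `php.ini` directives; the function names are mine, and PHP 7.3 or newer is assumed for the array form of `session_set_cookie_params()` and the `samesite` attribute.

```php
<?php
// Added example: the ini settings behind "session id in the URI" versus a cookie-only
// setup, plus a login-time id rotation. Assumes PHP >= 7.3.
declare(strict_types=1);

// Weak: what passing ?PHPSESSID=... around requires. The id then shows up in browser
// history, proxy and web-server access logs and the Referer header of every outbound
// link, and anyone can hand a victim a link carrying an id of the attacker's choosing
// (session fixation), because an id the server never issued is accepted as-is.
function weak_session_ini(): void
{
    ini_set('session.use_cookies',      '1');
    ini_set('session.use_only_cookies', '0'); // also accept the id from GET/POST
    ini_set('session.use_trans_sid',    '1'); // rewrite links/forms to carry the id
    ini_set('session.use_strict_mode',  '0'); // adopt whatever id the client presents
}

// Hardened: the id travels only in a cookie, and unknown ids are discarded.
function secure_session_ini(): void
{
    ini_set('session.use_cookies',      '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid',    '0');
    ini_set('session.use_strict_mode',  '1'); // unknown id => PHP issues a fresh one instead
    ini_set('session.sid_length',       '48');
    ini_set('session.sid_bits_per_character', '6'); // 48 chars * 6 bits = 288 bits of id
}

function secure_session_start(): void
{
    secure_session_ini();
    session_set_cookie_params([
        'lifetime' => 0,     // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,  // never sent over plain HTTP; relax only on a local dev box
        'httponly' => true,  // not readable by JavaScript, so XSS cannot simply copy it
        'samesite' => 'Lax', // not attached to cross-site POSTs
    ]);
    session_start();
}

// Call right after the password check succeeds: swap the pre-login id for a new one so
// an id planted or observed before authentication is worthless afterwards.
function promote_session(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session record as well
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

if (PHP_SAPI === 'cli') { // stand-alone run: show the id changing on login
    secure_session_start();
    $before = session_id();
    promote_session(14486);
    echo "pre-login sid:  $before\n";
    echo "post-login sid: " . session_id() . "\n";
}
```

The two sids printed differ, which is the property that matters: whatever id a visitor arrived with is not the one their authenticated session uses. With `use_strict_mode` on, the "URI" route the reply describes stops working by design, because an id the server did not generate is simply replaced.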

  #4 Taffu (Member; Join Date: Dec 2006; Posts: 34; Member #14486)
    None of what I'm currently coding is live, this is strictly for my own testing purposes before I get into cleaning things up from user input so that I can avoid sql injection and other security measures.

    As for trying to clarify what I'm trying to do, maybe this will help. Essentially, the main goal here is to use functions to declare returns, and then use those returns to declare what's going to happen on the page. For instance, with the login:

    First, my function from my functions.php file:
    PHP Code:
    function user_check($username, $password)
    {
        // TBL_USERS, USER and USER_PASS are constants from constants.php, so they are
        // concatenated in; quoting them would turn them into string literals.
        $sql = "SELECT * FROM " . TBL_USERS . " WHERE " . USER . " = '$username' AND " . USER_PASS . " = '$password'";
        $rs = mysql_query($sql) or die(mysql_error());
        $numofrows = mysql_num_rows($rs);
        if ($numofrows == 1)
        {
            return true;
        }
        else
        {
            return false;
        }
    }
    Then, the actual login.php page:
    PHP Code:
    include($pg_root_path . 'include/functions.php');
    if (isset($_POST['login']))
    {
        open_db(); // This function (in functions.php) opens my database - if this doesn't work, I'll simply use an include('file') to do so
        $username = $_POST['username'];
        $password = sha1(strip_tags($_POST['password']));

        // The function's return value is what gets tested; user_check() is the function
        // defined above (called verify_login() in the original post).
        $ok = user_check($username, $password);
        close_db(); // Again, same as above with open_db()

        if ($ok)
        {
            header('Location: login.php?mode=go');
        }
        else
        {
            header('Location: login.php?mode=deny');
        }
        exit; // nothing after a redirect header should be sent
    }
    else
    {
        // This is where my form will go, output through php using some
        // modifiers based on $_GET['mode='], as seen above included
        // in my header locations.
        // ['mode=go'] will call a redirect to the index.php page
        // ['mode=deny'] will call the form back with a "user does not exist" error
        // login.php without ['mode='] will simply open the login form
    }

    I just don't know if I'm calling the function properly and utilizing the returns properly. I'm writing some test pages now. You'll notice some constants up in the function, and there is a constants.php page that's required() in the functions.php page. The actual MySQL query is going to be in a database.php file (which will be required in functions.php) that will store all database queries required for functions that need to use the database, and will be included in the function where you see the "$sql = " as a function (ie. userdata() function that will query the user database for a basic SELECT * result and assign the result to a variable).

    Once I've tackled this part, I'll "attempt" to use a session_set_save_handler() function to store session info in a db, however...this is a giant hurdle for me that's currently 2nd in line, hehe. If I can't get the login working, there's really no point in starting sessions. Hope this clarifies some of what I'm trying to do here. Thanks in advance for any replies.
    Owner - http://www.project-guild.com (in development)
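The `session_set_save_handler()` step the post above puts second in line, and the question in the first post about getting the session id and data into a `session_db` table, are both served by the following added example. It is not the poster's code: it implements PHP's `SessionHandlerInterface` (plus `SessionUpdateTimestampHandlerInterface`, so `session.use_strict_mode` works with a custom store) on top of PDO, and runs stand-alone against an in-memory SQLite database. The `session_db` column names, the `pdo_sqlite` extension and PHP 8.0 or newer (for the union return types and constructor promotion) are assumptions; for MySQL, only the DSN and the column type noted in the comment change.

```php
<?php
// Added example: a database-backed session store via session_set_save_handler().
// Assumes PHP >= 8.0 and pdo_sqlite; table/column names are assumed, not from the thread.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Return the serialised $_SESSION blob, or '' when the id is unknown or expired.
    // The id comes from the client, so it is always bound as a parameter, never interpolated.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT session_data FROM session_db WHERE session_id = ? AND expires_at > ?');
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE is the SQLite/MySQL upsert; PostgreSQL would use ON CONFLICT ... DO UPDATE.
        $stmt = $this->db->prepare(
            'REPLACE INTO session_db (session_id, session_data, expires_at) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM session_db WHERE session_id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM session_db WHERE expires_at <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks this before adopting a client-supplied id.
    // Returning false for an id we never issued makes PHP generate a fresh one, which is
    // the session-fixation defence a URL-passed id otherwise gives up.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM session_db WHERE session_id = ? AND expires_at > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    // Called instead of write() when $_SESSION did not change: only slide the expiry.
    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE session_db SET expires_at = ? WHERE session_id = ?')
                        ->execute([time() + $this->ttl, $id]);
    }
}

// --- stand-alone run ---------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_db (
              session_id   TEXT PRIMARY KEY,
              session_data TEXT NOT NULL,   -- use BLOB on MySQL; serialised data is binary-safe
              expires_at   INTEGER NOT NULL)');

ini_set('session.use_strict_mode', '1');
$handler = new PdoSessionHandler($db, 1440);
session_set_save_handler($handler, true); // true also registers session_write_close() at shutdown

session_start();
$_SESSION['user_id'] = 14486;             // what login.php would set after a successful check
$sid = session_id();
session_write_close();                    // pushes $_SESSION through write()

// Show that the record landed in the table rather than in /tmp.
$row = $db->prepare('SELECT session_id, session_data, expires_at FROM session_db WHERE session_id = ?');
$row->execute([$sid]);
print_r($row->fetch(PDO::FETCH_ASSOC));
```

Two design points worth keeping when porting this to MySQL: the handler stores the session id exactly as PHP issues it and does not need a separate hashed `session_key`, because the id is already a random token that never appears anywhere but the cookie and this table; and `user_id` is carried inside the serialised session data (set by the login page), so the store does not have to know anything about users. Expiry is enforced on read, not only by `gc()`, since PHP runs garbage collection only probabilistically.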

  #5 Member (Join Date: Apr 2007; Posts: 96; Member #15165)
    In your login page, you could do this...
    PHP Code:
    include($pg_root_path . 'include/functions.php');

    $error = array();

    open_db();

    //note, you should write a sanitize function

    if (empty($_POST['username']))
        $error["username"] = "Must provide a username";
    else
        $username = sanitize($_POST["username"]);

    if (empty($_POST["password"]))
        $error["password"] = "Must enter a password";
    else
        $password = sha1(sanitize($_POST["password"]));

    if (!count($error))
    {
        if (verify_login($username, $password) != true)
            $error["verify"] = "Error logging in";
    }

    close_db();

    //if we do not have a count in the error array, push them to next page
    if (!count($error))
    {
        header("Location: index.php");
        die();
    }
    else
    {
        //we need to show the form again, we can use our error array to spit out messages
        include("form.php");
    }


  #6 Taffu (Member; Join Date: Dec 2006; Posts: 34; Member #14486)
    Ok, that gives me some ideas...I'll have to work on this over the weekend and see if I can make some progress...thanks for the input
    Owner - http://www.project-guild.com (in development)

