PHP - Php Sessions And Security (login Script) - Expert's Help Needed Urgent!

hi for all
am installing php security user mangement but i got some errors during install am using xampp 1.7.7 for windows but when i runed the script for the first time i got this message
Warning: require_once(C:/xampp/htdocs/xampp/psumthemes/shared.js.php) [function.require-once]: failed to open stream: No such file or directory in C:\xampp\htdocs\xampp\psum\index.php on line 20Fatal error: require_once() [function.require]: Failed opening required 'C:/xampp/htdocs/xampp/psumthemes/shared.js.php' (include_path='.;C:\xampp\php\PEAR') in C:\xampp\htdocs\xampp\psum\index.php on line 20()

any ideas please my document root is C:/xampp/htdocs

hello.

i have 2 issues.

1.
im trying to create a session or a global for the pageName but im going in circles.

on each page i have the page name. for example: Code: [Select]
$pageName="adminHome";
each page has its own variables in the db which say how the page is layed out etc..

so the template index looks for the pageName and then pulls the correct layout from to db..

i need the template (and other pages) to get the $pageName="" everytime the page changes.

please help.


this code might help.

this is a basic page:
Code: [Select]
<?PHP
require_once("../includes/initialize.php");

$pName = "adminHome";
$page = Pages::find_by_pageName($pName);
echo $page->id."<br />";



this is my layouts/header.php where $session = new Session(); is located and its also looking for the pageName but i cant seem to get it to see it

Code: [Select]
<?PHP
require_once("../includes/initialize.php");
$session = new Session();

NEEDS TO FIND PAGE NAME HERE

if($pageName == "adminHome"){
   if (!$session->is_logged_in()) { $user=""; }else{ $user = User::find_by_id($_SESSION["user_id"]);  redirect_to("home.php");}
}else{
   if (!$session->is_logged_in()) { $session->message("Access denied."); redirect_to("pages/admin_login.php"); }else{ $user = User::find_by_id($_SESSION["user_id"]); }
}
?>

---------------------------------------------------------------------



PROBLEM 2.

problem 1 and 2 could be solved by the same thing really.

on the page i have the pageName. i then get the various bits from the db like the template_id, the layout_id etc... which are needed on other pages .

do i session each variable or put each in to a global or is there some other way.

for example:

Code: [Select]
$pName = "adminHome";
$page = Pages::find_by_pageName($pName);

echo $page->id."<br />";
echo $page->pageName."<br />";
echo $page->layoutTemps_id.'<br/>';
//ETC


now i want to put these into there own sessions or globals (or something else) to pass to other pages


ANY THOUGHTS...





i have a session class. but im not using it for this. maybe i could use it but im not sure how.

Code: [Select]
<?PHP
class Session {
private $logged_in=false;
public  $user_id;
public $message;



function __construct(){
// session_start();
$this->check_login();
$this->check_message();

 }//end function __construct() session start

/*
if($this->logged_in) {
// do something
} else {
// do something
} //end if
*/

public function is_logged_in() {

return $this->logged_in;

}//end function is_logged_in()



public function login($user) {

//database should find user based on username/password

if($user) {

$this->user_id = $_SESSION['user_id'] = $user->id;
$this->logged_in = true;

}//end if

}//function login($user)


public function logout() {

unset($_SESSION['user_id']);
unset($this->user_id);
$this->logged_in = false;

}//end function logout()

// you have to set the message
// this can set and get a message

public function message($msg="") {

if(!empty($msg)) {

//then this is "set message"
// make sure you understand why $this->message=$msg wouldn't work
// we have to store it in the session

$_SESSION['message'] = $msg;
} else {

// then this is "get message"
return $this->message;

} // end if

} // end function message($msg="")



private function check_login() {

if(isset($_SESSION['user_id'])) {

$this->user_id = $_SESSION['user_id'];
$this->logged_in = true;
}else{
unset($this->user_id);
$this->logged_in = false;
}//end if
}//end function check_login()


private function check_message() {

//is there a message stored in the session?

if(isset($_SESSION['message'])) {

// Add it as an attribute and erase the stored version

$this->message = $_SESSION['message'];
    unset($_SESSION['message']);

}else{

$this->message = "";

}//end if
}//end check_message()

}//end class session

$session = new Session(); //create a session
$message = $session->message();

?>


THANKS
rick

I have a shopping cart on my website with some minor errors. When you refresh the page it adds an extra quantity to the item when it shouldn't.

Any help the code is below.

$cart = $_SESSION['cart'];
$action = $_GET['action'];
switch ($action) {
case 'add':
if ($cart) {
$cart .= ','.$_GET['id'];
} else {
$cart = $_GET['id'];
}
break;
case 'delete':
if ($cart) {
$items = explode(',',$cart);
$newcart = '';
foreach ($items as $item) {
if ($_GET['id'] != $item) {
if ($newcart != '') {
$newcart .= ','.$item;
} else {
$newcart = $item;
}
}
}
$cart = $newcart;
}
break;
case 'update':
if ($cart) {
$newcart = '';
foreach ($_POST as $key=>$value) {
if (stristr($key,'qty')) {
$id = str_replace('qty','',$key);
$items = ($newcart != '') ? explode(',',$newcart) : explode(',',$cart);
$newcart = '';
foreach ($items as $item) {
if ($id != $item) {
if ($newcart != '') {
$newcart .= ','.$item;
} else {
$newcart = $item;
}
}
}
for ($i=1;$i<=$value;$i++) {
if ($newcart != '') {
$newcart .= ','.$id;
} else {
$newcart = $id;
}
}
}
}
}
$cart = $newcart;
break;
}
$_SESSION['cart'] = $cart;

I have an array and I'd like to find the most popular value in the array. example.

$arr = array(1,1,1,1,2,2,3,4,5,5,5,5,5,5,5,3,4,198,10293,1,2);

I would like only display 5 please.

I've been thinking that I needed to build a database to store sessions in. However, seeing a post in another topic got to pondering if I really need it now.

My site is very small and as of now the login script makes the normal sessions variables, member id, display name, etc., and I've also thrown in http_user_agent.

If sessions are destroyed by logging out or by closing the browser is a session database really needed?

How much does site size matter? Say on a very small site (10-15 people a day, no money changing hands, just logging in and posting) or medium small site (50-100 people a day, no money ...) ?

Thanks

Can someone please help to find the most important login precautions in terms of security. For example, I'think the most important is:
1. string escaping, prevent SQL injections
2.
3.
...

I know It's hard to find and consider all of them, that's why I'd like to have a list of the most important.

Checking to see if I am going in the right direction, any suggestions would be appreciated!

I am setting up SESSIONs for login and setting a time limit on them.

I have basically 2 scenarios that I need to code for.

1. Registerd user w/good billing has all access
2. Registerd user w/expired billing & Guest user can only go to certain pages and have limited access

This is my login page, will validate the login info and either sends user to one page or another or gives error that the login is incorrect

<?php

// http://www.daniweb.com/forums/thread124500.html

  session_start(); // starting session

  if( isset($_POST['submitLogin'])) {

    include('library/login.php');
    login();
    mysql_select_db('test');

    // username and pswd from login
    $userID=$_POST["userID"];
    $pswd=$_POST["pswd"];

    // to protect from MySQL injection
    $userID = stripslashes($userID);
    $pswd = stripslashes($pswd);
    $userID = mysql_real_escape_string($userID);
    $pswd = mysql_real_escape_string($pswd);

    $sql="SELECT * FROM user WHERE userID='$userID' and pswd='$pswd'";
    $result=mysql_query($sql);

    while ($r=mysql_fetch_array($result)) {
      $exp_date=$r["exp_date"];
      $todays_date=date("Y-m-d");
    }

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $userID and $pswd, table row must be 1 row
if($count == 1) {
      session_register("userID");
      session_register("pswd");

      $_SESSION['userID'] = $userID;
      
      // verifies billing
      if ($exp_date >= $todays_date) {
        // billing is up to date
        echo "<meta http-equiv='refresh' content='0;url=session2.php'>";
      }
      else  {
        // billing has expired
        echo "<meta http-equiv='refresh' content='0;url=expBilling.php'>";
      }
    }
    else  {
      // login form for when there us an incorrect user/password
      echo " <div id='incorrect'>Please verify the username or password.</div>
      <form method='post' action='' name='login' id='login'>
        <div id='loginForm'>
          <fieldset>
            <span class='textbox'>
              <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells' value='$userID'>
              <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells' value='$pswd'>
              <br><label for='pswd'>&nbsp;</label>Remember Me:  <input type='checkbox' name='Remember' value='21'>
              <br><label for='blank'>&nbsp;</label><a href='resetPswd.php'>Forget Your Password? </a>
              <br><label for='blank'>&nbsp;</label><input type='image' value='Login'  src='img/button_login.gif' width='64' height='25'
                  onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\">
              <input type='hidden' name='submitLogin' value='true'>
            </span>
          </fieldset>
        </div>
      </form>
      ";
    }
  }
  else  {
    // log in form
    echo "
      <form method='post' action=''  name='login' id='login'>
        <div id='loginForm'>
          <fieldset>
            <span class='textbox'>
              <label for='username'>Username: </label> <input type='text' name='userID' size='25' class='cells'>
              <br><label for='pswd'>Password: </label> <input type='password' name='pswd' size='25'class='cells'>
              <br><label for='pswd'>&nbsp;</label>Remember Me:  <input type='checkbox' name='Remember' value='21'>
              <br><label for='blank'>&nbsp;</label><a href='resetPswd.php'>Forget Your Password?</a>

              <br><label for='blank'>&nbsp;</label><input type='image' value='Login' src='img/button_login.gif' width='65' height='25'
              onmouseover=\"javascript:this.src='img/button_login2.gif';\" onmouseout=\"javascript:this.src='img/button_login.gif';\">
              <input type='hidden' name='submitLogin' value='true'>
            </span>
          </fieldset>
        </div>
      </form>
      ";
  }
  
?>

If the billing is good then user will go here

<?PHP
  session_start();

  // session timing
// set timeout period in seconds
$inactive = 15;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
  $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)  {
      session_destroy(); }
}

$_SESSION['timeout'] = time();

// END session timing



  if(!session_is_registered(userID)){
    header("location:login.php");
  }
?>

<html>
<body>
  Login Successful
</body>
</html>

If the billing has expired user goes here

<?php
  session_start();

  // session timing
// set timeout period in seconds
$inactive = 15;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
  $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)  {
      session_destroy(); }
}

$_SESSION['timeout'] = time();

// END session timing


  // if the user has been timed out or not logged in
  if(!session_is_registered(userID)){
    header("location:form.php");
  }

  // user is logged in and their billing is good
  else {
    echo "Warning! <b>";
    echo $_SESSION['userID'];
    echo "</b> Your billing has expired ";
  } // end session

?>

I also created this page to test what happens when a non-subscriber trys to go to a page without logging in, it also
test the billing and blocks a user whose billing is expired.

<?php
session_start();

// session timing
// set timeout period in seconds
$inactive = 15;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
  $session_life = time() - $_SESSION['timeout'];
    if($session_life > $inactive)  {
      session_destroy(); }
}

$_SESSION['timeout'] = time();

// END session timing

  // if the user has been timed out or not logged in
  if(session_is_registered(userID)){

    // verify billing if user comes in directly thru this page

    include('library/login.php');
    login();
    mysql_select_db('test');

    $userID = $_SESSION['userID'];

    $sql="SELECT * FROM user WHERE userID='$userID'";
    $result=mysql_query($sql);

    while ($r=mysql_fetch_array($result)) {
      $exp_date=$r["exp_date"];
      $todays_date=date("Y-m-d");
    }

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $userID and $pswd, table row must be 1 row
if($count == 1) {
      // checks dates
      if ($exp_date >= $todays_date) {
        // billing is up to date
            echo "Welcome: ";
            echo $_SESSION['userID'];
      }
      else  {
        // billing has expired
        echo "<meta http-equiv='refresh' content='0;url=expBilling.php'>";
      }
    }
    // END verify billing
  }
  // user is logged in and their billing is good
  else {
    echo "Welcome: ";
    echo "Non-user can view this stuff.";
    echo "<br><a href='form.php'>Click here to register</a>";
  } // end session
?> 


These are all test pages once I get the coding right I will incorporate it into the real pages.

i just discovered a hole in my scripts relating to access .

1. have a simple login form
2. based on the type of user , he is directed to a page for his options .
3. I now realise that altho each page therefter checks for sessions of the user , he can easily  change the url to that of another user and there is no way to prevent it.
4. How can i make sure that each time a page is accessed it is only by the user whom it is meant for.


Relevant code snippets below . Thanks ! Swati

login.php
---------


<?php
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);

//Process this if statement only if form was submitted
if($_POST['submit']){
session_start();

$username=$_POST['username'];
$password=$_POST['password'];
include ("link.php"); // contains db info


    //Test for login success
    $sql = "SELECT * FROM Users WHERE Username='$username' AND Password = '$password'";
    $result = mysql_query($sql);
    if  ($myrow = mysql_fetch_assoc($result)){
//  echo $sql;
       
        $login_success = 'Yes'; 
        $userid = $myrow["Userid"];
       $usertype = $myrow["UTID"];
        
        $status = "On";
        $url = $PHP_SELF."?".$_SERVER['QUERY_STRING'];; 
        $logout = 'logout.php';

        $_SESSION['id']=session_id();
        $_SESSION['userid']=$userid;
        $_SESSION['usertype']=$usertype;


       $sql2= "insert into Log (Sessionid,Userid,IP,Date,File, Status) values('$_SESSION[id]','$userid','$ip','$tm', '$url', '$status')";
$result2 = mysql_query($sql2) or die  ('no access to database: ' . mysql_error());
//        echo mysql_error();      }

}
}      
?>



Each subsequent page has this header
==============================
 
 
 <?
header("Cache-Control: public");

include ("log.php"); //db info for DB along with session start
if(!isset($_SESSION['userid'])){
 echo "<center><font face='Calibri' size='2' color=red>Sorry, Please login and use this page </font></center>";
 exit;}
?>

 
 
The url of each page :
 
Code: [Select]

www.abc.com/example/type1.php?Userid=USER1ID
 

and such a user can easily change the url to 
  Code: [Select]

www.abc.com/example/type2.php?Userid=USER1ID

and access all the options of type2.php

I'm using a login form which allows me enter the pages as member only
the only thing that I need to do is to include the file safe.php and the user has to login in order to see the content of this page. so far so good.

if I use my subscription forms ( spread over 2 pages) the first page can be filled in properly however when I come to the second page (where I included the safe.php aswell I think I loose the session ID that I got after logging in the first time) I am redirected to the login page which I don't want. how can I avoid this?

this is the  content of safe.php
Code: [Select]
<?php
// Pagina: safe.php: Includen if you want te securise your page just add it at the top of your page
include("config.php");

if(isset($_SESSION['user_id'])) {
 // Inloggen correct, updaten laatst actief in db
 $sql = "UPDATE gebruikers SET lastactive=NOW() WHERE id='".$_SESSION['user_id']."'";
 mysql_query($sql);
}else{
 if(isset($_COOKIE['user_id'])) {
  $sql = "SELECT wachtwoord,status FROM gebruikers WHERE id='".$_COOKIE['user_id']."'";
  $query = mysql_query($sql);
  $rij = mysql_fetch_object($query);
  $dbpass = htmlspecialchars($rij->wachtwoord);
  $dbstatus = htmlspecialchars($rij->status);
  if($dbpass == $_COOKIE['user_password']) {
   $_SESSION['user_id'] = $_COOKIE['user_id'];
   $_SESSION['user_status'] = $dbstatus;
  }else{
   setcookie("user_id", "", time() - 3600);
   setcookie("user_password", "", time() - 3600);
   echo "Cookies incorrect. Cookies verwijderd.";
   header("Location: inloggen.php");
  }
 }else{
  header("Location: inloggen.php");
 }
}
?>

Hello.

I am coding a remember me feature. Everything is working, except i am being logged in using cookies even when i want to use a session.

To login using a cookie i must select the checkbox, for sessions i must leave it blank.

Here is my code, if someone could spot a mistake i would be really grateful.

Login page
Code: [Select]

<?php

ob_start();

// starting session...
session_start();

// requiring connection...
require("functions.php");



// assigning variables...
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$submit = mysql_real_escape_string($_POST['submit']);
$rememberme = $_POST['rememberme'];

// querying database...
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);

if ($numrows != 0)
{
while ($row = mysql_fetch_assoc($query))
{
$db_username = $row['username'];
$db_password = $row['password'];
}
}

// verifying login details...
if ($submit)
{
if (!empty($username) && !empty($password))
{
if ($username == $db_username && $password == $db_password)
{
if ($rememberme = "on")
{
setcookie("username", $username, time() + 7200);
        header('Location: tablets.php');
}
else
{
        $_SESSION['username'] = $db_username;
        $url = $_SESSION['origin'] ? $_SESSION['origin'] : "main.php"; 
            unset($_SESSION['origin']);
            header('Location: ' . $url);
            exit;
}
}
else
{
echo "Incorrect login details";
}
}
else
{
echo "You must type in username and password";
}
}


ob_end_flush();

?>


Login form
Code: [Select]
<?php

session_start();

require("connect.php");

if (isset($_SESSION['username']) || isset($_COOKIE['username']))
{
header('Location: main.php');
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Login</title>

<link rel="stylesheet" type="text/css" href="form.css" />

</head>
<body>




<form method="post" action="login.php">
<div class="box">
<h1>Login</h1>
<label>
<span>Username</span>
<input type="text" class="input_text" name="username" id="name" /> 
</label>
<label>
<span>Password</span>
<input type="password" class="input_text" name="password" id="password" />
</label>
<input type="checkbox" name="rememberme" />
<label>
<input type="submit" class="button" value="Login" name="submit" />
</label>
</div>
</form>




</body>
</html>

Hi

What is the best way of handling a login system with sessions, I have read that you should never hold the password in a session, so what should you hold in the session in order to access a users data?

I'm trying to create a simple session on a form page that determines if you've signed in. If you haven't, it kicks you to the login page. But for some reason, what I have isn't doing that. When I open the page, it loads, but only prints the url on a blank page, instead of actually going to the url.

Code: [Select]
<html>
<title>form</title>
<link rel="stylesheet" type="text/css" href="style.css">
<body>

<?php
session_start();

if(isset($_SESSION['id']) && is_numeric($_SESSION['id'])) {
      

if (isset($_POST['submitted'])) {
$errors = array();


if (empty($_POST['scientific_name'])) {
$errors[] = 'you forgot to enter the scientific name';

} else {
$sn = trim($_POST['scientific_name']);
}

if (empty($_POST['common_name_english'])) {
$errors[] = 'you forgot to enter the common name';

} else {
$cne = trim($_POST['common_name_english']);
}

$description4 = trim($_POST['common_names_spanish']);
$description5 = trim($_POST['common_names_french']);
$description6 = etc. etc.

if (empty($errors)) {

require_once ('3_z_mysq1_c0nn3ct.php');

$query = "INSERT INTO plantae (scientific_name, common_name_english, etc.)
 VALUES ('$sn', '$cne', '$description4', '$description5', '$description6', '$description7', etc.)";

$result = @mysql_query ($query);


if ($result) {

if(isset($_POST['scientific_name']))
{
$plant_id=mysql_insert_id();
}


exit();
} else {
echo 'system error. No plant added';

echo '<p>' . mysql_error() . '<br><br>query:' . $query . '</p>';


exit();

}
 mysql_close();

} else {

echo 'error. the following error occured <br>';
foreach ($errors as $msg) {

echo " - $msg<br>\n";

}

} // end of if

} // end of main submit conditional


echo '<form action="insertaplant1.php" method="post"><fieldset><legend><b>Enter your new plant here</b></legend>


form fields here.

</form>'; 
      } else { 
       
      $url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);

if((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
          $url = substr($url, 0, -1);
        }

$url .= '/login.php';

echo $url;
     
       exit(); 
       }

?>

I have a login system that uses a flat file database.  The flat file is in a directory outside the public_html.  My questions;

1- Is is still possible to hack into that file?

Currently I do not encrypt the passwords as I have been told that having the file outside the public_html makes the file unavailable to the public.  This allows me the advantage of sending the Username and Password to the user in an email if they forget there password or username.  Otherwise- I would have to set up a more complicated method to allow them to change their password to re-gain access to the site.  I have an SSL on the site also so I am not worried about packet sniffing.

Thanks

I have made a classified website. it works and I am proud of it. But as far as securing it goes, I have done almost nothing and I am sure, if in case the site becomes popular, it would be compromised with ease.

So I have started reading a book ' essential php security' and am reading several articles on php security online , but am still unable to wrap my head around the whole security issue.

Can someone help me ? there are a lot of unfamiliar topics, filtering, escaping , validating, session hijacking etc etc and it all goes over my head.

Its a classified website , considering this on what should I concentrate on as far as security goes ? 
btw what I have managed to do is use mysql_real_escape_string on every var going into a mysql $query.

Thanks

Hi All,

My goal is to process all redirects serverside and simply return the user to the 'final' URL.

Here's my function to get the final URL:
PHP Code:
function get_final_url($url){ 
    global $final_host; 
        $redirects = get_all_redirects($url); 
        if (count($redirects)>0){ 
          $final_url = array_pop($redirects); 
          if(substr($final_url,0,7) != 'http://' && !empty($final_host)) 
            { $final_url = 'http://'.$final_host.$final_url; } 
                return $final_url; 
        } else { 
                return $url; 
        } 

Here's the cURL execution:

$ch2 = curl_init();      
                        curl_setopt($ch2,CURLOPT_URL,$url); 
                        curl_setopt($ch2, CURLOPT_FOLLOWLOCATION, true); 
                        curl_setopt($ch2,CURLOPT_POST,''); 
                        curl_setopt($ch2,CURLOPT_POSTFIELDS,''); 
                        curl_exec($ch2); 
                        curl_close($ch2); 

For some reason, this works no problem, posts any data over to the URLs serverside, redirects serverside, and passes the client to the final URL, with none of the redirection displayed via HTTPWatch or any similar debug utility. Sometimes, however, it does show phases of redirection.

Any insight into what I might be doing incorrectly?

Thanks SO much in advance.
E