PHP - Question Regarding Protected In Oop

Hi,

I have built a registration and login system for a website, part of which I wish to protect certain pages.

The registration systems works well, as does the login BUT I am having difficulty with the next stage.

How do I then 'capture' the username and password that were entered by the user and get the PHP page I want to protect to check that these are valid? I guess it is a piece of code I need to put in the top of the protected page?

Here is the final piece of code (which then includes a link to the page I want to protect) from the login page which includes session_register, but then how can I use this information in the page I wish to protect?

//Now if everything is correct let's finish his/her/its login
session_register("username", $username);
session_register("password", $password);

echo "Welcome, ".$username." please continue onto our ".$sub." membership area...<a href=".$index.">click here</a>";
}


Thanks,
Simon

Hello:

I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure."
I was told I should use MD5 / SALTING / HASHING to do this.

I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it>

This is my database table storing the myAdmins data (when I initially insert it into the database):
Code: [Select]
CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO myAdmins VALUES("1","abc","123");

This is the login form I use:
Code: [Select]
<?php

include('../include/myConn.php');
include('include/myAdminNav.php');

session_start();
session_destroy();

$message="";

$Login=$_POST['Login'];
if($Login){
$myUserName=$_POST['myUserName'];
$myPassword=$_POST['myPassword'];

$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'");
if(mysql_num_rows($result)!='0'){
session_register("myUserName");
header("location:a_Home.php");
exit;
}else{
$message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>";
}

}
?>

<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">

<? echo $message; ?>

Username: <input name="myUserName" type="text" id="myUserName" size="40" />
Password: <input name="myPassword" type="password" id="myPassword" size="40" />

<input name="Login" type="submit" id="Login" value="Login" />

</form>



This is the code on top of each page I password protect:
Code: [Select]
<?
session_start();
if(!session_is_registered(myUserName)){
header("location:Login.php");
}
?>

Works well, but can it be "better"??

And, if I am allowing the admin to update his/her username or password, I do it this way:
Code: [Select]
<?php

include('../include/myConn.php');
include('include/myCheckLogin.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$myUserName = mysql_real_escape_string($_POST['myUserName']);
$myPassword = mysql_real_escape_string($_POST['myPassword']);

$sql = "

UPDATE myAdmins
   SET
      myUserName = '$myUserName',
      myPassword = '$myPassword'
  ";
mysql_query($sql) && mysql_affected_rows()

?>

<?php
}

$query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error());

while($result=mysql_fetch_array($query))

{
  $myUserName=$result['myUserName'];
  $myPassword=$result['myPassword'];
}

?>


<form method="post" action="<?php echo $PHP_SELF;?>">
<input type="hidden" name="POSTBACK" value="EDIT">

Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>">
Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>">

<input type="submit" value="Submit" />
         
</form>


Should it be "better" .. ??

I don't seem to understand how to "encrypt" all of this to make it "stronger" ..

Ideas? Improvements?

I'm writing a script that opens a webpage and pulls out the pictures for editing.

The problem I'm having is the pictures are protected from hotlinking with htaccess. The script is on a different domain.

I know it's possible to do this but after much searching and experimentation I can't work it out.

Any ideas?

Hello everyone:

I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct.

I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..?

I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems.

In ASP I would do a protected page like this:
a_login_check.asp
Code: [Select]
<%
if session("admin_user_name") = "" then
session.abandon
response.redirect "login.asp"
end if
%>

Protected-Page.asp
Code: [Select]
<!-- #include file="include/a_check_login.asp" -->
<html>
...
CONTENT

...
</html>

And of course there is the login page itself ...
(I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??)

Anyway, can someone point-out to me how to do this.

I would appreciate it!

when in a form, I wish to build a conditional that if the response to a radio button is a value of 2 (female), it will display an input requesting for users maiden name. If not 2 goes to the next input statement.

Here is code I was experimenting with:


<html>
<body>
<form action="" name="test"  method='POST'>
<input type="radio" id="sex" value=1 checked><label>Male</label>
<input type="radio" id="sex" value=2><label>Femaleale</label>

    <?php
    $result = "value";
    if ($result == 2)
        echo "<input type='int' id='gradYear' size='3' required>";
        else
        echo "Not a female!"
    ?>

    <input type="submit" value="GO">
</form>
</body>
</html>


The code passes debug, however, Not a Female is displayed.

My question is - Can I do this and if so, what value do I test against id='sex' or value. I tried each one but gave the same results. I realize that $_POST[sex] would be used after the submit button is clicked. But this has me stumped.

Thanks for the assis in advance.

hi php people,

I am wondering will  if the code below will work when I call $C->getafoo() will I get foo;  I keep getting an error at this point  return $this->A->a(); saying  the method is not there

Code: [Select]
class A{
  public function a(){
    return "foo";
  }
}

class B {
  public $A;

  function __construct($A) {
    $this->A = $A;   

  }

  public function geta(){
    return $this->A->a();
  }
}


class C extends B{
  public function getafoo(){
   return geta();
 }

}
$C = new C(new A());

echo $C->getafoo();

Hello, i am currently working on a project and i have been on google and nothing has helped i am trying to detect characters in the URL so for example XSS if someone typed in the URL:

home.php?=<script>document.cookie();</script>

OR

home.php?=<?php echo file_get_contents("document.txt", "a");

How would i be able to make a kind of firewall to detect this?   and if it does then redirect to another page.   Thanks.

In php, which function is best used to act something like the sql "LIKE" command? and how would that function be used like?

Hi,

I am looking into a way of adding addons to a class I made.. I thought something like this would work, but not sure how to implement it:

Code: [Select]
<?php
class foo {
    function foobar($text) {
        $text = $text . 'b';
        return $text;
    }
}
class bar extends foo {
    function foobar($text) {
        $text = $text . 'c';
        return $text;
    }
}

$var = new bar();
$var->foobar('a'); // this would then return abc
?>

Now i want to be able to call up foo, and it calls the foobar of foo, and the foobar of bar.
is that possible?

hosh

Just get started with OO in PHP. If I create an object while on one page and then call another page, can I still access that first object, or is it destroyed when the second page is called? For example, if I have on page1.php:

Code: [Select]
$obj = new $MyObject();
and then call page2.php, is it possible to still access $obj while on that page?

I'm considering getting a VPS, but I'm not entirely sure what this would be able the handle. The specs doesn't look that good to me, but my friend swears it will handle running apache/php/mysql handling large websites and databases without a problem. I want to run multiple databases that just store statistics and I'm a bit worried about the RAM and the company doesn't even mention a cpu.

Here's the specs:
256MB RAM
300GB HDD
10Mbps unmetered
1 IP Address

My friend runs two counter-strike: source servers off his VPS (same stats).. so I'm actually considering this, but it just seems like it's not powerful enough.

Oh.. forgot the most important part.. it's only $9.

I'm trying to secure my login system as much as possible from SQL injections and other attacks. I know that by using mysql_real_escape_string() you can prevent that and I'm using that on for example the username input, but I would like to know if you hash the password before you send it to the database with MD5, do you still need to use mysql_real_escape_string()?

A very quick and simple example:

Code: [Select]
<?php

$un = $_POST['username'];
$pass = $_POST['password'];
$pass = md5($pass);

mysql_query("SELECT * FROM users WHERE password='$pass' AND username='$un'");

?>

If someone wrote a possible SQL query in the password input, wouldn't that be rendered useless as the md5 will hash it before sending it and therefor "hide" it? Or is there any other reason you wouldn't want people to use sertain characters/symbols in their passwords?

Hello. I'm trying to pull information out of an xml file. However I'm a bit lost in getting the actual value.

Code: [Select]
$url="http://ws.audioscrobbler.com/2.0/?method=artist.getimages&artist=Dr%20Feelgood&limit=1&autocorrect=1&api_key=c107c9b5c09cb5693b6c19409dd984c1";

$xml = simpleXML_load_file($url,"SimpleXMLElement",LIBXML_NOCDATA);

$largesquare=$xml->images->sizes->size[2];
Is what I have but its not pulling the information. The above url will give you the link to a set xml file for this example. And I want to get the info for the

Code: [Select]
<size name="largesquare" width="126" height="126">http://userserve-ak.last.fm/serve/126s/43173899.jpg</size>
I'm sure I'm doing something wrong that's a simple fix but I am lost here. In the sizes there are 6 different size options each with different names and I have no idea how to pull the one with the correct name that I need.

Thank you to who ever can help me sort this out.

I have been away from PHP for a long time and I was looking over my old scripts. I did PHP OOP at one time and I used a paticular method to connect all my methods up and load them. I have been looking at other peoples code and when I look at my code it does not even feel like OOP, I want to know how to you link all the methods (or is it called functions?) in a class up and return them? I use to do this:

Code: [Select]
<?php
class quickFUNC
{
 
function note_pad()
{
// code for notepad
}
 
function quickAdminFunc()
{
// code for admin func
 
$this->note_pad();
}
 
 
}
 
$quickFUNC = new quickFUNC;
 
if(isset($_GET['id']))
{
$act = $_GET['id'];
}
else
{
$act = NULL;
}
 
switch ($act)
{
 
 
case 1:
 
//some random code to launch case 1
 
break;
 
default:
$quickFUNC ->quickAdminFunc();
 
 
?>



This was my code back in the days, as you can see the notepad was called in the admin function then made the admin function default in the case switch.  I looked at all my script and the all are layed out like this :S..

Can I get some help please, thank you.

I have an issue with the below code

Code: [Select]
if ($gtype == "%24L" || $gtype == "$L")
The value actually starts with the dollar sign then L, but its being read as a variable that's not assigned so it showing as blank. so the question is how to I get to check and see if the value of gtype actually is $L in a way that it wont read $L as a variable and as a value instead?