|
PHP - How To Store User Permissions Securely
HI All, Currently when my users log into my site i store their user level in a session. This allows admins to see more than normal users. I am worried that it would be very easy for someone to amend the session and give themselves admin rights. I am asking for advice on best practice for setting the user level of the logged in user. Where would you suggest i store this information so that only admins see the admin stuff. My navbar has a PHP if test running against $_SESSION['user_level'] and only admins see the admin panal. Similar TutorialsI have had a load of people who are silly enought to forget their username and or password so wish to add in the option for them to save their details in a cookie, and break my number one rule, never to use them!!! can anyone suggest how i can do this so it is stored safely like most websites do it. I have a site where I want another user that has a password fills out a form & it then downloads to my server. I want them to be able to then download that file from my site at the same time the form is submitted. I've tried adding this code to the bottom of the php file that the form points to but it just displays the file on the screen instead of downloading to the user's computer.
<?php
$file = '/site/downloadfile';
if (file_exists($file)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($file).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
}
?>
if I put the same code in a separate file it works perfectly but i don't want to add another file if i can help it. Any help appreciated
I am developing a system that with have 4 different levels of permissions. My question is this. From a structure standpoint, some systems will have the administrators area in one file and the users admin area in another file. Others will have a level of permission with all the different levels of administrative tasks, menus, etc, coming from the database. Is one of these better than the other or does it matter. From a coding standpoint it would be much easier to just have permissions and allow access to user menus and admin pages accordingly. Thanks in advance. guys how to add a user agent field to this codes so that one can keep a track wht all user agents crawled? $ip = $_SERVER['REMOTE_ADDR']; $file_ip = fopen('counter/ip.db', 'rb'); while (!feof($file_ip)) { $line[]=fgets($file_ip,1024); } for ($i=0; $i<(count($line)); $i++) { list($ip_x) = split("\n",$line[$i]); if ($ip == $ip_x) {$found = 1;} } fclose($file_ip); if (!$found) { $file_ip2 = fopen('counter/ip.db', 'ab'); $line = "$ip\n"; fwrite($file_ip2, $line, strlen($line)); $file_count = fopen('counter/count.db', 'rb'); $data = ''; while (!feof($file_count)) { $data .= fread($file_count, 4096); } fclose($file_count); list($today, $yesterday, $total, $date, $days) = split("%", $data); if ($date == date("Y m d")) { $today++; } else { $yesterday = $today; $today = 1; $days++; $date = date("Y m d"); } $total++; $line = "$today%$yesterday%$total%$date%$days"; $file_count2 = fopen('counter/count.db', 'wb'); fwrite($file_count2, $line, strlen($line)); fclose($file_count2); fclose($file_ip2); } Unfortunately I have no code for this yet cuz I don;t even know if its possible... I am programming an application that is used by a couple of stores, which could end up being a lot of stores. Anyways, the basis is that the stores would, though a separate application (and therefore separate database) create a username and password, I now want to use this username and password to do the following 1. Allow them to login to my application using the same username and password 2. I want the store the username in a session to pull tables based on the username from my database For instance, a user has the login store123, after loggin in it now pulls the information from the tables store123_items, store123_prices, store123_settings, etc. Now my database will have quite a lot of store###_tables I am, sadly, a noobie to PHP and I do recall seeing an article (somewhere on the net, and I stupidly forgot to bookmark it, knowing I would need it eventually) on how to access multiple databases easily. Now because they are both under my account I can use the same username and password for both, its accessing the MySQL username/password database and storing the info I know I am lacking on how to do it. Any ideas? Please Help me on how to create a website using with code n a little bit explanation using PHP n phpmyadmin. The mainthing that i need to do is using php create a simple site that logs on by connecting it to the phpmyadmin database such that i need to store the user details like name,mobile number,age,loaction,lattitude n longitude in database.Also i need to retrieve the database whenever required!!! Can Any1 please help how to do this...It means a lot to me n i'm a new User n Beginner to learn these things!!! Thank u for reading this I have users becoming members and allowed them to upload their own photos. But when they try to upload 5MB photos, it takes time to upload the photo, and sometimes server gives a timeout error. I have searched and found javascripts that uploads to the server but I have noticed that it has security problems. So how do you let users to upload photos ? This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=348558.0 Hello, I am trying to implement a remember me feature on my site, but am having problems doing so securely. I would like the cookies that remember your info to be sent securely over ssl, but the problem is all of my pages are http. I do not want to force everyone to be https because it is not needed. Is there a way to tell php to check for the cookies via ssl even though the page request was http? Thank you! weee Hey, I know this questions get asked a lot but here is a different version of it. What is a simple and secure method for storing data/passwords? I know there is a lot of debate in this subject but I run a browser game off my server and just want the data to be encrypted. is this good enough or is this easy to crack? Code: [Select] <?php $password = 'abcdefg'; $salt = 'whateversecrethash'; $pw_hash = md5($salt.$password); ?> or I just found this tutorial is this up to date and actually a good method? http://webhole.net/2010/10/30/php-password-encryption-with-salt/ Hey guys i have a script that i made with multiple permissions.. i need to add in the pages restitutions for diffrent levels.. so i got the level $query = "SELECT * FROM users WHERE `username`='$username_from_cookie'"; $numresults=mysql_query($query); $numrows=mysql_num_rows($numresults); // get results $result = mysql_query($query) or die("Couldn't execute query"); // now you can display the results returned while ($row10= mysql_fetch_array($result)) { $permissions= $row10["permissions"]; echo '$permissions'; } Now to restick im ok with like to but more then that i get confused.. this shows navigation on levels of permissions.. if ($row10['permissions'] == 2) { print "<a href=\"U.php\"><img src=\"./Icons/Users.png\" title=\"Prof\" /></a>"; } else { print "<img src=\"./Icons/Users_o.png\"/>"; } 2 levels if ($row10['permissions'] == 5) { print "<a href=\"Prof_1.php\"><img src=\"./Icons/sec.png\" title=\"Enseignant(e)\"/></a>"; } elseif ($row10['permissions'] == 2) { print "<a href=\"Prof_1.php\"><img src=\"./Icons/sec.png\" title=\"Enseignant(e)\"/></a>"; } else { print "<img src=\"./Icons/sec_o.png\" title=\"Enseignant(e)\"/>"; } ok so instead of have 10 lines of codes can i $row10['permissions'] == 5&2&3 ??? and can i do if not permissions ==5 redirect to loggin.. thanks Dear Coder Bro, I made a simple php script which copy some files to the server directory through a php loop. It means it will copy some 1000+ files via loop & store into a directory. The script worked fine before some 2 - 3days, Suddenly i saw that script is executing but no files copied to the server's directory. I checked the directory permission & it was 755. I changed the permission to 777 and run the script once again and it worked success... But the problem is the directory permission automatically changes to the old 755. I don't know how it happen. I need to change the directory permission to 777 when i begin to run the script. My Question is. 1.) Why did the directory permission automatically changes to 755. ? 2.) How to solve this problem to avoid the every time directory permission changing behavior ? I Hope expert coder guys will respond soon...! So here is a concept of a permission system that I haven't really seen any where else. Now usually conventional permissions are usually stored in columns whilst the record specifies a bit which is then used to determine if the record has access to that permission.
Below is my concept of how permissions should be done, I'm looking for someone who can help me create the system in a way which would be easily implementable by other applications such as MyBB. In my case I have multiple game servers, and most of my players have accounts created on my forums which are powered by MyBB, I'm currently in the process of integrating their MyBB accounts across all my related game servers, but one thing I've noticed is that I have multiple permission systems created for all of my servers so right now I'm also trying to integrate all of them into one system so please try and understand that I designed this system in a way that could be used by multiple applications.
Any constructive criticism is accepted.
So the idea is that you have 1 table, I'll just list it here to make it easier to follow: - uniperms_nodes Now the uniperms_nodes table will contain the following columns:
- key (Int, Not Null, Primary Key, Auto Increment)
- type (Enum('USER', 'GROUP'), Not Null)
- id (Int, Not Null)
- permission (Varchar(255), Not Null)
- description (Text)
Now here is how it works,a record is inserted into the uniperms_nodes table containing the necessary information. Here is an example:
INSERT INTO `uniperms_nodes` (`type`, `id`, `permission`, `description`)
VALUES ('GROUP', '1', 'my.test.node', 'A simple permission');
With this information inserted, I can simply use the following query in order to get all of the permissions related to the GROUP with the ID of 1. SELECT `permission` FROM `uniperms_nodes` WHERE type='GROUP' AND id=1;With this array of permission nodes I can simply just check if the array has 'my.test.node', if the array contains 'my.test.node' then that means that the group I queried has access to that permission. Now the reason I have the types USER and GROUP is because maybe you would like to give permissions to individual users, but maybe you wouldn't necessarily want to create a new group. I'm currently looking for someone to help me create a lovely interface for this system, so that it's easier for the user to modify a group/user's permissions. If you're interested feel free to message me here on the forums or via email. kieron.wiltshire@outlook.com Edited by KieronWiltshire, 19 November 2014 - 11:15 AM. Hi I've got a file upload script i've written and I have set the folder to 777 to allow uploads With the permission set to 777 does this open me up to potential uploads from 3rd parties? (ie: viruses etc)? So I thought what I would do is 1: Set folder to 777 to allow uploads 2: Upload file 3: Set folder to 755 to disable uploads Would this be the best method to do it? Or is that a waste of time and am I safe just leaving it as 777 Thanks Wasn't sure exactly where to post this at but here is my issue. I have a directory setup where multiple developers work on a project and they all have "group" access to the folder and files(read, write, execute) so the permissions on the php files need to be 775 so they can upload and overwrite the files via FTP. The problem is that PHP files will not work with permissions of 775 and throw a internal server error unless I change it to something lower. Is there a way to overcome this for these files? I'm doing a flash app where i save webcam images to a folder on the server. I'm able to make this work when running of xampp on my machine, I create the required folder structure and I'm able to read from that folder and display the images, however once i move the stuff onto a live server, it fails to create the folders and it seems to be a permission problem. Is it server specific? i've tried chmod etc but I don't think i'm doing it right. any help, pointers for a non php developer would be most helpful. here's my code snippet <?php //This project is done by vamapaull: http://blog.vamapaull.com/ //The php code is done with some help from Mihai Bojin: http://www.mihaibojin.com/ $uid = $_GET[uid]; $structure = './images/' . date("Ymd") .'/' . $uid. '/'; // To create the nested structure, the $recursive parameter // to mkdir() must be specified. if(is_dir($structure)) { echo "Exists!"; } else { echo "Doesn't exist" ; if (!mkdir($structure,'0777', true) ) { die('Failed to create folders...'); } } if(isset($GLOBALS["HTTP_RAW_POST_DATA"])){ $jpg = $GLOBALS["HTTP_RAW_POST_DATA"]; $img = $_GET["img"]; $filename = 'images/' . date("Ymd"). "/" .$uid. "/img_". mktime(). ".jpg"; file_put_contents($filename, $jpg); } else{ echo "Encoded JPEG information not received."; } ?> Hello needed for permissions well dont know even how to ask . im building simple betting and im want to add message if user has submitted bet but problem im got is once user submit all other bets comes with message how to make it work separate for every single row Here is my code Code: [Select] $statom = $TSUE['TSUE_Database']->query("SELECT count(*), b.betid, a.betid, a.memberid, a.chosen_team FROM rasta_betters a, rasta_betting b WHERE memberid = ".$TSUE['TSUE_Member']->info["memberid"]." AND b.betid = a.betid "); $arr = mysqli_fetch_array($statom); if ($arr[0] > 0) { $forma = '<div class="success">You have placed bet here</div>'; } else{ $team1 = $row['team1']; $team2 = $row['team2']; $pisk = '<input type="checkbox" name="komanda" value="'.$team1.'" />'; $pisk2 = '<input type="checkbox" name="komanda" value="'.$team2.'" />'; $komanda = ''; $komanda = $team1.$pisk; $komanda2 = ''; $komanda2 = $team2.$pisk2; $forma = 'This bet end on:'. date('Y-m-d H:i:s',$row['finish']).''; eval("\$betting_form = \"".$TSUE['TSUE_Template']->LoadTemplate('betting_form')."\";"); $forma .= $betting_form; } $TSUE['TSUE_Member']->info["memberid"] that is actual user id gets id auto Hey, practicing my PHP for the first time, starting with a simple upload script with Xampp. Script: Code: [Select] $target = '/Uploads'; $uploadedfile = $target . basename($_FILES['file']['name']); if(move_uploaded_file($_FILES['file']['tmp_name'], $target)){ echo "The file ". basename($_FILES['file']['name'])." has been uploaded."; } else { echo 'Failed'; } error_reporting(E_ALL); It echos out a successful, but the file is nowhere? Uploads is inside htdocs. Checked my php.ini file: file_uploads = On upload_tmp_dir = "C:\xampp\tmp" upload_max_filesize = 128M Just wondering if there are any permission i may have missed? This topic has been moved to Other Libraries and Frameworks. http://www.phpfreaks.com/forums/index.php?topic=357211.0 Can someone please give me some guidance on how to deal with the following warning Quote
Warning: move_uploaded_file(../usernet/img/60ff59c9f0a830.45733158.jpg): Failed to open stream: Permission denied in /opt/lampp/htdocs/site/admin/add_post.php on line 23 All directories and files in the path have full owner permissions and I've made myself the owner of them all (I'm on a linux system). I've also done the same with the /tmp folder. I can't even think of anything else to change and haven't found anything online that solves the issue. in case it's needed, the php is as follows: <?php
require("assets/initializations.php");
if(isset($_POST['add_post']) && !empty($_FILES['post_image'])) {
$filename = $_FILES['post_image']['name'];
$file_tmp_name = $_FILES['post_image']['tmp_name'];
$filesize = $_FILES['post_image']['size'];
$file_ext = explode('.', $filename);
$file_act_ext = strtolower(end($file_ext));
$allowed = array('jpeg', 'jpg', 'png', 'gif');
if(!in_array($file_act_ext, $allowed)) {
header("Location: add_post.php?message=file_type_not_allowed");
} else {
if($filesize > 10000000) {
header("Location: add_post.php?message=file_too_large");
} else {
$file_new_name = uniqid('', true) . "." . $file_act_ext;
$dir = "../usernet/img/";
$target_file = $dir . basename($file_new_name);
move_uploaded_file($file_tmp_name, $target_file);
echo "<script>alert('Image uploaded successfully');</script>";
}
}
}
I do get the javascript alert that's it's been successfully uploaded, but the image doesn't make it into the specified directory and I get the warnings at the top. I'm also, probably obviously from the path, using XAMPP server for development. TIA |
|||||||