Ask Question Forum:
Model Library:2025-02-08:A.I. model is online auto reply
C
O
M
P
U
T
E
R
2
8
Show
#
ASK
RECENT
←
- Underline
- Bold
- Italic
- Indent
- Step
- Bullet
- Quote
- Cut
- Copy
- Paste
- Table
- Spelling
- Find & Replace
- Undo
- Redo
- Link
- Attach
- Clear
- Code
Below area will not be traslated by Google,you can input code or other languages
Hint:If find spelling error, You need to correct it,1 by 1 or ignore it (code area won't be checked).
X-position of the mouse cursor
Y-position of the mouse cursor
Y-position of the mouse cursor
Testcursor
caretPos
Attachment:===
Asked by duncanb7
at 2024-05-06 07:03:50
Point:500 Replies:23 POST_ID:828549USER_ID:11059
Topic:
PHP Scripting Language;MySQL Server;JavaScript
Recently I'm working on my website for user login submit form and I google related information
at this link http://phpsense.com/2006/php-login-script/. And finally I successully complete the
login form based on the link example from those php files zipped into PHP-login.zip but I still
have some question please help on it
Question-1:The login form php file is login-form.php which require config.php file
In configure.php file which store my server's mysql databse root username and password for accessing
the database for checking user's login and password match
at this link http://phpsense.com/2006/php-login-script/. And finally I successully complete the
login form based on the link example from those php files zipped into PHP-login.zip but I still
have some question please help on it
Question-1:The login form php file is login-form.php which require config.php file
In configure.php file which store my server's mysql databse root username and password for accessing
the database for checking user's login and password match
<?php define('DB_HOST', 'localhost'); define('DB_USER', 'jatinder'); define('DB_PASSWORD', 'mypassword'); define('DB_DATABASE', 'mydatabase');?> 1:2:3:4:5:6:
THe question is , Because users can access my mysql database and at
the same time he can modifiy or change other users' information such as password
and login name besides himself. Is it Dangerours ? How to let the users only
can change his login information only and not to accesss others' information , please advise ?
Question-2 I have two different computers but users can login the form with the same login and same passwork.
How to avoid double same username login at different computers ? Do i need to write some php code to record
the status of users login saving into the mysql data when they are doing login and logout from the form.
Could you provide me some coding ?
Qestioon-3 Once the login success after login username is matching its password in the database
, the php code in login-exec.php will create php session variables to store members' id, firstname, lastname
like as follows
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];"
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];"
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];"
In auth.php which will be used for every website page for user authority checking and it will check
the session variable whether it is set or not.
The question is whether the session variables are saved in the my server instead of user computer ?
If so, is it dangerous because other users might be also doing the login form submitting at the same so the
variable is set even some users is NOT doing any login and they access the web page without login?
<"?php //auth.ph //Start session session_start();" //Check whether the session variable SESS_MEMBER_ID is present or not if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) { header("location: access-denied.php");" exit();" }?>" 1:2:3:4:5:6:7:8:9:10:
Question-4 What is session_regenerate_id() and session_write_close() doing for in login-exec.php ?
Please advise, and you can directly download the example PHP_login.zip files to save all files above at
the link for testing
Duncan
Attachment:config.phplogin-exec.phplogin-form.phpmember-index.phpauth.phplogin-failed.phploginmodule.css
Author: duncanb7 replied at 2024-05-06 19:59:50
//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}
In the code, only server or mysql adminstrator can know the exact password
to connect databse, and password is saved in php file at configure.php which
is NOT seen by other users in Browser, RIght , so how you can attack mysql database if you were to attack, Please advise
Duncan
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}
In the code, only server or mysql adminstrator can know the exact password
to connect databse, and password is saved in php file at configure.php which
is NOT seen by other users in Browser, RIght , so how you can attack mysql database if you were to attack, Please advise
Duncan
Author: duncanb7 replied at 2024-05-06 19:55:56
Even so, you can NOT see the php code inside so you can not know the exact name of
the sql database at my server, how you can database attack or delete the database on myserver through my server through limited information on my login-form web page ?
Please advise
Duncan
the sql database at my server, how you can database attack or delete the database on myserver through my server through limited information on my login-form web page ?
Please advise
Duncan
Accepted Solution
Expert: stevepwales replied at 2024-05-06 10:00:28
50 points GOOD
If you have a master password which you use to login thriugh phpmysqladmin or any other program for security reasons create a new user with permissions to access only the db needed. for example if you had a logon which you used to connect to see all your databases this would have permissions to create drop and do a lot of other stuff. if i were to do a sql injection attack if you were using that user on the web if successful i could delete 10 databases. with a seperate user you could set permissions so i could only access 1 database and nit able to alter drop tables. hope you understand how important the user permission inside mysql are
Author: duncanb7 replied at 2024-05-06 09:48:37
May be let me correct something ?
I am using xammp on window xp(php on PC version) and I set it as my server now in which to access phpMyadmin, I need other new login and password to access the
mysql database
On my Linux share-server , after logging in Cpanel login with password, it doesn't need other password to access the mysql or phpMyadmin,
Yes, it might be worked using account password to access the database for both
type of my server instead of any phpMyadm password and login
Let me try later on. Os I think question-1 is not issue now.
I am using xammp on window xp(php on PC version) and I set it as my server now in which to access phpMyadmin, I need other new login and password to access the
mysql database
On my Linux share-server , after logging in Cpanel login with password, it doesn't need other password to access the mysql or phpMyadmin,
Yes, it might be worked using account password to access the database for both
type of my server instead of any phpMyadm password and login
Let me try later on. Os I think question-1 is not issue now.
Assisted Solution
Expert: stevepwales replied at 2024-05-06 09:18:32
50 points GOOD
Why not to use root account for web connections mysql
http://dev.mysql.com/doc/refman/4.1/en/security-guidelines.html
http://dev.mysql.com/doc/refman/4.1/en/security-guidelines.html
Assisted Solution
Expert: stevepwales replied at 2024-05-06 09:12:33
50 points GOOD
Answer to 4 is yes the logon will still work one is for assigning a new session id the other is to be used when eveything which needs to be done with the session is done like on lohout
Assisted Solution
Expert: stevepwales replied at 2024-05-06 09:02:37
50 points GOOD
Yes thats the one i mean not server password mysql db root password you need to create a second user in the mysql management environment wether that is phpmysqladmin or mysql administrator. create a user like webuser giving it selecr update delete insert should be eniugh
Expert: stevepwales replied at 2024-05-06 08:57:55
Have you 2 diffeerent logins one is root password used to creare mysql instance and can be used to connect on the mysqlserver on the server - create a second user to be used over the web with the right privilages. and answer to question 3 yes they will need to logon they wont be able to use any of the sess vars from the other user
Author: duncanb7 replied at 2024-05-06 08:54:46
TYPING mistake and correction:
I mean root password that is NOT my server adm password, it is the root password
for mysql database only on my server
I mean root password that is NOT my server adm password, it is the root password
for mysql database only on my server
Author: duncanb7 replied at 2024-05-06 08:54:01
I mean root password that is my server adm password, it is the root password
for mysql database only on my server
for mysql database only on my server
Author: duncanb7 replied at 2024-05-06 08:52:26
If don't use root password , how the users connect to sql database on the server
for login and password match check ?
for login and password match check ?
Expert: stevepwales replied at 2024-05-06 08:50:07
Dont use root password for my sql this can be used in sql injection attacks since the root password is the master login you can be fully comprised. yes the details dont stay there a clever sql injection attack can use this which is why you should set up a user other than the root password ans allow only relevant permissions - i stress again dont use the root account with mysql as that is trouble waiting to happen do not use in web applications
Assisted Solution
Expert: Ray Paseur replied at 2024-05-06 08:31:57
50 points GOOD
how to avoid double login at two different comptuer with the same username login and same password ?
You should redesign your application so that this is not a requirement. The reason goes to the nature of client/server systems. Clients make requests and servers respond. The action is atomic, complete and stateless on both sides of this relationship. There is no such thing as a logged-in user; there is only a client request that sends data showing that the client is logged in (probably a cookie) So here is the problem you will have if you try to keep clients from logging in on two different computers.A client will login and you will make some kind of record on your server about the login. The client will forget to log out. Now the server must decide when the client has to be logged out. Until that decision is taken and implemented, the client is locked out of your server. This creates a very, very bad user experience. In modern computing, clients may use many different devices to access your server at the same time. Smart phones, tablets, desktop or laptop computers, etc. If you create a site that locks them out when they are using one device and does not let them use a second device until they log out from the first device, you should not be surprised if the clients go away and never come back.
All the other parts of this question are anticipated and answered with working code examples in the article here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Author: duncanb7 replied at 2024-05-06 08:25:29
Please correct for my answer to the question based on your comment
Answer-1
When php program is terminated, the server's mysql root username and password
won't left on user browser or computer, and user can't see the mysql root password
since it is php coding for security. So it is safe users can change the mysql database
at the server
Anwer-2
For double login, in php, I can write some sql coding in php record
the statue of users such as login and logout into mysql databse . So
php coding can sovle the issue.
Anwer-3
The session variable is saved in the user computer instead of server so other
users can NOT access the page in other computer without correct login.
Answer-4 those two session_regenerate_id() and session_write_close() function
is no use in this example, I also check even without those function, the login
is still work
Please advise
Duncan
Answer-1
When php program is terminated, the server's mysql root username and password
won't left on user browser or computer, and user can't see the mysql root password
since it is php coding for security. So it is safe users can change the mysql database
at the server
Anwer-2
For double login, in php, I can write some sql coding in php record
the statue of users such as login and logout into mysql databse . So
php coding can sovle the issue.
Anwer-3
The session variable is saved in the user computer instead of server so other
users can NOT access the page in other computer without correct login.
Answer-4 those two session_regenerate_id() and session_write_close() function
is no use in this example, I also check even without those function, the login
is still work
Please advise
Duncan
Author: duncanb7 replied at 2024-05-06 07:58:40
FOr Question-1 and question3, just ask something in simple way,
Once all php file is completely run or done, user can NOT get
any information from mysql root username and password, Is it right ?
ANd only thing left for the user is just his session id(member id from mysql databse I created) stored in my browswer as cookies, RIght ?
FOr question-2, could you comment a little bit, how to avoid double login at
two different comptuer with the same username login and same password ?
Duncan
Once all php file is completely run or done, user can NOT get
any information from mysql root username and password, Is it right ?
ANd only thing left for the user is just his session id(member id from mysql databse I created) stored in my browswer as cookies, RIght ?
FOr question-2, could you comment a little bit, how to avoid double login at
two different comptuer with the same username login and same password ?
Duncan
Assisted Solution
Expert: stevepwales replied at 2024-05-06 07:57:00
50 points GOOD
For duplicare login try setting the status whem the session starts and closes it on session end with flag in db think thats all of them
Assisted Solution
Expert: stevepwales replied at 2024-05-06 07:53:43
50 points GOOD
Session data is usually stored after your script terminated without the need to callsession_write_close(), but as session data is locked to prevent concurrent writes only one script may operate on a session at any time. When using framesets together with sessions you will experience the frames loading one by one due to this locking. You can reduce the time needed to load all the frames by ending the session as soon as all changes to session variables are done
Assisted Solution
Expert: stevepwales replied at 2024-05-06 07:50:46
50 points GOOD
session_regenerate_id() will replace the current session id with a new one, and keep the current session information
Assisted Solution
Expert: stevepwales replied at 2024-05-06 07:47:48
50 points GOOD
3 session vars are unique to the user so not dangerous
Expert: stevepwales replied at 2024-05-06 07:46:34
2. When the user logs in u can get his id then use that in update statement allowing him then to only update his id
Expert: stevepwales replied at 2024-05-06 07:44:09
I would not use root user name and password for access from web form to db set up specific user with relevant permissions if the root password is compramised you are in trouble.
Author: duncanb7 replied at 2024-05-06 07:35:11
THanks for your quick reply,
SOrry not next time more question in one thread.
This time could you answer me those four question for exception
Please advise, I want to know the concept how it works for the coding ?
DUncan
SOrry not next time more question in one thread.
This time could you answer me those four question for exception
Please advise, I want to know the concept how it works for the coding ?
DUncan
Assisted Solution
Expert: Ray Paseur replied at 2024-05-06 07:14:59
50 points GOOD
You might get better results if you ask one question at a time. At EE, the experts answer questions in exchange for reward points. Four part questions mean more work for fewer points. Simple economics, eh?
Here is the design pattern for PHP client authentication:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Here is the book that teaches you enough to understand and answer all of the questions you asked above. It's a good investment both in time and money.
http://www.sitepoint.com/books/phpmysql4/
Here is the design pattern for PHP client authentication:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
Here is the book that teaches you enough to understand and answer all of the questions you asked above. It's a good investment both in time and money.
http://www.sitepoint.com/books/phpmysql4/