View Full Version : Php/sql


Kon-Tiki
03-02-2006, 09:09 AM
Got three questions this time.

1) How can I make it so that an admin has to log in, but only once, until they log out? I don't think cookies're pretty safe, and right now, every time you submit something on a form, it asks to log in again.

2) How can I spread the login session over multiple files, so I don't have to stuff everything into one huge file, but so that people can't just go to their URL and use the stuff in there?

3) In my database, the passwords're encrypted by choosing the Password function (using phpMyAdmin). Is there any way to do that with the user-submitted passwords as well? Comparing the two gives untrue between an encrypted and an unencrypted string, which's a bit of a problem.

Kon-Tiki
03-02-2006, 10:55 AM
Some problems apparently'll be solved by using sessions. Those're going weird, though. Got some problems with them.

1) The session-id changed with each page-load.
2) It nags.


1) This's how my session starts:
session_start();
$session_id = session_id();
session_register("id");

At first, I didn't use a session_register()-function on $session_id. Adding it didn't have any effect, as it apparently keeps recreating the session. I'll be checking for if($session_id == NULL) to do the session_start(), but I don't think that'll fully get it to work.

2) It says this:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Web1\Eindoef\admin.php:9) in C:\xampp\htdocs\Web1\Eindoef\login.php on line 9

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\Web1\Eindoef\admin.php:9) in C:\xampp\htdocs\Web1\Eindoef\login.php on line 9
The first 11 lines of login.php are this:
<html>
<head>
</head>

<body>
<?php


session_start();
$session_id = session_id();
session_register("id");

The ninth line is session_start(); I don't know why it nags, nor how to solve it, but it sure disrupts my page.

Reup
03-02-2006, 11:29 AM
You MUST put the session_start() as the first thing in your file. This has to be sent before any headers. As soon as you leave a single empty line or an HTML tag in front of it, you'll get the 'headers already sent' error!

Edit: and you can use the superglobal $_SESSION['varname'] to store and retrieve stuff in your session variable!
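
Added example (not part of the original thread): a hypothetical shared include, auth.php, that applies the rule above in one place and also covers question 2, since every admin page that loads it first refuses to render without a logged-in session. The file name, the admin_id and last_seen session keys, the 15-minute idle limit and the HTTPS assumption are illustrative; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// auth.php: hypothetical shared include (added example, not from the thread).
// It must be the first thing each admin page loads: no blank line, BOM or HTML
// may come before the opening PHP tag, or the session cookie cannot be sent.

const IDLE_LIMIT = 900; // seconds of inactivity before re-login (assumed value)

function start_admin_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Keep the session ID in a cookie only, never in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // assumes the admin area is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Pure check, so the rule can be exercised without a browser.
function is_logged_in(array $session, int $now): bool
{
    return isset($session['admin_id'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

function require_login(): void
{
    start_admin_session();
    if (!is_logged_in($_SESSION, time())) {
        $_SESSION = [];
        header('Location: login.php');
        exit; // stop here so the protected page body never runs
    }
    $_SESSION['last_seen'] = time();
}
```

Each protected file then opens, on its very first line, with a PHP block that does require 'auth.php'; followed by require_login(); before any HTML is written.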

Kon-Tiki
03-02-2006, 11:41 AM
Aye, that takes care of that, and the session ID stays consistent now. Thanks :cheers:

Data
03-02-2006, 12:01 PM
3)
you have to compare 2 encrypted passwords together.
I think you can do a mysql query which gives an encrypted password.
password(whatever) or something like that

Reup
03-02-2006, 12:16 PM
You could also use the php-function crypt() (http://nl2.php.net/manual/en/function.crypt.php) to accomplish one-way encryption.

Kon-Tiki
03-02-2006, 12:26 PM
The crypt()-function encrypts in a different way. As for the password... I put an unencrypted one in for testing purposes, but the query's not working properly.
Session-ID: f638205c9db7afdecdd9e9e1eda8e1d0
Login: kak
Logged in:

That's what I get after filling in username and password. My code's this:
<?php session_start();
$session_id = session_id();
session_register("id");
?>

<html>
<body>
<?php
include_once("connection.php");

$paswrd = $_POST["paswrd"];
$login = $_POST["login"];

$SQL_query = "SELECT count(Naam) FROM webmasters WHERE Naam = $login AND Paswoord = $paswrd";
$logged_in = mysql_query($SQL_query, $db_connection);
session_register("logged_in");
$test = $_SESSION["logged_in"];

echo "<br><br>Session-ID: ", $session_id, "<br>Login: ", $login, "<br>Logged in: ", $test, "<br><br>";

echo "<div class='content'><div class='sub_content_noscroll'><table>
<form method='post' action='admin.php' name='frmLogin'>
<tr><td>Login: </td><td><input type='text' name='login' /></td></tr>
<tr><td>Paswoord: </td><td><input type='password' name='paswrd' /></td></tr>
<tr><td><input type='submit' name='submit' value='Log in' /></td></tr>
</form>
</table></div></div>";

?>
</body>
</html>

I don't see what's wrong with this.

Reup
03-02-2006, 01:01 PM
This should work if the password is in the db in plain text. If it's encrypted you're not going to get any results from the query. That is why crypt could be handy. You store the passwords in the db with crypt and check it against the crypted entered password. This way you won't be able to get the password from the db, 'cause only the crypted version is ever stored.
I don't really know how to use the MySQL encryption in PHP, but from the docs I gather you should be able to create the following query:

SELECT * FROM table WHERE login = '$login' AND password = ENCRYPT('$password')

There are a couple of encrypt/decrypt functions you can use in a query: check the documentation! (http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html)

Edit: mofo typos

plix
03-02-2006, 01:02 PM
I don't have the time to fill out a full reply at the moment (I'll reply fully later), but a few immediate notes.

Sessions either use cookies or embed themselves in the URL. That is to say, cookies are all you really have since session-ids-in-the-url are even more insecure. I'll cover a few things about using secure cookies when I get back.

crypt and MySQL's password() are both rather insecure, as is md5. Use PHP's SHA1 (or higher if you have the mcrypt/mhash extensions available). Make the MySQL row a varchar and add the hashed version of the password to the database. Then, when logging in, make sure that $pass_from_db == sha1($submitted_pass).

Kon-Tiki
03-02-2006, 01:33 PM
Well, I got one login in my database where I didn't encrypt the password for. That one's the one I've been using for these testings, and even that didn't work.

Reup
03-02-2006, 01:37 PM
Echo the query to see if there are any errors in there. For instance, there are no quotes around the strings you're matching (e.g. login and password). Afaik if you're doing queries with string literals you have to surround them with single quotes!
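
Added example, not code from the thread: the login check done with a parameterized query, so the quoting problem pointed out above cannot arise, and with PHP's password_hash()/password_verify() (PHP 5.5 or later), which salt each hash, for the stored-hash comparison discussed earlier in the thread. The table and column names are the ones in Kon-Tiki's query; the in-memory SQLite database (standing in for connection.php), the sample password and the session keys are assumptions.

```php
<?php
// Added example, not the thread's code. An in-memory SQLite database stands in
// for the MySQL connection in connection.php so the script runs offline.
session_start(); // before any output

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE webmasters (Naam TEXT PRIMARY KEY, Paswoord TEXT)');

// Constructed sample account: only the salted hash is stored.
$insert = $db->prepare('INSERT INTO webmasters (Naam, Paswoord) VALUES (?, ?)');
$insert->execute(['kak', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

function check_login(PDO $db, string $login, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Paswoord FROM webmasters WHERE Naam = ?');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn(); // false when no such user

    // Compared in PHP, not in SQL, because every hash carries its own salt.
    return is_string($hash) && password_verify($password, $hash);
}

function log_in(PDO $db, string $login, string $password): bool
{
    if (!check_login($db, $login, $password)) {
        return false;
    }
    session_regenerate_id(true);    // new session ID once privileges change
    $_SESSION['admin_id'] = $login; // hypothetical session keys
    $_SESSION['last_seen'] = time();
    return true;
}

// Constructed inputs standing in for $_POST['login'] and $_POST['paswrd'].
var_dump(check_login($db, 'kak', 'constructed-sample-pw')); // correct password
var_dump(check_login($db, 'kak', 'wrong'));                 // wrong password
var_dump(check_login($db, "d'Artagnan", 'x'));              // quote in the name is plain data
```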

Kon-Tiki
03-02-2006, 02:01 PM
I tried that, too. Anyways, our fearless leader made some time to explain a couple of misinterpretations (the way the results of mysql_query() are made up, for example), and it now works. Hurray :D

Kon-Tiki
06-02-2006, 01:24 PM
Got another question. This time, I've got these entries in my SQL database that I want to edit. Each entry consists of 8 fields. I want to list all names of the entries and a checkbox to select them. Submitting the form goes to another page, where the input'll be processed.

This new page shows 7 out of the 8 fields (the 8th being the ID... well, technically the 1st, but you get what I mean). You should be able to alter all 7 fields of each entry. Pressing the Submit-button should process it, running an SQL-query to update the contents.

There's the tricky part. I've tried passing the checkbox array through the processing, so the page'd know which entries to alter, after the alterations've been given in. The problem with this, is that the checkbox array, as I have it now, still has the same look (var_dump gives this: array(3) {[0] => string(1) "1" [1] => string(1) "4" [2] => string(1) "7" }, which's right). It doesn't update the entries, though, nor does it show them again on the page. Pressing Submit a second time gives NULL for the checkbox array.

Anybody know why it's doing this, and how to fix it? I'm completely stumped. Been trying everything I could think of.

Braindead
06-02-2006, 05:58 PM
the advantage of md5 is that it's fast & relatively safe, however if you want to be sure to not have security issues, do not encrypt the password but encrypt a login key which you generated yourself.
your table then looks like:
user_id password login_key

your cookie and/or session just contain an md5'ed user_id & login_key

md5 info can be found here: http://www.faqs.org/rfcs/rfc1321

Mara
06-02-2006, 06:19 PM
Originally posted by Reup@Feb 3 2006, 01:29 PM
You MUST put the session_start() as the first thing in your file. This has to be sent before any headers. As soon as you leave a single empty line or an HTML tag in front of it, you'll get the 'headers already sent' error!

Edit: and you can use the superglobal $_SESSION['varname'] to store and retrieve stuff in your session variable!


I remember spending hours because I had jumped a line before the <?php
I knew about that, but I hadn't seen that stupid backspace :wall:

"Pressing Submit a second time gives NULL for the checkbox array."
-> normal. Everything is erased when you validate, or refresh the page. Use the sessions if you want to keep it.
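
Added example, not code from the thread: the selection from the list page is validated and stored in the session, so the second POST (which carries the edited fields but no checkbox array) still knows which rows it may update. The in-memory SQLite database, the entries table and the form field names select[] and name[id] are assumptions.

```php
<?php
// Added example, not the thread's code. SQLite in memory, the entries table
// and the field names (select, name) are assumptions so it runs offline.
session_start(); // before any output

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO entries VALUES (1,'a'),(4,'b'),(7,'c'),(9,'d')");

// Step 1 (list page submitted): keep only positive integers and remember them.
function remember_selection(array $post, array &$session): array
{
    $ids = [];
    foreach ((array)($post['select'] ?? []) as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return $session['edit_ids'] = array_values(array_unique($ids));
}

// Step 2 (edit page submitted): update only the rows chosen in step 1.
function apply_edits(PDO $db, array $post, array $session): int
{
    $stmt = $db->prepare('UPDATE entries SET name = ? WHERE id = ?');
    $changed = 0;
    foreach ($session['edit_ids'] ?? [] as $id) {
        if (isset($post['name'][$id]) && is_string($post['name'][$id])) {
            $stmt->execute([$post['name'][$id], $id]);
            $changed += $stmt->rowCount();
        }
    }
    return $changed;
}

// Constructed requests: the checkbox array from the var_dump in the question,
// then a second POST with field values only. Row 9 was never selected, so the
// value submitted for it is ignored.
remember_selection(['select' => ['1', '4', '7']], $_SESSION);
$edited = apply_edits($db, ['name' => [1 => 'x', 4 => 'y', 9 => 'z']], $_SESSION);
echo "rows updated: $edited\n";
```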