The KGB Oracle
Serving the online gaming community since 1997
Page 3 of 4
Band 7 (Joined: Oct 2006, Posts: 1,720)
Originally Posted By: Arkh
Every time you use a mysql_* PHP function or use raw form input data, baby raptor Jesus kills a puppy.


LOL


Former KGB Member
KGB (F3) Vice-Chancellor, Crowfall Faction (Joined: Nov 2005, Posts: 586)
Good post Zarad! I will typically set my website passwords to: ";DROP TABLE Users" just for some good clean fun ...


Ithkrul (OP), KGB Champion (Joined: Sep 2008, Posts: 102)
Quote:
Generally you don't pass user/pass in a querystring either... instead use a submit form. The request should be the same regardless, and like he says, if you don't have a value when you check the request, then redirect the page back to the login, or error.


Well, as I have it set up now, it passes login info from a submit form to my admin.php. On the admin page, before I generate any HTML, it validates the username and password.

Should I be validating the login info on another .php page, and then after that passes go on to the admin page?

i.e.

login.htm (submit form) -> validate.php -> admin.htm

I guess my question is trying to figure out how to not let admin.htm appear to users at all unless the password is validated. Yeah, my steps from login.htm to validate.php I can do. But I can still go directly to admin.htm and bypass the login process.

I'd post my code but my school's servers are all down for maintenance.

Quote:

For the login... you have to check for the password POST form variable; if it is not there, meaning someone went directly to the process page, you should redirect to an error page, or back to the login page and present the user with some message.


So you are saying that my actual admin.htm needs to have a check, and if it fails, take them away to another page?

Also Zarad mentioned SQL injection. Some guy in my class just did that to my professor's website and we were able to just log in with admin access. How can you prevent that?


Could I just add a redirect
Code:
<?php
header( 'Location: http://www.yoursite.com/new_page.html' ) ;
exit; // stop the script here, otherwise PHP keeps sending the rest of the page after the redirect header
?>

in the code that validates the password and just take people away that don't have the password?

Last edited by Ithkrul; 06/26/09 07:48 AM.
KGB Champion (Joined: Apr 2009, Posts: 68)
You figure this out yet?

KGB Supreme Knight (Joined: Apr 2009, Posts: 450)
What I do is set a session when they log in and a session with their security level. I can later test those values to decide what to display or whether they should be redirected away (like back to the login page).

On the login page I set 'validX' (tells me they logged in):
session_start(); // must run before any output, on every page that touches $_SESSION
$_SESSION['validX'] = 'validX';

I also check a table for their security level:
// ADOdb bind parameter: $user is passed separately instead of being pasted into the SQL string
$rs = $db->Execute("select * from user_table where name = ?;", array($user));
while (!$rs->EOF) {
    $level = $rs->fields[3]; // column 3 of user_table holds the security level
    $_SESSION['level'] = $level;
    $rs->MoveNext();
}

Then on an HTML page I can check the value to decide whether to display it or redirect them. I use the same method for setting search terms as well.

session_start();

// Authorization check
if (!isset($_SESSION['validX']))
{
    $redirect_url = "index.php";
    header("Location: $redirect_url");
    exit; // without exit the rest of the page is still rendered and sent
}

// Security level check.
if ($_SESSION['level'] <> 14) {
    $redirect_url = "index.php";
    header("Location: $redirect_url");
    exit;
}



http://us2.php.net/manual/en/book.session.php
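The login.htm -> validate.php -> admin page flow Ithkrul asked about, combined with the session gate from the post above, as an added example that is not code from the thread. It assumes PHP 7.3+, a PDO connection, and a hypothetical table `users(name, pass_hash, level)` whose hash column holds `password_hash()` output; the DSN and credentials are placeholders.

```php
<?php
// Added example: prepared statements, server-side session, and a redirect gate.
// Assumed table: users(name, pass_hash, level). DSN/credentials below are placeholders.

// Session cookie is not readable by JavaScript; add 'secure' => true when on HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// validate.php: receives the POSTed login form.
function validate_login(PDO $db, array $post): bool {
    // A request that skipped the form has no password field: treat it as a failure.
    if (!isset($post['user'], $post['pass']) || $post['user'] === '') {
        return false;
    }
    // Bound parameter: a name such as ";DROP TABLE Users" is compared as a plain
    // string and never becomes part of the SQL statement.
    $stmt = $db->prepare('SELECT name, pass_hash, level FROM users WHERE name = ?');
    $stmt->execute([$post['user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($post['pass'], $row['pass_hash'])) {
        return false;
    }
    // Fresh session id after login, so a session cookie obtained earlier is worthless.
    session_regenerate_id(true);
    $_SESSION['user']  = $row['name'];
    $_SESSION['level'] = (int) $row['level'];
    return true;
}

// Put this at the top of admin.php, before any HTML. A static admin.htm cannot be
// protected this way: the web server hands it out without running any PHP.
function require_level(int $needed): void {
    if (!isset($_SESSION['user']) || $_SESSION['level'] !== $needed) {
        header('Location: login.htm');
        exit; // stop here; otherwise the admin page body is still sent after the header
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=classdb', 'dbuser', 'dbpass'); // placeholders
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    header('Location: ' . (validate_login($db, $_POST) ? 'admin.php' : 'login.htm?error=1'));
    exit;
}
```

The session data itself stays on the server; the browser only holds the session id, which is why regenerating it at login and keeping the cookie HttpOnly matters more than any value stored in the session.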

KGB (F3) Vice-Chancellor, Crowfall Faction (Joined: Nov 2005, Posts: 586)
Very solid approach!


Ithkrul (OP), KGB Champion (Joined: Sep 2008, Posts: 102)
Yeah, got it all done. It was a moderately fun project. I would have done things totally differently after finishing it, but hey, that's good to know. Especially things involving organizing tables with different keys and views, and how to integrate JavaScript with PHP/HTML a little differently than I am used to.

Thanks a ton for your help. It is due in 29 minutes, 11:59pm EST.

Kay, KGB Alumni (Joined: Mar 2009, Posts: 487)
That authentication can be cookie spoofed easy as pie. Just FYI. :)




In Hoc Signo Vinces
KGB Supreme Knight (Joined: Apr 2009, Posts: 450)
Originally Posted By: Kay
That authentication can be cookie spoofed easy as pie. Just FYI. :)


Using what method? Neither security nor web programming is my area of expertise, but the limited attempts I have tried failed.

KGB (F3) Vice-Chancellor, Crowfall Faction (Joined: Nov 2005, Posts: 586)
You'd have to be pretty sophisticated to cookie spoof a session from the server ... for a class project, it should fly through with no problem.

Most of the teachers out there can't even tell you where a cookie is located on the file system ... if you really had to lock down a site, I'd definitely use an alternative authentication method rather than PHP & MySQL.

