secure login system

Hi group,

I need a login system for some 'private' pages.
Users should be pulled from a mysql DB.

Now, I've read a lot on login systems, and somehow there's _always_
the discussion with sessions (hijacking), dynamic IPs/proxies.
On one hand sessions on their own aren't secure (if in the default tmp folder),
on the other hand, validating by IP would lock out a lot of users.

Now, what I wonder is, WHAT SHOULD I DO? I really don't know
where to start anymore because there are so many do's and don'ts
on this ...

Frizzle.

May 4 '06 #1
In article <11**********************@y43g2000cwc.googlegroups.com>,
ph********@gmail.com (frizzle) wrote:
> I need a login system for some 'private' pages.
> Users should be pulled from a mysql DB.
>
> Now, what I wonder is, WHAT SHOULD I DO? I really don't know
> where to start anymore because there are so many do's and don'ts
> on this ...


First of all, google "SQL injection attack" and make certain that you
understand what this is and how to block it. This attack would not only
let anyone read all the passwords, it might (depending on your setup) let
them trash your database.

--
To reply email rafe, at the address cix co uk
May 4 '06 #2

Rafe Culpin wrote:
> In article <11**********************@y43g2000cwc.googlegroups.com>,
> ph********@gmail.com (frizzle) wrote:
>> I need a login system for some 'private' pages.
>> Users should be pulled from a mysql DB.
>>
>> Now, what I wonder is, WHAT SHOULD I DO? I really don't know
>> where to start anymore because there are so many do's and don'ts
>> on this ...
>
> First of all, google "SQL injection attack" and make certain that you
> understand what this is and how to block it. This attack would not only
> let anyone read all the passwords, it might (depending on your setup) let
> them trash your database.
>
> --
> To reply email rafe, at the address cix co uk


AFAIK using mysql_real_escape_string deals with that in all cases
if I parse any input through that... Thanks for reminding me though how
important that is!

What I mean is *globally* what path to walk to get where I want, what
system/structure to use, because as I said, there are so many do's and
don'ts.

E.g. should I use sessions, IP validation, cookies (remember me)
and a MySQL table with logged users, or what?

Frizzle.

May 4 '06 #3
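The question in posts #1 and #3 is what to build the session side on when session hijacking is a worry but validating by IP would lock out users on dynamic IPs or proxies. The following is an added example, not code from frizzle or anyone else in the thread, of a session layer for the 'private' pages that takes the middle road: cookie flags so the session id is never sent over plain HTTP or readable by script, strict mode so the server only accepts ids it issued itself, a fresh id at login so a pre-set id cannot be fixated, a private save directory instead of the shared default tmp folder, an idle timeout, and a User-Agent fingerprint instead of an IP check, because the User-Agent does not change when a user's IP or proxy does. The save path, the timeout and the login page path are assumed values; the username/password check that runs before establishLogin() is not part of this block.

```php
<?php
// Added example for the thread, not the poster's code. Session handling for the
// 'private' pages: hijacking is made harder without pinning the session to an IP.
// SESSION_SAVE_PATH, SESSION_IDLE_SECONDS and /login.php are assumed values.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 30 * 60;                   // assumed policy: 30 minutes idle
const SESSION_SAVE_PATH    = '/var/lib/myapp/sessions'; // assumed: readable only by the web server user

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (is_dir(SESSION_SAVE_PATH)) {
        session_save_path(SESSION_SAVE_PATH);       // keep session files out of the shared /tmp
    }
    ini_set('session.use_strict_mode', '1');        // ignore ids the server did not generate
    ini_set('session.use_only_cookies', '1');       // never take the id from the URL
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
    session_set_cookie_params([
        'lifetime' => 0,       // cookie expires with the browser session
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not visible to JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function clientFingerprint(): string
{
    // Only the User-Agent is hashed: it stays the same across IP changes, unlike REMOTE_ADDR.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once the username and password have been verified against the DB.
function establishLogin(int $userId): void
{
    session_regenerate_id(true);   // new id at login defeats session fixation
    $_SESSION = [
        'user_id'     => $userId,
        'fingerprint' => clientFingerprint(),
        'last_seen'   => time(),
    ];
}

// The logged-in user's id, or null when there is no valid session. A session that
// has been idle too long or arrives with a different fingerprint is destroyed.
function currentUser(): ?int
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $idle = time() - (int) ($_SESSION['last_seen'] ?? 0);
    if ($idle > SESSION_IDLE_SECONDS
        || !hash_equals((string) ($_SESSION['fingerprint'] ?? ''), clientFingerprint())) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same attributes it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Guard placed at the top of every private page.
function requireLogin(): int
{
    startSecureSession();
    $userId = currentUser();
    if ($userId === null) {
        header('Location: /login.php', true, 303);   // assumed login page
        exit;
    }
    return $userId;
}
```

On the other two options from post #3: a "remember me" cookie, if wanted, should be a separate long random token stored hashed in the database and exchanged for a session through establishLogin(), never the password itself; and a table of logged-in users is mainly useful for revoking sessions server-side, which the file-based session above cannot do on its own.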
frizzle wrote:
> Rafe Culpin wrote:
>> In article <11**********************@y43g2000cwc.googlegroups.com>,
>> ph********@gmail.com (frizzle) wrote:
<snip>
> AFAIK using mysql_real_escape_string deals with that in all cases
> if I parse any input through that... Thanks for reminding me though how
> important that is!

<snip>

PHP saints are moving away from mysql_real_escape_string() to
prepared statements
<http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>

FWIW, For login system
<news:11**********************@z14g2000cwz.googleg roups.com> (
http://groups.google.com/group/comp....fad0eef59415a? )

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

May 6 '06 #4
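Rafe's post #2 says to understand SQL injection and how to block it, frizzle's #3 relies on mysql_real_escape_string, and Rajesh's #4 points to prepared statements instead. The following added example (not code from any of the posters) puts the three side by side for the login lookup: the concatenated query that is open to injection, the escaped version, and the prepared statement. It uses an in-memory SQLite database through PDO so it runs offline with no MySQL server; the SQL is portable to MySQL, where only the DSN in the constructor changes, and PDO::quote() here stands in for mysql_real_escape_string(). The account 'alice' and the hostile username are constructed inputs.

```php
<?php
// Added example, not code from the thread. Login lookup three ways: vulnerable
// (concatenated), escaped (PDO::quote() in the role of mysql_real_escape_string())
// and a prepared statement. In-memory SQLite so it runs offline; SQL is portable.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');

// Constructed sample account. Only a salted password_hash() digest is stored, so
// reading the table out does not yield passwords.
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. Vulnerable: the username becomes part of the SQL text, so quote characters
//    in it change what the query means.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, pw_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Escaped: PDO::quote() escapes the value and adds the surrounding quotes, as
//    mysql_real_escape_string() plus manual quoting would on MySQL. This is safe
//    only while every interpolated value is quoted and escaped for the
//    connection's character set; one forgotten call reintroduces the bug.
function findUserEscaped(PDO $db, string $username): ?array
{
    $sql = 'SELECT id, username, pw_hash FROM users WHERE username = ' . $db->quote($username);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Prepared statement: the SQL text is fixed and the value is sent as data, so
//    no input can alter the query's structure.
function findUserPrepared(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: look the user up, then verify the password against the stored hash.
function login(callable $lookup, PDO $db, string $username, string $password): bool
{
    $row = $lookup($db, $username);
    return $row !== null && password_verify($password, $row['pw_hash']);
}

// Constructed hostile input: the textbook quote-breaking username. Against the
// vulnerable lookup the WHERE clause becomes always true and the first account's
// row, hash included, comes back; the escaped and prepared lookups return no row.
$hostile = "' OR '1'='1";
foreach (['vulnerable' => 'findUserVulnerable',
          'escaped'    => 'findUserEscaped',
          'prepared'   => 'findUserPrepared'] as $label => $fn) {
    $row = $fn($db, $hostile);
    printf("%-10s lookup: %s\n", $label,
        $row === null ? 'no row returned' : 'returned row for ' . $row['username']);
}

// The legitimate user still logs in through the prepared path and a wrong
// password still fails, because the hash check is separate from the lookup.
var_dump(login('findUserPrepared', $db, 'alice', 'correct horse'));
var_dump(login('findUserPrepared', $db, 'alice', 'wrong password'));
```

The point of the comparison is the one Rajesh's link makes: escaping works when applied correctly everywhere, but the prepared statement removes the need to remember it at each call site, which is why it is the lower-risk default for a login form.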
R. Rajesh Jeba Anbiah wrote:
> frizzle wrote:
>> Rafe Culpin wrote:
>>> In article <11**********************@y43g2000cwc.googlegroups.com>,
>>> ph********@gmail.com (frizzle) wrote:
> <snip>
>> AFAIK using mysql_real_escape_string deals with that in all cases
>> if I parse any input through that... Thanks for reminding me though how
>> important that is!
>
> <snip>
>
> PHP saints are moving away from mysql_real_escape_string() to
> prepared statements
> <http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
>
> FWIW, For login system
> <news:11**********************@z14g2000cwz.googlegroups.com> (
> http://groups.google.com/group/comp....fad0eef59415a? )
>
> --
> <?php echo 'Just another PHP saint'; ?>
> Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/


Some are, some aren't. Just another way of doing things.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 6 '06 #5

Jerry Stuckle wrote:
> R. Rajesh Jeba Anbiah wrote:
>> frizzle wrote:
>>> Rafe Culpin wrote:
>>>> In article <11**********************@y43g2000cwc.googlegroups.com>,
>>>> ph********@gmail.com (frizzle) wrote:
>> <snip>
>>> AFAIK using mysql_real_escape_string deals with that in all cases
>>> if I parse any input through that... Thanks for reminding me though how
>>> important that is!
>>
>> <snip>
>>
>> PHP saints are moving away from mysql_real_escape_string() to
>> prepared statements
>> <http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
>>
>> FWIW, For login system
>> <news:11**********************@z14g2000cwz.googlegroups.com> (
>> http://groups.google.com/group/comp....fad0eef59415a? )
>>
>> --
>> <?php echo 'Just another PHP saint'; ?>
>> Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
>
> Some are, some aren't. Just another way of doing things.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> js*******@attglobal.net
> ==================


Wow, made my temperature rise there, but as I understand from the
comments, (in my case) mysql_real_escape_string is safe. Phew.
AFAIK it wasn't some way of handling things as Jerry implies ...

I will look at your links later, R. Rajesh Jeba Anbiah, thanks in
advance!

Frizzle.

May 7 '06 #6
frizzle wrote:
> Jerry Stuckle wrote:
>> R. Rajesh Jeba Anbiah wrote:
>>> frizzle wrote:
>>>> Rafe Culpin wrote:
>>>>> In article <11**********************@y43g2000cwc.googlegroups.com>,
>>>>> ph********@gmail.com (frizzle) wrote:
>>> <snip>
>>>> AFAIK using mysql_real_escape_string deals with that in all cases
>>>> if I parse any input through that... Thanks for reminding me though how
>>>> important that is!
>>>
>>> <snip>
>>>
>>> PHP saints are moving away from mysql_real_escape_string() to
>>> prepared statements
>>> <http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
>>>
>>> FWIW, For login system
>>> <news:11**********************@z14g2000cwz.googlegroups.com> (
>>> http://groups.google.com/group/comp....fad0eef59415a? )
>>>
>>> --
>>> <?php echo 'Just another PHP saint'; ?>
>>> Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
>>
>> Some are, some aren't. Just another way of doing things.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> js*******@attglobal.net
>> ==================
>
> Wow, made my temperature rise there, but as I understand from the
> comments, (in my case) mysql_real_escape_string is safe. Phew.
> AFAIK it wasn't some way of handling things as Jerry implies ...
>
> I will look at your links later, R. Rajesh Jeba Anbiah, thanks in
> advance!
>
> Frizzle.


Frizzle,

I didn't mean to make your temperature rise. My comment was strictly related to
Rajesh's comment that "PHP Saints" are moving towards prepared statements.

He indicates that all so-called "PHP Saints" think prepared statements are the
way to go. My only response is that the most experienced PHP people think
prepared statements are ONE way to go. Not necessarily the ONLY way.

Just like almost everything else, there are advantages and disadvantages to
using them.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 7 '06 #7

Jerry Stuckle wrote:
> frizzle wrote:
>> Jerry Stuckle wrote:
>>> R. Rajesh Jeba Anbiah wrote:
>>>> frizzle wrote:
>>>>> Rafe Culpin wrote:
>>>>>> In article <11**********************@y43g2000cwc.googlegroups.com>,
>>>>>> ph********@gmail.com (frizzle) wrote:
>>>> <snip>
>>>>> AFAIK using mysql_real_escape_string deals with that in all cases
>>>>> if I parse any input through that... Thanks for reminding me though how
>>>>> important that is!
>>>>
>>>> <snip>
>>>>
>>>> PHP saints are moving away from mysql_real_escape_string() to
>>>> prepared statements
>>>> <http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html>
>>>>
>>>> FWIW, For login system
>>>> <news:11**********************@z14g2000cwz.googlegroups.com> (
>>>> http://groups.google.com/group/comp....fad0eef59415a? )
>>>>
>>>> --
>>>> <?php echo 'Just another PHP saint'; ?>
>>>> Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
>>>
>>> Some are, some aren't. Just another way of doing things.
>>>
>>> --
>>> ==================
>>> Remove the "x" from my email address
>>> Jerry Stuckle
>>> JDS Computer Training Corp.
>>> js*******@attglobal.net
>>> ==================
>>
>> Wow, made my temperature rise there, but as I understand from the
>> comments, (in my case) mysql_real_escape_string is safe. Phew.
>> AFAIK it wasn't some way of handling things as Jerry implies ...
>>
>> I will look at your links later, R. Rajesh Jeba Anbiah, thanks in
>> advance!
>>
>> Frizzle.
>
> Frizzle,
>
> I didn't mean to make your temperature rise. My comment was strictly related to
> Rajesh's comment that "PHP Saints" are moving towards prepared statements.
>
> He indicates that all so-called "PHP Saints" think prepared statements are the
> way to go. My only response is that the most experienced PHP people think
> prepared statements are ONE way to go. Not necessarily the ONLY way.
>
> Just like almost everything else, there are advantages and disadvantages to
> using them.
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> js*******@attglobal.net
> ==================


Sorry, I messed up the reply. Rajesh made it rise.
You (and some background info) cooled it down again ;)

Frizzle.

May 8 '06 #8
Jerry Stuckle wrote:
> He indicates that all so-called "PHP Saints" think prepared statements are the
> way to go. My only response is that the most experienced PHP people think
> prepared statements are ONE way to go. Not necessarily the ONLY way.


I'm afraid the PHP Jihadis don't understand pluralism very well.

May 8 '06 #9
