php q
- 23 Responses
- moth0
Yes... That code is about as secure as a garden gate.
- cosmo0
As Jeff said, that PHP code is indeed horrible.
- drgs0
Thanks to the rest too, esp. Cosmo, of course =))
- drgs0
Yeah, well, trying to learn myself.
But thanks for the tip on the password code there, Jeff.
- justjeff0
The PHP code on that website is horrible code - completely insecure and fundamentally broken.
The session variables aren't being set correctly because it never calls session_start() ( http://us2.php.net/session_start… ), and it doesn't escape the POST input to prevent SQL injection. If you entered a password similar to "x' OR password='%'", you'd automatically be logged in, because the ' isn't escaped, so the OR statement is executed as SQL, allowing any password to match and granting access.
Please, I know it costs money, but if you're making a website and need PHP, hire someone who knows what they're doing. You wouldn't encourage a developer to butcher a design; don't expect the other way around to be any different.
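To make the injection point concrete, here is an added example (not the tutorial's code and not Jeff's) that reproduces the pattern he describes in Python against an in-memory SQLite table: the POST'ed password concatenated straight into the WHERE clause, beside the same lookup done with a parameterised query. The table, the user row and the injected payload are constructed for the demo; the payload uses the standard OR-tautology form (`x' OR 'a'='a`) rather than the exact string quoted above, but it exercises the same flaw, an unescaped quote ending the password literal so the attacker's OR clause runs as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's members table.

    Passwords are stored in clear text here only to mirror the tutorial;
    a real application stores a salted hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('de_costello', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input pasted into the SQL string.

    With password = "x' OR 'a'='a" the statement becomes
      ... WHERE username='de_costello' AND password='x' OR 'a'='a'
    AND binds tighter than OR, so the tautology matches every row.
    """
    sql = (
        "SELECT username FROM members WHERE username='%s' AND password='%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: placeholders, so the driver sends the values separately
    and a quote inside the password can never terminate the literal."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions with a wrong password, the injection payload and
    the real password, and return who each call logs in as (None = denied)."""
    conn = make_db()
    payload = "x' OR 'a'='a"  # constructed attacker input
    return {
        "vuln_wrong_pw": login_vulnerable(conn, "de_costello", "wrong"),
        "vuln_injected": login_vulnerable(conn, "de_costello", payload),
        "safe_injected": login_safe(conn, "de_costello", payload),
        "safe_correct_pw": login_safe(conn, "de_costello", "s3cret"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print("%-16s -> %s" % (case, user or "login denied"))
```

The vulnerable version denies the wrong password but lets the payload in as de_costello; the parameterised version treats the payload as an ordinary (wrong) password and only admits the real one. In PHP 4 the equivalent fix was mysql_real_escape_string() on every POST value before building the query; on anything current it is prepared statements via mysqli or PDO.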
- drgs0
There was an error in the tutorial.
- drgs0
How do I turn globals on?
- drgs0
PHP 4.3.11
- drgs0
No idea about globals on/off.
- acescence0
What version of PHP?
Is register_globals on or off?
- drgs0
Wait, I'm trying:
echo $_SESSION['myusername'];
- cosmo0
Hmmm... I would really need to look at the code and DB structure.
- drgs0
I just cleared my cookies, logged in under de_movies, and the session username is still de_costello.
- drgs0
de_costello is actually the name of the DB.
- drgs0
For some reason all databases are prefixed with de; could that be a problem?
I mean, I log in as costello, and echoing the session shows de_costello...
- drgs0
I can't, just trying to help someone out =))
- drgs0
It says the user is de_costello.
- cosmo0
Send me your code.
- bradpitt0
Are you using the exact code from that site?
- drgs0
No, it redirects back on purpose.