#1
Article Discussion: Security and Sessions in PHP
If you have any questions or comments on this article then please post them here.
This forum post relates to this article
#2
Sessions?
I'm going to state the obvious here....
Why confuse readers about the use of sessions? More to the point, why emulate PHP sessions to begin with? Nothing wrong with the attempt, but it seems odd that you would write an article that "reinvents the wheel" ;-)

Also, in your code:

    $sQuery = " Select ...";
    $hResult = mysql_query($sQuery, $hDB);
    if(mysql_affected_rows($hDB)) {
        ...
    }

From the PHP manual: mysql_affected_rows() does not work with SELECT statements; only on statements which modify records. To retrieve the number of rows returned by a SELECT, use mysql_num_rows().

Thanks, Max.
#3
Max:
Thanks for your feedback. I always appreciate the "obvious" points of view because it is usually that which drives me to write such scripts (Oh yeah, thanks for pointing out the typos and such, I think I wrote this from memory).

The original rationale for writing this was to avoid using PHP's built-in sessions. Why? Several reasons: (1) I was "raised" programming in ASP and I despised ASP session handling so naturally I have a distrust of all built-in session handling. (2) Because I was lazy when I compiled PHP and left out sessions (that was a long time ago and I have yet to recompile). This is a stupid reason, I admit. (3) Simply as an exercise of an alternative means to handle your own sessions. You have complete control at this point and do not depend on the O/S or PHP engine for the sessions. For example, PHP sessions have to put your data somewhere and that somewhere is on the filesystem (usually in a temp dir like /tmp). I, personally, like to have more control than that. My reasons may be unfounded (PHP sessions work quite well, actually) but I am nuts like that.

Again, thanks for the correction on the mysql_affected_rows().

Jason
#4
Sessions?
>>(1) I was "raised" programming in ASP and I despised ASP session handling so naturally I have a distrust of all built-in session handling.<<
Ah...a converted ASP coder! All is forgiven ;-)

Thanks, Max
#5
I am forced into "ASP" labor by the corporate giant. My heart belongs to all things Unix(like), C and PHP.
#6
Sessions?
I understand completely. I still occasionally dabble with VB/VBA projects at work because I have to (MS Office you know...), but nothing anymore for production work. Sadly, traditional VB is now dead as far as I can tell.
Nothing wrong with ASP per se, I almost took that plunge myself when *we* were converting at work from PC-based to Web-based programs. Alas, I was fortunate enough to steer my company away from being assimilated into the Borg (.Net), and am now pretty much a PHP/MySQL freak. ;-)

Thanks, Max
#7
Just as a final clarification of the typo Max found. You should change:

    mysql_affected_rows($hDB)

to

    mysql_num_rows($hResult)

Thanks for understanding
#8
Is the comment already fixed in the article?
I think you should also check if the connection with the database is working, and if not, display this.

Cya Bjorn
#9
Thanks for the reply. I do not have the ability to fix the article itself so I'll leave that up to the site operators (I do not think it is already changed).
There are many improvements to this script and one of them is better error checking. I leave most of the "un-fun" stuff up as an "exercise" to the reader so that the point I am making with the article is clearer. Of course, that means I am spreading evil coding practices to those that do not take the time to improve the script. I'd like to see lots of suggestions for this exercise so that would-be readers can see all the different things one can do.
#10
Lend an eye please?
I am a newbie......unfortunately.....
I liked this article..........in fact...I have read it over and over dozens of times....... but I still could not figure out the problem with the script I modified... Everything seems to work fine. When an unauthorized entry is inputted it refers back to login.php. However, when an authorized user logs in, it doesn't refer to the page I want it to.... Did I miss something?..... Can you lend me an eye to see what seems to be the block?

The LoginAction.php:

    <?php
    // Check if the information has been filled in
    if($psEmail == '' || $psPassword == '') {
        // No login information
        header('Location: URL'.urlencode($psRefer));
    } else {
        // Authenticate user
        $hDB = mysql_connect('localhost', 'XXXX', 'XXXXXXXX');
        mysql_select_db('abna_ca', $hDB);
        $sQuery = "
            Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
            From tblUsers
            Where sEmail = '$psEmail'
            And sPassword = password('$psPassword')";
        $hResult = mysql_query($sQuery, $hDB);
        if(mysql_num_rows($hResult)) {
            $aResult = mysql_fetch_row($hResult);
            // Update the user record
            $sQuery = "
                Update tblUsers
                Set sGUID = '$aResult[1]'
                Where iUser = $aResult[0]";
            mysql_query($sQuery, $hDB);
            // Set the cookie and redirect
            setcookie("session_id", $aResult[1]);
            if(!$psRefer) $psRefer = 'http://www.abna/moreinfo/contact.html';
            header('Location: URL'.$psRefer);
        } else {
            // Not authenticated
            header('Location: login.php?refer='.urlencode($psRefer));
        }
    }
    ?>

Obviously the database is connected because it can tell whether a user is authorized or not, I just can't seem to get the page referred to afterwards.....
#11
Just a quick once through (I just got back from vacation, I'll give it a better look later). It looks as if some of the URLs are invalid (missing the .ca). Let me know if that has anything to do with it.
Jason
#12
Got trouble too
Hello,
Like icetea above, I'm also a newbie and I'm also having trouble getting this to work. I really liked the article and it suits a particular need I have perfectly, so I'd really love to make it work. I did a couple of minor changes, including calling the table tblAdmins, and the field iUser is called iAdmins. My problem is that I get nowhere... after clicking the submit button, it just takes me to the admlogin.php page even though the entry exists in the table.

This is my code. ANY help greatly appreciated as I have spent hours on trying to figure out the problem:

    <?php
    // Check if the information has been filled in
    if($psEmail == '' || $psPassword == '') {
        // No login information
        header('Location: adminlogin.php?refer='.urlencode($psRefer));
    } else {
        // Authenticate user
        $hDB = mysql_connect('mysql.plainhost.com', 'userxxxxx', 'pwdxxxxxxx');
        mysql_select_db('dbxxxx', $hDB);
        $sQuery = "
            Select iAdmins, MD5(UNIX_TIMESTAMP() + iAdmins + RAND(UNIX_TIMESTAMP())) sGUID
            From tblAdmins
            Where sEmail = '$psEmail'
            And sPassword = password('$psPassword')";
        $hResult = mysql_query($sQuery, $hDB);
        if(mysql_num_rows($hResult)) {
            $aResult = mysql_fetch_row($hResult);
            // Update the user record
            $sQuery = "
                Update tblAdmins
                Set sGUID = '$aResult[1]'
                Where iAdmins = $aResult[0]";
            mysql_query($sQuery, $hDB);
            // Set the cookie and redirect
            setcookie("session_id", $aResult[1]);
            if(!$psRefer) $psRefer = 'index.htm';
            header('Location: index.htm'.$psRefer);
        } else {
            // Not authenticated
            header('Location: adminlogin.php?refer='.urlencode($psRefer));
        }
    }
    ?>

Thanks a whole lot for any pointers.

Ken
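The login scripts posted in #10 and #12 above share the same shape: interpolate the submitted e-mail and password straight into the SELECT, derive the session id from MD5(UNIX_TIMESTAMP() + id + RAND(UNIX_TIMESTAMP())), set it as a plain cookie, and redirect to whatever arrived in $psRefer. The following is an added example written for this thread, not the article's script and not any poster's code, showing the same database-backed session pattern with those weak points addressed: a prepared statement so the e-mail cannot alter the query, a CSPRNG session token instead of one seeded from the clock, cookie flags, an exit after every redirect header, and a check that the "refer" target is a local path. It assumes a hypothetical table tblUsers(iUser, sEmail, sPassword, sGUID) where sPassword holds a password_hash() value rather than MySQL's password(); connection details are placeholders.

```php
<?php
// Added example (not the article's or any poster's code). Assumes a hypothetical
// table tblUsers(iUser, sEmail, sPassword, sGUID) with sPassword = password_hash().
declare(strict_types=1);

// Only accept a local path as the post-login destination, so the "refer"
// parameter cannot send a freshly logged-in user to another site.
function safeReferPath(?string $refer, string $default = '/index.php'): string
{
    if ($refer === null || $refer === '') {
        return $default;
    }
    // Require a leading slash, reject scheme-relative "//host" forms.
    if (!preg_match('#^/(?!/)[A-Za-z0-9_./?=&%-]*$#', $refer)) {
        return $default;
    }
    return $refer;
}

// Bind the e-mail as a parameter instead of interpolating it into the SQL
// string, and compare the password with password_verify() in PHP.
function authenticate(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT iUser, sPassword FROM tblUsers WHERE sEmail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['sPassword'])) {
        return null;
    }
    return (int) $row['iUser'];
}

// Session id from the CSPRNG (256 bits) rather than an MD5 of time, id and a
// clock-seeded RAND(); stored against the user row exactly as the article does.
function issueSession(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE tblUsers SET sGUID = :guid WHERE iUser = :id');
    $stmt->execute([':guid' => $token, ':id' => $userId]);
    return $token;
}

$psEmail    = $_POST['psEmail'] ?? '';
$psPassword = $_POST['psPassword'] ?? '';
$psRefer    = $_POST['psRefer'] ?? '';

if ($psEmail === '' || $psPassword === '') {
    header('Location: login.php?refer=' . urlencode($psRefer));
    exit; // stop here; the posted scripts keep running after the header
}

// Placeholders: real credentials belong in configuration, not in the script.
// ERRMODE_EXCEPTION makes a failed connection or query raise instead of
// silently returning false (the check Bjorn asked for in #8).
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$userId = authenticate($db, $psEmail, $psPassword);
if ($userId === null) {
    header('Location: login.php?refer=' . urlencode($psRefer));
    exit;
}

$token = issueSession($db, $userId);
setcookie('session_id', $token, [
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
header('Location: ' . safeReferPath($psRefer));
exit;
```

Pages protected by this scheme would look the session_id cookie up in sGUID with the same prepared-statement style; on logout, clear sGUID so the token stops working server-side rather than only deleting the cookie.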
#13
What about session_start()
Why didn't you use the session functions in PHP, like session_start() or session_register()?
Is there a difference in what you present in the article, and session functions in PHP? Thanks. Good article.
#14
Re: Got trouble too
Ken:
Double check the following line: Quote:
Check the database record to see if it is actually getting set to the GUID or if it is something else. If the GUID isn't getting set, construct the SQL string the hard way:

    ... Set sGUID = '".$aResult[1]."' etc...

Also, make sure the query which checks the password is indeed returning something. Try putting echo() statements or print_r() statements at each place a variable could change to see what its value is at any given time. If this still doesn't work, zip up all your scripts and attach them to a message here. I'll take a look that way.
#15
Re: What about session_start()
Quote:
The original purpose of this article was an exercise in NOT using PHP's built-in session handling. This concept can also be applied to other programming languages. For example, ASP's session handling is very inefficient so I implemented something very similar. Call it a distrust for built-in session handling in general. I like total control of my apps.
#16
icetea: Any luck? Take a look at my response to Ken to see if that helps. Same goes for you, if you are still having problems, zip up all your scripts (perhaps with some SQL to build the database table the way you have it) and post it to this board. I'll be happy to help.
J
#17