php: n00b on php so i need stuff. ;)

Hazard
plummets to its death
Posts: 54
Joined: Mon Sep 15, 2003 6:40 pm
Location: fi
Contact:

Post by Hazard »

ok so i have just started to learn php and i see that there are people who really can do it well. *krhm*den*krhm* ;) so i need to know how do i do that admin part on my clan sites so i can put match results easily there. i would be very thankful if somebody helped me with this.
Den
something dur dur
Posts: 2616
Joined: Fri Jul 25, 2003 8:56 am
Location: nl
Contact:

Post by Den »

Its all basic stuff so isnt that hard :) ill help ya when im home
There's a chopper coming in 3 days and there's a katana on top of the cafe and that's all you need to know
Hazard
plummets to its death
Posts: 54
Joined: Mon Sep 15, 2003 6:40 pm
Location: fi
Contact:

Post by Hazard »

w0h00. thnx. i thought that its quite basic but im so noob on this now. :P
Den
something dur dur
Posts: 2616
Joined: Fri Jul 25, 2003 8:56 am
Location: nl
Contact:

Post by Den »

Hazard
plummets to its death
Posts: 54
Joined: Mon Sep 15, 2003 6:40 pm
Location: fi
Contact:

Post by Hazard »

:P yep i've read what i need and now im working and really bored and i think this way i get it easier. ;) because its sooooo booring to try find the right thing and then try to do it yourself.. i should learn basics good and this would be easier i think. :)
Den
something dur dur
Posts: 2616
Joined: Fri Jul 25, 2003 8:56 am
Location: nl
Contact:

Post by Den »

Ok here goes:

Im not gonna code everything for you, so its better to learn the basics of php and mysql. You can ask me / others for questions tho :)

http://www.php.net and http://www.mysql.org for documentation

Tutorials:
http://www.zend.com/zend/tut/
http://hotwired.lycos.com/webmonkey/programming/php/
http://tut.php-q.net/

or just google

To add the games on your website - there was already a thread about it - look below its a working script. The only thing u have to do is create a table

http://alcoholics.dk/aq2world/phpBB2/vi ... .php?t=495

Ok now for a login thing:
Also here create a table

login

[php]<?php
$db = mysql_connect("*****", "*****", "*****"); // DB ip, user and pw
mysql_select_db("*****", $db); // DB name
$table = "******";

if (isset($submit)) {
    $query = "select * from $table where username='$username' and password='$password'";
    $result = mysql_query($query);
    $isAuth = false; // set to false originally
    while ($row = mysql_fetch_array($result)) {
        if ($row['username'] === $username) {
            $isAuth = true;
            session_start();
            session_register('username');
        }
    }
    if ($isAuth) {
        print "Logged in successfully<br>";
        print "<A href='pagewhereyouwannago.php'>Go to the pagewhereyouwannago</a>";
    }
    else {
        print "Wrong username or password";
    }
}
else {
    echo "<form method='POST' action='$PHP_SELF'>
    Username: <input type='text' name='username' size='15'><br><br>
    Password: <input type='password' name='password' size='15'><br><br>
    <input type='submit' value='Login' name='submit'>
    </form>";
}
?>[/php]



Ok u got the login with sessions. Below you got a script that checks if the sessions key is correct.

pagewhereyouwannago.php
[php]<?php
session_start(); //this must be at the top of every page
if (isset($_SESSION['username'])) {
    echo "weeee it works!"; // put your stuff here
}
else {
    print "Not logged in";
}
?>[/php]
Last edited by Den on Sun Mar 14, 2004 5:07 am, edited 1 time in total.
Hazard
plummets to its death
Posts: 54
Joined: Mon Sep 15, 2003 6:40 pm
Location: fi
Contact:

Post by Hazard »

oh. thnx alot. den=one of my gods.

;)
Sulfate
sank like a rock
Posts: 105
Joined: Sun Aug 10, 2003 3:41 am
Location: nl
Contact:

Post by Sulfate »

Den...

{
echo "weeee it works!"; // put your stuff here

isnt that?

{
echo "weeee it works!"; } // put your stuff here

cuz of a parse error?

iam totally n00b in php... but i tested the script and saw this fault...
maybe its only me ... but najs script! :D

my login script fucked up :S think i gonna use this one! :hop:
Nobody Likes Us We Dont Care!
Den
something dur dur
Posts: 2616
Joined: Fri Jul 25, 2003 8:56 am
Location: nl
Contact:

Post by Den »

oops yeh :) sorry



forgot to check
spectre
joined the game
Posts: 26
Joined: Tue Jul 29, 2003 4:32 am
Location: fi

Post by spectre »

...
if (isset($submit)) { -> if (isset($_POST['submit'])) {

...
echo "<form method='POST' action='$PHP_SELF'> -> echo "<form method='POST' action='".$_SERVER['PHP_SELF']."'>

...
[code]
$username = mysql_escape_string($_POST['username']);
$password = mysql_escape_string($_POST['password']);

$query = "select * from $table where username='$username' and password='$password'";
[/code]

as everybody already knows register_globals should be turned off from php.ini as it is a considerable security risk. just as you should NOT mysql_query anything straight from user input, for example this login script is VERY easily cracked. try inserting following string to password-box:

[code]
a' OR 1>0
[/code]

better to learn to code secure scripts from the beginning ;)
Rallu
hit the ground hard, real hard
Posts: 93
Joined: Thu Jul 31, 2003 11:36 pm
Location: fi
Contact:

Post by Rallu »

And here's some functions you need to secure your site.

http://fi.php.net/manual/en/function.strip-tags.php
strip_tags removes all html tags (like <br>, <b>, ...) except <scr<script>ipt> attack

http://fi.php.net/manual/en/function.ht ... lchars.php
changes all characters so that it can be seen exactly how its written (good for security)

http://fi.php.net/manual/en/function.addslashes.php
addslashes does same as mysql_escape_string, just that it adds slashes to "-character also.

http://fi.php.net/manual/en/function.stripslashes.php
and stripslashes removes those slashes if you like to print something.

There's something useful for you N00BSS!!!!!1111 ;D

ps. Den, whats the point of password in your script? It isn't checked in any way. Now if you just guess username you will be authed.

[code]
if ($row['username'] === $_POST['username'] && $row['password'] === md5($_POST['password']))
{
    echo 'auhted blaa blaa blaa';
}
[/code]

md5 helps to secure a bit people's passwords... its not nice to admin know everything you know. If you use md5 on checking you need to add people to your database with this line:

[code]
INSERT INTO userstable SET username='rallu', password=md5('mypass');
[/code]

Okay... I have had enough of my babbling -> Back to studies



Rallu

Software Application Engineering Project Manager

(eg. PHP-coder)
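
A present-day version of the login check discussed in the posts above by spectre and Rallu, as an added example that is not code from any poster in this thread: it uses PDO prepared statements in place of the concatenated query and `password_hash()`/`password_verify()` in place of `md5()`, and reads only named keys from the request array. The `users` table, the sample account, the constructed requests and the in-memory SQLite database are assumptions chosen so the script runs on its own.

```php
<?php
// Added example, not code from this thread. Table name, column names and
// the sample account are constructed; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function addUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() salts and stretches; the stored value is not reversible.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $pdo, array $post): bool
{
    // Read only the expected keys from the request array (no register_globals).
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return false; // e.g. username[]=x arrives as an array
    }
    // The placeholder sends the value separately from the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

addUser($pdo, 'hazard', 'correct horse');

// Constructed requests; the second uses the password-box string from the thread,
// the third mirrors the hidden isAuth field from the register_globals discussion.
$requests = [
    'valid login'        => ['username' => 'hazard', 'password' => 'correct horse', 'submit' => 'Login'],
    'thread test string' => ['username' => 'hazard', 'password' => "a' OR 1>0", 'submit' => 'Login'],
    'extra isAuth field' => ['username' => 'hazard', 'password' => 'wrong', 'isAuth' => '1'],
    'array as username'  => ['username' => ['x'], 'password' => 'wrong'],
];
foreach ($requests as $label => $post) {
    printf("%-20s %s\n", $label, checkLogin($pdo, $post) ? 'authenticated' : 'rejected');
}
// On success a web handler would then call session_start(),
// session_regenerate_id(true) and set $_SESSION['username'].
```

Running it needs the pdo_sqlite extension; against MySQL only the DSN and credentials passed to `new PDO` change.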
Den
something dur dur
Posts: 2616
Joined: Fri Jul 25, 2003 8:56 am
Location: nl
Contact:

Post by Den »

:)



hey im still learning :P
spectre
joined the game
Posts: 26
Joined: Tue Jul 29, 2003 4:32 am
Location: fi

Post by spectre »

Rallu wrote:
ps. Den, whats the point of password in your script? It isn't checked in any way. Now if you just guess username you will be authed.

well, it actually is checked, on SQL level, which is much better way to do it :)

[code]
$query = "select * from $table where username='$username' and password='$password'";
[/code]

... and example how register_globals = "on" is security risk: you would be able to get into the system using some form similar as following:

[code]
<html>
<body>
<form action="http://www.yourdomain.com/location/of/the/script.php" method="post">
    <input type="hidden" name="isAuth" value="1">
    <input type="submit" name="somethingelsethansubmit" value="And in we goooo">
</form>
</body>
</html>
[/code]
...and executing it from anywhere within internet.
Rallu
hit the ground hard, real hard
Posts: 93
Joined: Thu Jul 31, 2003 11:36 pm
Location: fi
Contact:

Post by Rallu »

spectre wrote:
Rallu wrote:
ps. Den, whats the point of password in your script? It isn't checked in any way. Now if you just guess username you will be authed.

well, it actually is checked, on SQL level, which is much better way to do it :)

wups...You are right. Missed that point *grins* But by my way there's DOUBLE CHECK! It's double as secure as it needs to be ;)