01-18-2003, 06:16 PM
|
#1 (permalink)
|
|
Code Monkey
Join Date: Jan 2003
Location: Canada
Posts: 91
|
last problem, I promise
PHP Code:
<?
include("connect.php");
session_start();
session_register(username,password);
$result=mysql_query("select * from users where username='$username' and password='$password'");
$num=mysql_num_rows($result);
if($num < 1){
header("location: failed2.php");
}
?>
It always sends you to failed2.php. login.php likes my password but main.php doesn't. What I don't get is how the $username and $password variables can be passed from one .php file to another.
but anyway that code is straight from sde so it should work.
thanks again,
Trevor
|
|
|
01-18-2003, 06:21 PM
|
#2 (permalink)
|
|
Guest
|
the best way (well I suck at PHP but the best way I know) is to put it in the URL like
main.php?username="f"&password="g"
|
|
|
|
01-18-2003, 06:24 PM
|
#3 (permalink)
|
|
Techno Rat
Join Date: Jan 2003
Location: San Diego
Posts: 559
|
Quote:
Originally posted by Vlad902
the best way (well I suck at PHP but the best way I know) is to put it in the URL like
main.php?username="f"&password="g"
|
huh? don't get the last line...
Ilya
__________________
> SELECT * FROM users WHERE clue > 0
0 rows returned
|
|
|
01-18-2003, 06:25 PM
|
#4 (permalink)
|
|
Code Monkey
Join Date: Jan 2003
Location: Canada
Posts: 91
|
isn't that a bit of a security hole?
so like
header("location: main.php?username=$username&password=$password");
into login.php
|
|
|
01-18-2003, 06:27 PM
|
#5 (permalink)
|
|
Techno Rat
Join Date: Jan 2003
Location: San Diego
Posts: 559
|
Quote:
Originally posted by ilya020
huh? don't get the last line...
Ilya
|
I am an IDIOT...get it now
Ilya
__________________
> SELECT * FROM users WHERE clue > 0
0 rows returned
|
|
|
01-18-2003, 06:27 PM
|
#6 (permalink)
|
|
Guest
|
Quote:
Originally posted by trevor
isn't that a bit of a security hole?
|
True, not if you use encryption though. But truly I don't know any other way 
|
|
|
|
01-18-2003, 06:28 PM
|
#7 (permalink)
|
|
Guest
|
Quote:
Originally posted by trevor
isn't that a bit of a security hole?
so like
header("location: main.php?username=$username&password=$password");
into login.php
|
You could use one of the many default encryption functions that comes with PHP, or you could just find another way, but truly I don't know how to do it another way :o
|
|
|
|
01-18-2003, 06:30 PM
|
#8 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,444
|
 haah .. yes, you don't use the 'GET' method with passwords.
your php server must support sessions. i think i made a mistake by registering 2 variables in 1 line of session_register.
replacing the 2 session_lines with this:
PHP Code:
session_start();
session_register('username');
session_register('password');
if you have weird trouble, like it fails every time, .. close the browser and re-open it. the first time you login it should be ok no matter what. then if sessions are working, you will be able to navigate through your site with the code you have above on every page.
|
|
|
01-18-2003, 06:32 PM
|
#9 (permalink)
|
|
Guest
|
sde, damn, guess no more exploiting his site. But a lot of sites do it (Yahoo!, MSN) and they use encryption and they can get away with it...
|
|
|
|
01-18-2003, 06:32 PM
|
#10 (permalink)
|
|
Code Monkey
Join Date: Jan 2003
Location: Canada
Posts: 91
|
hey, whatever works.
I'll deal with the encryption stuff some other time.
thanks again,
Trevor
|
|
|
01-18-2003, 06:34 PM
|
#11 (permalink)
|
|
Code Monkey
Join Date: Jan 2003
Location: Canada
Posts: 91
|
Quote:
Originally posted by sde
haah .. yes, you don't use the 'GET' method with passwords.
your php server must support sessions. i think i made a mistake by registering 2 variables in 1 line of session_register.
replacing the 2 session_lines with this:
PHP Code:
session_start();
session_register('username');
session_register('password');
if you have weird trouble, like it fails every time, .. close the browser and re-open it. the first time you login it should be ok no matter what. then if sessions are working, you will be able to navigate through your site with the code you have above on every page.
|
woah wait. It's working. what do you mean by not using the GET method with passwords?
|
|
|
01-18-2003, 06:34 PM
|
#12 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,444
|
passwords defined in the url isn't really a security problem within the site itself. it is poor construction purely because someone looking over your shoulder can see your password. and most likely this website isn't the only site you use that password.
also, if you do it that way, you must use the url encode function within php to assure your password ( including special characters ) is able to be interpreted within the browser.
|
|
|
01-18-2003, 06:36 PM
|
#13 (permalink)
|
|
Guest
|
Quote:
Originally posted by trevor
woah wait. It's working. what do you mean by not using the GET method with passwords?
|
He means it's not safe because you can see the password if it is unencrypted in the URL...
|
|
|
|
01-18-2003, 06:37 PM
|
#14 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,444
|
passing variables through the url is using the 'GET' method. if you make a form like this: <form method=GET action=login.php> , you will notice that all the variables in your form will show up in the url.
when you use the GET method, your variables are limited to something like 255 characters. if you use the POST method, it is whatever is defined by the server. ( usually several MB )
|
|
|
01-18-2003, 06:40 PM
|
#15 (permalink)
|
|
Guest
|
sde, only problem I have is whenever I use post and enter something, let's say I have a textbox called blah and I do echo $blah, it doesn't return anything, so is it me, or Apache? (I am asking this so I can give trevor some code to use) I am sure I just have to do something but to give trevor some working code I need to know how
EDIT: Although sde can probably give a lot better code than me....
|
|
|
|
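The approach the thread converges on (POST instead of GET, login state kept in the session), as an added example that is not code from any poster: credentials are read from the POST body through `$_POST`, checked with a parameterized query against a stored hash, and only the user id goes into the session. It goes beyond the thread in using PDO, `password_hash()`/`password_verify()` and an in-memory SQLite table with a constructed user; all function names are hypothetical, and PHP 7.1+ with pdo_sqlite is assumed.

```php
<?php
// Added example; function names, table layout and the sample user are constructed.

function make_demo_db(): PDO {
    // In-memory SQLite table standing in for the thread's `users` table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['trevor', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// login.php side: pass $_POST here, so credentials never appear in the URL.
function authenticate(PDO $db, array $post): ?int {
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// After a successful login the session holds the user id, not the password.
function start_user_session(int $userId): void {
    session_start();
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $userId;
}

// main.php side: pass $_SESSION; on null, send header('Location: ...') and exit.
function current_user_id(array $session): ?int {
    $id = $session['user_id'] ?? null;
    return is_int($id) ? $id : null;
}

if (PHP_SAPI === 'cli') { // offline demo with constructed input
    $db = make_demo_db();
    var_dump(authenticate($db, ['username' => 'trevor', 'password' => 'correct horse']));
    var_dump(authenticate($db, ['username' => 'trevor', 'password' => 'wrong']));
    var_dump(current_user_id([]));
}
```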
All times are GMT -8.
|
Copyright © 2000-2008, Milano Interactive