AHMED SAMY (Egypt) asked:

I need urgent help to print $_SESSION['username'] beside the photo at the top right of the page.

I need to call the session name in all pages.

Please, if you can improve this code to be secure, help!!!!!

Please correct the cookie code, it is not working.

Note: my hosting is GoDaddy, PHP 5.6.

I am using check.php to check the login and redirect to index.php again:
<?php

session_start();

class mysql {

    private $localhost   = "localhost";
    private $db_users    = "****";
    private $db_password = "*****";
    private $db_name     = "*****";

    function __construct() {
        mysql_connect($this->localhost, $this->db_users, $this->db_password);
        mysql_select_db($this->db_name);
    }

    function sql() {
        $username = $_POST['username'];
        $password = $_POST['password'];

        $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";

        mysql_query("set character_set_server='utf8'");
        mysql_query("set names 'utf8'");

        $query = mysql_query($sql);
        $num   = mysql_num_rows($query);

        if ($num == 1) {
            $_SESSION['username'] = "username";
            $_SESSION['password'] = "password";

            //remember me
            @$remember_me = $_POST['rememberme'];
            if ($remember_me == 1) {
                $cook_name = "acpauth";
                $time = time() + 3600 * 24 * 1000; //1000 days
                setcookie($cook_name, 'usr=' . $username . '&hash=' . $password, $time);
            }

            header("location:packages.php");
        } else {
            echo "wrong password or username !!!";
        }
    }
}

$use = new mysql;
$use->sql();

?>
Julian Hansen (South Africa):

OK, before we go any further, get off MySQL - this library is deprecated and removed from later versions of PHP. Convert to MySQLi - which is close enough to MySQL that the changes are not extensive.

Next - don't use your POST variables directly in your query - you are just asking for trouble.

1. Don't assume they exist
$username = isset($_POST['username']) ? $_POST['username'] : false;

2. Sanitize your variables before putting them in a query. This means, preferably, use a prepared statement and an escape string function to neutralise any unwanted malicious code in the variable.

A logon script is a prime target for a hacking attack so it is important you get this right.

3. It appears you are storing your passwords in plain text - this is not a good idea - you should salt and hash your passwords: password_hash() and password_verify() should be the default go-tos here.

4. This is not a good idea
setcookie($cook_name,'usr='.$username.'&hash='.$password,$time)

Consider using token based security - don't store the username and password in the cookie - store an unguessable token and use this to do your auto logins.

A token is a value that cannot be guessed and is unique (think UUID / GUID) that is associated with a user account and optionally a time period. The token is exchanged (in a cookie or a header) with each interaction with the server. The token is checked by the server to see it is valid (exists and has not expired) before any data is sent back to the client.

5. Then these lines had me scratching my head a bit
$_SESSION['username']="username";
$_SESSION['password']="password";

You are setting your session variables to the constant strings 'username' and 'password' - are you not meaning to save the values in the variables (which you will have verified and sanitized) $username and $password?
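The five points above, put together as a working check.php for PHP 5.6. This is an added example, not code from the question or from Julian Hansen's answer. It assumes a `users` table with columns `id`, `username` and `password_hash` (values produced by password_hash()) and an `auth_tokens` table with `selector`, `token_hash`, `user_id` and `expires`; the two tables, their column names, the `selector:validator` cookie layout and the `restore_session_from_cookie()` helper are all assumptions, not anything the page states. The database credentials are the question's own `****` placeholders.

```php
<?php
// Added example, not from the question or the answer: the answer's five points applied
// to check.php. ASSUMED schema (not from the page):
//   users(id INT, username VARCHAR, password_hash VARCHAR)  -- hashes from password_hash()
//   auth_tokens(selector CHAR(24), token_hash CHAR(64), user_id INT, expires DATETIME)
session_start();

// Point 1 of the answer: MySQLi instead of the removed mysql_* extension.
// MYSQLI_REPORT_STRICT turns query failures into exceptions instead of a silent false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli("localhost", "****", "*****", "*****");
$db->set_charset("utf8");

/** Restore $_SESSION from the remember-me cookie; call on every page after session_start(). */
function restore_session_from_cookie(mysqli $db)
{
    if (isset($_SESSION['username']) || !isset($_COOKIE['acpauth'])) {
        return;
    }
    $parts = explode(':', $_COOKIE['acpauth'], 2);
    if (count($parts) !== 2) {
        return;
    }
    list($selector, $validator) = $parts;

    // The selector finds the row; the validator itself is never stored, only its hash.
    $stmt = $db->prepare(
        "SELECT t.token_hash, u.id, u.username FROM auth_tokens t
           JOIN users u ON u.id = t.user_id
          WHERE t.selector = ? AND t.expires > NOW()"
    );
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    $stmt->bind_result($tokenHash, $userId, $username);
    $found = $stmt->fetch();
    $stmt->close();

    // hash_equals() (PHP 5.6+) compares in constant time; known value first.
    if ($found && hash_equals($tokenHash, hash('sha256', $validator))) {
        session_regenerate_id(true);
        $_SESSION['user_id']  = $userId;
        $_SESSION['username'] = $username;
    }
}

// Point 2: don't assume the POST fields exist.
$username = isset($_POST['username']) ? $_POST['username'] : false;
$password = isset($_POST['password']) ? $_POST['password'] : false;
$remember = isset($_POST['rememberme']) && $_POST['rememberme'] == 1;

if ($username === false || $password === false) {
    echo "wrong password or username !!!";
    exit;
}

// Point 2, continued: a prepared statement keeps the input out of the SQL text entirely.
$stmt = $db->prepare("SELECT id, password_hash FROM users WHERE username = ?");
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($userId, $storedHash);
$found = $stmt->fetch();
$stmt->close();

// Point 3: passwords are stored with password_hash(); check them with password_verify().
// One message for both "no such user" and "wrong password" avoids confirming usernames.
if (!$found || !password_verify($password, $storedHash)) {
    echo "wrong password or username !!!";
    exit;
}

// Point 5: store the verified values, not the literal strings; the password is never stored.
session_regenerate_id(true);
$_SESSION['user_id']  = $userId;
$_SESSION['username'] = $username;

// Point 4: the cookie carries a random token and the database only the token's hash,
// so neither a leaked table nor a stolen cookie reveals the password.
if ($remember) {
    $selector  = bin2hex(openssl_random_pseudo_bytes(12)); // 24 hex chars, row lookup
    $validator = bin2hex(openssl_random_pseudo_bytes(32)); // 64 hex chars, proof of possession
    $tokenHash = hash('sha256', $validator);
    $expires   = time() + 30 * 24 * 3600;                  // 30 days rather than 1000

    $stmt = $db->prepare(
        "INSERT INTO auth_tokens (selector, token_hash, user_id, expires)
         VALUES (?, ?, ?, FROM_UNIXTIME(?))"
    );
    $stmt->bind_param('ssii', $selector, $tokenHash, $userId, $expires);
    $stmt->execute();
    $stmt->close();

    // HttpOnly keeps script away from the cookie; the Secure flag limits it to HTTPS.
    setcookie('acpauth', $selector . ':' . $validator, $expires, '/', '', !empty($_SERVER['HTTPS']), true);
}

header("Location: packages.php");
exit; // nothing after a redirect should keep running
```

For the "all pages" part of the question, each page starts with session_start(), connects, and calls restore_session_from_cookie($db) before reading the session; the name next to the photo is then printed with htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') so a username containing markup cannot inject into the page. Logging out should delete the matching auth_tokens row as well as the session.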
AHMED SAMY (asker):

Can you tell me how to protect the username and password texts?

I know my fault, I changed

$_SESSION['username']="username";
$_SESSION['password']="password";

to

$_SESSION['username']="$username";
$_SESSION['password']="$password";

And how to save a cookie for the username and a cookie for the password (two cookies)?

Sorry for disturbing you.
ASKER CERTIFIED SOLUTION
Julian Hansen (South Africa)

Thanks.
You are welcome.