Login System

[ivanthem]

This is probably a very primitive thing to ask in a place of PHP and XML, but does anyone know of a way to make a login system- automated (as in the new user can gain access instantly) through a really primitive way (not through Frontpage but rather something like CGI or javascript or just plain forms?

Thanks!

[aspak]

Not a really "primitive" way of doing this.

When user register with his/her email adress, check the database if the user is already registered. If not, the user is asked for a preferred password, wich is stored in the database with the username (email). Then the user gets an email with a notification that he/she is registered as a user, together with additional info.
When the user enter his username and correct password in the login form, and it's all valid, a session is started. This is important to avoid the user from entering url strings directly in the browser and get passed the login script.

It is also important to use objects/functions wich you call, to prevent unauthorized users from viewing files. Be sure to addslashes to everything that is sent to the database. Often this is not done, so that persons with bad intentions can simply comment the query and get passed the login.

well, quite a lot to consider when it comes to safety. I could email you some php files that describes how to do it in a better way.

[ivanthem]

Originally posted by aspak

well, quite a lot to consider when it comes to safety. I could email you some php files that describes how to do it in a better way.

I'd love that but my server doesn't do PHP or anything fancy

As for databases, I'm completely new to that and security is no big deal since my site probably won't get a lot of attention anyway but any script that is simple to manage will do just fine

[Musicman]

Hi,

if it does not do php. what kind of scripts do you have otherwise (could be one of perl (cgi) or asp)

Musicman

[ivanthem]

No- just found out it doesn't- it's just a good old free hosted HTML site (yawn)
BUT is there a HTML code or javascript or XML- I saw a Flash XML Login in Movies, but that means I have to create the login files- oh well, I'll probably end up using that! Thanks for your help anyway

[Musicman]

Hi,

when flash reads the login data base (which is about the only way on a html server) anyone can read that file and find out all the acceptable logins.
This is a situation where you should look for a one-way crypt function (DES, MD5, or like) to put into your movie, and another app to run on your desktop that encrypts user names

Musicman

[ivanthem]

Here's how the flash system works:
The SWF file acts like a form, and refers to XML files in the 'Users' folder. The XML files contain username, password and redirect to page, so I don't think you can hack it.
Now here comes the security bit- since I'm using a free host, they don't want people to use their services for storage- so if you link to one of my images, you'll be redirected to the host's homepage. In fact, you can only link to HTML pages, which is a pain since all my pages are HTMs. Same happens if you type in host.com/folder/ and the folder has no index.html file. Therefore, accessing the XML files would be pretty much impossible
Now the only questions are
- could anyone hack the SWF file (e.g. right click and click play or forward or something to get to the redirection part of the animation?)
- could you just put all the PHP files (files for the server to be able to run PHP scripts) on the subdomain? (Probably a very, very stupid question to ask, I'm just curious )

[Musicman]

Hi,

"hacking" the swf: you were talking about linking to the freeserve, so requests that arrive at the server usually come in with a referer (hi, I was referred to xy.html from www.somewhere.com/filez); this is where they put in the blocking code
Your movie is still able to open the xml file - it does not send a referer at all, or if it does, it comes from your index.html. Now if someone finds the name of the xml file and just types that into the browser, he has already won the game

"third-party server": there is a security restricting which allows a movie to talk only to scripts on the same server, and there is a way to bypass that. If you have another server, probably the easiest way would be for your main swf to load a login.swf from the other server that does scripting

Musicman

[aspak]

The best solution would probably be to just change isp/host

[ivanthem]

Originally posted by aspak
The best solution would probably be to just change isp/host

Yeah- I wish! Well, the host I got now is the best free one I could find!

[ivanthem]

Musicman- the person can know the name of the XML file, but unless I link it in through one of my pages, they can't get to it- it's there, but the host only lets you go to HTML files- no others. So my header can be host.com/header.gif, but if someone types it in, they get a 404 error with hideous colors

[Musicman]

Hi,

where would I find the login feature on your site ... to try it?

Musicman

[ivanthem]

OK- It should be up now- it's WAY too obvious- you probably can't hack it, but it shows the address that you got redirected to which stinks so I might just buy a domain name in the near future and get a host with PHP Okay- the link- just go to my site (see my signature), and there'll be a link to login. The username is: testuser and so is the password.

[ivanthem]

And.... great- it doesn't work It works on my PC but not on the server... Stuff it- not worth the trouble- when I get a proper host, THEN I'll ask for the proper stuff