gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

OffTopic > PHP help

#129529 - khan - Wed May 23, 2007 3:45 pm

Hi all,

In my free time, I am trying to make a professional-looking website on which I would like to display the date with a message, i.e. good morning/afternoon/evening or night.

I have found a very basic PHP script; however, I would really appreciate it if someone could expand it so it prints out the message alongside the date as mentioned above. (BTW I have tried Google to no avail.)

<?php // Displays in the format Saturday, November 22, 2003 11.38
echo date("l, F d, Y h:i" ,time());?>

Thanks

#129538 - kusma - Wed May 23, 2007 4:33 pm

Keep in mind that you need the time in the timezone of the user to make sense, not of the server. If not, you'll end up saying "Good night" in the morning etc to people in very different time-zones.

#129541 - gauauu - Wed May 23, 2007 5:30 pm

I'm not sure that displaying a "good morning" message is always very professional looking, but here goes. This is completely untested:

Code:

<?php // Displays in the format Saturday, November 22, 2003 11:38
$time = time();
$displayDate = date("l, F d, Y h:i", $time);
$hour = (int) date("G", $time);   // hour of the day, 0-23, no leading zero

// Boundaries are inclusive at the start so every hour maps to one message
// (the original '>' tests skipped 6, 12 and 17 entirely).
$message = "It's night time!";
if ($hour >= 6  && $hour < 12) { $message = "Good Morning"; }
if ($hour >= 12 && $hour < 17) { $message = "Good Afternoon"; }
if ($hour >= 17 && $hour < 22) { $message = "Good Evening"; }

// Print the formatted date, not the raw epoch value in $time.
echo "$displayDate $message";
?>
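
An added example (written for this page, not code from gauauu or anyone else in the thread) that combines the hour buckets above with kusma's point that the hour has to be the visitor's, not the server's. It assumes the visitor's zone name arrives as a string (a profile setting, a form field or a cookie; the `$userTzName` parameter is an assumption), which is why it is checked against PHP's own list of identifiers before being handed to DateTimeZone. Needs PHP 7.1+.

```php
<?php
// Added example: greeting chosen from the hour in the visitor's own time zone.
// The zone name is treated as untrusted input and allow-listed.

function greetingForHour(int $hour): string
{
    if ($hour < 0 || $hour > 23) {
        throw new InvalidArgumentException("hour out of range: $hour");
    }
    // Inclusive lower bounds so the 24 hours partition cleanly.
    if ($hour >= 6 && $hour < 12) {
        return 'Good Morning';
    }
    if ($hour >= 12 && $hour < 17) {
        return 'Good Afternoon';
    }
    if ($hour >= 17 && $hour < 22) {
        return 'Good Evening';
    }
    return "It's night time!";
}

// Returns a DateTimeZone for $name only if PHP itself knows that name;
// anything else (typos, attacker-chosen strings) falls back to $fallback.
function safeTimeZone(?string $name, string $fallback = 'UTC'): DateTimeZone
{
    static $known = null;
    if ($known === null) {
        $known = array_flip(DateTimeZone::listIdentifiers());
    }
    $tz = ($name !== null && isset($known[$name])) ? $name : $fallback;
    return new DateTimeZone($tz);
}

// $nowUtc is the server's instant; $userTzName is the visitor's zone name
// (assumed to come from a profile setting, form field or cookie).
function greetingLine(DateTimeImmutable $nowUtc, ?string $userTzName): string
{
    $local = $nowUtc->setTimezone(safeTimeZone($userTzName));
    $hour  = (int) $local->format('G');
    // 24-hour clock (H) so the displayed time is unambiguous.
    return $local->format('l, F d, Y H:i') . ' ' . greetingForHour($hour);
}

// Usage with a fixed instant so the run is reproducible.
$instant = new DateTimeImmutable('2007-05-23 15:45:00', new DateTimeZone('UTC'));
echo greetingLine($instant, 'Europe/London'), "\n";   // visitor in the UK
echo greetingLine($instant, 'Asia/Tokyo'), "\n";      // same instant, next day in Japan
echo greetingLine($instant, 'not/a_zone'), "\n";      // unknown name: UTC fallback
```

The same UTC instant produces an afternoon greeting for the London visitor and a night-time one for the Tokyo visitor; the third call shows that an unrecognised zone name never reaches DateTimeZone and cannot produce an error page that leaks anything.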

#129544 - keldon - Wed May 23, 2007 5:47 pm

Yes, it is not something that is of any importance. Sounds like you may need to visit the following (just in case):
- http://www.webpagesthatsuck.com/
- http://www.useit.com/alertbox/991114.html

#131126 - khan - Mon Jun 11, 2007 10:59 am

Thank you all for your suggestions/help.

#143221 - khan - Thu Oct 18, 2007 1:53 pm

Sorry for bothering you guys again but I need help again.

What I am trying to do right now is to separate customer & admin login from the same login.php page.

As I understand, I can do the same thing by creating a separate admin table and login page but that is a bit simple and not something I would want.

Quote:
<?php
session_start(); // Shows we are using sessions
include('dbinfo.inc');

$user  = $_POST['username'];  // Gets the inputted username from the form
$pass  = $_POST['password'];  // Gets the inputted password from the form
$time  = time();              // Gets the current server time
$check = $_POST['setcookie']; // Checks if the remember me button was ticked
$connection = mysql_connect($hostname, $username, $password) or die ("Unable to connect!"); // open connection
mysql_select_db($databaseName) or die ("Unable to select database!"); // check for connection errors

$query  = "SELECT * FROM Customer WHERE UserName = '$user' AND Password = '$pass'";
$result = mysql_query($query, $connection);

if (mysql_num_rows($result)) { // If the username and password are correct do the following;
    $_SESSION["authenticatedUser"] = 1; // Sets the session 'loggedin' to 1
    $_SESSION['username'] = $user;
    if ($check) {
        // Check to see if the 'setcookie' box was ticked to remember the user
        setcookie("shop[username]", $user, $time + 3600); // Sets the cookie username
        setcookie("shop[password]", $pass, $time + 3600); // Sets the cookie password
    }

    header("Location: logged_options.php?username=$user"); // Forwards the user to this URL
    exit();
}
else // If login is unsuccessful forwards the user back to the index page with an error
{
    header("Location: login_error.php");
    exit();
}
?>


I want to send the user to either admin.php or logged_options.php depending upon which Status is set for them in the Customer table but using this same page.

Here's hoping that was clear enough to understand.

#143224 - jetboy - Thu Oct 18, 2007 2:07 pm

khan wrote:
Sorry for bothering you guys again but I need help again.


You'd better choose one of the below:
1. learn programming
2. pay someone who can program it for you

You just can't get any programming work done by taking different bits and sticking them together without understanding how they work.

edit: ah! and saving passwords in cookies is not a good idea.

edit2: to make things clear. I like helping people. But doing the whole thing for someone is a different thing.
_________________
Colors! gallery -> http://colors.collectingsmiles.com
Any questions? Try http://colors.collectingsmiles.com/faq.php first, or official forums http://forum.brombra.net

#143228 - Vich - Thu Oct 18, 2007 2:44 pm

jetboy wrote:
khan wrote:
Sorry for bothering you guys again but I need help again.


You'd better choose one of the below:
1. learn programming
2. pay someone who can program it for you

You just can't get any programming work done by taking different bits and sticking them together without understanding how they work.

edit: ah! and saving passwords in cookies is not a good idea.

edit2: to make things clear. I like helping people. But doing the whole thing for someone is a different thing.


I agree.
And don't forget the SQL injection security risk in that code!
_________________
[project website] [personal website]

#143907 - HyperHacker - Sat Oct 27, 2007 7:42 am

khan wrote:
$user = $_POST['username']; // Gets the inputted username from the form
$pass = $_POST['password']; // Gets the inputted password from the form
[...]
$query = "SELECT * FROM Customer WHERE UserName = '$user' AND Password = '$pass'";
$result = mysql_query($query, $connection);


Now watch what happens when I enter silly things like this:
Username: ' OR 1=1; --
Password: anything

Username: [name of an admin account]
Password: ' OR 1=1; --

And this one won't work in all systems, but:
Username: anything
Password: '; UPDATE Customer SET Password='foo' WHERE UserName='bar'; --

See the problem here? Try actually typing out what the resulting query string would be. (-- is a comment BTW.)

There's also the problem that by storing your passwords in plain text, anyone who can read the database can get them all.
_________________
I'm a PSP hacker now, but I still <3 DS.

#143929 - tepples - Sat Oct 27, 2007 2:28 pm

khan wrote:
$query = "SELECT * FROM Customer WHERE UserName = '$user' AND Password = '$pass'";

To fix what HyperHacker is talking about, try this: Before passing any user-entered string to a MySQL query such as SELECT, sanitize it. Ordinarily, you do this by calling mysql_real_escape_string() on each string before passing it to mysql_query().
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.
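
An added example, written for this page and not code from khan, HyperHacker or tepples, that rebuilds the login query two ways against an in-memory SQLite database through PDO so it runs without a MySQL server (assumes the pdo_sqlite extension and PHP 7.1+; the table names, accounts and `landingPage()` helper are constructed for the demonstration). The vulnerable function keeps the exact shape of the original query; the hardened one uses a prepared statement with bound parameters, the modern equivalent of the escaping tepples describes, stores only password hashes so HyperHacker's plaintext-in-the-database problem goes away, and routes on the Status column the way khan's question asked.

```php
<?php
// Added example: the thread's login query, vulnerable and hardened, run
// against constructed test data in an in-memory SQLite database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed accounts: one customer and one admin, distinguished by Status.
$accounts = [
    ['alice', 'wonderland', 'customer'],
    ['root',  'hunter2',    'admin'],
];

// Customer: plaintext passwords, queried by string concatenation (the original).
$db->exec('CREATE TABLE Customer (UserName TEXT PRIMARY KEY, Password TEXT, Status TEXT)');
$ins = $db->prepare('INSERT INTO Customer VALUES (?, ?, ?)');
foreach ($accounts as $a) {
    $ins->execute($a);
}

// Account: only a password hash is stored, queried with bound parameters.
$db->exec('CREATE TABLE Account (UserName TEXT PRIMARY KEY, PasswordHash TEXT, Status TEXT)');
$ins = $db->prepare('INSERT INTO Account VALUES (?, ?, ?)');
foreach ($accounts as [$u, $p, $status]) {
    $ins->execute([$u, password_hash($p, PASSWORD_DEFAULT), $status]);
}

// The original shape: the POST values are spliced straight into the SQL text.
function vulnerableLogin(PDO $db, string $user, string $pass): ?array
{
    $query = "SELECT * FROM Customer WHERE UserName = '$user' AND Password = '$pass'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the SQL text is fixed and the driver sends the username
// separately, so quotes and comment markers in it cannot alter the statement.
// The password is never compared in SQL at all, only against its hash in PHP.
function safeLogin(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT UserName, PasswordHash, Status FROM Account WHERE UserName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['PasswordHash'])) {
        return null;
    }
    unset($row['PasswordHash']);
    return $row;
}

// Routing by Status from the same login page (constructed helper).
function landingPage(array $row): string
{
    return $row['Status'] === 'admin' ? 'admin.php' : 'logged_options.php';
}

// Three attempts: genuine credentials, HyperHacker's first payload, and a
// payload that names the admin account and comments out the password check.
$attempts = [
    ['alice',       'wonderland'],
    ["' OR 1=1 --", 'anything'],
    ["root' --",    'anything'],
];
foreach ($attempts as [$u, $p]) {
    $v = vulnerableLogin($db, $u, $p);
    $s = safeLogin($db, $u, $p);
    printf("%-14s vulnerable: %-28s safe: %s\n",
        $u,
        $v ? $v['UserName'] . ' -> ' . landingPage($v) : 'denied',
        $s ? $s['UserName'] . ' -> ' . landingPage($s) : 'denied');
}
```

Typing the two payloads into the concatenated query, as HyperHacker suggests, gives `WHERE UserName = '' OR 1=1 --' AND ...` and `WHERE UserName = 'root' --' AND ...`: the first matches every row, the second logs in as root without a password. With bound parameters both strings are simply usernames that do not exist. The stacked `UPDATE` payload from HyperHacker's post depends on the driver executing several statements in one call and is left out here. Note that the `mysql_*` functions and `mysql_real_escape_string()` were removed in PHP 7; PDO or mysqli prepared statements are the replacement.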

#144412 - zzo38computer - Thu Nov 01, 2007 7:33 pm

To store login data in cookies, I often use this:

username . ":" . MD5( username . MD5(password) . client_ip . secret_code )

where username is the logged in username, password is the password entered in the form, client_ip is the client's IP address, secret_code is a secret code that only the owner of the server knows, and the period is the concatenation operator.
_________________
Important: Please send messages about FWNITRO to the public forum, not privately to me.

#144452 - kusma - Fri Nov 02, 2007 1:42 am

zzo38computer wrote:
To store login data in cookies, I often use this:[bizarre shit]

you are aware that security by obscurity doesn't work, right?

#144459 - tepples - Fri Nov 02, 2007 3:44 am

It works if obscurity lies only in the key, which in this case is secret_code.
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#144470 - kusma - Fri Nov 02, 2007 12:22 pm

I was mostly talking about the double-md5'ing and concatenation of totally unrelated stuff. Of course, if you store only the md5 of the password (as you should for politeness) the double md5-ing makes sense, but not as shown in that code-snippet.

#144498 - zzo38computer - Sat Nov 03, 2007 1:38 am

kusma wrote:
I was mostly talking about the double-md5'ing and concatenation of totally unrelated stuff. Of course, if you store only the md5 of the password (as you should for politeness) the double md5-ing makes sense, but not as shown in that code-snippet.

Of course I do store only the MD5 of the password (and I also make the file where the password hash is stored inaccessible using .htaccess). The code I wrote isn't the real code anyway, it is just a simplified example that you can use. The client IP address is stored so that even if someone can steal the cookie, they still can't log in.
_________________
Important: Please send messages about FWNITRO to the public forum, not privately to me.

#144535 - kusma - Sat Nov 03, 2007 3:48 pm

zzo38computer wrote:
The client IP address is stored so that even if someone can steal the cookie, then they still can't login.

I find it extremely annoying when a laptop moves and changes base station, or a router reboots and changes its public IP. There are better options to minimize the chance of cookie theft IMO.

#144541 - HyperHacker - Sat Nov 03, 2007 5:28 pm

His method of throwing other info in with the password before hashing isn't too bad really. It helps ensure that just knowing the hash of someone's password won't do them much good, because the cookies use the hash of the password plus something else they may not know. If the "secret code" is hardcoded into the source, rather than stored in the database, then having full database access wouldn't be enough to generate a valid cookie.
_________________
I'm a PSP hacker now, but I still <3 DS.

#144547 - Mighty Max - Sat Nov 03, 2007 6:34 pm

HyperHacker wrote:
His method of throwing other info in with the password before hashing isn't too bad really. It helps ensure that just knowing the hash of someone's password won't do them much good, because the cookies use the hash of the password plus something else they may not know.


Salting is good. This however isn't.
Where is the security win? You are artificially limiting cookies to one connection only. In which case a cookie is void tbh (*). Rather use PHP's sessions instead.

(*) Because the hashed passwd..IP..salt will not match on another connection again, the user has to provide the password once again.

Usually the password is more often exposed by not using https on login forms than by sniffing the hash.
_________________
GBAMP Multiboot
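
An added example for the cookie discussion above, written for this page and not zzo38computer's real code nor anyone else's from the thread. It builds a "remember me" token in which the only secret is a server-side key (tepples' point), uses a keyed hash (HMAC-SHA256) over a fixed layout instead of MD5 over concatenated fields (kusma's objection), carries its own expiry, and is not tied to the client IP, so the roaming laptop and router reboot that kusma and Mighty Max describe do not log the user out. Assumptions: the cookie name, the placeholder `$SERVER_KEY` (a real deployment loads it from configuration outside the web root) and the fixed timestamps used in the demonstration; PHP 7.3+ for the array form of `setcookie()`.

```php
<?php
// Added example: HMAC-based remember-me cookie. Token layout:
//   username ':' expiry ':' hex(HMAC-SHA256(key, username ':' expiry))
// Anyone can read the username and expiry; nobody without $key can produce
// or alter a token that verifies.

const COOKIE_NAME = 'shop_remember';   // assumed name
// Placeholder key (assumption): generate with bin2hex(random_bytes(32)) and
// keep it out of the database and the web root.
$SERVER_KEY = 'replace-me-with-a-random-32-byte-key';

function issueToken(string $user, int $expiry, string $key): string
{
    // ':' is the field separator, so it must not appear in the username.
    if (strpos($user, ':') !== false) {
        throw new InvalidArgumentException('username must not contain ":"');
    }
    $payload = $user . ':' . $expiry;
    return $payload . ':' . hash_hmac('sha256', $payload, $key);
}

// Returns the username if the token is genuine and unexpired, otherwise null.
function verifyToken(string $token, string $key, int $now): ?string
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null;                       // wrong shape
    }
    [$user, $expiry, $mac] = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null;                       // expired or not a number
    }
    $expected = hash_hmac('sha256', $user . ':' . $expiry, $key);
    if (!hash_equals($expected, $mac)) {
        return null;                       // forged or tampered (constant-time compare)
    }
    return $user;
}

// Where the original login script called setcookie() twice with the plain
// username and password, call this once instead.
function setRememberCookie(string $user, string $key, int $ttl = 3600): bool
{
    $expiry = time() + $ttl;
    return setcookie(COOKIE_NAME, issueToken($user, $expiry, $key), [
        'expires'  => $expiry,
        'secure'   => true,    // only over https (Mighty Max's point)
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Demonstration with a fixed clock so the run is reproducible.
$now   = 1190000000;
$token = issueToken('khan', $now + 3600, $SERVER_KEY);

var_dump(verifyToken($token, $SERVER_KEY, $now) === 'khan');          // genuine, in date
var_dump(verifyToken($token, $SERVER_KEY, $now + 7200) === null);     // same token, expired
$forged = str_replace('khan:', 'root:', $token);                       // swap the username
var_dump(verifyToken($forged, $SERVER_KEY, $now) === null);           // MAC no longer matches
var_dump(verifyToken('khan:' . ($now + 3600) . ':00', $SERVER_KEY, $now) === null); // made-up MAC
```

On each request the site calls `verifyToken($_COOKIE[COOKIE_NAME] ?? '', $SERVER_KEY, time())` and, on success, starts the session for that user. The token never contains the password or its hash, so a stolen database is not enough to mint one and a stolen cookie is not enough to learn the password. What this scheme still lacks is server-side revocation (logging out everywhere, or cutting off a stolen cookie before it expires); for that, the token has to be looked up in a store, which is the direction Mighty Max's suggestion of PHP sessions takes.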