
Couple of *basic* questions.


zythion


Ok, so I'm trying to develop/remake a web based browser game that I used to play back in 2006.

 

I've got a fair amount set up, considering I knew nothing about php/mysql about a week ago.

However, I've made a registration process, login system, and the game pages (member only).

However, I was talking to some people the other day, and I'm using MD5 to encrypt the passwords. The suggestion given to me was to use SHA2 with Salt. The problem that I'm facing is that no matter what I try, I can't seem to get the system working.. I've followed the advice originally received: no success. I've followed a tutorial online: no success. So, I was wondering if someone from here could help me.

 

My database has the extra 'salt' field set up..

and here's my unedited working MD5 code:

 

<?php
   //Start session
   session_start();
   
   //Include database connection details
   require_once('config.php');
   
   //Array to store validation errors
   $errmsg_arr = array();
   
   //Validation error flag
   $errflag = false;
   
   //Connect to mysql server
   $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
   if(!$link) {
      die('Failed to connect to server: ' . mysql_error());
   }
   
   //Select database
   $db = mysql_select_db(DB_DATABASE);
   if(!$db) {
      die("Unable to select database");
   }
   
   //Function to sanitize values received from the form. Prevents SQL injection
   function clean($str) {
      $str = @trim($str);
      if(get_magic_quotes_gpc()) {
         $str = stripslashes($str);
      }
      return mysql_real_escape_string($str);
   }
   
   //Sanitize the POST values
   $email = clean($_POST['email']);
   $login = clean($_POST['login']);
   $password = clean($_POST['password']);
   $cpassword = clean($_POST['cpassword']);
   $empire_name = clean($_POST['empire_name']);
   $race = clean($_POST['race']);
   $referrer = clean($_POST['referrer']);
   
   
   
   //Input Validations
   if($email == '') {
      $errmsg_arr[] = 'Email missing';
      $errflag = true;
   }
   if($login == '') {
      $errmsg_arr[] = 'Username missing';
      $errflag = true;
   }
   if($password == '') {
      $errmsg_arr[] = 'Password missing';
      $errflag = true;
   }
   if($cpassword == '') {
      $errmsg_arr[] = 'Confirm password missing';
      $errflag = true;
   }
   if( strcmp($password, $cpassword) != 0 ) {
      $errmsg_arr[] = 'Passwords do not match';
      $errflag = true;
   }
   if($empire_name == '') {
      $errmsg_arr[] = 'Empire Name missing';
      $errflag = true;
   }
   if($race == '') {
      $errmsg_arr[] = 'Race not selected';
      $errflag = true;
   }
   if(strlen($login) > 20) {
      $errmsg_arr[] = 'Username exceeds allowed character limit';
      $errflag = true;
   }
   if(strlen($empire_name) > 20) {
      $errmsg_arr[] = 'Empire Name exceeds allowed character limit';
      $errflag = true;
   }
   
   //Check for duplicate login ID
   //(the whole query/check block belongs inside the if, otherwise $result is
   //undefined when the login is empty and the script dies with "Query failed"
   //instead of redirecting with the 'Username missing' message)
   if($login != '') {
      $qry = "SELECT * FROM members WHERE login='$login'";
      $result = mysql_query($qry);
      if($result) {
         if(mysql_num_rows($result) > 0) {
            $errmsg_arr[] = 'Username already in use';
            $errflag = true;
         }
         @mysql_free_result($result);
      }
      else {
         die("Query failed");
      }
   }
   
   //Check for duplicate Empire Name
   if($empire_name != '') {
      $qry = "SELECT * FROM members WHERE empire_name='$empire_name'";
      $result = mysql_query($qry);
      if($result) {
         if(mysql_num_rows($result) > 0) {
            $errmsg_arr[] = 'Empire Name already in use';
            $errflag = true;
         }
         @mysql_free_result($result);
      }
      else {
         die("Query failed");
      }
   }
   
   
   //If there are input validations, redirect back to the registration form
   if($errflag) {
      $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
      session_write_close();
      header("location:register-form.php");
      exit();
   }

   //Create INSERT query
$qry = "INSERT INTO members(email, login, passwd, empire_name, race, referrer) VALUES('$email','$login','".md5($_POST['password'])."','$empire_name','$race','$referrer')";
   $result = @mysql_query($qry);
   
   //Check whether the query was successful or not
   if($result) {
      header("location: register-success.php");
      exit();
   }else {
      die("Query failed");
   }
?>

 

 

My second question is:

I've got a set of permissions in my members database.. These are guest, player, mod and admin.

I'm currently running my updates page by calling the updates from the database... How would I go about adding a link to the first page you come to (after logging in) that can only be seen by members who are in the admin permission?

Because I'd like to make an admincp with a page to submit a form to the database that updates the updates page.. :P However, I'd rather the link to it only showed up for me and was invisible to other members..

 

Again, I'm only asking because I can't seem to find any information online at any tutorials or worksheets that I've come across.. And believe me, I've been searching quite a bit.. :/

 

Any help would be very much appreciated.. :)

Cheers,

/zythion/

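A salted SHA-256 register/login pair as the first question asks for, written as an added example (not the poster's script or anything from the thread). It assumes the config.php constants the posted script already uses, a members table with login, passwd and salt columns, and PHP 7 or later; PDO with bound parameters replaces the mysql_* calls and mysql_real_escape_string().

```php
<?php
// Added example for the thread's first question; not the poster's code.
// Assumes config.php defines DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE (as the
// posted script uses) and a `members` table with `login`, `passwd` and `salt`
// columns (the poster mentions the extra `salt` field).
require_once('config.php');

$pdo = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_DATABASE . ';charset=utf8mb4',
               DB_USER, DB_PASSWORD, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// One fresh random salt per account (PHP >= 7.0 for random_bytes()).
function make_salt(): string {
    return bin2hex(random_bytes(16));      // 32 hex characters
}

// Salted SHA-256 as asked for in the thread. The hex digest is 64 characters,
// so `passwd` must be at least CHAR(64); a shorter column truncates the value
// and the login check below can never match.
function sha2_salted(string $password, string $salt): string {
    return hash('sha256', $salt . $password);
}

function register(PDO $pdo, string $login, string $password): void {
    $salt = make_salt();
    // Bound parameters make mysql_real_escape_string() unnecessary. Hash the
    // raw password, not an escaped copy, or passwords with quotes break login.
    $stmt = $pdo->prepare(
        'INSERT INTO members (login, passwd, salt) VALUES (:login, :passwd, :salt)');
    $stmt->execute([
        ':login'  => $login,
        ':passwd' => sha2_salted($password, $salt),
        ':salt'   => $salt,
    ]);
}

// Login: fetch this user's salt, recompute, compare in constant time.
function login_ok(PDO $pdo, string $login, string $password): bool {
    $stmt = $pdo->prepare('SELECT passwd, salt FROM members WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                      // unknown user
    }
    return hash_equals($row['passwd'], sha2_salted($password, $row['salt']));
}

// Since PHP 5.5 the simpler route is password_hash($password, PASSWORD_DEFAULT)
// at registration and password_verify() at login: bcrypt with its own salt
// embedded in the stored string, so no separate `salt` column is needed.
```

With ERRMODE_EXCEPTION a failed INSERT throws a PDOException naming the MySQL error instead of silently leaving the table empty, which is the quickest way to see why a changed registration script stops inserting rows.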

First Question

The problem that I'm facing is that no matter what I try, I can't seem to get the system working..

What exactly is the problem that you're facing, other than the system not "working"?

Second Question

You have four groups

There's no telling how many permissions you have, but anyway.

 

The best way is to store their permissions in binary form.

Four groups means

0 = guest

1 = player

2 = mod

3 = admin

 

That requires TWO bits.  So alternatively, you could implement them like this

00 = guest

01 = player

10 = mod

11 = admin

 

Though it can get way more secure than that, that is the basis of it.


For the first question, md5 with salt is perfectly adequate for an online game.  Your time is better spent on other things than trying to use SHA2.

 

As for question 2, I'm not sure if I misunderstand you but it sounds like you can do something like this:

 

if ($permission == 'admin') {
  print "<a href="/link.html">I'm a secret link</a>";
}

 

PS Which game are you re-making?


For the first question, md5 with salt is perfectly adequate for an online game.  Your time is better spent on other things than trying to use SHA2.

Oh is it? I still can't seem to get the salt working though.. :/

@Zanus: Whatever I would try, when I went to test the code and tried to register an account, nothing was entered into the database.. It just wouldn't work. Whereas my original code using MD5 does.

Also, I don't see the need of using binary, the 4 groups are all that I need.. Could you explain why I would need to put it all into binary?

 

@btherl: The code you presented has a syntax error in  print "<a href="/link.html">I'm a secret link</a>"; .. I can't seem to find out what it would be.. :/

 

Thanks for the help though! :)

 

Oh and I'm recreating this: cftc at mysite: Reality Sleeps


Ok, so I've fixed the syntax error by doing this (untested to see if it works):

<?php if ($permission == 'admin') {
  echo "<a href=\"/admin.php\">Admin</a>; }
   ?>

 

However, I've now got a syntax error on the table which is placed after:

 

<?php if ($permission == 'admin') {
  echo "<a href=\"/admin.php\">Admin</a>; }
   ?>
    
<!-- Main game Table -->
<table width="650" align="center" border="1" bgcolor="black" cellspacing="0">

 

The error is where <table ... > is.. :/ Any help?

Cheers

 

Edit: Someone's said it's because the code is just old.. And to use CSS. I guess I've sort of answered my own question!


No, I'm still getting a syntax error when I'm trying to make the table.. Any help?

So basically;

<?php if ($permission == 'admin') {
  echo "<a href=\"/admin.php\">Admin</a> ; }
   ?>
    
<!-- Main game Table -->
<table width="650" align="center" border="1" bgcolor="black" cellspacing="0">

Removing the php script gets rid of the syntax error. Leaving it there and there's a syntax error on the <table .. etc>

 


You're missing the end quote in the echo statement:

 

<?php
if ($permission == 'admin') {
     echo "<a href=\"/admin.php\">Admin</a>";
}
?>

 

 

Note that you could clean up the code by using single quotes...as long as you don't need variables inside the string:

 

<?php
if ($permission == 'admin') {
     echo '<a href="/admin.php">Admin</a>';
}
?>


For this to actually work when a user logs in, I'd need to have the session created show what permission group they're in, right? How would I add that? :/

 

 

Note that I haven't spent too much time looking through the original code. And to be honest, I don't have a lot of time to look now.  ;)

 

With that said, you shouldn't need to add the group permissions to the Session. You only need enough information in the session to connect to the database where the permissions are stored.


How are you storing your permissions?  The "$permission == 'admin'" test in my code was just an example.  The exact test depends on how your permissions are stored.  I would expect to see a column in the members table called "permissions", with some value stored in there.

 

For a more complicated permission system you might have a whole new table with many types of permissions, but you probably just need something basic like "admin" and "user".

 

Do you know how to add a column to a table?  And how to read the contents of the column to use it in php?  And how to change the contents?  The reason I ask is so I know whether to focus on general concepts like "store the permissions in a table" or if we need to look at the details of how that storing happens.

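Putting the last two replies together (keep only enough in the session to find the member, read the permission column from the members table on each request), as an added example that is not code from anyone in the thread. It assumes a members table with an integer id column and a permission column holding one of guest, player, mod or admin, plus the config.php constants from the posted script.

```php
<?php
// Added example for the second question; not the thread's code. Assumes the
// members table has an integer `id` and a `permission` column holding one of
// 'guest', 'player', 'mod', 'admin', and the config.php constants from the
// posted script.
require_once('config.php');
session_start();

$pdo = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_DATABASE . ';charset=utf8mb4',
               DB_USER, DB_PASSWORD, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Call once after the password check succeeds. Only the member id goes into
// the session; the group is read back from the database on every request, so
// promoting or demoting someone takes effect on their next page load.
function remember_login(PDO $pdo, string $login): void {
    $stmt = $pdo->prepare('SELECT id FROM members WHERE login = :login');
    $stmt->execute([':login' => $login]);
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['member_id'] = (int) $stmt->fetchColumn();
}

function current_permission(PDO $pdo): string {
    if (empty($_SESSION['member_id'])) {
        return 'guest';
    }
    $stmt = $pdo->prepare('SELECT permission FROM members WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['member_id']]);
    $perm = $stmt->fetchColumn();
    return $perm === false ? 'guest' : $perm;
}

// admin.php (and the form handler it posts to) must call this at the top:
// hiding the link only tidies the menu; this check is what protects the page.
function require_permission(PDO $pdo, array $allowed): void {
    if (!in_array(current_permission($pdo), $allowed, true)) {
        http_response_code(403);
        exit('Not allowed');
    }
}

// On the first page after login: the link is only emitted for admins.
if (current_permission($pdo) === 'admin') {
    echo '<a href="/admin.php">Admin</a>';
}
```

In admin.php the first line after the connection is `require_permission($pdo, ['admin']);`, so a player who types the URL in by hand gets a 403 rather than the form.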
