Comments for Dodona gives you answers

Comment on P.U.L.S. by PR

PR — Wed, 11 Nov 2009 20:22:21 +0000

Please take my critiques as a helpful venue. But I have found a major problem with your whole software, which makes it obsolete for any level of DB access – it does not contain “mysql escape string.” Major problem that WILL BE a hacker’s paradise also called a – MYSQL injection. Please make a note of it.

Comment on P.U.L.S. by lutsen

lutsen — Mon, 02 Nov 2009 08:19:11 +0000

@PR: I agree it’s most safe to only store the password in the DB. But to use the remeber-me feature something has to be stored localy. It’s a choice between more security or a better user experience I guess. And its up to the developer to choose the method most appropriate for his/her website.

Comment on P.U.L.S. by PR

PR — Thu, 29 Oct 2009 21:22:51 +0000

Lutsen – thanks for your reply. However, I must disagree with you on that comment about encrypted password being stored in the cookie – it should not be stored anywhere but the DB with MD5 and HASH and SSL – if information stored is sensitive: i.e. personal info, addresses, card #’s, etc.

Comment on P.U.L.S. by lutsen

lutsen — Thu, 29 Oct 2009 07:33:54 +0000

@PR: Thanx for the comments. I’ll have a look at your first comment in the next version of the code. About your second comment; only an encrypted version of the password is stored in the cookie, not the password itself. And the key with which the password is encrypted changes every session. Maybe I’ll add an option in the config file to disable the remember-me feature for people who think it’s a risk, but I think it’s pretty secure this way.

Comment on P.U.L.S. by PR

PR — Wed, 28 Oct 2009 22:30:55 +0000

Also, I forgot to mention. It is a HUGE security issue when storing passwords in the session cookie. Why would one want to do so? This code is unusable for some web sites where sensitive information might be used to hack. This needs to be modified.

Comment on P.U.L.S. by PR

PR — Wed, 28 Oct 2009 22:18:40 +0000

Great code thanks.
However, some possible security issues exist. I am not trying to impose or anything close to it in that matter.
When INSERT (ing) into DB in both forgot.php and register.php files one should never use name of the database explicitly in the code, but rather use a variable and preferably $_GET['value']. So instead of using “thisDB” use $thisDB and hide the variable value in the non-accessible hidden file.

Comment on How do I clear my color swatches in Photoshop CS3? by gab

gab — Tue, 27 Oct 2009 17:14:50 +0000

Thank you!!!

Comment on How do I truncate an HTML string without breaking the HTML code? by lutsen

lutsen — Thu, 17 Sep 2009 19:20:36 +0000

@deerawan I guess the function doesn’t provide for that right now. But you are free to modify it.

Comment on How do I truncate an HTML string without breaking the HTML code? by deerawan

deerawan — Thu, 17 Sep 2009 09:15:30 +0000

how to get the rest string?

Comment on P.U.L.S. by lutsen

lutsen — Wed, 19 Aug 2009 13:03:55 +0000

Hi Jason,
You solution is probably the same as Pauls as well. The login.php does not check if your login is correct. It only registers the session variables, and redirects you to a protected page. On this page you are redirected to (and other protected pages) it is checked if you are actually a regitered user. If not, you are redirected back to the login.php page. This is how it should be set up (copied from the included readme file):

You can leave the P.U.L.S files in the puls directory and protect any php page on your server with it.
Copy this code to the top of every PHP page:

// ### check login start ###
session_start();
session_regenerate_id(true); // Generate new session id and delete old (PHP >= 5 only)
include_once(“includes/check.php”); // Change this to the right path
// ### check login end ###

“index.php” in the puls directory is an example of this.

NOTE: Make sure to change the path to the check.php file to the right path, depending on the location of the page you want to protect.
For example, if the page you want to protect is in the directory “pages” and the P.U.L.S. files are in the puls directory (and both the pages and puls directory are in the www root), the right path would be: include_once(“../puls/includes/check.php”);

So check.php is the file that actually checks if you entered the right username and password. That’s why it should be included in every page you want to protect.