A complex question!

zingbats

Please realise that this is hard for me to expain...

I have dowloads sytem that only shows HTML if the user has over 5 points.

It works well. Except for when I am changing download category.

To change category, you select the category, then hit a button. To save the login details. The form posts to

"downloads.php?username=$username&password=$password"

The only trouble is..The Query gets the password from the form and encypts it using md5...

$query = "SELECT * FROM phpbb_users WHERE username = '$username' AND user_password = md5('$password')";

This means that the URL that you get posted to is:

downloads.php?username=whatever&password=your_unencrypted_password

Thus revealing your password.

Have you ANY idea to either prevent &username=whatever coming up in the first place by using sesssions or cookies? So it can change category that way....

OR... do something like make another query that uses the md5 password itself....

?username=whatever&password=fhJFHJWHGJGRHJRHJRHJRHhh

NB: I have tried changing the password form name to "form_password" then added:

<?
$password == md5('$form_password');
?>

Then removed the md5 bit from the query, this doesn't want to work though. It doesn't seem to match the actual two together.

Please help. Thankx
Alex

ir4z0r

first: sensitive data should be passed with a form using method=post
not "get"

if you have to do it that way, take a look on base64_encode()
and base64_decode() (php.net)

or even better, use sessions, examples and tutorials everywhere in the net

zingbats

first: sensitive data should be passed with a form using method=post
not "get

Please explain

Also, how would I do sessions?

Thanks
Alex

ir4z0r

I assume, you have a HTML-form

the password would be saved in the form. this way it's still editable (user downloads html, edits and presses submit),
hence you still have to check if user and pw fit together

you can retrieve them afterwards through $_POST['user'] ...

anyway, sessions are the better way to handle passwords, since
the user can't read it in any way (afaik)
please refer to a tutorial or the man at php.net, where you'll find
examples and descriptions

Weedpacket

But to start off with sessions the approach is:

On each page where you'll be wanting to use or store stuff in a session, put

session_start();

At the top of the script (put it at the top, more precisely, before any output is sent to the browser).

Then, you'll have an array called $SESSION[], which you can use more or less like any other array; e.g.,

$_SESSION['password'] = md5($_POST['password']);

$query="something involving ".$_SESSION['password'];

And anything that goes into the $_SESSION[] array on one page will be available on subsequent pages.

But see the manual for the full answer, 'cos I am doing a little bit of handwaving here.