A couple of questions

panosa73

Hi,
I am doing some coding (PHP/MySQL) for a small company. So far they've asked me to write a code that allows users to log in and out (session mngnt), with an admin control panel where users can be created, reset, updated and deleted. A user also has a level (i.e. Admin, Sales, etc) so, depending on the level, a user will, or, will not have access to a page and the link to that page will, or, will not be displayed.
There's also a My Profile page where users can change their email or password.
All you have to do is add 2 lines of code on top of every page you want to be session managed.
Now, my 1st question is this. I am not a guru or a professional PHP coder so I thought I'd charge them $15/hr.(BTW, this is my wife's job). I took me a lot of hours but I am only charging for 15, I am not charging them for the research part. Like I said, I don't write all code at the top of my head, some times I have to refer to PHP Manual or this site.
So, this thing will cost them $225. Is it too much, too little, just right? Any comments will be appreciated.

2nd. The person I am dealing with wants additional security, so this is what I did, as per his suggestion. There is a text file saved on the root dir with a single line of characters, a key. The script matches this key with a hard-coded key. If it matches, it continues to the rest of the session validation. But, he prefers that this key is a specific machine related code, like a serial number or anything pertained to the PC. Can PHP extract this kind of number or code?
Also, is this whole idea a good one, does it really add an extra step of validation, or can it be easily be bypassed?

Thanks in advance you guys.

Panos.

Roger_Ramjet

$15 per hour is way too little, unless you live in Asia, but 15 hours is way too long for this task so far, so it comes out OK. Thing is, you should realy being charging what the thing is WORTH to the client, not what it 'cost' you to make, so all-in-all $225 is not enough.

(I say that because my own income was crippled by the dot com explosion when evey man and his 12-year old nephew suddenly became a 'programmer'. Stupid sods started doing it for free cos 'they wanted to build their portfolio'. Forgot that one day they'd want to earn a living and then there would be some other jerk taking the bread out of their mouth cos he 'wanted to build his portfolio'.)

Now, your second question. It sounds like you mean a cookie. Yes of course php can deal with cookies.

Extracting a globally unique key from the user's pc? Well, intel don't build serial nos into their processors that you can read. MAC adresses are unique but I don't know how you would access that, and not everyone has a NIC anyway. Winders has guids from W2K onwards - and a right pain in the arse they are. Again, not a lot of use cos not everyone uses winders. You'd probably have to mess around in the registry to extract it anyway, not a pleasent thing to do if you're not sure of yourself.

So you can generate a unique key of any length and store it on the user's machine in a cookie. If they delete the cookie then they will have to apply for a new one, same as if they forgot their password.

Have fun, and charge like a rhino. 😃

panosa73

Roger Ramjet wrote:
Now, your second question. It sounds like you mean a cookie. Yes of course php can deal with cookies.

I don't mean a cookie. I mean a text file that is saved on the hard drive and is fopened to read the key and in turn compare that key to a hard coded one.

$handle = fopen("key.txt", "r");
$code = fread($handle, 100);//The key is 100 chars long.
fclose($handle);
if ($code != "hjklhiuyhiu6t4mp9ldkmnffHHgTghm663&%^6Z75vza777774589o08TWTrewsa673464ZYeru4eutflZt6g7895roiutyo78t") {
        $_SESSION['User_Logged_In'] = false;
        session_unset();
        session_destroy();
        header("Location: $login_page?action=logout");
}

But you did answer my questions. Thanks a million Roger. 🙂

Roger_Ramjet

All depends on your users does that.

You would not be able to read and write files on the hard drives on the network I run, thank you very much, not never no how.

I changed us over to Firefox last year cos of all the Trojans and spam bots that kept on infecting my systems - thanks to all the stupid users doing stupid things. No way would I let them agree to file reads and writes, and no systems admin in his right mind would allow that either.

So if it's corporate clients you are dealing with then forget it. Home users are another thing entirely and you might make it work with them.

thorpe

what are you talking about? you cannot write files on the client.

Roger_Ramjet

thorpe wrote:
what are you talking about? you cannot write files on the client.

Not true, thorpie my boy. ActiveX apps can, as could a java applet. That is the problem with ActiveX and java, too easy for hackers to mess with your system.

panosa73

Well, I didn't mean writing a file dynamicaly. See, the company has less than 10 PCs in the office, so, he wanted to manually create a text file containing the key and save it on the HD of each PC. All PHP will do is read the file, which is what I have done.

Another thing, just curious, how long would it take for an expert coder to write this thing? The whole thing I mean.

Roger_Ramjet

Ah well if it's just in-house then yes you can do stuff like that. I thought it was an internet thing.

That's one of those piece of string questions: impossible to estimate untill you have a lot more information.

justsomeone

Roger Ramjet wrote:
Ah well if it's just in-house then yes you can do stuff like that. I thought it was an internet thing.

Eh? Even on an intranet, how can PHP read a client-side file?

You could use javascript to read it and send the value to PHP.

This wouldn't be hugely secure though - anyone viewing the source of the page could see what file was being read and copy it to a new PC, which is what it appears you are trying to avoid...

thorpe

Not true, thorpie my boy. ActiveX apps can, as could a java applet

but up until this comment, no one had mentioned activeX.

Roger_Ramjet

thorpe wrote:
but up until this comment, no one had mentioned activeX.

But someone had mentioned browser based file reads/writes.

Noe, justsomeone, php can process files on network shares, given the right user permissions, see eg file exists , so it would work on a LAN where local drives are shared as eg C$ - winders syntax being \server\share eg \YourPC\C$.
fopen can also open a file from a URL/URI, again given the correct permissions.

panosa73

Roger Ramjet wrote:
Noe, justsomeone, php can process files on network shares, given the right user permissions, see eg file exists , so it would work on a LAN where local drives are shared as eg C$ - winders syntax being \server\share eg \YourPC\C$.
fopen can also open a file from a URL/URI, again given the correct permissions.

WOW, you guys are right! I am testing this on my machine, so I am both the client and the server and that's why it's working. When the code is installed on the company's server, it won't be reading the files on the clients but the file on the server. So if I go ahead with this I'll have to go with Roger and use PHP, or, justsomeone and use javascript. It's probably gonna be JS cause the PHP version looks too complicated.