$please = $advice + $security_check;


gavimobile
10-02-2008, 04:56 AM
Hey folks,

I decided to spend my night on making a user status check for users to see if other users are online; php.net and I had a fun time together.
Anyway, I want to know if this script is secure, and also if there is something I did wrong; please tell me what you would have done instead.

For one of the else statements, I was thinking about doing something like updating all users if $last_session < $idle_time, because the sessions column in the database will get refreshed within seconds by users who are currently online. Is this a safe idea?

The code works fine; this is 100% hand-coded by ME.


<?php

// if there is a session (true)
if (isset($_SESSION['user'])) {

    $date = date("YmdHis"); // Year MONTH DAY HOUR Min SEC, as one run of digits
    // idle window: plain subtraction on the YmdHis digits, so 100 = 1 minute and 1500 = 15 minutes
    // (this arithmetic does not carry across minute, hour or day boundaries)
    $idle_time = $date - 1500;
    $dtime = mysql_real_escape_string($date); // escape the date for use inside the SQL string
    $email = mysql_real_escape_string($_SESSION['user']); // escape the email for use inside the SQL string
    mysql_query("UPDATE users SET datetime='$dtime' WHERE user_email='$email' "); // update timestamp

    $results_status = mysql_query("SELECT datetime FROM users WHERE user_email='$email' "); // get the last stored session from db
    $row_status = mysql_fetch_array($results_status);
    $last_session = $row_status['datetime'];

    // number gets stored like this in the
    // database, e.g. 20081002073229
    // Year MONTH DAY HOUR Min SEC
    // 2008 10 02 07 32 29
    // if the last session is within 1500 (15 minutes) of the current time, run code
    if ($last_session > $idle_time) {

        //echo $idle_time."<br />".$last_session;
        echo "ONLINE";

    } else {

        echo "OFFLINE"; // this should never execute: the row was just updated to $date above

    }

}
// if there is not a session
else {

    echo "User is offline <br />";
}
?>

gavimobile
10-03-2008, 03:11 AM
Yup, once again I couldn't help myself by staying up till 6 am working on my stupid little script (day 2) to help me gain MySQL experience with PHP. This is all hand-coded by me; however, someone on IRC gave me a better understanding of how I should program this script. The SQL query was the hardest part, but I used common sense + the manual and this is what I got.

This is to show the logged-in user that he is online (from the session):

<?php

// if there is a session (true)
if (isset($_SESSION['user'])) {

    $email = mysql_real_escape_string($_SESSION['user']); // escape the email for use inside the SQL string

    // SELECT THIS USER'S ROW IF IT WAS ACCESSED WITHIN THE LAST 15 MINUTES
    $results_status = mysql_query("SELECT user_email, lastaccess FROM users WHERE lastaccess > DATE_ADD(NOW(), INTERVAL -15 MINUTE) AND user_email='$email' ");
    $num_rows = $results_status ? mysql_num_rows($results_status) : 0; // 0 rows when the query fails

    // update timestamp into database
    mysql_query("UPDATE users SET lastaccess=NOW() WHERE user_email='$email' ");

    // if a row is found print (only one row should show because user_email='$email')
    if ($num_rows > 0) {
        // user is online
        echo "<img src='img/greenled.png' />";
    } else {
        // this should never print, because the user must have a session running to see this
        // (it does show on the first request after more than 15 minutes of inactivity, since the SELECT runs before the UPDATE)
        // user is offline
        echo "<img src='img/redled.png' />";
    }

}
?>

This is to show all users, whether or not they are logged in (with a session): users who are connected and users who aren't.


<?php
echo "<br /><br /><h3>Online Users</h3>";

// SELECT ALL USERS ACCESSED WITHIN THE LAST 15 MINUTES
$results_min = mysql_query("SELECT user_email, lastaccess FROM users WHERE lastaccess > DATE_ADD(NOW(), INTERVAL -15 MINUTE) ");

if ($results_min && mysql_num_rows($results_min) > 0) {
    // if one or more rows are found print
    while ($row_min = mysql_fetch_array($results_min)) {
        // escape the email on output so a crafted address cannot inject markup into the page
        echo "<img src='img/greenled.png' /> " . htmlspecialchars($row_min['user_email']) . " ";
    }
}


echo "<br /><br /><h3>Offline Users</h3>";

// SELECT ALL USERS ACCESSED WITHIN THE LAST YEAR BUT MORE THAN 15 MINUTES AGO
$results_year = mysql_query("SELECT user_email, lastaccess FROM users WHERE lastaccess BETWEEN DATE_ADD(NOW(), INTERVAL -1 YEAR) AND DATE_ADD(NOW(), INTERVAL -15 MINUTE) ");

if ($results_year && mysql_num_rows($results_year) > 0) {
    // if one or more rows are found print
    while ($row_year = mysql_fetch_array($results_year)) {
        echo "<img src='img/redled.png' /> " . htmlspecialchars($row_year['user_email']) . " ";
    }
}


echo "<br /><br /><h3>Inactive Users</h3>";

// SELECT ALL USERS NOT ACCESSED FOR ONE YEAR OR MORE
$results_more = mysql_query("SELECT user_email, lastaccess FROM users WHERE lastaccess < DATE_ADD(NOW(), INTERVAL -1 YEAR) ");

if ($results_more && mysql_num_rows($results_more) > 0) {
    // if one or more rows are found print
    while ($row_more = mysql_fetch_array($results_more)) {
        echo "<img src='img/ledorange.png' /> " . htmlspecialchars($row_more['user_email']) . " ";
    }
}

?>
Waiting eagerly for responses: what could I have done to make this even better?

thanks in advance
gavimobile
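As an added example (not the poster's code), here is the same online/offline/inactive listing built on PDO prepared statements, which addresses the two review points above: the email from the session is bound as a parameter rather than escaped into the SQL string, and every address is HTML-escaped on output. It assumes an in-memory SQLite database with constructed sample rows in place of the poster's MySQL `users` table; the function names `touchUser` and `listPresence` are my own.

```php
<?php
// Added example, not the poster's code: online/offline/inactive listing on PDO prepared
// statements. An in-memory SQLite database with constructed rows stands in for the MySQL
// `users` table; cutoffs are computed in PHP and bound, so only the DSN differs for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_email TEXT PRIMARY KEY, lastaccess TEXT NOT NULL)");
$fmt = 'Y-m-d H:i:s';
$now = new DateTimeImmutable('now', new DateTimeZone('UTC'));
// Constructed sample rows: one active, one seen yesterday, one not seen for two years,
// and one whose address carries markup to exercise the output escaping.
$seed = $pdo->prepare("INSERT INTO users (user_email, lastaccess) VALUES (:email, :seen)");
$seed->execute([':email' => 'alice@example.com', ':seen' => $now->modify('-2 minutes')->format($fmt)]);
$seed->execute([':email' => 'bob@example.com', ':seen' => $now->modify('-1 day')->format($fmt)]);
$seed->execute([':email' => 'carol@example.com', ':seen' => $now->modify('-2 years')->format($fmt)]);
$seed->execute([':email' => '<b>x</b>@example.com', ':seen' => $now->modify('-5 minutes')->format($fmt)]);

// Refresh the current user's lastaccess. The email comes from the session, but it is
// still bound as a parameter instead of being escaped and concatenated into the SQL.
function touchUser(PDO $pdo, string $email, string $seenAt): void {
    $stmt = $pdo->prepare("UPDATE users SET lastaccess = :seen WHERE user_email = :email");
    $stmt->execute([':seen' => $seenAt, ':email' => $email]);
}
// One query classifies every user against the 15-minute and 1-year cutoffs, replacing the
// three separate SELECTs. Returns ['online' => [...], 'offline' => [...], 'inactive' => [...]].
function listPresence(PDO $pdo, DateTimeImmutable $now): array {
    $stmt = $pdo->prepare(
        "SELECT user_email,
                CASE WHEN lastaccess > :online THEN 'online'
                     WHEN lastaccess > :active THEN 'offline'
                     ELSE 'inactive' END AS status
           FROM users ORDER BY user_email");
    $stmt->execute([
        ':online' => $now->modify('-15 minutes')->format('Y-m-d H:i:s'),
        ':active' => $now->modify('-1 year')->format('Y-m-d H:i:s'),
    ]);
    $groups = ['online' => [], 'offline' => [], 'inactive' => []];
    foreach ($stmt as $row) {
        $groups[$row['status']][] = $row['user_email'];
    }
    return $groups;
}
touchUser($pdo, 'alice@example.com', $now->format($fmt));
foreach (listPresence($pdo, $now) as $status => $emails) {
    echo "<h3>" . ucfirst($status) . " Users</h3>";
    foreach ($emails as $email) {
        // Escape on output so a crafted address cannot inject markup into the page.
        echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . "<br />";
    }
}
```

Because the cutoffs are bound as 'Y-m-d H:i:s' strings, the same query runs unchanged against a MySQL DATETIME column, and the `<b>x</b>@example.com` row is printed as literal text rather than bold markup.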