
Quote from noyzen on June 26, 2024, 11:19 pm
Hi there
I finally found a way to make a secure system to use neoPhp for storing and reading data for multiple users!
This is the top of my neofunctions.php:
<?php
header("Access-Control-Allow-Origin: *");
//first remove previously saved id var
$currentSessionUserId = -1;
//Session management.
session_start();
//now save session userid for later use in config.php queries.
$currentSessionUserId = $_SESSION["userid"];
//Files configuration
As you can see I have added:
$currentSessionUserId = $_SESSION["userid"];
So now, in config.php and for queries, I can use the variable $currentSessionUserId, which contains the currently logged-in user's id server-side.
Using that, I can limit users to their own records if I want!
Look at this example query in config.php:
//Insert sample
$sqlAlias[0]="db";
$sqlQuerys[0]="INSERT INTO notes (owner,note) VALUES ('$currentSessionUserId',?)";
$sqlMaxUserLevel[0]=1;
The user level for this INSERT action is 1, which means the user has to be logged in...
And the record will be saved with the currently logged-in user's id as owner, and it's server-side!
So I can use the same variable to read "only records that belong to this user if he is logged in".
SELECT Example:
$sqlAlias[2]="db";
$sqlQuerys[2]="SELECT * FROM notes WHERE owner = '$currentSessionUserId'";
$sqlMaxUserLevel[2]=1;
You got the idea? :)
Heh! Now neoPhp is useful for me, in a reliable, secure way.
@luishp, if you find it useful and safe, you can add that line to neofunctions.php in the next versions too.
(Is the top a good place to define the variable? Or should we define it only after a successful login or session start? Should we clear the previously saved one first?)

Quote from luishp on June 29, 2024, 6:09 pm
@noyzen, if the user logs out and logs in again, `$currentSessionUserId` will be updated to the new session ID, causing the user to lose access to their own data if it was tied to the previous session ID.
Alternative Solution:
Instead of relying on `$currentSessionUserId` directly for database operations, use a persistent unique identifier, such as the user's ID stored in the session, to manage user-specific data.
config.php:
Modify the queries to use the persistent `$_SESSION["userid"]` directly in your SQL statements:
$sqlAlias[0] = "db";
$sqlQuerys[0] = "INSERT INTO notes (owner, note) VALUES ('".$_SESSION["userid"]."', ?)";
$sqlMaxUserLevel[0] = 1;
$sqlAlias[1] = "db";
$sqlQuerys[1] = "SELECT * FROM notes WHERE owner = '".$_SESSION["userid"]."'";
$sqlMaxUserLevel[1] = 1;
This ensures that the user can consistently access their data across sessions, even after logging out and logging back in.
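
The owner-scoping pattern from the two posts above, as an added example that is not part of the thread and is not neoPhp's own code: the owner id is taken only from server-side session data, bound as a query parameter instead of being concatenated into the SQL string, and a request without a valid `userid` is rejected before any query runs. It assumes PDO with an in-memory SQLite database; the helper names `currentUserId`, `addNote` and `listNotes` are hypothetical, and the `notes` table is the one from the posts with an `id` column added.

```php
<?php
// Added example: stand-alone PDO/SQLite sketch, not neoPhp's own code.
declare(strict_types=1);

// Resolve the owner id from server-side session data only; fail closed
// when it is missing, malformed, or a placeholder such as -1.
function currentUserId(array $session): int
{
    $id = $session['userid'] ?? null;
    $valid = is_int($id) || (is_string($id) && ctype_digit($id));
    if (!$valid || (int) $id < 1) {
        throw new RuntimeException('not logged in');
    }
    return (int) $id;
}

function addNote(PDO $db, array $session, string $note): void
{
    // Both values are bound; nothing is concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO notes (owner, note) VALUES (:owner, :note)');
    $stmt->execute([':owner' => currentUserId($session), ':note' => $note]);
}

function listNotes(PDO $db, array $session): array
{
    // Reads are scoped by the same session-derived id as writes.
    $stmt = $db->prepare('SELECT note FROM notes WHERE owner = :owner ORDER BY id');
    $stmt->execute([':owner' => currentUserId($session)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data: two logged-in sessions and one anonymous request.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner INTEGER NOT NULL, note TEXT NOT NULL)');

$alice = ['userid' => 1];
$bob   = ['userid' => '2'];   // ids read back from a database are often strings
addNote($db, $alice, 'alice: first note');
addNote($db, $bob, 'bob: private note');
addNote($db, $alice, 'alice: second note');

var_dump(listNotes($db, $alice));
var_dump(listNotes($db, $bob));

try {
    listNotes($db, []);       // session without a userid
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```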

Quote from noyzen on June 29, 2024, 6:15 pm
Nah bro, you are wrong.
I'm not using the session ID; I know that is a bad idea.
The variable contains the user ID, not the session ID, if you check it again :D

Quote from luishp on June 29, 2024, 6:22 pm
@noyzen sorry, it seems we are saying exactly the same thing LOL
Sorry for the confusion.