PHP and DOM

[fomalhaut]

Hello.

I set a user value throught a form (that's ok).

And I want this user to be visible in the "input form" during his whole session.

here's the form:

<form action="index.php" method="post">
Identifiant  :<br /><input type="text" name="utilisateur" id="utilisateur"  /><br />
Mot de Passe :<br /><input type="password" name="upass" /><br />
<input type="submit" name="submit" /><br />
<input type="submit" name="dcnx" value="d&eacute;connexion" id="dcnx" />
</form>

I try to set the

document.getElementById('utilisateur').value

but the value I want to set is a Php variable! How can I do ?


There is the beginning of the Php code:

<?php
if (isset($_POST['dcnx'])) {
  $oldUtil = $_SESSION['util'];
  unset($_SESSION['util']);
  unset($_SESSION['service']);
  ?><script type="text/javascript">
  document.getElementById('dcnx').style.visibility = 'hidden';
  </script><?php
  echo '<center>' .  $oldUtil . ', ton identifiant est maintenant d&eacute;connect&eacute;</center>';
}
$con = mysql_connect("localhost", "jyc_testeur", "a1b2c3d4e5f6");
$db  = "jyc_ayantdroit";
if (!$con) {die('Connection impossible : ' . mysql_error());}
mysql_select_db($db, $con);
if (isset($_SESSION['util'])) {
  $ut = $_SESSION['util'];
  $service = $_SESSION['service'];
  $sql2 = "SELECT * FROM menu_droit WHERE service <= '" . $service . "'";
  include ('menu.php');
}
else {
  $ut = $_POST['utilisateur'];
  $pa = $_POST['upass'];
  $sql = "SELECT * FROM ayant_droit WHERE utilisateur = '" . $ut . "'";
  $result = mysql_query($sql);
  if (mysql_num_rows($result) > 0) {  // l'utilisateur existe dans la base
    while($row = mysql_fetch_array($result)) {
      if ($row['upass'] == $pa) {     // password valide, on charge le menu correspondant au niveau de service
        $_SESSION['util']=$ut;
        $motdepaserrone = ' ';
        $service = $row['service'];
        $_SESSION['service']=$service;
        ?><script type="text/javascript">
        document.getElementById('dcnx').style.visibility = 'visible';

Here I'would like to have something like this:

[B]document.getElementById('utilisateur').value = $ut;[/B]

That's the following Php code:

        </script><?php
        $sql2 = "SELECT * FROM menu_droit WHERE service <= '" . $service . "'";                           
      }  
      else {                      // password invalide
        $motdepaserrone = "<div class='flot'><br /><br /><br /><br /><br /><br /><center class='rouge'>Mot de passe erroné</center></div>";
        $sql2 = "SELECT * FROM menu_droit WHERE service= '000'";
      }
       include ('menu.php'); 
    }
  }
  else {                             /* l'utilisateur n'existe pas dans la base
                                        on charge le menu par défaut */
    ?><script type="text/javascript">
    document.getElementById('dcnx').style.visibility = 'hidden';
    </script><?php                                        
    $sql2 = "SELECT * FROM menu_droit WHERE service= '000'";
    include ('menu.php');
  }
}    
?>

Thank you for help me.

 

[descalzo]

You don't need javascript/DOM
Make sure $ut is either blank or the valid value and then...

<form action="index.php" method="post">
Identifiant  :<br />
 
 
 
<input type="text" name="utilisateur" id="utilisateur"  
      value="<?php echo $ut ?>" /><br />
 
 
 
 
Mot de Passe :<br /><input type="password" name="upass" /><br />
<input type="submit" name="submit" /><br />
<input type="submit" name="dcnx" value="d&eacute;connexion" id="dcnx" />
</form>

 

[xav0989]

This is usually not a problem, but since I don't know if the code you presented is the complete page, make sure that session_start(); is the first thing that appears in your php page. Each page that uses the session information should start by :

<?php
session_start();
?>

 

[misson]

  $ut = $_POST['utilisateur'];
  $pa = $_POST['upass'];
  $sql = "SELECT * FROM ayant_droit WHERE utilisateur = '" . $ut . "'";

This is susceptible to SQL Injection via $_POST['utilisateur'] (and thus $ut and $_SESSION['util']). Either sanitize the user input or (better yet) use prepared statements. In the code you posted, $service should be safe because it's not user input. Of course, should a user find a way to set the `service` field in a row...

    while($row = mysql_fetch_array($result)) {
      if ($row['upass'] == $pa) {     // password valide, on charge le menu correspondant au niveau de service

Never store plaintext passwords. If someone cracks the server, they have all your users' passwords. Since most people use the same password with every account they have, you've just compromised other sites. At a minimum, hash a random value + the username + the password (in that order; don't put the password first) using whirlpool or sha512; store both the hashed password and the random value. Since you're using the random value for just one thing, it's also called a "nonce". The random value + username is called "salt". When a user attempts to log in, hash the purported password before comparing to the stored hashed password. Read "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes" for an introduction to the issues and "Password Hashing" for info on implementing a password storage scheme.

 

[fomalhaut]

Thanks for your comments and help.

Misson, that's very sympathic showing me this password problem. I've read the links you gave me, and I'll try to rewrite my password's access using that.

In the code you posted, $service should be safe because it's not user input

Does that mean I MUST do the same with $service, or does it mean it's not necessary ? (Scuse me, beeing french, I don't understand already all the english sentences !)

 

[misson]

In the code you posted, $service should be safe because it's not user input.

Does that mean I MUST do the same with $service, or does it mean it's not necessary ?

Sanitizing $service isn't necessary, but better safe than sorry, as we say (looks like there's something similar in French: "prudence est mère de sûreté").

Injection attacks can only happen when a user has control over data. If only site administrators and developers can set the value of the "service" field in the database, then it's fairly trustworthy, though there's always the chance of betrayal. If you're the only one with write access to the database, then it's almost completely trustworthy. There's still the chance someone will find a security hole that lets them put data in the security field, which can result in an injection vulnerability. One exploit leads to another.

The safest approach is to sanitize all values used in queries. If you use prepared queries instead of putting values directly in the query, then your queries are automatically protected. The security of prepared queries is the main reason I always recommend using them.

(Scuse me, beeing french, I don't understand already all the english sentences !)

No apology necessary. I'll try not to use too many idioms or unusual grammar.

 

[drf1229]

Ok to post PHP code in javascript is simple. All you have to do is surround it by PHP tags and the "print" function. Here is an example:

document.getelementbyid("object").value=<? print "$var";?>;

Its as simple as that!