I created a login with a user name. Now once the user is validated all is well, they see the page, but if they copy and paste the link it bypasses the login. How can I make it so it goes back to the popup or displays some page?
Here's the code I'm working with:
<html>
<head>
<title>Referral History Look Up</title>
</head>
<body bgcolor="006666">
<?php
// Only read the id from the form; the original relied on $Facid already
// being defined (register_globals) and raised an undefined-index notice.
$Facid = isset($_POST['Facid']) ? $_POST['Facid'] : "";
if ($Facid != "") {
    $db = mysql_pconnect('localhost', 'e', '9');
    if (!$db) {
        echo 'Error: Could not connect to database. Please try again later.';
        exit;
    }
    // Escape the user-supplied value; the original spliced it into the
    // query unescaped, which allows SQL injection.
    $listing_query = "select * from ehpadmin.Facility where Facid = '" . mysql_real_escape_string($Facid, $db) . "'";
    $listing_result = mysql_query($listing_query, $db) or die("Error in return query<br>" . mysql_error($db));
    $num_rows = mysql_num_rows($listing_result);
    if ($num_rows == 0) {
        echo '<font color="white"><b>Please try again</b></font><br><br>';
        print "Practice ID invalid.<br><br>";
        echo '<a href="poup.html"><font color="white">Back</font></a>';
    } else {
        // A valid id only redirects the browser to a static page; nothing on
        // that page re-checks the login, which is why pasting its URL bypasses it.
?>
<script type="text/javascript">
window.location = "reports_1st_quarter.htm";
</script>
<?php
    }
} else { ?>
<form method="POST">
<p align="left"><b><font color="#FFFFFF">Enter Practice Id</font></b></p>
<p align="left">
<input type="text" name="Facid" size="20">
<input type="submit" value="Go">
</p>
</form>
<?php } ?>
<p align="center"> </p>
</body>
</html>
Security problem with php
I use sessions for security. When you log in, the login script sets a few session variables; then on all the pages you want protected, be sure to check the session variables and redirect if they aren't there or aren't right.
I didn't show the use of the secure id in the script, so let me explain it here: I use the md5 of a timestamp (or microtime, usually) and store that as the secure id. The $_SESSION['secure_id'] should be checked against the database when you check security. The reason for this is that the secure id is unique (if it's a microtime) and unknown to the user.
Anyway, that's what I do. Hope it helps.
<?php
// in the login script (session_start() must run before $_SESSION is touched)
session_start();
if (($username == $db_username) && ($password == $db_password)) {
    // login success
    $_SESSION['secure_id'] = $db_secure_id;
    $_SESSION['user_id']   = $db_user_id;
    $_SESSION['user_priv'] = $db_user_priv;
} else {
    // login failed
    // show error
}

// something like this at the top of all the protected pages
// (the original checked $_SESSION[username], which the login never set;
//  secure_id is what the login stores and what should be compared to the database)
session_start();
if (empty($_SESSION['user_id']) || empty($_SESSION['user_priv']) || empty($_SESSION['secure_id'])) {
    header("Location: login.php");
    exit; // without exit the rest of the protected page is still sent after the redirect header
}
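The session scheme described in the answer, applied to the original poster's practice-id login, as an added example that is not code from this thread. It assumes a table Facility(Facid, pw_hash, secure_id) with pw_hash produced by password_hash(), PHP 7 or later with PDO (the mysql_* functions used in the thread were removed in PHP 7.0), and a constructed in-memory SQLite table for the stand-alone demonstration. The names login_user, session_is_valid, require_login and logout_user are this example's own. Two details fix the bypass in the question: the report must be served through a PHP page that calls require_login() first (a plain .htm is handed out by the web server to anyone who pastes its URL), and the redirect must be followed by exit.

```php
<?php
// auth.php -- added example, not code from the original thread.
// Assumptions (not in the thread): table Facility(Facid, pw_hash, secure_id),
// pw_hash from password_hash(), PHP 7+ with PDO.
declare(strict_types=1);

function auth_session_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Login form handler. On success the session is bound to a fresh secure id
// that is also stored server-side, so it can be checked on every page.
function login_user(PDO $db, string $facid, string $password): bool
{
    auth_session_start();
    $stmt = $db->prepare('SELECT Facid, pw_hash FROM Facility WHERE Facid = ?');
    $stmt->execute([$facid]);            // bound parameter: no string splicing
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // drop the pre-login session id (fixation)
    // The answer used md5(microtime()); random_bytes() cannot be guessed from a clock.
    $secureId = bin2hex(random_bytes(32));
    $db->prepare('UPDATE Facility SET secure_id = ? WHERE Facid = ?')
       ->execute([$secureId, $row['Facid']]);
    $_SESSION['user_id']   = $row['Facid'];
    $_SESSION['secure_id'] = $secureId;
    return true;
}

// True only when the session carries a user id AND its secure id still matches
// the value stored for that user (a logout or a newer login invalidates it).
function session_is_valid(PDO $db): bool
{
    auth_session_start();
    if (empty($_SESSION['user_id']) || empty($_SESSION['secure_id'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT secure_id FROM Facility WHERE Facid = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, (string) $_SESSION['secure_id']);
}

// First statement of every protected page, e.g. reports_1st_quarter.php,
// which then includes the report HTML kept outside the web root.
function require_login(PDO $db): void
{
    if (!session_is_valid($db)) {
        header('Location: login.php');
        exit; // mandatory: otherwise the protected content is still sent
    }
}

function logout_user(PDO $db): void
{
    auth_session_start();
    if (!empty($_SESSION['user_id'])) {
        $db->prepare('UPDATE Facility SET secure_id = NULL WHERE Facid = ?')
           ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// Stand-alone demonstration with a constructed in-memory SQLite table.
// Results are collected first and printed last, because session_start() and
// session_regenerate_id() refuse to run once output has been sent.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Facility (Facid TEXT PRIMARY KEY, pw_hash TEXT, secure_id TEXT)');
    $db->prepare('INSERT INTO Facility VALUES (?, ?, NULL)')
       ->execute(['1001', password_hash('correct horse', PASSWORD_DEFAULT)]);

    $results = [];
    $results['fresh session valid']   = session_is_valid($db);                   // false
    $results['wrong password']        = login_user($db, '1001', 'wrong');        // false
    $results['injection attempt']     = login_user($db, "1001' OR '1'='1", 'x'); // false
    $results['correct login']         = login_user($db, '1001', 'correct horse'); // true
    $results['valid after login']     = session_is_valid($db);                   // true
    logout_user($db);
    $results['valid after logout']    = session_is_valid($db);                   // false
    var_dump($results);
}
```

The secure id is compared with hash_equals() rather than == so that PHP's loose comparison cannot be coaxed into a match, and the database lookup on every request is what lets a logout or a second login from elsewhere cut off an older copy of the session.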