Security of admin validator

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Leedsoft Solutions
Forum Newbie
Posts: 11
Joined: Sat Jun 12, 2004 1:17 pm

Security of admin validator

Post by Leedsoft Solutions »

Hey guys! I just created a function that validates whether a user is an administrator or just a regular. How secure do you think my code is? Are there any potential holes or problems that I should be worried about? Thank you for your input!

Code: Select all

<?php
function ValidateAdmin()
{
  $username = addslashes($_COOKIE['ls_username']);
  if (!isset($username)||empty($username)) return false;
  $password = addslashes($_COOKIE['ls_password']);
  if (!isset($password)||empty($password)) return false;
  $query = "SELECT * FROM users WHERE name='$username' AND password='$password' AND class='admin'";
  $db = new database($query);
  (!$db->FetchRow()) ? return false : return true;
  $db->FreeResult();
  $db->close();
  unset($db,$query);
}
?>
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

pretty insecure... storing password in a cookie, seperate, no less from your other cookies..
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Yeah, at least store an encrypted vesion of the password in both the database and cookie incase any body gets a hold of it. Plus why waste space in the database with the class field being at least char(5) when you could simply have tinyint(1) and true is admin, false is not admin.
Leedsoft Solutions
Forum Newbie
Posts: 11
Joined: Sat Jun 12, 2004 1:17 pm

Post by Leedsoft Solutions »

feyd wrote:pretty insecure... storing password in a cookie, seperate, no less from your other cookies..
Well, actually that code is just a mock-up. I'm planning on using sessions to store everything.
kettle_drum wrote:Yeah, at least store an encrypted vesion of the password in both the database and cookie incase any body gets a hold of it. Plus why waste space in the database with the class field being at least char(5) when you could simply have tinyint(1) and true is admin, false is not admin.
As I mentioned above, this code isn't what I am really using. I have already taken what you suggested into consideration.

I'm sorry guys, I guess I should have posted my real code.
Post Reply