
Security of admin validator

Posted: Sat Jun 12, 2004 1:26 pm
by Leedsoft Solutions
Hey guys! I just created a function that validates whether a user is an administrator or just a regular user. How secure do you think my code is? Are there any potential holes or problems that I should be worried about? Thank you for your input!

Code:

<?php
function ValidateAdmin()
{
  // Credentials come straight from cookies here (the mock-up under discussion)
  if (empty($_COOKIE['ls_username'])) return false;
  if (empty($_COOKIE['ls_password'])) return false;
  $username = addslashes($_COOKIE['ls_username']);
  $password = addslashes($_COOKIE['ls_password']);
  $query = "SELECT * FROM users WHERE name='$username' AND password='$password' AND class='admin'";
  $db = new database($query);
  // return is a statement, not an expression, so it cannot be used inside a
  // ternary; capture the result first so the cleanup below is actually reached
  $isAdmin = (bool) $db->FetchRow();
  $db->FreeResult();
  $db->close();
  unset($db, $query);
  return $isAdmin;
}
?>

Posted: Sat Jun 12, 2004 1:45 pm
by feyd
pretty insecure... storing password in a cookie, separate, no less, from your other cookies..

Posted: Sat Jun 12, 2004 2:55 pm
by kettle_drum
Yeah, at least store an encrypted version of the password in both the database and cookie in case anybody gets a hold of it. Plus why waste space in the database with the class field being at least char(5) when you could simply have tinyint(1) and true is admin, false is not admin.

Posted: Sat Jun 12, 2004 11:22 pm
by Leedsoft Solutions
feyd wrote: pretty insecure... storing password in a cookie, separate, no less, from your other cookies..
Well, actually that code is just a mock-up. I'm planning on using sessions to store everything.
kettle_drum wrote: Yeah, at least store an encrypted version of the password in both the database and cookie in case anybody gets a hold of it. Plus why waste space in the database with the class field being at least char(5) when you could simply have tinyint(1) and true is admin, false is not admin.
As I mentioned above, this code isn't what I am really using. I have already taken what you suggested into consideration.

I'm sorry guys, I guess I should have posted my real code.
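Putting the thread's suggestions together (sessions instead of cookies, hashed rather than plaintext passwords, a tinyint admin flag), here is an added example, not the poster's code, of the validator rebuilt on PHP sessions, password_hash() and a PDO prepared statement; the users table layout and the loginUser() helper are assumptions.

```php
<?php
// Added example (not the original poster's code): the admin check rebuilt on
// PHP sessions, password_hash() and a PDO prepared statement. The users table
// layout (id, name, password_hash, is_admin) and loginUser() are assumptions.

function loginUser(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, replacing addslashes()
    $stmt = $db->prepare('SELECT id, password_hash, is_admin FROM users WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; the plaintext never reaches the database or a cookie
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Only an opaque session id goes to the browser; the role stays server-side.
    // A fresh id on login blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    return true;
}

function ValidateAdmin(): bool
{
    // Nothing here can be altered by the client, and no query is needed
    return !empty($_SESSION['user_id']) && !empty($_SESSION['is_admin']);
}

// Constructed demo data in an in-memory SQLite database
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users (name, password_hash, is_admin) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 0]);

ini_set('session.use_cookies', '0'); // CLI demo: there is no browser to send a cookie to
session_start();
$results = [
    'wrong password' => [loginUser($db, 'alice', 'not the password'), ValidateAdmin()],
    'regular user'   => [loginUser($db, 'bob', 'battery staple'), ValidateAdmin()],
    'admin user'     => [loginUser($db, 'alice', 'correct horse'), ValidateAdmin()],
];
print_r($results);
```

Each entry pairs the login outcome with the admin check that follows it, so the non-admin user logs in but fails ValidateAdmin(), while the admin passes both.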