What's wrong with this login check?

Wldrumstcs
Forum Commoner
Posts: 98
Joined: Wed Nov 26, 2003 8:41 pm

What's wrong with this login check?

Post by Wldrumstcs »

I have this put at the top of the admin pages to check whether or not there are cookies named "id","username", and "password". Then it is supposed to check those values against values in a DB. When there are no cookies and I try and access the page, I am blocked like how I should. However, I made a dummy cookie w/ values that weren't in the DB, it still allowed me to view the page.

Code: Select all

<?

mysql_connect("localhost","$username","$password") or die ("Unable to connect to MySQL server."); 
$db = mysql_select_db("$database") or die ("Unable to select requested database.");

$admin = 0;
if($_COOKIE[id] != '' AND $_COOKIE[username] != '' and $_COOKIE[password] !='') {
  $result = mysql_query("SELECT count(username) FROM teachers WHERE username='$_COOKIE[username]' AND password='$_COOKIE[password]' AND id='$_COOKIE[id]'");
  if($result > 0){
    $admin = 1;
}}

if($admin == 1) { ?>

BLAH BLAH BLAH BLAH.........

<?
}else{ echo "
<meta http-equiv='refresh' content='3;URL=login.php'>
<html>
<body bgcolor='#000000'>

	<div align='center'>
		<table border='0' width='100%' height='100%' id='table1' bgcolor='#FF7800' cellspacing='0' cellpadding='0'>
			<tr>
				<td align='center'>
				<p align='center'><font size='5'><b>You must be logged in to view this page</b></font><br><font size='3'>You are being redirected...</font></p></td>
			</tr>
		</table>
	</div>

	</body>
</html>
";}
?>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code: Select all

if(mysql_num_rows($result) > 0)
  $admin = 1;
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

You're best off using sessions, unless you want them to be auto logged in at all times; then use cookies, but be careful of cookie stealers.
Wldrumstcs
Forum Commoner
Posts: 98
Joined: Wed Nov 26, 2003 8:41 pm

Post by Wldrumstcs »

I changed those two lines, yet it still is letting me through w/ the dummy cookie.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Firstly,

Code: Select all

$_COOKIE[username]
should be

Code: Select all

$_COOKIE['username']
and so forth... Secondly, make sure your cookies have the proper values.
I would also encrypt the data using md5 to protect the values. And lastly, if you're checking with num rows, remove the count in the query.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

post your new code, please.
Wldrumstcs
Forum Commoner
Posts: 98
Joined: Wed Nov 26, 2003 8:41 pm

Post by Wldrumstcs »

NM, it works now that I deleted the "(count)". For the record, I do use MD5 protection. TY for the help.
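The behaviour discussed in this thread, as an added example that is not part of any post: a COUNT() query returns exactly one row even when nothing matches, so a row-count test on it accepts any non-empty cookie, while reading the count value does not. It assumes PDO with the pdo_sqlite driver and an in-memory table with one constructed row; the function names and the cookie arrays standing in for `$_COOKIE` are hypothetical.

```php
<?php
// Added example with constructed data; assumes the pdo_sqlite extension is enabled.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE teachers (id INTEGER, username TEXT, password TEXT)");
// Constructed row; the password column holds an MD5 hex string, as in the thread.
$pdo->prepare("INSERT INTO teachers VALUES (?, ?, ?)")
    ->execute([1, 'alice', md5('constructed-secret')]);

const CHECK_SQL =
    "SELECT COUNT(username) FROM teachers WHERE username = ? AND password = ? AND id = ?";

// Flawed check: tests how many rows the COUNT() query returned.
// An aggregate query yields one row (holding 0) even when nothing matches.
function flawedCheck(PDO $pdo, array $cookie): bool
{
    $stmt = $pdo->prepare(CHECK_SQL);
    $stmt->execute([$cookie['username'], $cookie['password'], $cookie['id']]);
    return count($stmt->fetchAll()) > 0;
}

// Corrected check: validates the cookie fields, binds them as parameters,
// and tests the value of the count rather than the number of result rows.
function fixedCheck(PDO $pdo, array $cookie): bool
{
    foreach (['id', 'username', 'password'] as $key) {
        // Cookies can arrive as arrays (name[]=x); accept non-empty strings only.
        if (!isset($cookie[$key]) || !is_string($cookie[$key]) || $cookie[$key] === '') {
            return false;
        }
    }
    $stmt = $pdo->prepare(CHECK_SQL);
    $stmt->execute([$cookie['username'], $cookie['password'], $cookie['id']]);
    return (int) $stmt->fetchColumn() === 1;
}

// Constructed stand-ins for $_COOKIE.
$dummy = ['id' => '99', 'username' => 'nobody', 'password' => 'dummy'];
$valid = ['id' => '1', 'username' => 'alice', 'password' => md5('constructed-secret')];

foreach (['dummy' => $dummy, 'valid' => $valid] as $label => $cookie) {
    printf("%s cookie: flawed=%s fixed=%s\n", $label,
        var_export(flawedCheck($pdo, $cookie), true),
        var_export(fixedCheck($pdo, $cookie), true));
}
```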