What's wrong with this login check?
Posted: Sat Jan 08, 2005 11:22 pm
I have this put at the top of the admin pages to check whether or not there are cookies named "id", "username", and "password". Then it is supposed to check those values against values in a DB. When there are no cookies and I try to access the page, I am blocked, as I should be. However, when I made a dummy cookie with values that weren't in the DB, it still allowed me to view the page.
Code:
<?php
mysql_connect("localhost","$username","$password") or die ("Unable to connect to MySQL server.");
$db = mysql_select_db("$database") or die ("Unable to select requested database.");
$admin = 0;
// Only query the DB when all three cookies are present and non-empty
if($_COOKIE['id'] != '' AND $_COOKIE['username'] != '' and $_COOKIE['password'] !='') {
    $result = mysql_query("SELECT count(username) FROM teachers WHERE username='$_COOKIE[username]' AND password='$_COOKIE[password]' AND id='$_COOKIE[id]'");
    if($result > 0){
        $admin = 1;
    }
}
if($admin == 1) { ?>
BLAH BLAH BLAH BLAH.........
<?php
}else{ echo "
<meta http-equiv='refresh' content='3;URL=login.php'>
<html>
<body bgcolor='#000000'>
<div align='center'>
<table border='0' width='100%' height='100%' id='table1' bgcolor='#FF7800' cellspacing='0' cellpadding='0'>
<tr>
<td align='center'>
<p align='center'><font size='5'><b>You must be logged in to view this page</b></font><br><font size='3'>You are being redirected...</font></p></td>
</tr>
</table>
</div>
</body>
</html>
";}
?>
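Why the dummy cookie gets through, as an added example that is not part of the original post: mysql_query() returns a result resource for any SELECT that runs, not the count, so `$result > 0` is true even when no row matches. The sketch below fetches the count before comparing and binds the cookie values as parameters; it assumes PDO with an in-memory SQLite table of constructed rows in place of the poster's MySQL database, and `is_admin` is a hypothetical name.

```php
<?php
// Added example (not the poster's code). Table rows are constructed sample data;
// in-memory SQLite via PDO stands in for the MySQL database in the post.

function is_admin(PDO $db, array $cookie): bool   // hypothetical helper name
{
    // All three cookies must be present as non-empty strings.
    foreach (['id', 'username', 'password'] as $key) {
        if (!isset($cookie[$key]) || !is_string($cookie[$key]) || $cookie[$key] === '') {
            return false;
        }
    }

    // Bound parameters keep cookie values out of the SQL text.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM teachers
          WHERE id = :id AND username = :username AND password = :password'
    );
    $stmt->execute([
        ':id'       => $cookie['id'],
        ':username' => $cookie['username'],
        ':password' => $cookie['password'],
    ]);

    // Test the fetched count, not the statement handle: the handle exists
    // whenever the query runs, even if zero rows match.
    return (int) $stmt->fetchColumn() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE teachers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO teachers VALUES (1, 'msmith', 'stored-value-1')");

$cases = [
    'matching row'    => ['id' => '1', 'username' => 'msmith', 'password' => 'stored-value-1'],
    'dummy cookie'    => ['id' => '9', 'username' => 'nobody', 'password' => 'whatever'],
    'value with quote' => ['id' => '1', 'username' => "o'brien", 'password' => 'x'],
    'missing cookies' => [],
];
foreach ($cases as $label => $cookie) {
    printf("%-16s admin=%s\n", $label, is_admin($db, $cookie) ? 'yes' : 'no');
}
```

The `password` column here mirrors the cookie scheme in the post; a random session identifier issued at login and looked up server-side would avoid keeping a password-equivalent value in the cookie.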