Login Script

SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

Login Script

Post by SidewinderX »

Well, I've managed to create a login authentication script that passes a session variable (the username) to the file admin.php; however, I'm unsure what I need to do in admin.php to make it only viewable if you are logged in. Also, since we are on the same subject, I was wondering if there are any security issues with my authentication script?

Code:

<?php
session_start();
require("config.php");

// Handle the submitted form before any HTML is sent, so the Location
// header on success is not rejected with "headers already sent".
$error = '';
if (isset($_GET['action']) && $_GET['action'] == 'check')
	{
		$username = $_POST['uname'];
		$password = md5($_POST['pword']);
		// $username is placed straight into the SQL string (see the replies below)
		$q = "SELECT * FROM administrators WHERE username='$username' AND password='$password'";
		$result = mysql_query($q) or die ('Something is wrong with query: ' . $q . '<br>'. mysql_error());
		if(mysql_num_rows($result) > 0)
		{
			$_SESSION['username'] = $username;
			header("Location: admin.php");
			exit; // stop here; do not render the login form after redirecting
		}
		else
		{
			$error = "<b>Incorrect username or password.</b>";
		}
	}

echo "<br><br><br><center>";
echo "<strong>Admin Login</strong><br><br>";
echo "<form method='post' action='index.php?action=check'>
		<table>
			<tr>
				<td>Username:</td>
				<td><input type='text' name='uname'></td>
			</tr><tr>
				<td>Password:</td>
				<td><input type='password' name='pword'></td>
			</tr><tr>
				<td></td>
				<td><input type='submit' value='login'></td>
			</tr>
		</table>
	</form>";
echo $error;
echo "</center>";
?>
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

What you should do is pass whether the user is authenticated, or their userid, so you can check it on each page. As for security, you may want to look at cleaning your posted values before hitting the DB with them. Just a thought.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

I don't think that this belongs in General Discussion.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Thanks Daed, hadn't seen that. Moved to PHP - Code.
SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

Post by SidewinderX »

Whoops, didn't notice I posted in General.

So basically what I did was:

Code:

<?php
session_start();
require("config.php");

// session_is_registered() was deprecated in PHP 5.3 and removed in 5.4;
// the replies below suggest checking $_SESSION directly instead.
if(session_is_registered("username"))
{
	//code goes here
}

?>
And what is meant by cleaning up the POST values?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I don't think you need the session_is_registered() function. You can just use isset() with the $_SESSION['sessionvarname'] var.

As for cleaning, I would always suggest validating your inputs rather than just hand them over to the database. That is insecure and dangerous.
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Don't use session_is_registered() with superglobal arrays.

Also, search these boards for 'SQL injection'.
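Putting the replies together (store an identifier in the session and gate each page with isset(), and never hand raw POST values to the database), here is a hardened version of the login. This is an added example, not code from anyone in the thread, and it uses PHP functions that did not exist when the thread was written (password_hash, password_verify, the ?? operator, scalar type hints, so PHP 7 or later). It assumes config.php creates $pdo, a PDO connection opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and PDO::ATTR_EMULATE_PREPARES => false, and that the administrators table has columns id, username and password_hash, where password_hash holds a password_hash() digest rather than the md5 the poster's table stores. The second section is the gate that would live in admin.php.

```php
<?php
// index.php (added example, not the poster's code). Assumes config.php sets up
// $pdo (PDO, exceptions on, emulated prepares off) and that the administrators
// table has columns id, username, password_hash (a password_hash() digest).
session_start();
require 'config.php';

/**
 * Return the administrator's id if the credentials are valid, otherwise null.
 *
 * The username is bound as a parameter instead of being pasted into the SQL
 * string, so a value such as  ' OR '1'='1  is compared as a literal username
 * and cannot alter the WHERE clause.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM administrators WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one password_verify() so the response time
        // is about the same as for a known user with a wrong password.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['uname'] ?? '');
    $password = (string) ($_POST['pword'] ?? '');

    $adminId = authenticate($pdo, $username, $password);
    if ($adminId !== null) {
        // Fresh session id on login, so an id planted before login
        // is not the one that becomes authenticated.
        session_regenerate_id(true);
        // Store the id, as suggested in the replies, rather than the raw username.
        $_SESSION['admin_id'] = $adminId;
        header('Location: admin.php');
        exit; // nothing after a redirect should run
    }
    $error = 'Incorrect username or password.';
}

// The form is printed only after the redirect decision, so no output
// precedes header(). Nothing user-supplied is echoed back.
echo '<strong>Admin Login</strong>';
if ($error !== '') {
    echo '<p><b>' . $error . '</b></p>';
}
echo '<form method="post" action="index.php">'
   . 'Username: <input type="text" name="uname"> '
   . 'Password: <input type="password" name="pword"> '
   . '<input type="submit" value="login">'
   . '</form>';

// ---- admin.php (a separate file) ----
// Gate every protected page on the session value with isset(), as the
// replies recommend, instead of session_is_registered().
session_start();
if (!isset($_SESSION['admin_id'])) {
    header('Location: index.php');
    exit;
}
// ... admin content for administrator id $_SESSION['admin_id'] goes here ...
```

The query never changes shape whatever the user types, which is the whole point of the prepared statement; validation of the fields (length, allowed characters) is still worth doing on top, but it is not what stops the injection. Existing rows holding md5 digests have to be rehashed with password_hash() before this check will accept them.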