SidewinderX
Forum Contributor
Posts: 407 Joined: Fri Jul 16, 2004 9:04 pm
Location: NY
by SidewinderX » Mon Jul 31, 2006 12:21 am
Well, I've managed to create a login authentication script that passes a session variable (the username) to the file admin.php; however, I'm unsure what I need to do in admin.php to make it viewable only if you are logged in. Also, since we are on the same subject, I was wondering if there are any security issues with my authentication script?
Code:
<?php
session_start();
require("config.php");
echo "<br><br><br><center>";
echo "<strong>Admin Login</strong><br><br>";
echo "<form method='post' action='index.php?action=check'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='uname'></td>
</tr><tr>
<td>Password:</td>
<td><input type='password' name='pword'></td>
</tr><tr>
<td></td>
<td><input type='submit' value='login'></td>
</tr>
</table>
</form>";
echo "</center>";
if (isset($_GET['action']) && $_GET['action'] == 'check')
{
    $username = $_POST['uname'];
    $password = md5($_POST['pword']);
    // $username is interpolated straight into the SQL string (the point raised in the replies below)
    $q = "SELECT * FROM administrators WHERE username='$username' AND password='$password'";
    $result = mysql_query($q) or die('Something is wrong with query: ' . $q . '<br>' . mysql_error());
    if (mysql_num_rows($result) > 0)
    {
        $_SESSION['username'] = $username;
        header("Location: admin.php");
        exit; // stop the script once the redirect header has been sent
    }
    else
    {
        echo "<b>Incorrect username or password.</b>";
    }
}
?>
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Mon Jul 31, 2006 12:27 am
What you should do is pass whether the user is authenticated, or their userid, so you can check it on each page. As for security, you may want to look at cleaning your posted values before hitting the DB with them. Just a thought.
daedalus__
DevNet Resident
Posts: 1925 Joined: Thu Feb 09, 2006 4:52 pm
by daedalus__ » Mon Jul 31, 2006 12:46 am
I don't think that this belongs in General Discussion.
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Mon Jul 31, 2006 12:49 am
Thanks Daed, hadn't seen that. Moved to PHP - Code.
SidewinderX
Forum Contributor
Posts: 407 Joined: Fri Jul 16, 2004 9:04 pm
Location: NY
by SidewinderX » Mon Jul 31, 2006 1:03 am
Whoops, didn't notice I posted in General.
So basically what I did was
Code:
<?php
session_start();
require("config.php");
if (session_is_registered("username"))
{
    // code goes here
}
?>
And what is meant by cleaning up the post values?
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Mon Jul 31, 2006 1:11 am
I don't think you need the session_is_registered() function. You can just use isset() with the $_SESSION['sessionvarname'] var.
As for cleaning, I would always suggest validating your inputs rather than just handing them over to the database. That is insecure and dangerous.
daedalus__
DevNet Resident
Posts: 1925 Joined: Thu Feb 09, 2006 4:52 pm
by daedalus__ » Mon Jul 31, 2006 1:51 am
don't use session_is_registered() with superglobal arrays
also, search these boards for 'SQL injection'
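Pulling the replies together (check the session on every page, store the user id rather than the raw username, and never hand posted values to the database unvalidated), here is a hardened version of the login handler and the admin.php gate. This is an added example, not code posted by anyone in the thread; it assumes config.php provides a PDO connection in $pdo and that the administrators table has an id column and a password_hash column holding password_hash() output instead of the md5 value used above.

```php
<?php
// index.php?action=check : hardened login handler (added example)
session_start();
require("config.php"); // assumed to define $pdo (PDO connection) - assumption

function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Prepared statement: the username is bound as a parameter, so quotes or
    // SQL keywords typed into the form can never change the query text.
    // Column names id/password_hash are assumptions for this example.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM administrators WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against a salted, slow hash produced by
    // password_hash(); unsalted md5() is not suitable for stored passwords.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    return (int) $row['id'];
}

if (($_GET['action'] ?? '') === 'check') {
    $id = authenticate($pdo, (string) ($_POST['uname'] ?? ''), (string) ($_POST['pword'] ?? ''));
    if ($id === null) {
        echo "<b>Incorrect username or password.</b>";
    } else {
        session_regenerate_id(true);  // fresh session id after login
        $_SESSION['admin_id'] = $id;  // store the id, as suggested in the replies
        header('Location: admin.php');
        exit;                          // nothing below must run after the redirect
    }
}

// admin.php : put this at the top of every protected page
//
// session_start();
// if (!isset($_SESSION['admin_id'])) {
//     header('Location: index.php');
//     exit;
// }
// // ... admin content follows only for an authenticated session
```

Creating the stored hash for an administrator is a one-off call to password_hash($plaintext, PASSWORD_DEFAULT) when the account is provisioned.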