Page 1 of 1

Login Script

Posted: Mon Jul 31, 2006 12:21 am
by SidewinderX
Well ive managed to create a login authentication script that passes a session variable (the username) to the file admin.php, however im unsure what i need to do in admin.php to make it only viewable if you are loged in. Also since we are on the same subject, i was wondering if there any security issues with my authentication script?

Code: Select all

<?php
session_start();
require("config.php");
echo "<br><br><br><center>";
echo "<strong>Admin Login</strong><br><br>";
echo "<form method='post' action='index.php?action=check'>
		<table>
			<tr>
				<td>Username:</td>
				<td><input type='text' name='uname'></td>
			</tr><tr>
				<td>Password:</td>
				<td><input type='password' name='pword'></td>
			</tr><tr>
				<td></td>
				<td><input type='submit' value='login'></td>
			</tr>
		</table>
	</form>";
echo "<center>";

if($_GET['action'] == 'check')
	{
		$username = $_POST['uname'];
		$password = md5($_POST['pword']);
		$q = "SELECT * FROM administrators WHERE username='$username' AND password='$password'";
		$result = mysql_query($q) or die ('Something is wrong with query: ' . $q . '<br>'. mysql_error());
		$row = mysql_fetch_assoc($result);
	if(mysql_num_rows($result) > 0)
		{
		$_SESSION['username'] = $username;
		Header("Location: admin.php");
		}
	else 
		{
		echo "<b>Incorrect username or password.</b>";
		}
	}
else 
	{

	}
?>

Posted: Mon Jul 31, 2006 12:27 am
by RobertGonzalez
What you should do is pass whether the user is authenticated, or their userid so you can check it on each page. As for security, you may want to look at cleaning your posted values befre hitting the DB with them. Just a thought.

Posted: Mon Jul 31, 2006 12:46 am
by daedalus__
I don't think that this belongs in General Discussion.

Posted: Mon Jul 31, 2006 12:49 am
by RobertGonzalez
Thanks Daed, hadn't seen that. Moved to PHP - Code.

Posted: Mon Jul 31, 2006 1:03 am
by SidewinderX
woops, didnt notice i posted in general.

so basically what i did was

Code: Select all

<?php
session_start();
require("config.php");

if(session_is_registered("username"))
{ 
//code goes here
}

?>
and what is ment by cleaning up the post values?

Posted: Mon Jul 31, 2006 1:11 am
by RobertGonzalez
I don't think you need the session_is_registered() function. You can just use isset() with the $_SESSION['sessionvarname'] var.

As for cleaning, I would always suggest validating your inputs rather than just hand them over to the database. That is insecure and dangerous.

Posted: Mon Jul 31, 2006 1:51 am
by daedalus__
don't use session_is_registered() with superglobal arrays

also, search these boards for 'SQL injection'