
My Turnkey Career SiteAdmin is not logging on...PLEASE HELP

Posted: Mon Oct 22, 2007 5:50 pm
by mkkay
Everah | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.




Here is the code for my career site siteadmin login:

Code:

<?php

session_start();

require_once "../adminmain.php";

if(!isset($aid)) {
  ?>
  <html>
  <head>
  <title> Admin Login  </title>
  </head>
  <body><center>
  <h1><font size="4" face="Arial, Helvetica, sans-serif">Job Site Admin</font></h1>

  <p><form method="post" action="<?=$PHP_SELF?>">
    <table>
      <tr> 
        <td><font size="2" face="Arial, Helvetica, sans-serif">Username:</font></td>
        <td> <input type="text" name="aid" size="8"></td>
      </tr>
      <tr> 
        <td><font size="2" face="Arial, Helvetica, sans-serif">Password:</font></td>
        <td><input type="password" name="apass" SIZE="8"></td>
      </tr>
      <tr> 
        <td colspan=2 align=right><input type="submit" value=" Login "></td>
      </tr>
      <tr> 
        <td colspan=2 align=center> <a class=TN href=forgot.php> <font size="2" face="Arial, Helvetica, sans-serif">Forgot 
          your password?</font> </a></td>
      </tr>
    </table>
  </form></p>
  </center>
  </body>
  </html>
  <?php
  exit;
}



session_register("aid");
session_register("apass");


$sql = "SELECT * FROM job_admin_login WHERE
        aid = '$aid' AND apass = '$apass'";
$result = mysql_query($sql);
if (!$result)
{
  echo "A database error occurred while checking your login details. <br>If this error persists, please contact crash@traffic-jam.ca";
}

elseif (mysql_num_rows($result) == 0) {
  session_unregister("aid");
  session_unregister("apass");
  ?>
  <html>
  <head>
  <title> Access Denied </title>
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$PHP_SELF?>">here</a>. </p>
  </body>
  </html>
  <?php
  exit;
}

?>




Posted: Mon Oct 22, 2007 6:15 pm
by RobertGonzalez
Since you didn't really ask a question I am not really going to give you an answer. But I would suspect it might have something to do with register_globals.

Posted: Mon Oct 22, 2007 7:10 pm
by Christopher
Ahhhhh PHP3 .... those were the days!!! ;)

Posted: Mon Oct 22, 2007 9:50 pm
by toasty2
arborint wrote: Ahhhhh PHP3 .... those were the days!!! ;)
were? 8O Gosh you mean there's a newer version than 3.0.18? :lol:

PHP code for site admin

Posted: Tue Oct 23, 2007 5:02 am
by mkkay
Sorry about that. My question is how do I get the login to work, because whenever I go to the site admin and put in the password and username it just kind of refreshes the page; it doesn't go into the administrator control panel.....HELP!!!!

Posted: Tue Oct 23, 2007 5:36 am
by patrikG
Update your code, allow cookies in your browser, and check, as Everah has suggested, whether your code depends on register_globals being on (most hosts disable that by default). If your code depends on it, start looking for an update - it's most likely a highly insecure web-application you're running.

Posted: Tue Oct 23, 2007 7:21 am
by mkkay
I don't understand. I'm sorry, but I'm a little bit new to this. What do you mean about the register globals?

Posted: Tue Oct 23, 2007 7:39 am
by patrikG
http://php.net/register_globals

The manual is your friend.

Posted: Tue Oct 23, 2007 10:20 am
by RobertGonzalez
register_globals, in a nutshell, is essentially the superglobal arrays ($_GET, $_POST, $_COOKIE, etc) extracted into their corresponding key/value pairs without the need to call the superglobal itself.

It is like an assumption that a form field named 'user_password' will automatically be in the variable $user_password, when in reality it is not, it is in the superglobal $_POST['user_password'].
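
The difference described in the post above, as an added example that is not part of the original thread or of the application's own code: the credential check reads the form fields from the superglobal instead of expecting $aid and $apass to appear on their own, and binds them as query parameters rather than interpolating them into the SQL string. Assumptions: PDO with an in-memory SQLite database stands in for the site's MySQL server, the column apass_hash and the function check_admin_login() are hypothetical, and the rows and request bodies are constructed sample data.

```php
<?php
// Added example, not the original application's code.
// Assumptions: in-memory SQLite via PDO replaces the site's MySQL server, and the
// hypothetical column apass_hash holds password_hash() output, not a plaintext password.

function check_admin_login(PDO $db, array $post): bool
{
    // With register_globals off, form fields exist only in $_POST;
    // $aid and $apass are never created automatically.
    $aid   = $post['aid']   ?? '';
    $apass = $post['apass'] ?? '';
    if (!is_string($aid) || !is_string($apass) || $aid === '') {
        return false; // missing field, or an array submitted as aid[]=...
    }

    // Bound parameter: the user name is sent as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT apass_hash FROM job_admin_login WHERE aid = ?');
    $stmt->execute([$aid]);
    $hash = $stmt->fetchColumn(); // false when no row matches

    // Verify against the stored hash instead of comparing plaintext in the query.
    return is_string($hash) && password_verify($apass, $hash);
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE job_admin_login (aid TEXT PRIMARY KEY, apass_hash TEXT)');
$db->prepare('INSERT INTO job_admin_login VALUES (?, ?)')
   ->execute(['admin', password_hash('constructed-sample-pass', PASSWORD_DEFAULT)]);

// Constructed request bodies; in the login page this array would be $_POST.
$cases = [
    'valid login'       => ['aid' => 'admin', 'apass' => 'constructed-sample-pass'],
    'wrong password'    => ['aid' => 'admin', 'apass' => 'nope'],
    'quote in username' => ['aid' => "o'brien", 'apass' => 'x'],
    'fields missing'    => [],
];
foreach ($cases as $label => $post) {
    printf("%-18s => %s\n", $label, check_admin_login($db, $post) ? 'accepted' : 'denied');
}

// On success the real page would call session_regenerate_id(true) and store only
// the user id in $_SESSION['aid']; the password never goes into the session.
```

The "fields missing" case is what the original script sees on every request when register_globals is off: $aid is never set, so the login form is shown again.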

Posted: Tue Oct 23, 2007 4:58 pm
by mkkay
So what changes do I make to the register so that it can read the password and username from the SQL database?

Posted: Tue Oct 23, 2007 5:01 pm
by patrikG
mkkay wrote: So what changes do I make to the register so that it can read the password and username from the SQL database?
Read the link I've provided above or, alternatively, find a PHP developer in your area to help you with this.

Posted: Wed Oct 24, 2007 9:41 am
by onion2k
Just looking at the code you've posted so far I really think you should take a step back and rethink your approach. The code in the first post is horrendously insecure. There are no considerations for security in it at all. If you can get it working by modifying your PHP configuration (and likely making it even less secure) your site would be pretty much an open door to a malicious hacker.

What makes this worse is that you mention it's a "career site". I assume that means it's a site where people advertise jobs, post CVs, etc. Monster.com is just such a site and was hacked not too long ago, they lost thousands of CVs and resumes to a hacker. I believe there are several people suing them over it at the moment. You don't want that to happen to you.

Posted: Thu Oct 25, 2007 2:51 pm
by mkkay
Thanks a lot, I guess that's the end of my career site.

Posted: Thu Oct 25, 2007 4:00 pm
by onion2k
If you have so little enthusiasm for it that you give up at the first problem then it wouldn't have succeeded anyway.