Never really come across this idea before, so I presume it's because it's really insecure, but I can't see why. Basically, it gets an admin password from the user and tries to log into the admin database user with it. If it works, then great, you're logged in; if it doesn't, obviously you're not going to be logged in.
<?php
session_start();
if (isset($_POST['submit'])) { //If the user is trying to login
//Undo magic_quotes escaping and trim whitespace from their password submission
$password = stripslashes(trim($_POST['password']));
//Attempt admin connection (mysqli_connect; the old mysql_* extension no longer exists in PHP)
if($link = @mysqli_connect('localhost', 'admin', $password)) {
//If successful
$_SESSION['logged'] = TRUE;
$success = TRUE;
mysqli_close($link);
} else {
//If unsuccessful
$error = TRUE;
}
}
//Show the success message if there is one
if(isset($success)) echo '<p class="success">You are now logged in as admin.</p>';
if(!isset($_SESSION['logged'])) {
//Show the error message if there is one
if(isset($error)) echo '<p class="error">Password incorrect.</p>';
//Show the form
echo '<form action="#" method="post">
Password: <input type="password" name="password" size="20" maxlength="50" class="input" /> <input type="submit" name="submit" value="Submit" class="submit" />
</form>';
}
?>

Two ways I've used in the past are:
Checking the entered password against the correct password (unencoded) in a .txt file on the server
With this one, the password is in plain text in the server, but CHMOD'd so Joe Bloggs can't guess the file location and see the password. If the password matches the user is logged in as admin, and then on the administration pages an admin database connect file is included which logs into the database as the admin (allowing SELECT/UPDATE/DELETE).
Checking the entered password against the correct password (hashed) in the database (logged in as the user)
This one is more common, but it defeats the object for me, because what's the point in having a database user for the administration purposes and a database user for the everyday uses (SELECT'ing) if the admin password is stored in the user's database user?
Anyway, obviously I'm missing something because this seems a no-brainer.
Inform me!
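The second approach the post describes (checking the entered password against a hashed copy stored in the database, while connected as the everyday low-privilege user) written out as an added example. This is not the poster's code. Assumptions: a table admin_auth(id INT, pw_hash VARCHAR(255)) holding one row that the low-privilege account 'webuser' can SELECT from; the database name 'site'; and the admin database credentials kept in a separate file outside the web root that administration pages include only after this check has set the session flag. Passwords are hashed with password_hash() and checked with password_verify(), and mysqli prepared statements replace the removed mysql_* extension.

```php
<?php
// Added example, not the original post's code. Verifies an admin password
// against a stored hash using the low-privilege database account.
declare(strict_types=1);
session_start();

const DB_HOST = 'localhost';
const DB_USER = 'webuser';          // assumption: SELECT-only account
const DB_PASS = 'webuser-password'; // assumption
const DB_NAME = 'site';             // assumption

// One-time setup helper: run once and store the result in admin_auth.pw_hash.
// PASSWORD_DEFAULT is currently bcrypt with a per-hash random salt.
function make_admin_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns true only if $password matches the stored hash. The password itself
// never goes into a query, so no escaping of it is needed.
function verify_admin_password(mysqli $db, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM admin_auth WHERE id = 1');
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Verify against a throwaway hash when the row is missing so that a
    // missing row costs the same time as a wrong password.
    $hash = $row['pw_hash'] ?? make_admin_hash('placeholder');
    return password_verify($password, $hash) && $row !== null;
}

$error = $success = false;
if (isset($_POST['submit'])) { // the user is trying to log in
    $password = (string)($_POST['password'] ?? '');
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    if ($db->connect_error) {
        http_response_code(500);
        exit('Database unavailable.');
    }
    if (verify_admin_password($db, $password)) {
        session_regenerate_id(true); // new session id on login (session fixation)
        $_SESSION['logged'] = true;
        $success = true;
    } else {
        $error = true;
    }
    $db->close();
}

if ($success) echo '<p class="success">You are now logged in as admin.</p>';
if (empty($_SESSION['logged'])) {
    if ($error) echo '<p class="error">Password incorrect.</p>';
    echo '<form action="" method="post">
Password: <input type="password" name="password" size="20" maxlength="50" class="input" />
<input type="submit" name="submit" value="Submit" class="submit" />
</form>';
}
```

To seed the table, call make_admin_hash() once from the command line and insert the returned string into admin_auth.pw_hash; the admin account's own database password is never stored in the table, only the hash of the web login password, so a read of the table by the low-privilege account does not yield database credentials.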