securing admin pages

  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

hey,

im using this script here...

PHP Code:
 
<?php
 
include('connect.php');
 
if ($_POST[user] && $_POST[pass]) {
 
 $user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));
 
 if ($user_data[id] > 0) {
 
  setcookie ("user", md5($user_data[username]));  
 
  setcookie ("pass", md5($user_data[password]));  
 
  header("Location: admin.php");
 
 } else { $login_error= true; }
 
}
 
 
 
// handle login event, both successful and erroneous, or show login screen
 
if ($login_error == true) { ?>
 
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
 
  <tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=index.php>Back</a></td></tr>
 
</table>
 
<?
 
} elseif ($_COOKIE[user] == md5($username) && $_COOKIE[pass] == md5($password)) { ?>
 
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td align=center bgcolor=#123dd4>SECURE AREA</td></tr>
 
  <tr><td align=right><a href=admin.php?logout=true>Logout</a></td></tr>
 
  <tr><td>You have successfully logged in.<br><br>
 
   Encrypted Username: <b><?=  $_COOKIE[user] ?></b><br>
 
   Encrypted Password: <b><?= $_COOKIE[pass] ?></b><br>
 
  </td></tr>
 
</table>
 
<?
 
} else {  
 
?>
 
<form action=admin_login.php method=post>
 
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
 
  <tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
 
  <tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
 
  <tr><td align=center colspan=2><input type=submit value=Login></td></tr>
 
</table>
 
</form>
 
<?
 
}
 
?>
 
 


Now i got the dbase set up with the following:

username
password - md5
cookie
email

Why is it when i try to insert the username and password (correct) it returns as invalid?
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

At first glance this appears to be the problem:

I assume when you are creating the record, you are entering the MD5'd value:

My_Secure_Password -----> ^^&^%%DFGD£DG£FDBE$%V$

But then you try to find a record with the correct username and password
PHP Code:
 
<?php
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));
 
 

You type in "me" and "My_Secure_Password"

it then compares the raw password entered ("My_Secure_Password") with the MD5'd hash in the database (^^&^%%DFGD£DG£FDBE$%V$) and finds they don't match. Therefore invalid password

You need to get the MD5 hash of the entered password to compare it with the MD5 hash in the database.

Let me know if this helps.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

but, i thought the md5 code is just a layer... once i enter a password from the php code it compares the original password and not the md5.

What can i do, to resolve this?
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

What do you mean by a layer?

Actually, I only skim read the code, I'm not at all sure what is going on. Sorry, my bad :?

is the password in the database an MD5 hash, or are you just using MD5 to save the cookie? Bear in mind that MD5 cannot be decrypted.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Ok, what i mean by layer:

I had thought that the md5 code "djsioa92308aqjds" is just hiding the original password, so i can not and no one else can see the password.

I use the MD5 for the password and i used it to save the cookie.

I have now edited the code to look like this:

PHP Code:
 
<?php
 
include('connect.php');
 
if ($_POST[user] && $_POST[pass]) {
 
 $user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));
 
 
 
 if ($user_data[id] > 0) {
 
  setcookie ("user", ($user_data[username]));  
 
  setcookie ("pass", ($user_data[password]));  
 
  header("Location: admin.php");
 
 } else { $login_error = true; }
 
}
 
 
 
// handle login event, both successful and erroneous, or show login screen
 
if ($login_error == true) { ?>
 
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
 
  <tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=index.php>Back</a></td></tr>
 
</table>
 
<?
 
} elseif ($_COOKIE[user] == ($username) && $_COOKIE[pass] == ($password)) { ?>
 
 
 
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td align=center bgcolor=#123dd4>SECURE AREA</td></tr>
 
  <tr><td align=right><a href=admin.php?logout=true>Logout</a></td></tr>
 
  <tr><td>You have successfully logged in.<br><br>
 
   Encrypted Username: <b><?=  $_COOKIE[user] ?></b><br>
 
   Encrypted Password: <b><?= $_COOKIE[pass] ?></b><br>
 
  </td></tr>
 
</table>
 
<?
 
} else {  
 
?>
 
<form action=admin_login.php method=post>
 
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
 
  <tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
 
  <tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
 
  <tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
 
  <tr><td align=center colspan=2><input type=submit value=Login></td></tr>
 
</table>
 
</form>
 
<?
 
}
 
?>
 
 
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

is this correct?

http://www.69kilobytes.co.uk/lol.php
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

im getting this error:

Parse error: parse error in /home/virtual/site2/fst/var/www/html/cp/admin_login.php on line 15

and this is the code

PHP Code:
 
<?PHP
 
include('connect.php');
 
$password=md5($_POST["password"]);
 
$username=$_POST["username"];
 
$adminlogin=mysql_query("SELECT * FROM admin WHERE username='$username' AND password='$password' AND activate='1' AND access='1'")or die(mysql_error());
 
if (mysql_num_rows($adminlogin)>0) {
 
$obj=mysql_fetch_object($adminlogin);
 
$adminhash=md5(''.$obj->name.'-'.$obj->email.'-'.$obj->password.'-1865ac1c23es1s1c1o31de38700198');
 
setcookie("admin", "$username:$adminhash", time()+3600, "/");
 
$explodevars=explode(":",$_COOKIE["admin"]);
 
echo "Welcome '.$explodevars[0].' - You have Admin Access";
 
} else {
 
echo "You do not have permission to access this area, sorry";
 
?>
 
 


this is the form im using

PHP Code:
 
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
 
<form name="admin_login" method="post" action="admin_login.php">
 
<input type="text" name="username" id="$username">
 
<input type="text" name="password" id="$password">
 
  <input type="submit" value="submit" name="submit">
 
</form>
 
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>
 
 
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

when i delete that row, it says another parse error on the row before that and so on, a cycle...
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

You need your closing '}' at the end of your page.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

ok problem fixed, thanks....

now, how do i make sure that what i typed in password box matches the md5 on the dbase?
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

Well if your password in the database is also an md5 then typing the correct password in will show that they match.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

but what i typed is not md5... it is the actual password but the one in the dbase is md5...
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

Then on the page that processes the login, before you do the MySQL query, you should md5 the password, and then do your MySQL query.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

whats wrong with this part of the code:

PHP Code:
 
if ($login_error = false;) {
 
echo "Welcome Admin - You have Admin Access"; }
 
} else {
 
 


there seems to be a parse error, it's to do with the { and }, are they in the right place?
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

You should not put a ' } ' after the echo, you already have it before the else, you either need to do one or the other.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
 
if ($login_error == false) {   // you need to take more care when coding ;o)
 
echo "Welcome Admin - You have Admin Access";
 
} else {
 
 


The MD5 Hash is not a layer. It can't be undone.
This is more or less the way that I would deal with the login
PHP Code:
 
<?php
 
$uName   = (empty($_POST['user'])) ? "" : $_POST['user'];
 
$pass = (empty($_POST['pass'])) ? "" : $_POST['pass'];
 
if ($uName != "" && $pass != "") {
 
   $sql  = "SELECT username, password FROM admin WHERE username='$uName' and password=MD5('$pass')";
 
   $result  = mysql_query($sql);
 
   if ($row = mysql_fetch_array($result)){
 
      $user_data['user'] = $row['username'];
 
      $user_data['pass'] = $row['password'];
 
   }else{
 
      $error = 2;
 
   }
 
}else{
 
   $error = 1;
 
}
 
 
 
switch($error){
 
   case 1:
 
      $errMsg = "Please enter a username and password";
 
      break;
 
   case 2:
 
      $errMsg = "The username and password you entered is incorrect";
 
      break;
 
   default:
 
      $errMsg = "";
 
} // switch
 
?>
 
 


With the MD5 Hash conversion you are unable to retrieve the human readable password.

From here you can set cookies etc.
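
The check this reply describes (hash what was typed, then compare it with the stored hash), as an added example that is not code from the thread or from any poster. It swaps in PDO prepared statements for the `mysql_*` functions (removed in PHP 7) and `password_hash()`/`password_verify()` for bare MD5; the in-memory SQLite table, the sample account and the function names `demo_db` and `check_login` are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite stands in for the thread's MySQL `admin` table.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

    // Store a salted, deliberately slow hash. The raw password is never stored,
    // and an unsalted md5() is too fast to guess against to protect it.
    $stmt = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $stmt->execute(['nem', password_hash('My_Secure_Password', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the admin row id when the credentials match, or null otherwise.
function check_login(PDO $db, string $user, string $pass): ?int
{
    if ($user === '' || $pass === '') {
        return null;
    }

    // Placeholders keep the submitted username out of the SQL text, so a quote
    // character in it is treated as data and cannot change the query.
    // `id` is selected explicitly: a column missing from the SELECT list is
    // simply absent from the fetched row, so a later test on it never passes.
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such user
    }

    // The comparison happens in PHP: password_verify() re-hashes $pass with the
    // salt embedded in the stored value and compares in constant time.
    return password_verify($pass, $row['password']) ? (int) $row['id'] : null;
}

$db = demo_db();
var_dump(check_login($db, 'nem', 'My_Secure_Password')); // correct credentials
var_dump(check_login($db, 'nem', 'wrong-password'));     // wrong password
var_dump(check_login($db, "o'neil", 'anything'));        // quote in input, no SQL error
var_dump(check_login($db, '', ''));                      // empty form
```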
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

PHP Code:
 
<?PHP
 
if ($_POST[user] && md5($_POST[pass])) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));
 
 
 
if ($user_data[id] > 0) {
 
  setcookie ("user", ($user_data[username]));  
 
  setcookie ("pass", ($user_data[password]));  
 
  header("Location: admin.php");
 
} else { $login_error = true; }
 
}
 
if ($login_error = false;) {
 
echo "Welcome Admin - You have Admin Access";
 
} else {
 
echo "You do not have permission to access this area, sorry"; }
 
?>
 
 


here is the full code.... im still getting parse on line 11 which is

PHP Code:
 
if ($login_error = false;) {
 
 


are there any debuggers which can find out these little mishaps?
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
 
if ($login_error == false) {   // you need to take more care when coding ;o)
 
echo "Welcome Admin - You have Admin Access";
 
} else {
 
 //else code
 
}
 
 


read above carefully and then look at your code and you will see what you are doing wrong
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

i really got to stop annoying you guys. im like a newb that just cant seem to get away?

Anyway, thanks Rabid Dog i realised i had to make brackets within IF statements.

When i submit my form to "admin_login.php" which is the above code...

It just says "your logged in" whether its right or wrong.. and then when i want to go to the admin pages it says "you need to log in" o_O

Why is this happening? Suggestions?

--- i fixed the above problem


BUT
Now i just cant seem to log in, it says "No permission.... blah blah" all the time :O

PHP Code:
 
if ($_POST[user] && md5($_POST[pass])) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and MD5('$_POST[pass]')"));
 
 
 
 


The above is right, to make what is typed in md5 so it can compare it?
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

here is my form i use

Code:
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$_POST[user]">
<input type="password" name="password" id="MD5('$_POST[pass]">
 <input type="submit" value="submit" name="submit">
</form>
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
 
if ($_POST[user] && $_POST[pass]) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and MD5('$_POST[pass]')"));
 
 


md5 is an SQL function (as far as I know).

Above I am assuming that the user and pass indexes are being checked so you don't call md5
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Once i use the form action as "admin_login.php", why does a blank page so? Should it go to the main admin page?

Admin login page is the php function of the form
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

I am using your php code just for a try out above.
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

http://uk2.php.net/md5
it's also a php function, but that is neither here nor there. Why I am really posting is to say this:

Nem, you aren't annoying people. If you were no-one would have replied ;) I got confused on this post and when I came back scorpius and RD seemed to be getting you on track. Anyway, I am more than happy to help you because I saw you write this on one of your first posts here:
Nem wrote:
im new to this language, and like learning it.

Would you be able to spare your time to explain what each change is doing and what has improved?

i dont want to copy n paste and end up not know whats going on.... i like to learn about web design :D

Far too many people want to be spoon fed, I find it nice to see someone who is really trying, even if they are struggling sometimes :D
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

:) thank you *sniff sniff* (grabs tissue box)

I started on this code "admin_login.php" which is an action of this form below:

Code:
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$user">
<input type="password" name="password" id="MD5('$pass']">
 <input type="submit" value="submit" name="submit">
</form>
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>


now on the admin_login.php

PHP Code:
 
<?PHP
 
if ($_POST[user] && md5($_POST[pass])) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));
 
 
 
if ($user_data[id] > 1) {
 
  setcookie ("user", ($user_data[username]));  
 
  setcookie ("pass", ($user_data[password]));  
 
  header("Location: admin.php");
 
} else { $login_error = false; }
 
}
 
if ($login_error == true) {
 
echo "Welcome Admin - You have Admin Access";
 
} else {
 
echo "You do not have permission to access this area, sorry";
 
}
 
?>
 
 


I seem to be a bit stuck. Where it says

userdata id > 1 im assuming this means... "if they match" then carry on?


When i insert the correct username and password it still says "you do not have permission blah blah".
This also happens with the wrong one.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

Nem wrote:
Once i use the form action as "admin_login.php", why does a blank page so? Should it go to the main admin page?

Admin login page is the php function of the form


go to the main_admin_page. the page with the admin_function just needs to be included

If I am understanding correctly.

Just a question. Have you planned this project at all?
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Rabid Dog, I got to be truthful to you and the answer is no. :$

But my friends clan needs to be up asap really as they got some gaming tournies.

And frankly, i never plan. :( ... I just learn as i go really.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
 
<?PHP
 
if ($_POST[user] && md5($_POST[pass])) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));
 
 
 
if ($user_data[id] > 1) {  // CHECKING TO SEE IF THE RETURNED RESULT ID IS GREATER THAN 1, if it is then the query on the DB was successful which means the user is valid,
 
  setcookie ("user", ($user_data[username]));    
 
  setcookie ("pass", ($user_data[password]));    
 
  header("Location: admin.php");
 
} else { $login_error = false; }
 
}
 
if ($login_error == true) {
 
echo "Welcome Admin - You have Admin Access";
 
} else {
 
echo "You do not have permission to access this area, sorry";
 
}
 
?>
 
 
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

Nem:

http://www.techtutorials.com/tutorials/ ... shtml#sdlc

I will point your attention to
Quote:
Phase 5 [test and debug] is a critical time but can be minimised if the previous steps are correct.


The previous steps being mostly planning.

Any corner cutting you do will cost you time and possibly sanity. No one likes to do the planning part, it's dull, but you will learn to appreciate just how important it is. I hate planning, but I would never dream of writing any code, other than the most simple functions, without getting my head around the problem first.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Rabid, on the other pages it looks for a cookie...

PHP Code:
 
if(isset($_COOKIE["admin"])) { echo 'welcome'; } elseif (isset($_COOKIE["user"])) { echo 'This is your normal user area';} else { echo 'You need to login to view this area of the site';}?>
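
A page check that tests only whether a cookie named `admin` exists accepts any value the browser sends, because cookies are client-controlled. One way to make the cookie verifiable, as an added example that is not code from the thread: the token carries a username and expiry protected by an HMAC that only the server can compute. The key, the token layout and the function names `make_admin_token`, `verify_admin_token` and `send_admin_cookie` are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed key for the demo; a deployment would load a long random key from configuration.
const COOKIE_KEY = 'constructed-demo-key-not-for-production';

// Build "username|expiry|mac". The MAC covers username and expiry, so neither
// field can be edited on the client without invalidating the token.
function make_admin_token(string $username, int $expires, string $key = COOKIE_KEY): string
{
    // rawurlencode() guarantees the username cannot contain the "|" delimiter.
    $payload = rawurlencode($username) . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns the username if the token is authentic and unexpired, otherwise null.
function verify_admin_token(?string $token, int $now, string $key = COOKIE_KEY): ?string
{
    if ($token === null) {
        return null; // no cookie sent
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null; // wrong shape, e.g. a bare value typed into the cookie
    }
    [$user, $expires, $mac] = $parts;

    // Recompute the MAC server-side and compare in constant time.
    $expected = hash_hmac('sha256', $user . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Only after the MAC checks out is the expiry field trusted.
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    return rawurldecode($user);
}

// Web-context helper (not called in this CLI demo): send the token with flags
// that keep it away from page scripts and off plain-HTTP connections.
function send_admin_cookie(string $token, int $expires): void
{
    setcookie('admin', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample values for the demo run.
$now   = 1700000000;
$token = make_admin_token('nem', $now + 3600);

var_dump(verify_admin_token($token, $now));                             // valid token
var_dump(verify_admin_token('nem', $now));                              // cookie that merely exists
var_dump(verify_admin_token(null, $now));                               // no cookie
var_dump(verify_admin_token($token, $now + 7200));                      // expired
var_dump(verify_admin_token(str_replace('nem', 'bob', $token), $now));  // edited username
```

On an admin page the gate becomes `verify_admin_token($_COOKIE['admin'] ?? null, time()) !== null` in place of `isset($_COOKIE["admin"])`; PHP's built-in sessions (`session_start()` with the identity kept in `$_SESSION`) achieve the same goal by keeping the state on the server.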
 
 
