securing admin pages

  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

hey,

im using this script here...

PHP Code:
<?php
include('connect.php');
if ($_POST[user] && $_POST[pass]) {
 $user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));
 if ($user_data[id] > 0) {
  setcookie ("user", md5($user_data[username]));
  setcookie ("pass", md5($user_data[password]));
  header("Location: admin.php");
 } else { $login_error= true; }
}

// handle login event, both successful and erroneous, or show login screen
if ($login_error == true) { ?>
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
  <tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=index.php>Back</a></td></tr>
</table>
<?
} elseif ($_COOKIE[user] == md5($username) && $_COOKIE[pass] == md5($password)) { ?>
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>SECURE AREA</td></tr>
  <tr><td align=right><a href=admin.php?logout=true>Logout</a></td></tr>
  <tr><td>You have successfully logged in.<br><br>
   Encrypted Username: <b><?=  $_COOKIE[user] ?></b><br>
   Encrypted Password: <b><?= $_COOKIE[pass] ?></b><br>
  </td></tr>
</table>
<?
} else {
?>
<form action=admin_login.php method=post>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
  <tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
  <tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
  <tr><td align=center colspan=2><input type=submit value=Login></td></tr>
</table>
</form>
<?
}
?>


Now i got the dbase set up with the following:

username
password - md5
cookie
email

Why is it when i try to insert the username and password (correct) it returns as invalid?
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

At first glance this appears to be the problem:

I assume when you are creating the record, you are entering the MD5'd value:

My_Secure_Password -----> ^^&^%%DFGD£DG£FDBE$%V$

But then you try to find a record with the correct username and password
PHP Code:
<?php
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));

You type in "me" and "My_Secure_Password"

it then compares the raw password entered ("My_Secure_Password") with the MD5'd hash in the database (^^&^%%DFGD£DG£FDBE$%V$) and finds they don't match. Therefore invalid password

You need to get the MD5 hash of the entered password to compare it with the MD5 hash in the database.

Let me know if this helps.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

but, i thought the md5 code is just a layer... once i enter a password from the php code it compares the original password and not the md5.

What can i do, to resolve this?
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

What do you mean by a layer?

Actually, I only skim read the code, I'm not at all sure what is going on. Sorry, my bad :?

is the password in the database an MD5 hash, or are you just using MD5 to save the cookie? Bear in mind that MD5 cannot be decrypted.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Ok, what i mean by layer:

I had thought that the md5 code "djsioa92308aqjds" is just hiding the original password, so i can not and no one else can see the password.

I use the MD5 for the password and i used it to save the cookie.

I have now edited the code to look like this:

PHP Code:
<?php
include('connect.php');
if ($_POST[user] && $_POST[pass]) {
 $user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));

 if ($user_data[id] > 0) {
  setcookie ("user", ($user_data[username]));
  setcookie ("pass", ($user_data[password]));
  header("Location: admin.php");
 } else { $login_error = true; }
}

// handle login event, both successful and erroneous, or show login screen
if ($login_error == true) { ?>
 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
  <tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=index.php>Back</a></td></tr>
</table>
<?
} elseif ($_COOKIE[user] == ($username) && $_COOKIE[pass] == ($password)) { ?>

 <table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td align=center bgcolor=#123dd4>SECURE AREA</td></tr>
  <tr><td align=right><a href=admin.php?logout=true>Logout</a></td></tr>
  <tr><td>You have successfully logged in.<br><br>
   Encrypted Username: <b><?=  $_COOKIE[user] ?></b><br>
   Encrypted Password: <b><?= $_COOKIE[pass] ?></b><br>
  </td></tr>
</table>
<?
} else {
?>
<form action=admin_login.php method=post>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
  <tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
  <tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
  <tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
  <tr><td align=center colspan=2><input type=submit value=Login></td></tr>
</table>
</form>
<?
}
?>
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

is this correct?

http://www.69kilobytes.co.uk/lol.php
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

im getting this error:

Parse error: parse error in /home/virtual/site2/fst/var/www/html/cp/admin_login.php on line 15

and this is the code

PHP Code:
<?PHP
include('connect.php');
$password=md5($_POST["password"]);
$username=$_POST["username"];
$adminlogin=mysql_query("SELECT * FROM admin WHERE username='$username' AND password='$password' AND activate='1' AND access='1'")or die(mysql_error());
if (mysql_num_rows($adminlogin)>0) {
$obj=mysql_fetch_object($adminlogin);
$adminhash=md5(''.$obj->name.'-'.$obj->email.'-'.$obj->password.'-1865ac1c23es1s1c1o31de38700198');
setcookie("admin", "$username:$adminhash", time()+3600, "/");
$explodevars=explode(":",$_COOKIE["admin"]);
echo "Welcome '.$explodevars[0].' - You have Admin Access";
} else {
echo "You do not have permission to access this area, sorry";
?>


this is the form im using

PHP Code:
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$username">
<input type="text" name="password" id="$password">
  <input type="submit" value="submit" name="submit">
</form>
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

when i delete that row, it says another parse error on the row before that and so on, a cycle...
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

You need your closing '}' at the end of your page.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

ok problem fixed, thanks....

now, how do i make sure that what i typed in password box matches the md5 on the dbase?
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

Well if your password in the database is also an md5 then typing the correct password in will show that they match.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

but what i typed is not md5... it is the actual password but the one in the dbase is md5...
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

Then on the page that processes the login, before you do the MySQL query, you should md5 the password, and then do your MySQL query.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

whats wrong with this part of the code:

PHP Code:
if ($login_error = false;) {
echo "Welcome Admin - You have Admin Access"; }
} else {


there seems to be a parse error, it's to do with the { and }, are they in the right place?
  • Scorpius
  • Proficient
  • Posts: 401
  • Loc: Scorpion Hole

Post 3+ Months Ago

You should not put a ' } ' after the echo, you already have it before the else, you either need to do one or the other.
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
if ($login_error == false) {   // you need to take more care when coding ;o)
echo "Welcome Admin - You have Admin Access";
} else {


The MD5 Hash is not a layer. It can't be undone.
This is more or less the way that I would deal with the login
PHP Code:
<?php
include('connect.php'); // opens the MySQL connection, as in the script at the top of the thread

$error = 0; // stays 0 when the login succeeds

$uName   = (empty($_POST['user'])) ? "" : $_POST['user'];
$pass = (empty($_POST['pass'])) ? "" : $_POST['pass'];

if ($uName != "" && $pass != "") {
   // escape both values before they are placed inside the SQL string
   $uName = mysql_real_escape_string($uName);
   $pass  = mysql_real_escape_string($pass);
   // MD5() hashes the submitted password so it is compared with the stored hash
   $sql  = "SELECT username, password FROM admin WHERE username='$uName' and password=MD5('$pass')";
   $result  = mysql_query($sql);
   if ($row = mysql_fetch_array($result)){
      $user_data['user'] = $row['username'];
      $user_data['pass'] = $row['password'];
   }else{
      $error = 2;
   }
}else{
   $error = 1;
}

switch($error){
   case 1:
      $errMsg = "Please enter a username and password";
      break;
   case 2:
      $errMsg = "The username and password you entered is incorrect";
      break;
   default:
      $errMsg = "";
} // switch
?>


With the MD5 Hash conversion you are unable to retrieve the human readable password.

From here you can set cookies etc.
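
Added example, not part of the thread or any poster's code: the same login check written with a bound query parameter and `password_hash()`/`password_verify()`, with an upgrade path for rows that still hold the unsalted MD5 values discussed above. It assumes PHP 7.1+ with the `pdo_sqlite` extension and an `admin` table that has an `id` column; the function names and sample accounts are constructed for illustration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database via PDO
// stands in for the MySQL connection the thread opens in connect.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Constructed sample rows: one legacy account stored as md5(), as in the thread,
// and one already stored with password_hash().
$seed = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
$seed->execute(['legacy_admin', md5('My_Secure_Password')]);
$seed->execute(['new_admin', password_hash('Another_Password', PASSWORD_DEFAULT)]);

/** True when the stored value looks like a bare 32-character md5 hex digest. */
function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/** Replace the stored value with a salted, slow hash of the verified password. */
function store_new_hash(PDO $db, int $id, string $pass): void
{
    $upd = $db->prepare('UPDATE admin SET password = ? WHERE id = ?');
    $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $id]);
}

/** Verify a login. Returns the admin id, or null on any failure. */
function check_login(PDO $db, string $user, string $pass): ?int
{
    if ($user === '' || $pass === '') {
        return null;
    }

    // The username is a bound parameter, never spliced into the SQL text.
    // The query selects id as well, because the caller uses it as the result.
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $id = (int) $row['id'];
    $stored = (string) $row['password'];

    if (is_legacy_md5($stored)) {
        // Hash the submitted password the same way as the stored value,
        // then compare in constant time.
        if (!hash_equals($stored, md5($pass))) {
            return null;
        }
        store_new_hash($db, $id, $pass); // upgrade the row on first good login
        return $id;
    }

    if (!password_verify($pass, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_new_hash($db, $id, $pass);
    }
    return $id;
}

// Constructed demonstration calls.
var_dump(check_login($db, 'legacy_admin', 'My_Secure_Password')); // correct password, md5 row
var_dump(check_login($db, 'legacy_admin', 'wrong'));              // wrong password
var_dump(check_login($db, 'new_admin', 'Another_Password'));      // correct password, password_hash row
var_dump(check_login($db, 'nobody', 'anything'));                 // unknown user

// After the first successful login the legacy row no longer holds an md5 digest.
$stored = $db->query("SELECT password FROM admin WHERE username = 'legacy_admin'")->fetchColumn();
var_dump(is_legacy_md5($stored));
```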
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

PHP Code:
<?PHP
if ($_POST[user] && md5($_POST[pass])) {
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and password='$_POST[pass]'"));

if ($user_data[id] > 0) {
  setcookie ("user", ($user_data[username]));
  setcookie ("pass", ($user_data[password]));
  header("Location: admin.php");
} else { $login_error = true; }
}
if ($login_error = false;) {
echo "Welcome Admin - You have Admin Access";
} else {
echo "You do not have permission to access this area, sorry"; }
?>


here is the full code.... im still getting parse on line 11 which is

PHP Code:
if ($login_error = false;) {


are there any debuggers which can find out these little mishaps?
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
if ($login_error == false) {   // you need to take more care when coding ;o)
echo "Welcome Admin - You have Admin Access";
} else {
 //else code
}


read above carefully and then look at your code and you will see what you are doing wrong
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

i really got to stop annoying you guys. im like a newb that just cant seem to get away?

Anyway, thanks Rabid Dog i realised i had to make brackets within IF statements.

When i submit my form to "admin_login.php" which is the above code...

It just says "your logged in" whether its right or wrong.. and then when i want to go to the admin pages it says "you need to log in" o_O

Why is this happening? Suggestions?

--- i fixed the above problem


BUT
Now i just cant seem to log in, it says "No permission.... blah blah" all the time :O

PHP Code:
if ($_POST[user] && md5($_POST[pass])) {
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and MD5('$_POST[pass]')"));


The above is right, to make what is typed in md5 so it can compare it?
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

here is my form i use

Code:
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$_POST[user]">
<input type="password" name="password" id="MD5('$_POST[pass]">
 <input type="submit" value="submit" name="submit">
</form>
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
if ($_POST[user] && $_POST[pass]) {
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$_POST[user]' and MD5('$_POST[pass]')"));


md5 is an SQL function (as far as I know).

Above I am assuming that the user and pass indexes are being checked so you don't call md5
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Once i use the form action as "admin_login.php", why does a blank page show? Should it go to the main admin page?

Admin login page is the php function of the form
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

I am using your php code just for a try out above.
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

http://uk2.php.net/md5
it's also a php function, but that is neither here nor there. Why I am really posting is to say this:

Nem, you aren't annoying people. If you were no-one would have replied ;) I got confused on this post and when I came back scorpius and RD seemed to be getting you on track. Anyway, I am more than happy to help you because I saw you write this on one of your first posts here:
Nem wrote:
im new to this language, and like learning it.

Would you be able to spare your time to explain what each change is doing and what has improved?

i dont want to copy n paste and end up not know whats going on.... i like to learn about web design :D

Far too many people want to be spoon fed, I find it nice to see someone who is really trying, even if they are struggling sometimes :D
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

:) thank you *sniff sniff* (grabs tissue box)

I started on this code "admin_login.php" which is an action of this form below:

Code:
<? include('http://www.69kilobytes.co.uk/header.php'); ?>
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$user">
<input type="password" name="password" id="MD5('$pass']">
 <input type="submit" value="submit" name="submit">
</form>
<? include('http://www.69kilobytes.co.uk/footer.php'); ?>


now on the admin_login.php

PHP Code:
<?PHP
if ($_POST[user] && md5($_POST[pass])) {
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));

if ($user_data[id] > 1) {
  setcookie ("user", ($user_data[username]));
  setcookie ("pass", ($user_data[password]));
  header("Location: admin.php");
} else { $login_error = false; }
}
if ($login_error == true) {
echo "Welcome Admin - You have Admin Access";
} else {
echo "You do not have permission to access this area, sorry";
}
?>


I seem to be a bit stuck. Where it says

userdata id > 1 im assuming this means... "if they match" then carry on?


When i insert the correct username and password it still says "you do not have permission blah blah".
This also happens with the wrong one.
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

Nem wrote:
Once i use the form action as "admin_login.php", why does a blank page show? Should it go to the main admin page?

Admin login page is the php function of the form


go to the main_admin_page. the page with the admin_function just needs to be included

If I am understanding correctly.

Just a question. Have you planned this project at all?
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Rabid Dog, I got to be truthful to you and the answer is no. :$

But my friends clan needs to be up asap really as they got some gaming tournies.

And frankly, i never plan. :( ... I just learn as i go really.
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

PHP Code:
<?PHP
if ($_POST[user] && md5($_POST[pass])) {
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));

if ($user_data[id] > 1) {  // CHECKING TO SEE IF THE RETURNED RESULT ID IS GREATER THAN 1, if it is then the query on the DB was successful which means the user is valid,
  setcookie ("user", ($user_data[username]));
  setcookie ("pass", ($user_data[password]));
  header("Location: admin.php");
} else { $login_error = false; }
}
if ($login_error == true) {
echo "Welcome Admin - You have Admin Access";
} else {
echo "You do not have permission to access this area, sorry";
}
?>
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

Nem:

http://www.techtutorials.com/tutorials/ ... shtml#sdlc

I will point your attention to
Quote:
Phase 5 [test and debug] is a critical time but can be minimised if the previous steps are correct.


The previous steps being mostly planning.

Any corner cutting you do will cost you time and possibly sanity. No one likes to do the planning part, it's dull, but you will learn to appreciate just how important it is. I hate planning, but I would never dream of writing any code, other than the most simple functions, without getting my head around the problem first.
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Rabid, on the other pages it looks for a cookie...

PHP Code:
if(isset($_COOKIE["admin"])) { echo 'welcome'; } elseif (isset($_COOKIE["user"])) { echo 'This is your normal user area';} else { echo 'You need to login to view this area of the site';}?>
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

what does the third one mean?

Image
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

I'm just asking because if you plan a project properly development time is cut in half. I understand urgent deadlines, pain in the bum really but if you are learning at the moment then I would recommend that planning be one of the lessons. :wink:

That way you can map out your application nicely and not end up wanting a script to block proxies - :twisted:
  • Nem
  • Guru
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

True Rabid, never in my life have i ever planned but im keen to take up your advice on that :)
  • Rabid Dog
  • Web Master
  • Posts: 3243
  • Loc: South Africa

Post 3+ Months Ago

An algorithm is the heart of your application.

Your log on procedure that you are currently working on is an algorithm.

No 3 is the planning of the algorithm probably using uml (unified modeling language - which you will learn about as you go on).

You don't have to sit and draw neat diagrams and stuff, just a pen, piece of paper and draw up flow diagrams that solve your specific problem.

Like the reference though :lol:
  • Nem
  • Guru
  • Guru
  • Nem
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

Ah, I just use Paint, I got a small workstation :P
  • rtm223
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

The site was the first thing I could find in the systems life cycle, that had the steps all written out.

I tend to use pencil and an A3 pad for drawing though :)

Think of it this way nem, planning may be dull, but at least it doesn't get stressful like debugging does. Avoid all the stress you can. I'll pick dull over pulling out my hair any day lol.

In the past when I have not planned properly, I have got halfway through (about a month's work) and realised the other half would never work unless I re-wrote everything. I shall not be making that mistake again :roll:

//Good call on the proxies btw
  • Nem
  • Guru
  • Guru
  • Nem
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

I suppose, you never know, it will help on a project I'm planning on doing soon.

May save me from getting hacked too!
  • Nem
  • Guru
  • Guru
  • Nem
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

I'm back to my code now.

I changed the cookie code, is this correct at all?

PHP Code:
 
if ($user_data[id] > 1) {
 
Setcookie("admin", $userid, Time()+3600);
 
header("Location: admin.php");
 
 

Now on the other pages:

PHP Code:
if(isset($_COOKIE["admin"])) { echo 'welcome'; } else { echo 'You need to login to view this area of the site';}?>
  • Nem
  • Guru
  • Guru
  • Nem
  • Posts: 1243
  • Loc: UK

Post 3+ Months Ago

What have I done? :O

PHP Code:
<?PHP
 
include('connect.php');
 
if ($_POST[user] && md5($_POST[pass])) {
 
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));
 
//If they match add a cookie and go to admin page
 
if ($user_data[id] > 0) {
 
Setcookie("admin", $userid, Time()+3600);
 
//Otherwise
 
} else { $login_error = false; }
 
}
 
//If its right show this message
 
if ($login_error == true) {
 
echo "Welcome Admin - You have Admin Access <a href=admin.php>click here to continue</a>";
 
//If not then show this
 
} else {
 
echo "You do not have permission to access this area, sorry <a href=login.php>click here to go back</a>";
 
}
 
?>
 
 

Ok the first line...

PHP Code:
if ($_POST[user] && md5($_POST[pass])) {

Here I am saying "If.. the username and the password" - right?

Then on the second line:
PHP Code:
$user_data = mysql_fetch_array(mysql_query("SELECT username, password FROM admin WHERE username='$user' and password='MD5('$pass')'"));

I'm asking for specific data and then making them arrays? (I think that's what they are called)

-From here how will I make them match, through the form?
The form elements are right, yes?
Code:
<form name="admin_login" method="post" action="admin_login.php">
<input type="text" name="username" id="$user">
<input type="password" name="password" id="MD5('$pass']">
 <input type="submit" value="submit" name="submit">
</form>


But, on the third line and below:
PHP Code:
 
if ($user_data[id] > 0) {
 
Setcookie("admin", $userid, Time()+3600);
 
//Otherwise
 
} else { $login_error = false; }

When I say user data '0', does this mean if it's true or false?


I read it again and now I'm :shock: :x :roll:


© 1998-2016. Ozzu® is a registered trademark of Unmelted, LLC.