lukerodham Posted April 6, 2011

Hi guys, how are you doing? I'm new here so take it easy on me. Basically I just need some quick help and I thought this would be the best place to ask. I've been working on an admin login script but can't seem to get it right; I mean I can log in with random passwords :/ and also every time I go to index.php it shows the information I don't want it to without being logged in. I've got the script running live just in case anyone wants to see what I mean; it's at http://www.lukerodham.co.uk/admin. Here's the code. Thanks in advance.

index.php

<?php
require_once("login.php");
$adminuser = $_SESSION['user'];
?>
<html>
<head>
<title>hoonigans.co.uk</title>
</head>
<body>
<h3 align="center">Welcome to the admin page.</h3>
<span class="maintext"><br />
<p align="center">If you would like to post some news please <a href="news/post.php">click here</a>.<br />
To logout please <a href="logout.php">click here</a></p>
</body>
</html>

login.php

<?php
function loginpage($error){
    echo "
    <html>
    <body>
    <div align='center'>
    <form method='post' action='".$_SERVER['REQUEST_URI']."'>
    <label>username: <input type='text' name='username' id='username'><br>
    <label>password: <input type='password' name='password' id='password'><br>
    </label>
    <label>
    <input type='submit' name='submit' id='submit' value='submit'>
    </label>
    </form>
    </div>
    </body>
    </html>
    ";
}

$username = $_POST['username'];
$password = $_POST['password'];
$login = $_post['login'];

$host = *********;
$dbuser = *********;
$dbname = *********;
$dbpass = *********;

mysql_connect("$host","$dbuser","$dbpass");
mysql_select_db("$dbname");

session_start();

if($_SESSION['user'] != $username){
    if(!$submit){
        loginpage(false);
    }
    elseif($submit){
        $get = mysql_query("SELECT * FROM users WHERE username='$username'");
        while ($row = mysql_fetch_assoc($get)){
            $admin = $row['admin'];
            $passwordmatch = $row['password'];
            if ($passwordmatch==$password&&$admin==1){
                $_SESSION['user']="$username";
                echo "this worked";
            }
            else{
                die("Sorry wrong information.");
            }
        }
    }
}
?>

Link to comment https://forums.phpfreaks.com/topic/232851-admin-login-script/
ttocskcaj Posted April 6, 2011

This is the normal way to handle logins.

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));
if($rows>0){
    //login was correct
    //set session
} else {
    //login FAILED
    //show error
}
monkeytooth Posted April 6, 2011

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));

Bear in mind this is user input, client side, so sanitize your queries:

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'"));
ttocskcaj Posted April 6, 2011

True that. I was just thinking in terms of simplicity lol.
monkeytooth Posted April 6, 2011

I hear ya on simplicity. Got no problems with that. But I can't just walk past a post that has no mention of something like sanitization and looks like the OP might not know better (yet), and not mention it, as it's good practice to pick up right from the beginning.
lukerodham (Author) Posted April 6, 2011

Cheers guys, I'll see what happens. Thank you, much love...
lukerodham (Author) Posted April 6, 2011

Sorry to be a pain guys, I've just edited the script with what you said. Just one thing though: you can still see the admin stuff on index.php without logging in. Is there a quick way around this?
monkeytooth Posted April 6, 2011

Spoofing the session/cookie that you're checking for would be one way around it, if that's what you're asking.
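A hardened version of the flow this thread ends on, added here as an example and not code from any of the posts above: the lookup is a prepared statement (so the escaping monkeytooth asks for is done by the driver), the stored password is a password_hash() hash rather than plaintext, the session id is regenerated on login, and index.php refuses to render until the server-side session flag is set, which is what stops the admin page showing without a login. The users table with username, password_hash and admin columns, the auth.php file name and the mysqli credentials are all assumptions.

```php
<?php
// ---- auth.php (assumed shared include; table/column names are assumptions) ----
session_start();

function require_admin(): void {
    // Gate on the server-side session flag only, never on anything the client sends.
    if (empty($_SESSION['admin_user'])) {
        header('Location: login.php');
        exit;                        // nothing below this line on the caller is rendered
    }
}

function attempt_login(mysqli $db, string $username, string $password): bool {
    // Parameterised query: user input is bound, never spliced into SQL text.
    $stmt = $db->prepare('SELECT password_hash, admin FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    // password_hash column stores password_hash($plain, PASSWORD_DEFAULT), not the password.
    if ($row === null
        || !password_verify($password, $row['password_hash'])
        || (int) $row['admin'] !== 1) {
        return false;                // same failure answer for unknown user and wrong password
    }
    session_regenerate_id(true);     // fresh session id after the privilege change
    $_SESSION['admin_user'] = $username;
    return true;
}

// ---- login.php ----
require_once 'auth.php';
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');   // placeholder credentials
if (isset($_POST['username'], $_POST['password'])
    && attempt_login($db, $_POST['username'], $_POST['password'])) {
    header('Location: index.php');
    exit;
}
// Fall through: show the login form (same form as in the original post), plus an error if POSTed.
$error = isset($_POST['username']) ? 'Sorry, wrong information.' : '';

// ---- index.php ----
require_once 'auth.php';
require_admin();                     // redirects before a single byte of admin HTML is echoed
echo '<h3 align="center">Welcome to the admin page, ' . htmlspecialchars($_SESSION['admin_user']) . '.</h3>';
```

The one-file listing is for reading; in practice each "----" section is its own file, and the form rendering from the original login.php is reused after the fall-through line.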