lukerodham Posted April 6, 2011

Hi guys, how are you doing? I'm new here, so take it easy on me. Basically I just need some quick help and I thought this would be the best place to ask. I've been working on an admin login script but can't seem to get it right; I mean I can log in with random passwords :/ and also every time I go to index.php it shows the information I don't want it to without being logged in. I've got the script running live just in case anyone wants to see what I mean; it's at http://www.lukerodham.co.uk/admin. Here's the code. Thanks in advance.

index.php

<?php
require_once("login.php");
$adminuser = $_SESSION['user'];
?>
<html>
<head>
<title>hoonigans.co.uk</title>
</head>
<body>
<h3 align="center">Welcome to the admin page.</h3>
<span class="maintext"><br />
<p align="center">If you would like to post some news please <a href="news/post.php">click here</a>.<br />
To logout please <a href="logout.php">click here</a></p>
</body>
</html>

login.php

<?php
function loginpage($error){
    echo "
    <html>
    <body>
    <div align='center'>
    <form method='post' action='".$_SERVER['REQUEST_URI']."'>
    <label>username: <input type='text' name='username' id='username'><br>
    <label>password: <input type='password' name='password' id='password'><br>
    </label>
    <label>
    <input type='submit' name='submit' id='submit' value='submit'>
    </label>
    </form>
    </div>
    </body>
    </html>
    ";
}

$username = $_POST['username'];
$password = $_POST['password'];
$login = $_post['login'];

$host = *********;
$dbuser = *********;
$dbname = *********;
$dbpass = *********;

mysql_connect("$host","$dbuser","$dbpass");
mysql_select_db("$dbname");

session_start();

if($_SESSION['user'] != $username){
    if(!$submit){
        loginpage(false);
    }
    elseif($submit){
        $get = mysql_query("SELECT * FROM users WHERE username='$username'");
        while ($row = mysql_fetch_assoc($get)){
            $admin = $row['admin'];
            $passwordmatch = $row['password'];
            if ($passwordmatch==$password&&$admin==1){
                $_SESSION['user']="$username";
                echo "this worked";
            }
            else{
                die("Sorry wrong information.");
            }
        }
    }
}
?>
ttocskcaj Posted April 6, 2011

This is the normal way to handle logins.

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));
if($rows>0){
    //login was correct
    //set session
} else {
    //login FAILED
    //show error
}
monkeytooth Posted April 6, 2011

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));

Bear in mind this is user input from the client side, so sanitize your queries:

$rows = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'"));
ttocskcaj Posted April 6, 2011

True that. I was just thinking in terms of simplicity lol.
monkeytooth Posted April 6, 2011

I hear ya on simplicity. Got no problems with that.. But I can't just walk past a post that has no mention of something like sanitization and looks like the OP might not know better (yet), and not mention it, as it's good practice to pick up right from the beginning.
lukerodham (Author) Posted April 6, 2011

Cheers guys, I'll see what happens. Thank you, much love...
lukerodham (Author) Posted April 6, 2011

Sorry to be a pain guys, I've just edited the script with what you said. Just one thing though: you can still see the admin stuff on index.php without logging in. Is there a quick way around this?
monkeytooth Posted April 6, 2011

Spoofing the session/cookie that you're checking for would be one way around it, if that's what you're asking.
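Pulling together monkeytooth's point about user input reaching the query and the OP's question about index.php rendering without a login, here is an added example of how the same login would be written today. It is not code posted by anyone in this thread. It assumes PDO with a MySQL driver, a `users` table with `username`, `password_hash` (produced by `password_hash()`) and `admin` (0/1) columns, and placeholder database credentials in place of the OP's; the function names `attempt_login()` and `require_login()` are chosen here. A bound placeholder does what `mysql_real_escape_string()` was for, without the quoting mistakes (and the `mysql_*` extension itself was removed in PHP 7), and the password is compared with `password_verify()` rather than as plain text.

```php
<?php
// Added example, not the OP's code. Assumes PDO/MySQL and a `users` table
// with username, password_hash (from password_hash()) and admin columns.
declare(strict_types=1);

// Harden the session cookie before the session starts: the admin check below
// relies on the server-side session, so the id should not be readable by page
// scripts and should only travel over HTTPS when available.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Placeholder DSN and credentials (constructed for this example).
        $pdo = new PDO(
            'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
            'DB_USER_PLACEHOLDER',
            'DB_PASS_PLACEHOLDER',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
    }
    return $pdo;
}

// Returns true and establishes the session on success, false otherwise.
// The username is bound as a parameter, so quotes in it cannot alter the
// query; the password never goes into SQL at all.
function attempt_login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT password_hash, admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so a miss on
    // the username takes as long as a miss on the password.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false || (int) $row['admin'] !== 1) {
        return false;
    }

    // Discard whatever session id the client arrived with before marking it
    // as logged in; a pre-set or guessed id is not promoted to an admin session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Put this at the top of index.php (and every other admin page). The OP's
// index.php kept rendering because including login.php never stopped the
// request; the exit here is what prevents the page body from being sent.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// Minimal login.php flow: handle the POST, then fall through to the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = attempt_login(
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    if ($ok) {
        header('Location: index.php');
        exit;
    }
    echo 'Sorry, wrong information.';
}
```

The stored hash comes from `password_hash($plain, PASSWORD_DEFAULT)` at account creation, so the `users` table never holds the plain password that the thread's `password='$password'` comparisons assume. On the spoofing point: the session id is the only thing the client can present, so the defence is to keep it unpredictable and server-side (which PHP does), to regenerate it at login as above, and to keep it out of reach of scripts via the `httponly` flag.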