mazman13

I'm trying to password protect and admin area but an included script, but it's not working very well. I've used this script forever, but for some reason it pops up an alert that says "The URL is not valid and cannot be loaded," when the form is submitted. It's an old script from PHPBuddy. Here is the script: // password_protect.php <?php # Simple password protection # # (c) http://www.phpbuddy.com # Author: Ranjit Kumar # Feel free to use this script but keep this message intact! # # To protect a page include this file in your PHP pages! session_start(); $admin_user_name = "admin"; $admin_password = "admin"; //you can change the username and password by changing the above two strings if (!isset($HTTP_SESSION_VARS['user'])) { if(isset($HTTP_POST_VARS['u_name'])) $u_name = $HTTP_POST_VARS['u_name']; if(isset($HTTP_POST_VARS['u_password'])) $u_password = $HTTP_POST_VARS['u_password']; if(!isset($u_name)) { ?> <HTML> <HEAD> <TITLE><?php echo $HTTP_SERVER_VARS['HTTP_HOST']; ?> : Authentication Required</TITLE> </HEAD> <BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD> <font face=verdana size=2><B>(Access Restricted to Authorized Personnel)</b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center> <?php $form_to = "http://$HTTP_SERVER_VARS[HTTP_HOST]$HTTP_SERVER_VARS[php_SELF]"; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $form_to = $form_to ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; ?> <form method=post action=<?php echo $form_to; ?>> <table border=0 width=350> <TR> <TD><font face=verdana size=2><B>User Name</B></font></TD> <TD><font face=verdana size=2><input type=text name=u_name size=20></font></TD></TR> <TR> <TD><font face=verdana size=2><B>Password</B></font></TD> <TD><font face=verdana size=2><input type=password name=u_password size=20></font></TD> </TR> </table> <input type=submit value=Login></form> </center> </font> </BODY> </HTML> <?php exit; } else { function login_error($host,$php_self) { echo "<HTML><HEAD> <TITLE>$host : Administration</TITLE> </HEAD><BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD align=left> <font face=verdana size=2><B> You Need to log on to access this part of the site! </b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center>"; echo "Error: You are not authorized to access this part of the site! <B><a href=$php_self>Click here</a></b> to login again.<P> </center> </font> </BODY> </HTML>"; session_unregister("adb_password"); session_unregister("user"); exit; } $user_checked_passed = false; if(isset($HTTP_SESSION_VARS['adb_password'])) { $adb_session_password = $HTTP_SESSION_VARS['adb_password']; if($admin_password != $adb_session_password) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); else { $user_checked_passed = true; } } if($user_checked_passed == false) { if(strlen($u_name)< 2) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); if($admin_user_name != $u_name) //if username not correct login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); if(isset($admin_password)) { if($admin_password == $u_password) { session_register("adb_password"); session_register("user"); $adb_password = $admin_password; $user = $u_name; } else { //password in-correct login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); } } else { login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); } $page_location = $HTTP_SERVER_VARS['PHP_SELF']; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $page_location = $page_location ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; header ("Location: ". $page_location); } } } ?> And here is the file I'm trying to protect: //index.php <?php include('password_protect.php'); include("connection.php"); //Logout if($_REQUEST['action'] == "logout") { session_unset(); session_destroy(); header('Location:index.php'); } //Script Actions //Add Main Display if ($_REQUEST['action'] == "add_main_d") { //Upload Image $target_path = "main_display/"; $target_path = $target_path . basename( $_FILES['image']['name']); if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path)) { $msg1 = "<p>The image ". basename( $_FILES['image']['name']). " has been uploaded</p>"; } else { $msg1 = "<p>There was an error uploading the image, please try again!</p>"; } $image = $_FILES['image']['name']; //Add Info to Database $query = "INSERT INTO main_display (title,descrip,link,image) VALUES('$_REQUEST[title]','$_REQUEST[descrip]','$_REQUEST[link]','$image')"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "<p>" . $_REQUEST['title'] . " added to the main display.</p>"; } //Add Guest if ($_REQUEST['action'] == "add_guest") { //Upload Image $target_path = "guests/"; $target_path = $target_path . basename( $_FILES['image']['name']); if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path)) { $msg1 = "<p>The image ". basename( $_FILES['image']['name']). " has been uploaded</p>"; } else { $msg1 = "<p>There was an error uploading the image, please try again!</p>"; } $image = $_FILES['image']['name']; //Add Info to Database $query = "INSERT INTO guest (name,ep,link,image) VALUES('$_REQUEST[name]','$_REQUEST[ep]','$_REQUEST[link]','$image')"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "<p>" . $_REQUEST['name'] . " was added to the guest list.</p>"; } //Delete Item if($_REQUEST['action'] == "delete_item"){ $query = "SELECT * FROM main_display WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $row = mysql_fetch_array($result,MYSQL_ASSOC); $image = $row['image']; unlink("main_display/$image"); //Delete news $query = "DELETE FROM main_display WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "Display Meny Item erased."; } //Delete Guest if($_REQUEST['action'] == "delete_guest"){ $query = "SELECT * FROM guest WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $row = mysql_fetch_array($result,MYSQL_ASSOC); $image = $row['image']; unlink("guests/$image"); //Delete news $query = "DELETE FROM guest WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "Display Meny Item erased."; } ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="stylesheet" type="text/css" href="style.css" /> <title>Admin Window</title> <?php //Form Check - Javascript if($_REQUEST['view'] == "main_d") { include("add_main_d_check.php"); } if($_REQUEST['view'] == "guest_d") { include("add_guest_d_check.php"); } ?> </head> <body> <div id="wrapper"> <h1> Admin Window </h1> <div id="links"> <ul> <li><a href="index.php">Main</a></li> <li><a href="index.php?view=main_d">Main Display</a></li> <li><a href="index.php?view=guest_d">Guests</a></li> <li><a href=\"index.php?action=logout\">Logout</a></li> </ul> </div> <?php if (isset($msg1)) { echo $msg1 . "<br />"; } if (isset($msg)) { echo $msg; } //Page Controller switch($_REQUEST['view']) { case "main_d": include("main_d.php"); break; case "guest_d": include("guests.php"); break; default: if(!isset($_REQUEST['action'])){ echo "<p>Please select an action.</p>"; } break; } ?> </div> </body> </html> I will be grateful for any help on this. Thanks!