baberlicious

  1. I know I need something to guard against injection, but am unsure of what to use... Also, are there any other holes in this script that you see? For a page that you want to protect, you simply add these lines to the beginning of the page:

     ```php
     <?php
     include "functions.php";
     // secure(x) where x is the intended security level
     secure(5);
     ?>
     ```

     login.php

     ```php
     <?php
     require "functions.php";

     if(!empty($_SESSION["loginerror"]))
         $err = $_SESSION["loginerror"];
     else
         $err = "";
     unset($_SESSION["loginerror"]);

     if(isset($_POST['username']))
     {
         include("database.php");
         $username = $_POST['username'];
         $password = $_POST['password'];
         $result = mysql_query("SELECT * FROM employee WHERE login = '$username' AND password = '$password'")
             or die("Unable to verify user because : " . mysql_error());
         if(mysql_num_rows($result) == 1)
         {
             $_SESSION['phplogin'] = "logged";
             $row = mysql_fetch_assoc ( $result );
             mysql_query("UPDATE employee SET lastlogin=now() WHERE id=".$row['id'])
                 or die(mysql_error());
             $_SESSION['id'] = $row['id'];
             $_SESSION['name'] = $row['first_name']." ".$row['last_name'];
             $_SESSION['user'] = $row['login'];
             $_SESSION['seclev'] = $row['security_level'];
             $topage="/system";
             if(isset($_SESSION['referrer']))
             {
                 $topage = $_SESSION['referrer'];
                 unset($_SESSION['referrer']);
             }
             header('Location: '.$topage.'');
         }
         else
         {
             $err = '<font color="red">Incorrect username / password.</font>' ;
         }
     }
     ?>
     ```

     functions.php

     ```php
     <?php
     session_start();

     if($_SERVER["PHP_SELF"] != "/system/login.php")
     {
         $_SESSION["referrer"] = $_SERVER["PHP_SELF"];
         if(!empty($_GET))
             $_SESSION["referrer"] .= "?".gets($_GET);
     }

     $reqseclev = 0;

     function secure($level)
     {
         $reqseclev = $level;
         if (!isset($_SESSION['phplogin']) || $_SESSION['phplogin'] !== "logged")
         {
             header('Location: /system/login.php');
             exit;
         }
         if($_SESSION["seclev"] < $reqseclev)
         {
             $_SESSION["loginerror"] = "<font color=\"red\">The current user does not have permission to view this page.</font>";
             header('Location: /system/login.php');
             exit;
         }
     }

     function gets($in)
     {
         $tmp = "";
         foreach($in as $key => $value)
             $tmp .= "$key=$value&";
         $tmp = substr($tmp, 0, strlen($tmp)-1);
         return $tmp;
     }
     ?>
     ```
  2. I noticed that on some of the pages, the bullets in the nav aren't showing up right... they show up as ?'s.... Firefox 3 btw..
  3. When you click to add a new post, you should add a layer behind the window, but in front of the rest of the calendar. This way you can't click on anything else until you deal with the prompt. My $0.05
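
Added example, not part of the original posts: the credential check from the login.php in the first post, rewritten so that `$username` and `$password` never become part of the SQL text and the password is compared against a stored hash. It assumes PDO with the SQLite driver for a self-contained in-memory table, a hypothetical `password_hash` column in place of the post's `password` column, and a hypothetical helper name `verify_login()`; the sample row is constructed.

```php
<?php
// Added example: constructed in-memory data, not the poster's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employee (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
            password_hash TEXT, first_name TEXT, last_name TEXT, security_level INTEGER)');

// Store a hash, never the password itself (the password_hash column is an assumption).
$ins = $pdo->prepare('INSERT INTO employee
                      (login, password_hash, first_name, last_name, security_level)
                      VALUES (?, ?, ?, ?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT), 'Pat', "O'Brien", 5]);

/**
 * Hypothetical helper: returns the employee row on success, null otherwise.
 */
function verify_login(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps $username out of the SQL text; a quote in it is plain data.
    $stmt = $pdo->prepare('SELECT id, login, password_hash, first_name, last_name, security_level
                           FROM employee WHERE login = :login');
    $stmt->execute([':login' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash in PHP instead of matching the password in WHERE.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']); // do not carry the hash into the session
    return $row;
}

// Constructed inputs: a login containing a quote, with a right and a wrong password.
$ok  = verify_login($pdo, "o'brien", 'correct horse');
$bad = verify_login($pdo, "o'brien", 'wrong');
var_dump($ok !== null, $bad === null);

// In login.php, on success: session_regenerate_id(true); fill $_SESSION from $ok;
// then header('Location: ...'); followed by exit; so the script stops after redirecting.
```

The `mysql_*` functions used in the post were removed in PHP 7, so moving to PDO or mysqli prepared statements is needed for current PHP versions in any case.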