Admin cookie


3 replies to this topic

#1 treilad

treilad
  • Members
  • Advanced Member
  • 58 posts

Posted 27 July 2006 - 07:21 PM

I'm trying to get my login script to install an additional cookie if the person logging in is an administrator. Here is my login code:

<?php

include('db.php');

// If the login cookies are already set, check them against the database.
if (isset($_COOKIE['ID_my_site'])) {
	$username = $_COOKIE['ID_my_site'];
	$pass = $_COOKIE['Key_my_site'];

	// Cookies are client input too: escape them the same way as the form fields below.
	if (!get_magic_quotes_gpc()) {
		$username = addslashes($username);
	}

	$check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());

	while ($info = mysql_fetch_array($check)) {
		// Strict comparison, so two different hash strings never compare equal.
		if ($pass === $info['password']) {
			header("Location: index.php");
			exit; // stop here, otherwise the rest of the script still runs
		}
	}
}

// The login form was submitted.
if (isset($_POST['submit'])) {

	if (!$_POST['username'] || !$_POST['pass']) {
		die('You did not fill in a required field.');
	}

	// checks it against the database

	// Escape the username before it goes into the query.
	if (!get_magic_quotes_gpc()) {
		$_POST['username'] = addslashes($_POST['username']);
	}

	$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());

	$check2 = mysql_num_rows($check);
	if ($check2 == 0) {
		die('That user does not exist in our database. <a href=registration.php>Click Here to Register</a>');
	}

	while ($info = mysql_fetch_array($check)) {

		$_POST['pass'] = stripslashes($_POST['pass']);
		$info['password'] = stripslashes($info['password']);
		$_POST['pass'] = md5($_POST['pass']);

		if ($_POST['pass'] !== $info['password']) {
			die('Incorrect password, please try again.');
		} else {
			$_POST['username'] = stripslashes($_POST['username']);

			// Cookie names are strings and must be quoted.
			$hour = time() + 2592000;
			setcookie('ID_my_site', $_POST['username'], $hour);
			setcookie('Key_my_site', $_POST['pass'], $hour);

			header("Location: admincheck.php");
			exit;
		}
	}

} else {

?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}


?>

Admincheck.php would be the code that checked to see if the ID_my_site cookie contained the name 'Treilad'. If it did, it would install the Admin_my_site cookie. If not, it would header to index.php. How can I get it to check if the cookie contains 'Treilad'?

I also tried this under the setcookies in the login code:

if($_POST['username'] = 'Treilad' && $_POST['pass'] = 'letmein'){
	setcookie('Admin_my_site', $_POST['username'], $hour);
}

but it sets the cookie no matter who logs in, ignoring the conditional.

#2 xyph

xyph
  • Staff Alumni
  • Advanced Member
  • 3,712 posts
  • Location: Surrey, BC

Posted 27 July 2006 - 07:27 PM

That information is better retrieved from the db every pageview imo. Allowing admin status to be stored in a cookie without referencing to the database every time is asking for abuse.
Everything you need to know about storing user-names and passwords
http://www.openwall....Users-Passwords
Blank Page? Try forcing errors to display
ini_set('display_errors',1);
error_reporting(-1);
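
Added example (not part of the original thread and not code from any poster): one way to do the per-pageview database lookup xyph describes, next to the cookie-based check it replaces. The in-memory SQLite table, the is_admin column, the user ids and the function names are assumptions made for the illustration; in a real application the user id would come from the server-side session set at login.

```php
<?php
// Added example, not from the thread. Schema, rows and function names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            is_admin INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO users (id, username, is_admin)
            VALUES (1, 'Treilad', 1), (2, 'guest42', 0)");

// Weak: the role lives in a cookie, i.e. in data the browser sends back.
function isAdminByCookie(array $cookies): bool
{
    return isset($cookies['Admin_my_site']) && $cookies['Admin_my_site'] === 'Treilad';
}

// Stronger: only the session's user id is used, and the role is read
// from the database on every request with a prepared statement.
function isAdminFromDb(PDO $pdo, ?int $sessionUserId): bool
{
    if ($sessionUserId === null) {
        return false; // no authenticated session
    }
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([$sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int) $row['is_admin'] === 1;
}

// Constructed requests: [label, cookies as received, user id held in the server-side session]
$requests = [
    ['Treilad, real admin',             ['Admin_my_site' => 'Treilad'], 1],
    ['guest42, cookie set client-side', ['Admin_my_site' => 'Treilad'], 2],
    ['anonymous visitor',               [],                             null],
];

function report(PDO $pdo, array $requests): void
{
    foreach ($requests as [$label, $cookies, $uid]) {
        printf("%-34s cookie check: %-5s  db check: %s\n", $label,
            var_export(isAdminByCookie($cookies), true),
            var_export(isAdminFromDb($pdo, $uid), true));
    }
}

report($pdo, $requests);

// Revoking the role in the database takes effect on the next request, while a
// cookie issued with the thread's 30-day lifetime (2592000 s) would still be sent.
$pdo->exec('UPDATE users SET is_admin = 0 WHERE id = 1');
echo "-- after revoking Treilad's admin role --\n";
report($pdo, $requests);
```
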

#3 treilad

treilad
  • Members
  • Advanced Member
  • 58 posts

Posted 27 July 2006 - 07:30 PM

=/ Yeah. It would seem so. Nvm. I've got another way around it. :)

#4 king arthur

king arthur
  • Members
  • Advanced Member
  • 335 posts
  • Location: UK HQ

Posted 27 July 2006 - 09:21 PM

if($_POST['username'] = 'Treilad' && $_POST['pass'] = 'letmein'){
	setcookie('Admin_my_site', $_POST['username'], $hour);
}

Classic mistake which everyone does I'm sure!

What you actually meant was

if($_POST['username'] == 'Treilad' && $_POST['pass'] == 'letmein'){
	setcookie('Admin_my_site', $_POST['username'], $hour);
}

Note the double '=' signs!
Sir Isaac Newton said "If I have seen farther, it is by standing on the shoulders of giants". But it is not recorded as to whether he said it before or after he was hit on the head by a falling apple.



