bossman Posted September 1, 2009

I have successfully completed building my backend admin for my project management tool. It is complete with a login, which takes you to a view all page, and from there you can add/edit/delete projects. But as of now, a user can easily bypass my login page and get right to the admin without logging in. Here's what I have done...

set up a database table with uid (user_id), uname (username), and upassword (user password)...
manually entered user names and passwords to be used into the rows...

Here's my code for the login page itself...

<div style="margin-left:100px;">
<table width="200" align="left">
<form action="login_process.php" method="POST">
<label><strong>Username:</strong></label><br/><input type="text" name="formname"/><br/>
<label><strong>Password:</strong></label><br/><input type="password" name="formpass"/><br/><br/>
<input type="submit" value="enter"/>
</form>
<?php
if (isset($_GET['error'])) {
    print "<div class='error'>Please make sure you typed in the correct name and password</div>";
}
?>
<br/>
</table>
</div>

and here's what I have for the login_process page...

<?php
include("inc/db_connect.php");

// store the login form info into vars...
$uname = $_POST['formname'];
$upass = $_POST['formpass'];

// connect to server...
// Opens a connection to a MySQL server
$connection = mysql_connect($h, $u, $p);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($d, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// construct a query...
$query = "SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass'";
//print $query;

// run the query...
$result = mysql_query($query);
//print($result)?"Query OK":"Query failed.";

// if there was a matching row in the db...
if ($row = mysql_fetch_array($result)) {
    //print "valid user";
    //print session_id();
    // store some info in session variables so we can look at it page after page...
    $_SESSION['username'] = $uname;
    $_SESSION['userID'] = $row['uid'];
    // redirect to View All...
    header('Location:admin_index.php');
// otherwise the user must be illegal...
} else {
    //print "invalid user";
    // close connections
    header('Location:index.php?error=yes');
}
?>

so... I've gotten it set up so that the user must enter the correct username and password to enter, but the site is still not secure. Can anybody give me a push in the right direction as to the most simple and easiest solution to implement into what I've got already? What would be ideal is to set it up so that if they TRY to bypass my login page, regardless of what page they try to get to, they will be redirected to the login page no matter what, unless they are already logged in. Is there an easy way to do this?
mayfair Posted September 1, 2009

You need to include something on your login page to check if a valid user is logged in. If they aren't, throw an error and prompt/re-direct them to login. Also, you need to read up on PHP security. Don't construct your SQL query without sanitising and validating your POST data; you'll leave yourself wide open for SQL injection and other potential problems. As a start, have a function at the top of your page, something like:

function clean($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

and instead of

$uname = $_POST['formname'];

have

$uname = clean($_POST['formname']);
bossman Posted September 1, 2009

Did you mean to put that on the login_process.php page?
bossman Posted September 1, 2009

And for $variable, would I replace that with $uname or $upass?
mayfair Posted September 1, 2009

Yes, you should be validating the code on the same page that you are constructing your search query. Regarding the function, you do not need to change the name of $variable; it is only used by that function to tell it to expect a variable. You can then type clean($_POST['your_var']); instead of just $_POST['your_var']; and it will sanitise whatever variable is passed to it and return the result with any bad/malicious data neutralised. You should also perform some validation to make sure the data being passed onto your page is what you are expecting.

All you are doing at the moment is re-directing people to admin_index.php if their record has been found in the db. You need to add some code to admin_index to make sure they are logged in, and re-direct them back to the login page if not. This will stop people from being able to directly access your 'member-only' pages.
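As an added example (not code from the thread or from either poster), here is what the login_process lookup looks like when the user-supplied values are bound as parameters of a mysqli prepared statement instead of being escaped and pasted into the query string, and when the password is checked with password_verify() against a hash instead of compared in SQL as plaintext. The connection values, the function name find_user and the assumption that the upassword column holds a password_hash() output are mine; mysqli_stmt::get_result() needs the mysqlnd driver, which is the default in current PHP builds.

```php
<?php
// Added example: login_process.php with a prepared statement and hashed
// passwords. Assumes user_table(uid, uname, upassword) where upassword was
// written with password_hash($plaintext, PASSWORD_DEFAULT), not the plaintext
// the thread stores.
session_start();

// In the thread these come from inc/db_connect.php; placeholder values here
// so the file stands alone.
$h = 'localhost';
$u = 'dbuser';
$p = 'dbpass';
$d = 'projects';

$mysqli = new mysqli($h, $u, $p, $d);
if ($mysqli->connect_error) {
    // Keep driver error text in the server log, not in the browser.
    error_log('DB connect failed: ' . $mysqli->connect_error);
    http_response_code(500);
    exit('Service unavailable');
}

// Look the user up by name only; the password never enters the SQL at all.
function find_user(mysqli $db, string $uname): ?array
{
    $stmt = $db->prepare('SELECT uid, uname, upassword FROM user_table WHERE uname = ? LIMIT 1');
    // Bound as data: quotes or keywords inside $uname cannot change the query shape.
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$uname = trim($_POST['formname'] ?? '');
$upass = $_POST['formpass'] ?? '';   // not trimmed or escaped: it is never interpolated anywhere

$row = find_user($mysqli, $uname);

// password_verify() compares against the stored hash in constant time.
if ($row !== null && password_verify($upass, $row['upassword'])) {
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['userID']   = $row['uid'];
    $_SESSION['username'] = $row['uname'];
    header('Location: admin_index.php');
    exit;                                 // header() does not stop the script; exit does
}

// Same redirect whether the name was unknown or the password was wrong, so the
// response does not reveal which usernames exist.
header('Location: index.php?error=yes');
exit;
```

The mysql_* functions used in the thread were removed in PHP 7, so the same change also keeps the script working on any currently supported PHP version.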
bossman Posted September 1, 2009

$_SESSION['username'] = $uname;
$_SESSION['userID'] = $row['uid'];

Since I have that code right there, will I need to add a session_start(); anywhere? Or is that code there already initiating the session? I'm not new to PHP but new to the security aspect of it, but I'm pretty sure I know what's going on, just a little confused, that's all. Not sure exactly what all needs to be done to implement this simple function. All your help is appreciated.
mayfair Posted September 1, 2009

Yes, you need to add session_start(); to the top of the page before any other code, and you will need to add it to every page you want to use or pass the session variables to, or they will be lost.
bossman Posted September 1, 2009

I think something is off; it won't let me log in now even with the correct username and password.

<?php
session_start();
include("inc/db_connect.php");

function clean($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

// store the login form info into vars...
$uname = clean($_POST['formname']);
$upass = clean($_POST['formpass']);

// connect to server...
// Opens a connection to a MySQL server
$connection = mysql_connect($h, $u, $p);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($d, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// construct a query...
$query = "SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass' ";
//print $query;

// run the query...
$result = mysql_query($query);
//print($result)?"Query OK":"Query failed.";

// if there was a matching row in the db...
if ($row = mysql_fetch_array($result)) {
    //print "valid user";
    //print session_id();
    // store some info in session variables so we can look at it page after page...
    $_SESSION['username'] = $uname;
    $_SESSION['userID'] = $row['uid'];
    // redirect to View All...
    header('Location:admin_index.php');
// otherwise the user must be illegal...
} else {
    //print "invalid user";
    // close connections
    header('Location:index.php?error=yes');
}
?>
mayfair Posted September 1, 2009

Try echoing $uname and $upass. What's being output?
bossman Posted September 1, 2009

I echoed $uname and $upass on the process page and it didn't echo anything. I just tried getting rid of all the edits you recommended, and it's working again now... so I'm going to try adding in each part one by one and try to determine what is causing it to not work...
mayfair Posted September 1, 2009

Try getting rid of the function and just going straight for mysql_real_escape_string($_POST['your_var']); and see if anything is output.
mayfair Posted September 1, 2009

I suspect your problem is related to your DB connection. mysql_real_escape_string requires a valid connection because it is part of the mysql group of functions. Why don't you move your entire DB connect statement (including the mysql_db_select bit) into db_connect.php and make sure it is above the mysql_real_escape_string function.
bossman Posted September 1, 2009

OK, I will try that. Before I read your last two posts, I had determined that the error was here...

$uname = clean($_POST['formname']);
$upass = clean($_POST['formpass']);

After I added the 'clean' in there, it stopped working. The function clean($variable) {..... didn't screw anything up, and neither did the session_start();
mayfair Posted September 1, 2009

That's because the clean() part was calling the function at the top of the page. Try moving all of your db connection info as suggested and see if you have better luck.
bossman Posted September 1, 2009

OK, your suggestion worked, although I didn't move the code to a new page; I just put it in a different spot, like here...

<?php
session_start();
include("inc/db_connect.php");

// connect to server...
// Opens a connection to a MySQL server
$connection = mysql_connect($h, $u, $p);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($d, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// escaping needs the open connection above, so it is defined after it
function clean($variable) {
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

// store the login form info into vars...
$uname = clean($_POST['formname']);
$upass = clean($_POST['formpass']);

// construct a query...
$query = "SELECT * FROM user_table WHERE uname='$uname' AND upassword='$upass'";
//print $query;

// run the query...
$result = mysql_query($query);
//print($result)?"Query OK":"Query failed.";

// if there was a matching row in the db...
if ($row = mysql_fetch_array($result)) {
    //print "valid user";
    //print session_id();
    // store some info in session variables so we can look at it page after page...
    $_SESSION['username'] = $uname;
    $_SESSION['userID'] = $row['uid'];
    // redirect to View All...
    header('Location:admin_index.php');
// otherwise the user must be illegal...
} else {
    //print "invalid user";
    // close connections
    header('Location:index.php?error=yes');
}
?>

So now it's logging in with no errors... where do I go from here?
mayfair Posted September 1, 2009

Well, there are a few ways you can go. You could handle your entire login using sessions or you could construct and use a cookie to store login information. I'm guessing you'll want to stick with sessions, so you now need to check that a user is logged in before they can access a members-only page. You still really need to read up on the security and validation side of things, but basically you'll want something at the top of your admin page similar to

session_start();
if (!isset($_SESSION['userID'])) {
    // redirect user to login screen or prompt to login
    header('Location: index.php');
    exit;
}

That will at least check to see if a UID is set, but it is by no means a complete working solution. Hopefully you get the idea anyway.
bossman Posted September 1, 2009

Definitely. Would I put this on every page that I don't want them to access without logging in?
mayfair Posted September 1, 2009

Yes, otherwise somebody would be able to enter the direct URL of whatever page they want to see and will be able to access it without having to login. It's a very basic start, but checking for the existence of a UID before allowing access to the page would work. Your login script now has 3 distinct parts:

1. Take the username & password entered and check the database for that particular member
2. If the member exists, assign a session variable called userID and re-direct them to admin_index.php
3. On admin_index.php, check that userID is set and re-direct if not
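Part 3 of that flow, written as one include file that goes at the top of admin_index.php and every other admin-only page. This is an added example, not the thread's code: the file name auth_check.php, the function names, the 30-minute idle timeout and the cookie settings are my choices, and it assumes login_process.php stored the user's id in $_SESSION['userID'] as in the thread. The detail mayfair's snippet leaves out and that matters most in practice is the exit after header('Location: ...'): a Location header on its own does not stop PHP from going on to render the protected page.

```php
<?php
// auth_check.php: added example, not code from the thread. Require it as the
// very first line of each admin-only page, before any HTML output, or the
// redirect header can no longer be sent. Needs PHP 7.3+ for the array form of
// session_set_cookie_params().

// Session id cookie: not readable from JavaScript, only sent over HTTPS when the
// site is served that way, and not attached to cross-site POSTs.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Drop a session that has been idle for more than $max_idle seconds (30 minutes
// is an assumed value). Returns true when the session was expired and cleared.
function expire_idle_session(int $max_idle = 1800): bool
{
    if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > $max_idle) {
        $_SESSION = [];
        session_destroy();
        return true;
    }
    $_SESSION['last_seen'] = time();
    return false;
}

// The check the thread describes: no userID in the session means not logged in.
function is_logged_in(): bool
{
    return isset($_SESSION['userID']);
}

// Send anonymous visitors to the login page. The exit is the important part:
// header() only queues the Location header, and without exit the rest of the
// protected page would still be generated and sent after it.
function require_login(string $login_page = 'index.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $login_page);
        exit;
    }
}

// For a logout.php: clear server-side state, expire the cookie, return to login.
function logout(string $login_page = 'index.php'): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $c = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $c['path'], $c['domain'], $c['secure'], $c['httponly']);
    }
    session_destroy();
    header('Location: ' . $login_page);
    exit;
}

expire_idle_session();   // an expired session leaves userID unset...
require_login();         // ...so this sends the visitor back to index.php
```

In admin_index.php the first line then becomes `<?php require 'auth_check.php'; ?>`, and a logout.php is just that same require followed by a call to logout(). Keeping the check in one file means every protected page gets identical behaviour, and a later change (a role check on uid, a different timeout) is made once rather than on each page.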
bossman Posted September 1, 2009

OK, did exactly as you suggested, and it's working. Although only a small framework that I plan to make more secure, this is the start that I needed. I appreciate your time on that one.
bossman Posted September 1, 2009

How do I mark this one as [solved] on the forum page so people know it's solved?
mayfair Posted September 1, 2009

Quoting bossman: "OK, did exactly as you suggested, and it's working. Although only a small framework that I plan to make more secure, this is the start that I needed. I appreciate your time on that one."

You're welcome, glad you've got something to start on. Click 'Resolved' in the bottom left corner of the thread to mark it as solved.