cainam29 Posted June 16, 2013

How can I protect my PHP page such that when a user just types the entire link in a browser, they will be redirected to the login page?

Here is my login.php code:

<?php
$host="*****"; // Host name
$username="*****"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="*****"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername = mysql_real_escape_string ($_POST['myusername']);
$mypassword = mysql_real_escape_string ($_POST['mypassword']);
$myusername = stripslashes ($_POST['myusername']);
$mypassword = stripslashes ($_POST['mypassword']);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// mysql_num_rows counts the rows in the result
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    session_start();
    $_SESSION['login'] = "1";
    header("location:admin/infratools.php");
}
else {
    echo "Wrong Username or Password";
    session_start();
    $_SESSION['login'] = '';
}
?>

Here is my main page, which has all the other links to all my PHP pages:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Infra Tool</title>
<link rel="stylesheet" href="style.css" />
</head>
<body class="oneColFixCtrHdr" onload="document.form1.myusername.focus();">
<div id="container">
  <div id="header" style="background-color:#7BD12E">
    <h1 align="Center" style="color:#FFF; font-family: Arial, Helvetica, sans-serif;">PROV InfraTools </h1>
  <!-- end #header --></div>
  <div id="mainContent">
    <p> </p>
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
      <tr>
        <td colspan="2" align="center">
          <form id="form1" name="form1" method="post" action="checklogin.php">
            <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
              <tr> <td> </td> </tr>
              <tr bgcolor="#FFFFFF"> <td align="center"><a href="tickettracker.php">Ticket Uploader</a></td> </tr>
              <tr bgcolor="#FFFFFF"> <td align="center"><a href="raptool.php">RAP Tool</a></td> </tr>
              <tr bgcolor="#FFFFFF"> <td> </td> </tr>
              <tr bgcolor="#FFFFFF"> <td align="center"><a href="login/add_user.php">Add User</a></td> </tr>
              <tr bgcolor="#FFFFFF"> <td align="center"><a href="login/logout.php">Logout</a></td> </tr>
            </table>
          </form></td>
      </tr>
    </table>
    <p> </p>
  <!-- end #mainContent --> </div>
  <p align="center"> </p>
  <div id="footer" style="background-color:#7BD12E">
    <p style="color:#FFF"></p>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

trq Posted June 16, 2013

session_start();
// Not logged in: redirect and stop the script
if (!isset($_SESSION['login']) || !$_SESSION['login']) {
    header("Location: http://somedomain.com/not-authorised.php");
    exit;
}

cainam29 Posted June 16, 2013 Author

Hi trq, thanks for the response. Should I be putting that in each PHP page that I want to be protected, or just in login.php?

ginerjm Posted June 16, 2013

You would put the test and header in each page that you are afraid of people bypassing security by typing in the URL directly to the page.

BTW - what is this doing:

// username and password sent from form
$myusername = mysql_real_escape_string ($_POST['myusername']);
$mypassword = mysql_real_escape_string ($_POST['mypassword']);
$myusername = stripslashes ($_POST['myusername']);
$mypassword = stripslashes ($_POST['mypassword']);

You've protected yourself from injection with the first two lines, but then you are removing non-existent slashes in the last two lines. Basically you use the first two when using the fields in a query, and when storing in your db. You would use the last two lines when you take already "sanitized" data from your db and are showing it to the user again. Not both at the same time!

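In the login.php posted at the top of the thread, the two stripslashes() assignments read from $_POST again and overwrite the escaped values, so the query is built from unescaped input and compares a plain-text password. An added example (not code from the thread) of the same check with a bound parameter and password_verify(); the users table, its column names and the in-memory SQLite database are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not the poster's code. Table layout and names are assumptions.
declare(strict_types=1);

/** Return true only when $user exists and $pass matches the stored hash. */
function check_login(PDO $db, string $user, string $pass): bool
{
    // The user name is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        return false; // no such user
    }
    // The database stores only a hash; password_verify() does the comparison.
    return password_verify($pass, (string) $hash);
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'alice', 'correct horse')); // valid credentials
var_dump(check_login($db, 'alice', 'wrong'));         // wrong password
var_dump(check_login($db, "o'brien", 'x'));           // quote in input is treated as data
```
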
cainam29 Posted June 17, 2013 Author

Thanks for confirming...

cainam29 Posted June 17, 2013 Author

I've marked it again as unresolved because it's not working on a page that is linked to my main page. For example, after I log in I'll be redirected to the main page. Now under my main page I'll click on a link, let's say

<tr bgcolor="#FFFFFF"> <td align="center"><a href="tickettracker.php">Ticket Uploader</a></td> </tr>

Now this tickettracker.php has other links inside it, and in all those links I have put the code below to protect them, but every time I click on them I am now redirected to the login page again.

<?PHP
session_start();
session_destroy();
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
    header ("Location: infralogin.php");
}
?>

This code works perfectly in that when I try to access the page directly I'm being routed to the login page, but that is also what's happening when I click those links after I have already logged in.

Solution cainam29 Posted June 17, 2013 Author

This is fixed now, I've edited the code to this:

<?PHP
session_start();
if (!isset($_SESSION['login']) || $_SESSION['login'] == '') {
    header ("Location: infralogin.php");
    exit();
}
?>
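
The earlier version called session_destroy() on every protected page, which deletes the stored login flag; the fix drops that call and adds exit() so the page body is not sent after the redirect header. An added example (not code from the thread) that keeps the same test in one include shared by every protected page; the file name require_login.php, the function names and the root-relative /infralogin.php path are assumptions.

```php
<?php
// require_login.php (hypothetical name): added example, not code from the thread.
declare(strict_types=1);

/** Same test as the accepted fix: the flag must exist and be non-empty. */
function is_logged_in(array $session): bool
{
    return isset($session['login']) && $session['login'] !== '';
}

/** Send anonymous visitors to the login page and stop the script. */
function require_login(string $loginUrl = '/infralogin.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        // Root-relative path (assumed location) so pages under admin/ or login/ resolve it too.
        header('Location: ' . $loginUrl);
        exit; // header() alone does not stop the protected page from running
    }
}

/** Call once, right after the credentials have been verified. */
function mark_logged_in(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id for the authenticated session
    $_SESSION['login'] = '1';
}

/** Logout is the only place where the session is destroyed. */
function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}

// Each protected page starts by including this file and calling require_login().
if (PHP_SAPI === 'cli') {
    // Constructed session contents for a quick command-line check.
    var_dump(is_logged_in([]), is_logged_in(['login' => '']), is_logged_in(['login' => '1']));
}
```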