Jump to content

validating an admin user

dansk

By dansk
in PHP Coding Help

 Share

Recommended Posts

dansk Member

dansk

Posted
Posted
i have this code, and everytime i log in with username and passwords, the login_action.php outputs 1.
[code]
<?php

$user_name = $_POSTuser_name;
$pass_word = $_POSTpass_word;
$frm = $_POSTfrm;


$connect = mysql_connect("localhost", "user","pass") or die(mysql_error());


//i Can echo anything before the next line, but after the next line i can't output anything

mysql_select_db($Announ) or die('mysql_select '||mysql_error());
$result = mysql_query("SELECT * FROM Announ.login WHERE user_name = '" . $user_name . "' and pass_word = '" . $pass_word . "'");

$row = mysql_fetch_array($result);

if ($row[user_name] == $user_name) {

# valid username and password entered
$id = "a" . rand(100,100000);
$sql = "UPDATE Announ.login SET session_id = '" . $id . "' WHERE user_name = '" . $user_name . "'";
$query_result = @mysql_query($sql,$connect) or die('Error :' . mysql_error());
setcookie("id",$id, time()+14000);

if ($user_name == "admin") {
# logged in as admin user

header("Location: admin.php");
} else {
# logged in as other user
header("Location: some_other_page.php");
}
?>
[/code]
this is my admin.php
[code]
<?php

$connect = mysql_connect("localhost", "user","pass") or die(mysql_error());
mysql_select_db($announ) or die('mysql_select '||mysql_error());
$result = mysql_query("SELECT * from Announ.login WHERE session_id = '" . $_COOKIE[id] . "'");

$row = mysql_fetch_array($result);

if ($row[session_id] == $_COOKIE[id] && $row[user_name] == "admin") {
# if you get here you have logged in

} else {
# invalid so re-direct to a login page
header("Location: login.php");
}

?>
} else {

setcookie("id","IT FAILED", time()+14000);
header("Location: login.php");

}

?>
[/code]

login.php
[code]
<form action=login_action.php method=POST>
<h2><center> Welcome To ISL Admin Page </h2></center>
<center><br /> <b> Please Login </b><br />
User Name: <br /><input type=Text name=user_name maxlength=8><Br /> Password: <br /><input type=Password name=pass_word maxlength=8><br />
<input type=submit value="Login" name=\"action\"></center>
</form>
[/code]
Link to comment
Share on other sites
matto Newbie

matto

Posted
Posted
First of all that code is really bad....

Firstly...

[code]
$user_name = $_POSTuser_name;
$pass_word = $_POSTpass_word;
$frm = $_POSTfrm;
[/code]

probably should be :

[code]
$user_name = $_POST['user_name'];
$pass_word = $_POST['pass_word'];
$frm = $_POST['frm'];
[/code]

Link to comment
Share on other sites
craygo Member

craygo

Posted
Posted
One thing i did notice is this

[code]if ($user_name == "admin") {[/code]

I do not think anyones username would be admin. I thing it should be the user type or group or however you have it setup. Unless you have just one admin login in which everyone uses to admin.

Just a thought but I find it easier to deal with sessions rather than cookies. Even though you are generating a random number, cookies are still stored on the user machine, easily edited, where sessions are stored on the server.

Ray
Link to comment
Share on other sites
SharkBait Advanced Member

SharkBait

Posted
Posted
Also a good thing to practice is striping things from $_POST variables if they are going into a query string.

[code]
<?php
$user_name = mysql_real_escape_string(trim($_POST['user_name']));
?>
[/code]
That will strip things that might interfer with your MySQL queries that can be harmful to your database. It will also trim any excess white-space as well.
Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted
Sorry, but ide suggest you find a good tutorial on the subject. You have allot of redundant code. For instance, in your first script your query the database based on the name a user supplies.

[code]
"SELECT * FROM Announ.login WHERE user_name = '" . $user_name . "' and pass_word = '" . $pass_word . "'"
[/code]

The very next thing you do is make sure the row returned has the same username the user supplied.

[code=php:0]
if ($row[user_name] == $user_name) {
[/code]

Does that make sense? No. If a result is returned then the user name for that row MUST equal the user name supplied.

In admin.php you go on to do this again this time using the session_id filed and a cookie.

[quote]I am unable to move on with my website without getting this done.[/quote]

Im sorry, but if this is anything to go by then your site is doomed anyways. [url=http://hudzilla.org/phpwiki/index.php?title=Main_Page]This[/url] is a great resource for a beginning. I suggest you start at the beginning and read till the end.
Link to comment
Share on other sites
dansk Member

dansk

Posted
  • Author
Posted
Hi thorpe,

Thank you for your reply. I do have some basic knowledge about php, but this is the first time I deal with cookies and sessions.

Someone gave me this admin validation code and said that it works, and when i read it. It seemed fine, I was not actually able to understand what you meant by redundunt code.

I have one user and it's an Admin - I created a table just in case I need to add more users in the future- and table has the name and the password for the admin.

Once the user logs in, I will try to challenge what he entered with the data in the table and I guess the code does that right. Is there any security holes in there when you meant that the website will be doomed  :o or is it poor programming style.

Is there a specfic tutorial about cookies and sessions - beside the one you provided.
Thank you

Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted
What I meant by redundant code is just that you have allot of unnescascary code. The queries themselves only look for the users you specify so checking it again is redundant. Less is best, and makes code much less error prone.

As for the rest of your site being 'doomed', I dont meen anything specificaly, but really, a decent understanding of the underlying principles of what your code is doing helps.
Link to comment
Share on other sites
dansk Member

dansk

Posted
  • Author
Posted
Thank you very much Thorpe, I will put that in mind.

My problem is that I decided to go with php by looking at used code, and modiy it to my needs. I try to learn it by trail and error and I guess it's not the best way.

For my code, I do agree that I have some redundent code. But I was able to fix that problem by removing this line

mysql_select_db($Announ) or die('mysql_select '||mysql_error());

now I get this warning,

Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\xampp\htdocs\login_action.php:9) in C:\Program Files\xampp\htdocs\login_action.php on line 42

but dont' worry thrope, I will try to find an answer for it and this is how I will learn. But It would be really good if you can throw in some tips about this error :D

Thanks ;D ;D
Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted
You cannot remove that line or you will not have a database, however there is an error in it.

[code=php:0]
mysql_select_db($Announ) or die(mysql_error());
[/code]

The header error is caused by output going to the browser before a call to the header() function. You cannot have ANY output before a call to this function. That meens no whitespace, no html and no echo().
Link to comment
Share on other sites
dansk Member

dansk

Posted
  • Author
Posted
You are right

but after I added your correction, it says that No DB is selected!! ??? ???

[code]<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login Action</title>
</head>
<body>
<?php
$user_name = $_POST['user_name'];
$pass_word = $_POST['pass_word'];
$frm = $_POST['frm'];

$connect = mysql_connect("localhost", "root","pass") or die(mysql_error());

mysql_select_db($announ) or die(mysql_error());
$result = mysql_query("SELECT * FROM Announ.login WHERE user_name = '" . $user_name . "' and pass_word = '" . $pass_word . "'")or die(mysql_error());

$row = mysql_fetch_array($result);

if ($row[user_name] == $user_name) {

# valid username and password entered
$id = "a" . rand(100,100000);
$sql = "UPDATE Announ.login SET session_id = '" . $id . "' WHERE user_name = '" . $user_name . "'";
$query_result = @mysql_query($sql,$connect) or die('Error :' . mysql_error());
setcookie("id",$id, time()+14000);

if ($user_name == "admin") {
# logged in as admin user

header("Location:admin.php");
} else {
# logged in as other user
header("Location:some_other_page.php");

}

} else {

setcookie("id","IT FAILED", time()+14000);
header("Location: login.php");

}

?>

</body>
</html>[/code]


I will modify the code and remove redundent stuff, but I need it to work first
Link to comment
Share on other sites
dansk Member

dansk

Posted
  • Author
Posted
It's my DB. For some strange reason, it works fine when I take that line offf

mysql_select_db($announ) or die(mysql_error());

i even tried to do query on other items in the table and did

echo $row[pass_word];

and it actually printed it which means that it connected to the DB and selected the row? or is it just some crazy late night nightmares i am having
Link to comment
Share on other sites
dansk Member

dansk

Posted
  • Author
Posted
thank you very much thorpe. It's working now

What i did is basically remove this line

mysql_select_db($announ) or die(mysql_error());

and then I used

ob_start(); and ob_end_flush(); to get around the "can't modify header warning" and it seems to work now

I need to do more testing now to double check

You have been a great help and very patient with me  8)
Link to comment
Share on other sites
craygo Member

craygo

Posted
Posted
I would suggest having a file called config.inc.php or connect.inc.php or something to that effect that you can use to connect to your database.
Let's say I have this file
connect.inc.php
[code]<?php
$dbhost = 'localhost'; // database server
$dbuser = 'username';      // db username
$dbpass = 'password';    // db password
$dbname = 'dbname';  // db name
$mysql_conn = @mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect to Mysql, Please check settings and try again");
@mysql_select_db($dbname, $mysql_conn) or die("DataBase does not exist");
?>[/code]

Now in ANY of my scripts I can just include or require this file and my connection will be done. No more typing your connection string every time you need it.
[code]<?php
require('connect.inc.php');
?>[/code]

Ray
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.