mo Posted June 24, 2007

I'll be brief. I have a site; the site has an admin login/control panel and a customer login/control panel. The admin area is root/admin and the customer area is at the root. I have all admin-related PHP files under the admin dir. All admin pages have an include called accesscontrol.php, where I check the user info. The same include is used for the customer control panel and other customer/admin-only areas of the site.

In a nutshell, I just want to make sure that a customer cannot enter the admin control panel by typing a fake URL, etc. The customer control panel pulls data from MySQL based on the logged-in customer, so I am not worried about a customer hacking and seeing another customer's data. However, the admin control panel just pulls site-related data like orders, categories, etc. from the database and is not based on the logged-in user.

Is my accesscontrol.php include enough? See below.

    <?php
    require_once($_SERVER['DOCUMENT_ROOT'].'/config/global.php');
    require_once($_SERVER['DOCUMENT_ROOT'].'/cartfunctions.php');
    require_once($_SERVER['DOCUMENT_ROOT'].'/templates/main_tmpl.php');

    // Check the login cookie: if there is no live session but a cookie of
    // the form "username[]password" exists, rebuild the session from it.
    if ($_SESSION['logged_in'] != 1 && isset($_COOKIE['login_cookie'])) {
        list($user, $pass) = explode('[]', $_COOKIE['login_cookie']);
        $qu = mysql_query("SELECT `password` FROM `mr_members` WHERE `uname` = '".addslashes($user)."'")
            or die(mysql_error());
        if (mysql_num_rows($qu) == 1) {
            $passw = mysql_fetch_object($qu);
            // Compare the MD5 of the cookie password with the `password`
            // column selected above.
            if ($passw->password == md5($pass)) {
                $_SESSION['logged_in'] = 1;
                $_SESSION['username']  = $user;
                $_SESSION['password']  = $pass;
            }
        }
    }

    if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
        // Not logged in: render the guest page and stop.
        $_SESSION['logged_in'] = 0;
        $user = "Guest";
        echo $html_head;
        echo $html_header_panel;
        echo "<div id=\"innerdiv-a\" align=\"center\">";
        echo $html_stats;
        echo $html_a_panel_start;
        echo '<a href="login.php"> Login </a>';
        echo $html_a_panel_end_r;
        echo "</div>";
        echo $html_logo_menu;
        echo $html_main_content;
        echo "<div><br /><br /><br /><p>You are not logged in and do not have access to this area.<br /> Please register and login to access the site.</p></div>";
        echo $html_footer;
        exit;
    } else {
        // Logged in: load the user's id and type from the database into the session.
        $qstr = mysql_query("SELECT `uid`, `utype` FROM `mr_members` WHERE `uname` = '".addslashes($_SESSION['username'])."'")
            or die(mysql_error());
        $q1 = mysql_fetch_object($qstr);
        $_SESSION['uid']       = $q1->uid;
        $_SESSION['user_type'] = $q1->utype;
        // Build the home URL for this user type ("A" = admin) and check it.
        if ($_SESSION['user_type'] == "A") {
            $Url = $admin_home."/admincp.php?admin=".$_SESSION['username'];
        } else {
            $Url = $full_home."/usercp.php?user=".$_SESSION['username'];
        }
        check_user_page($Url);
    }
    ?>

Here is the check_user_page function code:

    function check_user_page($url) {
        // Check that the user name in the URL's query string matches the
        // logged-in user. Everything after the first "=" is compared.
        $split  = "=";
        $parsed = parse_url($url);
        $parsed = $parsed['query'];
        $pos    = strpos($parsed, $split) + 1;
        $len    = strlen($parsed);
        $result_string = substr($parsed, $pos, $len);
        if ($_SESSION['username'] != $result_string) die($url);
    }
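An added example, not the poster's own code, of the kind of gate that answers the question above: a page under /admin decides from the path that was actually requested and from the user type stored in the database, not from a URL the server built out of the session. The `mr_members` rows are a constructed in-memory stand-in for the real table; the column names (`uname`, `utype`, `uid`) and the admin type code `"A"` follow the post, while the customer type code `"C"` and the `/admin/` path prefix are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the mr_members table (example data, not real users).
const MEMBERS = [
    'alice' => ['uid' => 1, 'utype' => 'A'],  // admin
    'bob'   => ['uid' => 2, 'utype' => 'C'],  // customer (type code assumed)
];

// Stand-in for: SELECT `utype` FROM `mr_members` WHERE `uname` = ?
// In a real file run this as a prepared statement (mysqli/PDO) rather than
// by concatenating the name into the SQL string.
function lookup_user_type(string $uname): ?string
{
    return MEMBERS[$uname]['utype'] ?? null;
}

// True only when the session is logged in AND the type stored in the
// database for that user is "A". The type is re-read on every request;
// nothing taken from the URL, and not even the session's own copy of
// user_type, is trusted for the decision.
function may_enter_admin(array $session): bool
{
    if (($session['logged_in'] ?? 0) !== 1 || empty($session['username'])) {
        return false;
    }
    return lookup_user_type($session['username']) === 'A';
}

// The decision an /admin page should make. check_user_page() in the post
// compares a URL the server built from the session against that same
// session, so it cannot notice a customer who typed /admin/admincp.php
// by hand; this function looks at the requested path instead.
function gate_request(string $request_path, array $session): string
{
    $under_admin = strncmp($request_path, '/admin/', 7) === 0;
    if ($under_admin && !may_enter_admin($session)) {
        return 'deny';   // send a 403 or redirect to login.php here
    }
    return 'allow';
}

// Constructed sessions and request paths for the demonstration.
$cases = [
    'admin on /admin'    => ['/admin/admincp.php', ['logged_in' => 1, 'username' => 'alice']],
    'customer on /admin' => ['/admin/admincp.php', ['logged_in' => 1, 'username' => 'bob']],
    'guest on /admin'    => ['/admin/orders.php',  []],
    'unknown on /admin'  => ['/admin/admincp.php', ['logged_in' => 1, 'username' => 'mallory']],
    'customer on /'      => ['/usercp.php',        ['logged_in' => 1, 'username' => 'bob']],
];

foreach ($cases as $label => [$path, $session]) {
    printf("%-20s %s\n", $label, gate_request($path, $session));
}
```

In the real include, `$_SERVER['REQUEST_URI']` (or a constant set by each admin page) would supply the path, and the check has to run before any admin page does work or emits output; a customer, a guest and an unknown user are all refused on the `/admin/` path while the customer is still allowed on the customer panel.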