
Problem of creating an admin account for my page


2 replies to this topic

#1 downbike


Posted 20 April 2006 - 12:51 AM

I'm just a newbie at creating dynamic web pages.

I'm almost done, but as you can see in the title... I can't create my admin account for the site even when my code is right and my database is OK...
but still I can't log on.

Below is my code of the index.php page:


<?php
if($_GET["logout"])
{
    setcookie("autorized","");
    setcookie("root","");
    header("Location: index.php");
}

if($_POST["submit"])
{
    require("../PHP/config.inc.php");
    $ind=0;
    $SQL="SELECT * FROM users WHERE username='admin". $_POST["username"] ."' AND password='admin". $_POST["password"] ."'";
    $result = mysql_query($SQL) or die("Invalid query");
    $row = mysql_fetch_array($result);

    setcookie("autorized", $_POST['username']);
    if($row["root"]==1)
    {
        setcookie("root",$_POST['username']);
    }
    include "useradmin.php";
    exit;
}

if($_COOKIE['autorized']){include "useradmin.php"; exit;}?>

And here is my other page, which is linked to the index.php page above:

<?
if(!$_COOKIE['autorized']){echo "Session Expired!"; exit;}?>

<?require("../PHP/config.inc.php");
if(!$_GET['limit']){$_GET['limit']=0;}


$result = mysql_query("select * from news where id = '".$_GET['id']."'") or die("Invalid query");
$row = mysql_fetch_array($result);?>



-----> When I log in... the page automatically said "Session Expired!"


Anyone help?

#2 poirot


Posted 20 April 2006 - 12:57 AM

You shouldn't use cookies to store this.
Cookies can be easily changed, so anyone could just change the cookies and impersonate the admin.
Instead, use SESSIONS; something like this:

<?php

session_start();
header("Cache-control: private"); // IE fix

if ($_SESSION['authorized'] = 'yes') {
  // outputs admin page
}

~ D Kuang

#3 downbike


Posted 21 April 2006 - 01:53 AM

[quote name='poirot' date='Apr 19 2006, 07:57 PM']
You shouldn't use cookies to store this.
Cookies can be easily changed, so anyone could just change the cookies and impersonate the admin.
Instead, use SESSIONS; something like this:

<?php

session_start();
header("Cache-control: private"); // IE fix

if ($_SESSION['authorized'] = 'yes') {
  // outputs admin page
}
[/quote]

So I have to put that code in the index page and the code below in the other page, right?
if ($_SESSION['authorized'] = 'yes') {
  // outputs admin page
}

And by the way, when I try to put this code in my pages, I think there is a problem because I can even access the pages without username and pass ^^ ...
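
An added example (not code from any poster in this thread) of the session-based login poirot describes: the flag lives in `$_SESSION`, which is readable in the same request that sets it, unlike a value passed to `setcookie()`, and the check uses `===` because a single `=` assigns and is always true. Assumptions: PDO with an in-memory SQLite table and a constructed account stand in for the `users` table behind `config.inc.php`, the `password` column holds `password_hash()` output, and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. PDO replaces mysql_*; the in-memory
// SQLite table and the account in it are constructed stand-ins (assumptions).
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted values never become part of the SQL text.
    $stmt = $pdo->prepare('SELECT password, root FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Fail when no row matched or the stored hash does not verify.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id once the user is authenticated
    $_SESSION['authorized'] = 'yes';  // kept server-side; the browser only holds the id
    $_SESSION['root'] = ((int) $row['root'] === 1);
    return true;
}

function is_authorized(): bool
{
    // === compares; a single = would assign 'yes' and make the test always true.
    return isset($_SESSION['authorized']) && $_SESSION['authorized'] === 'yes';
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed sample data so the block runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, root INTEGER)');
$pdo->prepare('INSERT INTO users VALUES (?, ?, 1)')
    ->execute(['admin', password_hash('constructed-sample-pass', PASSWORD_DEFAULT)]);

$checks = [
    'before login'        => is_authorized(),
    'wrong password'      => login($pdo, 'admin', 'not-the-password'),
    'correct password'    => login($pdo, 'admin', 'constructed-sample-pass'),
    'same request, after' => is_authorized(),
];
logout();
$checks['after logout'] = is_authorized();
var_export($checks);
```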



