Simple Administrator Control Panel

Code is a bit messy but it does work, and it has security and encryption.

1. Create a new database.
2. Add a table name "users" without the quotes.
3. Add the following 4 fields to the table.

Field Name: id
Type: smallint
Length: 6
Default: 0
Extra: Auto Increment

Field Name: username
Type: varchar
Length: 30
Default: (blank)

Field Name: password
Type: varchar
Length: 32
Default: (blank)

Field Name: email
Type: varchar
Length: 100
Default: (blank)
____________________________________________________________

Now copy each of the codes below into different files, name the files what it says directly above the codes.


registeracc.php
<?php

mysql_connect('localhost', 'username', 'password') or die(mysql_error());
mysql_select_db('databasename') or die(mysql_error());

//Process
if (isset($_POST['submit']))
{

$myUsername = addslashes( $_POST['username'] ); //prevents types of SQL injection
$myPassword = $_POST['password'];
$myEmail = $_POST['email'];

$newpass = md5($myPassword); //This will make your password encrypted into md5, a high security hash

$sql = mysql_query( "INSERT INTO users (`id`, `username`, `password`, `email`) VALUES ('', '$myUsername','$newpass', '$myEmail')" )
or die( mysql_error() );

die( "You have registered for an account.<br><br>Go to <a href=\"login.html\">Login</a>" );
}

echo "Register an account by filling in the needed information below.<br><br>";
echo '<form action="registeracc.php" method="post">';
echo '<table><tr><td>';
echo "<b>Username:</b></td><td><input type='text' style='background-color:#999999; font-weight:bold;' name='username' maxlength='15' value=''></td></tr>";
echo "<tr><td><b>Password:</b></td><td><input type='password' style='background-color:#999999; font-weight:bold;' name='password' maxlength='15' value=''></td></tr>";
echo "<tr><td><b>Email Address:</b></td><td><input type='text' style='background-color:#999999; font-weight:bold;' name='email' maxlength='100' value=''></td></tr></table>";
echo "<input type='submit' name='submit' value='Register Account'></form>";
?>


login.html
<html><head>
<link href="default.css" rel="stylesheet" type="text/css" />
</head><body bgcolor="tan">
<center><h2>Administrator Control Panel</h2></center><br><br>

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="tan">
<tr>
<td colspan="3"><strong>Administrator Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<center>
<br><br>Return to</font><a href="index.html"><b>Website</b></a>
</center>
</body></html>


checklogin.php
<?php
ini_set ("display_errors", "1");
error_reporting(E_ALL);

ob_start();
session_start();
$host="localhost"; // Host name
$username="username"; // Database username
$password="password"; // Database password
$db_name="databasename"; // Database name
$tbl_name="users"; // Table name

// This will connect you to your database
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Defining your login details into variables
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypted_mypassword=md5($mypassword); //MD5 Hash for security
// MySQL injection protections
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
$result=mysql_query($sql) or die(mysql_error());

// Checking table row
$count=mysql_num_rows($result);
// If username and password is a match, the count will be 1

if($count==1){
// If everything checks out, you will now be forwarded to admin.php
$user = mysql_fetch_assoc($result);
$_SESSION['user_id'] = $user['id'];
header("location:admin.php");
}
//If the username or password is wrong, you will receive this message below.
else {
echo "Wrong Username or Password<br><br>Return to <a href=\"login.php\">login</a>";
}

ob_end_flush();

?>


logout.php
<?
session_start();
session_destroy();
?>
You have successfully logged out of the control panel.<br><br><br>
Return to <a href="login.html">Login</a>


admin.php
<?php
mysql_connect('localhost', 'username', 'password') or die(mysql_error());
mysql_select_db('databasename') or die(mysql_error());

session_start();
//If your session isn't valid, it returns you to the login screen for protection
if(empty($_SESSION['user_id'])){
header("location:login.html");
}
?>
<head>
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php

if (isset($_GET["x"])) {
$x = explode(":",$_GET["x"]);

switch($x[0])
{
case 'next':
next();
break;

}
}
else { start(); }

//Main Admin Homepage
function start()
{
echo '<div id="fulladmin">';
echo '<div id="adminleft">';
//Add a function and change this line to it.
echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';

echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
echo 'Welcome to your control panel. Click a link on the left side to continue.<br><br>';
echo '</center></div></div>';
}


//A Blank second page
function next()
{
echo '<div id="fulladmin">';
echo '<div id="adminleft">';
//Add a function and change this line to it.
echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';

echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
echo 'This is the second page.<br><br>';
echo '</center></div></div>';
}

?>
<div id="adminright"><center><br><br><br><br>Return to main <a href="admin.php"><font color="red">Control Panel</font></a>, or you can <a href="logout.php"><font color="red">Log Out</font></a></center></div>
</body>


default.css
body {
background-image: url(images/bg.jpg);
text-align: justify;
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
font-size: small;
text-align: justify;
color: #555E4F;
}

h1, h2, h3, h4, h5 {
margin: 0;
text-align: center;
color: black;
}


a {
color: #666666;
text-decoration: none;
}

a:hover {
color: #555E4F;
text-decoration: none;
}

input[type="text"]
{
background-color: #CDBA96
}

input[type="password"]
{
background-color: #CDBA96
}

#fulladmin {
width: 100%
height: 100%
}

#adminleft {
float: left;
width: 20%;
text-transform: uppercase;
font-weight: bold;
font-size: 14px;
color: #323B2E;
background-color: #555E4F;
}

#adminright {
float: right;
width: 80%;
background-color: #CDCD96;
}


__________________________________________________________

Now just go to registeracc.php in your browser and type in your details and submit. Then go to the login page, put it in, and you will be taken into the administrator control panel, which you need to make custom.

Oh and also in the PHP files, put your username, password, and database name in all of those.

Why not use mysql_real_escape_string in registeracc.php for the username? md5 with salting would be better to use for the passwords. This isn't quite right
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
$result=mysql_query($sql);
It should be
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql) or die(mysql_error());
Although in a site that is out of development, errors shouldn't be displayed as they can be security risks. Why the need for the output buffer on checklogin? Thats normally used if you want to send headers after you've written content to the page. Also how do you determine if the user is and admin or not or is the script simply meant as a login for an administrator and no other users?

I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.

If someone wishes to figure out if they are admins or regular users, you put the following field in your users table.

Field Name: authlevel
Type: smallint
Length: 1
Default: 0

If you are admin, change it to a 1, all others would be 0.

This is for administrators only, so there would not be any other users in it. If you wish to build a multi-user control panel, then yes, authlevel is required.

So, it's for administrators only, with a single (zero) levels of authentication... yet there is a form allowing anyone to register?

I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.

I wouldn't have said anything if you pointed out the security issues to begin with which you should have done according to the posting guidelines for this particular forum.

http://www.codingforums.com/showthread.php?t=71868

I don't think a user of the forums should come on here use something that is insecure but didn't know because no one told them and then their site gets hacked or something.

@kbluhm, I forgot to mention. Please delete the registeracc.php when you are done creating users. It's a good idea to keep a copy on your computer in case you need it again.

@Aero, There is nothing unsafe about it, this is secure, once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security? It's simply for creating your admin accounts and going bye bye. The person who uploads the script is the only person who knows about it.

If it wasn't secure I wouldn't have posted it.

If it's for a single user, then an http authentication (http://www.sitepoint.com/article/http-authentication-php/) would be much easier to implement.

That blocks the whole website from being viewed, this is only for the admin control panel.

That blocks the whole website from being viewed No. Just include something like the following at the top of the required pages to protected.<?php
if ($PHP_AUTH_USER != "mysuser"
or $PHP_AUTH_PW != "mypass"):
// Bad or no username/password.
// Send HTTP 401 error to make the
// browser prompt the user.
header("WWW-Authenticate: " .
"Basic realm=\”Protected Page: " .
"Enter your username and password " .
"for access.");
header("HTTP/1.0 401 Unauthorized");
// Display message if user cancels dialog
?>

next() is a php built in function since php4. The following function definition in admin.php produces a fatal runtime error and prevents admin.php from working -

function next()

There is also a link in checklogin.php to login.php. login.php does not exist.

Delete this whole topic

masterofollies, since there are other people's replies added to this thread already, I can't delete the thread. If there's personal or sensitive info you need help editing out, let me know.

@Aero, There is nothing unsafe about it, this is secure, once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security?

If it wasn't secure I wouldn't have posted it.
If for whatever reason someone found the admin page then it would be a security risk. Addslashes does not prevent all mysql injection. mysql_real_escape_string does. That is what it was designed to do.

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Since we are discussing security problems, the lines of code being used for security in admin.php or any other page the following three lines of code is used on -

if(empty($_SESSION['user_id'])){
header("location:login.html");
}

don't provide any security for the remainder of the code on the page. Without an exit/die statement or an else {} conditional statement, the remainder of the code is still executed and a hacker can access any form or form processing code protected by those three lines of code. Why, you might ask? A header() redirect is executed by a browser. All you have to do is ignore the redirect, which most bot scripts do by default.

How to test this? Execuite the Example 1 code found at the following php.net link, modified with the URL of a protected page, without being logged in, then look in the file that is produced and you will see that the remainder of the code on the page was executed -
http://us2.php.net/manual/en/curl.examples-basic.php

Every header() redirect must do something to prevent the remainder of the code on the page from being executed. An exit/die is the simplest way. You can also use an else {} around the remainder of the code on the page.

Again, I want all of this deleted, don't want my scripts on this forum.

In the best interest of everyone, I'm closing this thread- masterofollies has expressed his desire to move on from CF.