[Help] I Need Help About Secure Page



budaktaktahu
02-27-2012, 06:02 AM
I need a master to fix my problem.
I want to make my page secure,
but I don't know how to code it.
I give you my script code:

Login.php


<?php
session_start();
include("passwords.php");
if ($_POST["ac"]=="log") { /// do after login form is submitted
if ($USERS[$_POST["username"]]==$_POST["password"]) { /// $USERS array
$_SESSION["logged"]=$_POST["username"];
} else {
echo 'Incorrect username/password. Please, try again.';
};
};
if (array_key_exists($_SESSION["logged"],$USERS)) { //// check if user is logged or not
echo "You are logged in."; //// if user is logged show a message
} else { //// if not logged show login form
echo '<form action="donatealatan.php" method="post"><input type="hidden" name="ac" value="log"> ';
echo 'Username: <input type="text" name="username" /><br />';
echo 'Password: <input type="password" name="password" /><br />';
echo '<input type="submit" value="Login" />';
echo '</form>';
};

?>


Logout.php


<?php
session_start(); //Start the current session
session_destroy(); //Destroy it! So we are logged out now
header("location:login.php?msg=Successfully Logged out"); // Move back to login.php with a logout message
?>


passwords.php


<?php
$USERS["admin123"] = "admin123";
$USERS["username2"] = "password2";
$USERS["username3"] = "password3";

function check_logged(){
global $_SESSION, $USERS;
if (!array_key_exists($_SESSION["logged"],$USERS)) {
header("Location: login.php");
};
};
?>


And this is my page. How do I make my page secure?
donatealatan.php



<html>
<head>
<style type="text/css">
.style1 {
font-family: Castellar;
color: #00FF00;
}
.style2 {
color: #FF0000;
}
.style3 {
color: #0000FF;
}
.style5 {
color: #00FF00;
}
.style6 {
text-align: center;
}
</style>
</head>
<body style="background-color: #000000">
<div class="style6">
<span class="style3">
<br></span><span class="style1">Donasi Alatan Gear</span><br>
<span class="style2">Sila Masukan Nama Pemain Kemudian Tekan Butang Donasi</span>
</div>
<form enctype="multipart/form-data" action="donatealatan.php" method="POST">
<div class="style6">
<span class="style3">Nama Pemain Dan Posisi Item Tersebut<br>
(Pemain Hendaklah Memakai Item Tersebut)</span><span class="style5"><br>
Nama Pemain : <input type="text" name="id" style="width: 169px"><br />
Posisi Item :</span>&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="il" style="width: 171px"><br>
<label id="Label1"></label><br>
<span class="style3">Item Yang Hendak Diubah</span><span class="style5"><br>
Magic3 :</span></span> <span class="style5">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="ie" style="width: 171px"><br />
Tahap F-Soul&nbsp; :</span></span> <span class="style5">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="if" style="width: 171px"><br />
Serangan Bumi :&nbsp;&nbsp;&nbsp;&nbsp; </span> </span>&nbsp;<span class="style5"><input type="text" name="ig" style="width: 171px"><br />
Serangan Air :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span> </span>&nbsp;<span class="style5"><input type="text" name="ih" style="width: 171px"><br />
Serangan Api :</span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>&nbsp;<span class="style5"><input type="text" name="ii" style="width: 171px"><br />
Serangan Udara :&nbsp;&nbsp; </span> </span>&nbsp;<span class="style5"><input type="text" name="ij" style="width: 171px"><br />
Special Effect :</span></span> <span class="style5">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" name="ik" style="width: 171px"><br />
</span>
<input type="submit" name="edit" value="Donasi" style="width: 225px"><br>
</div>
</form>
<br>
<?php

$location = '127.0.0.1';
$database = 'my';
$username = 'root';
$password = 'test';

$conn = mysql_connect("$location","$username","$password");
if (!$conn) die ("Could not connect MySQL");
mysql_select_db($database,$conn) or die ("Could not open database");

if(isset($_POST['edit']))
{
$sid = addslashes($_POST['id']);
$sie = addslashes($_POST['ie']);
$sif = addslashes($_POST['if']);
$sig = addslashes($_POST['ig']);
$sih = addslashes($_POST['ih']);
$sii = addslashes($_POST['ii']);
$sij = addslashes($_POST['ij']);
$sik = addslashes($_POST['ik']);
$sil = addslashes($_POST['il']);

mysql_query("update cq_item set magic3='$sie', warghostexp='$sif', eudemon_attack1='$sig', eudemon_attack2='$sih', eudemon_attack3='$sii', eudemon_attack4='$sij', special_effect='$sik' where position='$sil' and forgename='$sid'") or die (mysql_error());


echo '<font color=red size=6>Tahniah!Item Donasi Telah Dimasukan,Sila Login Semula</font><br>';
}
?>
<center><p><a href="logout.php">Logout</a></p></center>
</body>
</html>
<script language=JavaScript> var message="Error!"; function clickIE4(){ if (event.button==2){ alert(message); return false; } } function clickNS4(e){ if (document.layers||document.getElementById&&!document.all){ if (e.which==2||e.which==3){ alert(message); return false; } } } if (document.layers){ document.captureEvents(Event.MOUSEDOWN); document.onmousedown=clickNS4; } else if (document.all&&!document.getElementById){ document.onmousedown=clickIE4; } document.oncontextmenu=new Function("alert(message);return false") </script>

MarkR
02-27-2012, 11:46 AM
When you use


if ($USERS[$_POST["username"]]==$_POST["password"])

I'd use === instead of == to avoid some nasty typecasting workarounds.

Also look at http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string regarding the addslashes shortfalls. The article recommends real_escape_string, but I'd use prepared statements as they are a bit safer: http://php.net/manual/en/pdo.prepared-statements.php

KuriosJon
02-27-2012, 12:40 PM
I'd use === instead of == to avoid some nasty typecasting workarounds.


Using === when possible is faster and better, but you don't have to worry about any typecasting; PHP handles all of this for you.

budaktaktahu, there are some other issues with your code, but you have a function called check_logged(). All you need to do is call that function at the beginning of the page you want secure.

MarkR
02-27-2012, 02:43 PM
Using === when possible is faster and better, but you don't have to worry about any typecasting; PHP handles all of this for you.

budaktaktahu, there are some other issues with your code, but you have a function called check_logged(). All you need to do is call that function at the beginning of the page you want secure.

Exactly, it handles it for you, but it's typically not very good at it. For example, if you did 1 == true or 0 == false, they'd both return true. Not ideal if you're expecting a string and instead get a boolean!
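An added example that is not budaktaktahu's code (nor from any library): it puts the three suggestions made in this thread together for the update section of donatealatan.php, namely the logged-in check at the top of the page (KuriosJon's point), === in the credential comparison, and a PDO prepared statement in place of addslashes() (MarkR's points). It assumes the posted passwords.php for $USERS, the table and column names and database credentials from the posted script, and the helper names post_str and credentials_match are my own.

```php
<?php
// Added example (not the original poster's code): the update section of
// donatealatan.php rewritten along the thread's advice. Assumes the posted
// passwords.php for $USERS, the posted table/column names and DSN values.
session_start();
include 'passwords.php';

// 1) Gate the page before any output (KuriosJon's point). The posted check_logged()
//    sends a Location header but keeps running, so the check is inline here with exit.
if (!isset($_SESSION['logged']) || !array_key_exists($_SESSION['logged'], $USERS)) {
    header('Location: login.php');
    exit;
}
// Read a POST field as a string only; missing keys and arrays (name[]=x) give ''.
function post_str(string $key): string
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
}

// 2) Credential check with === (MarkR's point), for login.php: the types must match
//    too, so no loose type juggling can make a wrong value compare equal.
function credentials_match(array $users, string $username, string $password): bool
{
    return isset($users[$username]) && $users[$username] === $password;
}
// 3) PDO prepared statement instead of addslashes(): values are bound as parameters
//    and never become part of the SQL text.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=my;charset=utf8mb4', 'root', 'test', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

if (isset($_POST['edit'])) {
    $stmt = $pdo->prepare(
        'UPDATE cq_item SET magic3 = :magic3, warghostexp = :warghostexp,
            eudemon_attack1 = :a1, eudemon_attack2 = :a2, eudemon_attack3 = :a3,
            eudemon_attack4 = :a4, special_effect = :special
         WHERE position = :position AND forgename = :forgename'
    );
    $stmt->execute([
        ':magic3' => post_str('ie'), ':warghostexp' => post_str('if'),
        ':a1' => post_str('ig'), ':a2' => post_str('ih'), ':a3' => post_str('ii'),
        ':a4' => post_str('ij'), ':special' => post_str('ik'),
        ':position' => post_str('il'), ':forgename' => post_str('id'),
    ]);
    // Report the real outcome instead of always printing a success banner.
    echo $stmt->rowCount() > 0 ? '<p>Item updated. Please log in again.</p>'
                               : '<p>No item row was changed.</p>';
}
```

The HTML form above this section stays as posted; only the PHP part changes, and credentials_match() is the replacement for the == comparison in login.php.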


