<?php
ob_start();
session_start();
$host="localhost"; // Host name
$username="username"; // Database username
$password="password"; // Database password
$db_name="databasename"; // Database name
$tbl_name="users"; // Table name

// This will connect you to your database
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Defining your login details into variables
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypted_mypassword=md5($mypassword); //MD5 Hash for security
// MySQL injection protections
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
$result=mysql_query($sql) or die(mysql_error());

// Checking table row
$count=mysql_num_rows($result);
// If username and password is a match, the count will be 1

if($count==1){
    // If everything checks out, you will now be forwarded to admin.php
    $user = mysql_fetch_assoc($result);
    $_SESSION['user_id'] = $user['id'];
    header("location:admin.php");
}
//If the username or password is wrong, you will receive this message below.
else {
    echo "Wrong Username or Password<br><br>Return to <a href=\"login.php\">login</a>";
}
ob_end_flush();
?>
logout.php
PHP Code:
<?php
session_start();
session_destroy();
?>
You have successfully logged out of the control panel.<br><br><br>
Return to <a href="login.html">Login</a>
admin.php
PHP Code:
<?php
mysql_connect('localhost', 'username', 'password') or die(mysql_error());
mysql_select_db('databasename') or die(mysql_error());

session_start();
//If your session isn't valid, it returns you to the login screen for protection
if(empty($_SESSION['user_id'])){
    header("location:login.html");
}
?>
<head>
<link href="default.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
if (isset($_GET["x"])) {
    $x = explode(":",$_GET["x"]);
    switch($x[0]) {
        case 'next':
            next();
            break;
    }
} else {
    start();
}

//Main Admin Homepage
function start() {
    echo '<div id="fulladmin">';
    echo '<div id="adminleft">';
    //Add a function and change this line to it.
    echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';
    echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
    echo 'Welcome to your control panel. Click a link on the left side to continue.<br><br>';
    echo '</center></div></div>';
}

//A Blank second page
function next() {
    echo '<div id="fulladmin">';
    echo '<div id="adminleft">';
    //Add a function and change this line to it.
    echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';
    echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
    echo 'This is the second page.<br><br>';
    echo '</center></div></div>';
}
?>
<div id="adminright"><center><br><br><br><br>Return to main <a href="admin.php"><font color="red">Control Panel</font></a>, or you can <a href="logout.php"><font color="red">Log Out</font></a></center></div>
</body>
Now just go to registeracc.php in your browser and type in your details and submit. Then go to the login page, put it in, and you will be taken into the administrator control panel, which you need to make custom.
Oh and also in the PHP files, put your username, password, and database name in all of those.
__________________ Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?
Last edited by masterofollies; 06-30-2009 at 08:27 PM..
Why not use mysql_real_escape_string in registeracc.php for the username? md5 with salting would be better to use for the passwords. This isn't quite right
PHP Code:
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
$result=mysql_query($sql);
It should be
PHP Code:
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql) or die(mysql_error());
Although in a site that is out of development, errors shouldn't be displayed as they can be security risks. Why the need for the output buffer on checklogin? That's normally used if you want to send headers after you've written content to the page. Also, how do you determine if the user is an admin or not, or is the script simply meant as a login for an administrator and no other users?
__________________
||||If you are getting paid to do a job, don't ask for help on it!||||
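The points raised in this reply (escaping, salted password storage, the misplaced `or die`, and not echoing database errors) combined into one rewrite of checklogin.php. This is an added example, not masterofollies' script or anything posted in the thread: it uses PDO prepared statements, so user input is bound as a parameter instead of being escaped into the SQL text, and password_hash()/password_verify(), which salt and stretch the password for you. The table and column names (users: id, username, password, authlevel) and the session keys are assumed to match the thread's scripts; the DSN credentials are placeholders.

```php
<?php
// Added example: checklogin.php rewritten with prepared statements and
// password_hash()/password_verify(). Not the thread's script; table and
// session names (users, id, username, password, authlevel, user_id) are
// assumed to match it, and the DSN credentials are placeholders.
declare(strict_types=1);

session_start();

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=databasename;charset=utf8mb4',
        'username',
        'password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// For registeracc.php: store a salted, slow hash instead of md5($password).
function createAccount(PDO $pdo, string $username, string $password, int $authlevel = 0): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // a fresh salt is generated per call
    $stmt = $pdo->prepare('INSERT INTO users (username, password, authlevel) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $authlevel]);
}

// Returns the user row on success, null otherwise. The username is bound as a
// parameter, so it never becomes part of the SQL text; no escaping is needed.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password, authlevel FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = ($user !== false) ? $user['password'] : password_hash('unknown-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === false) {
        return null;
    }
    return $user;
}

$username = (string)($_POST['myusername'] ?? '');
$password = (string)($_POST['mypassword'] ?? '');

try {
    $user = authenticate(db(), $username, $password);
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep the detail in the server log, not in the response
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}

if ($user === null) {
    echo 'Wrong Username or Password<br><br>Return to <a href="login.html">login</a>';
    exit;
}

session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['user_id']   = (int)$user['id'];
$_SESSION['authlevel'] = (int)$user['authlevel'];
header('Location: admin.php');
exit; // a redirect header alone does not stop the script; always exit after it
```

The password column must be wide enough for the hash (VARCHAR(255) is the usual choice; a 32-character md5 column will truncate it and every login will fail). The mysql_* functions this thread uses were removed in PHP 7, so PDO or mysqli is the only option on a current server anyway.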
I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.
If someone wishes to figure out if they are admins or regular users, you put the following field in your users table.
Field Name: authlevel
Type: smallint
Length: 1
Default: 0
If you are admin, change it to a 1, all others would be 0.
This is for administrators only, so there would not be any other users in it. If you wish to build a multi-user control panel, then yes, authlevel is required.
I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.
I wouldn't have said anything if you pointed out the security issues to begin with which you should have done according to the posting guidelines for this particular forum.
I don't think a user of the forums should come on here use something that is insecure but didn't know because no one told them and then their site gets hacked or something.
@kbluhm, I forgot to mention. Please delete the registeracc.php when you are done creating users. It's a good idea to keep a copy on your computer in case you need it again.
@Aero, There is nothing unsafe about it, this is secure, once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security? It's simply for creating your admin accounts and going bye bye. The person who uploads the script is the only person who knows about it.
If it wasn't secure I wouldn't have posted it.
No. Just include something like the following at the top of the required pages to protect.
PHP Code:
<?php
if ($PHP_AUTH_USER != "mysuser" or $PHP_AUTH_PW != "mypass"):
    // Bad or no username/password.
    // Send HTTP 401 error to make the
    // browser prompt the user.
    header("WWW-Authenticate: " .
           "Basic realm=\"Protected Page: " .
           "Enter your username and password " .
           "for access.\"");
    header("HTTP/1.0 401 Unauthorized");
    // Display message if user cancels dialog
    echo "You must enter a valid username and password to access this page.";
    exit; // stop here so the protected page is not sent anyway
endif;
?>
__________________
Quote:
The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
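The same HTTP Basic check written for a current PHP, as an added example rather than the snippet quoted above: $PHP_AUTH_USER and $PHP_AUTH_PW only exist with register_globals, which has been removed from PHP, so the values come from $_SERVER, and the password is compared against a stored password_hash() value instead of a plaintext constant. ADMIN_USER and ADMIN_HASH are assumed values you replace with your own.

```php
<?php
// Added example, not the snippet quoted above: the same HTTP Basic check
// using $_SERVER (register_globals has been removed from PHP) and a stored
// password hash. ADMIN_USER and ADMIN_HASH are assumed values; generate the
// hash once with password_hash() and paste it here.
declare(strict_types=1);

const ADMIN_USER = 'mysuser';
// Example: php -r 'echo password_hash("mypass", PASSWORD_DEFAULT), PHP_EOL;'
const ADMIN_HASH = '$2y$10$REPLACE_WITH_YOUR_GENERATED_HASH';

function requireBasicAuth(string $realm, string $expectedUser, string $expectedHash): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pw   = $_SERVER['PHP_AUTH_PW']   ?? '';

    // hash_equals() compares in constant time; password_verify() checks the
    // hash and is slow by design, which blunts online guessing.
    $ok = $user !== ''
        && hash_equals($expectedUser, $user)
        && password_verify($pw, $expectedHash);

    if (!$ok) {
        // 401 plus WWW-Authenticate makes the browser show the login prompt.
        header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'You must enter a valid username and password to access this page.';
        exit; // stop here; otherwise the protected page body would still be sent
    }
    return $user;
}

// Put this at the top of every page to protect:
$currentUser = requireBasicAuth('Protected Page', ADMIN_USER, ADMIN_HASH);
```

Basic auth sends the credentials, base64-encoded, with every request, so it is only a reasonable control over HTTPS. Whether PHP_AUTH_USER and PHP_AUTH_PW are populated in $_SERVER also depends on how PHP is hooked into the web server; they are available under mod_php, while CGI/FastCGI setups may need the server configured to pass the Authorization header through.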
next() is a PHP built-in function since PHP 4. The following function definition in admin.php produces a fatal runtime error and prevents admin.php from working -
function next()
There is also a link in checklogin.php to login.php. login.php does not exist.
__________________
If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
masterofollies, since there are other people's replies added to this thread already, I can't delete the thread. If there's personal or sensitive info you need help editing out, let me know.
__________________
- George
- JavaScript Kit- JavaScript tutorials and 400+ scripts!
- JavaScript Reference- JavaScript reference you can relate to.
@Aero, There is nothing unsafe about it, this is secure, once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security?
If it wasn't secure I wouldn't have posted it.
If for whatever reason someone found the admin page then it would be a security risk. Addslashes does not prevent all mysql injection. mysql_real_escape_string does. That is what it was designed to do.
Since we are discussing security problems, the lines of code being used for security in admin.php, or any other page the following three lines of code are used on -
don't provide any security for the remainder of the code on the page. Without an exit/die statement or an else {} conditional statement, the remainder of the code is still executed and a hacker can access any form or form processing code protected by those three lines of code. Why, you might ask? A header() redirect is executed by a browser. All you have to do is ignore the redirect, which most bot scripts do by default.
How to test this? Execute the Example 1 code found at the following php.net link, modified with the URL of a protected page, without being logged in, then look in the file that is produced and you will see that the remainder of the code on the page was executed - http://us2.php.net/manual/en/curl.examples-basic.php
Every header() redirect must do something to prevent the remainder of the code on the page from being executed. An exit/die is the simplest way. You can also use an else {} around the remainder of the code on the page.
Last edited by CFMaBiSmAd; 07-01-2009 at 08:17 PM..
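A guard that does what this reply asks for, as an added example rather than code from the thread: auth_check.php is included first by admin.php and every other protected page, and the exit after header() is what stops the rest of the page from running for a client that ignores the redirect. The session keys (user_id, authlevel) follow the thread's scripts and the authlevel field masterofollies described; guardHoldsFor() is the cURL check described above, done with PHP's curl extension from the command line against your own server, and the marker text it looks for is the heading from the thread's admin.php.

```php
<?php
// Added example, not from the thread: auth_check.php, a guard that halts the
// script instead of relying on the client to follow the redirect. Session keys
// (user_id, authlevel) follow the thread; admin.php would include this file
// first. guardHoldsFor() is the check described in the reply above, done with
// the cURL extension from the command line against your own server.
declare(strict_types=1);

function requireLogin(int $minAuthLevel = 1): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $userId    = $_SESSION['user_id'] ?? null;
    $authlevel = (int)($_SESSION['authlevel'] ?? 0);

    if ($userId === null || $authlevel < $minAuthLevel) {
        header('Location: login.html');
        exit; // without this, everything after the include still runs for an anonymous request
    }
}

// Usage at the top of admin.php (and every other protected page):
//   require_once __DIR__ . '/auth_check.php';
//   requireLogin();

// Self-test from the command line: request a protected page with no session
// cookie and do not follow the redirect, like a bot would. The guard holds when
// the response is a redirect and none of the panel markup came back.
function guardHoldsFor(string $url, string $markerText = 'Administrator Control Panel'): bool
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_HEADER, false);
    $body = curl_exec($ch);
    $code = (int)curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false) {
        return false; // could not reach the page at all
    }
    return in_array($code, [301, 302, 303, 307, 308], true)
        && stripos((string)$body, $markerText) === false;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // php auth_check.php https://your-host.example/admin.php
    echo guardHoldsFor($argv[1]) ? "guard holds\n" : "guard FAILS: page body leaked\n";
}
```

Run the self-test against the original admin.php from the thread and it reports a failure: the response is a 302, but the full control panel markup is in the body because the script kept going after header(). With requireLogin() in place the body of the 302 is empty and the check passes. The same rule applies to checklogin.php's redirect to admin.php.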