Admin login
December 11th, 2012, 03:03 PM
Registered User
Join Date: Dec 2012
Posts: 16
Admin login
I have 4 fields in my table
id , username ,password , admin
admin is set to 1 when the user has admin rights, but the code doesn't even log in. Can you tell me what's wrong?
PHP Code:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//Replace the variable values
$host = "127.0.0.1";
$root = "root";
$pass = "";
$database = "test";
//Connects to Mysql or displays error
$con = mysql_connect($host,$root,$pass) or die(mysql_error());
//"my_db" is the name of the database.
$db = mysql_select_db($database ,$con);
if($_SESSION['username'] = $username){
$sql="SELECT * FROM admin WHERE username='$_POST[username]' AND password='$_POST[password]' ";
$admin = $sql['admin'];
$password = $sql['password'];
if($admin>0){
$_SESSION['username']="$username";
echo "Hello admin ";
}
else {
die("Sorry wrong information.");
}
}
?>

December 11th, 2012, 03:24 PM
Likely to be eaten by a grue.
Join Date: Oct 2006
Location: Pennsylvania, USA
Your main problem is "you're not running the query." mysql_query()
Your other problems:
1) You're using $_POST data raw in your query without escaping it
2) Your string concatenation is sloppy
3) You aren't hashing passwords
4) You should be using mysqli or PDO
5) Your table may not be named "admin," though that one is a guess

December 11th, 2012, 03:49 PM
Registered User
Join Date: Dec 2012
Posts: 16
Quote (Originally Posted by ManiacDan):
Your main problem is "you're not running the query." mysql_query()
Your other problems:
1) You're using $_POST data raw in your query without escaping it
2) Your string concatenation is sloppy
3) You aren't hashing passwords
4) You should be using mysqli or PDO
5) Your table may not be named "admin," though that one is a guess
My table is named admin ("I'm not that bad"), the hash I can do, it's ok; what do you mean I use the query without escaping it?
I know that I have to use mysqli, but first I need to understand some basic things in PHP.

December 11th, 2012, 08:04 PM
pollyanna
Join Date: Jul 2012
Location: Germany
Hi,
Quote (Originally Posted by johnadamos): the hash I can do, it's ok
well, but don't just make it an MD5 hash or something, those can be "cracked" fairly easily. Use the PHPass library to generate serious hashes that will actually withstand brute force attacks.
Quote (Originally Posted by johnadamos): what do you mean I use the query without escaping it?
You just dump the POST values directly into the query string, allowing users to manipulate the query in any way they want.
For example, I could bypass the password check and log in as a different user, or I could fetch the (cleartext!) passwords from the database etc. All I need to do is change the query through the POST values.
Quote (Originally Posted by johnadamos): I know that I have to use mysqli, but first I need to understand some basic things in PHP.
Well, not sure if that's a good idea. This "I'll add the security later" never works in my experience. You should make it right from the beginning.
And mysqli itself won't help you if you continue to build your query strings like that. You either have to use prepared statements (which mysqli offers) or escape every value by hand.

December 12th, 2012, 08:35 AM
Likely to be eaten by a grue.
Join Date: Oct 2006
Location: Pennsylvania, USA
Did you notice that I said your actual problem in the first sentence? You're not running the query. You also had an assignment in a conditional.
A better version of your script, using PHPass and PDO:
PHP Code:
<?php
//you need to download phpass for this to work:
require("PasswordHash.php");
$hasher = new PasswordHash(8, false);
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//Replace the variable values
$dsn = 'mysql:dbname=test;host=127.0.0.1';
$user = "root";
$pass = "";
//Connects to Mysql; make PDO throw on errors instead of failing silently
$con = new PDO($dsn, $user, $pass);
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//Look the row up by username only. phpass hashes carry a random salt, so hashing the
//submitted password again and comparing it in SQL would never match; the stored value
//must be what $hasher->HashPassword() produced when the account was created.
$sql = "SELECT * FROM admin WHERE username = ?";
$prep = $con->prepare($sql);
$prep->execute( array( $username ) );
$result = $prep->fetch(PDO::FETCH_ASSOC);
//CheckPassword() re-hashes the submitted password with the stored salt and compares
if ( $result !== false && $hasher->CheckPassword($password, $result['password']) ) {
    if ( $result['admin'] > 0 ) {
        $_SESSION['username'] = $username;
        echo "Hello Admin";
    } else {
        die("Not an admin account.");
    }
} else {
    die("Incorrect username or password.");
}

December 12th, 2012, 11:55 AM
Registered User
Join Date: Dec 2012
Posts: 16
Thank you, it works perfectly. I thought the best way to hash a password and save it into the database was if you only add the hash of the username.
So if I want to protect a page all I have to do is just to

December 12th, 2012, 12:14 PM
Likely to be eaten by a grue.
Join Date: Oct 2006
Location: Pennsylvania, USA
No, wait. None of what you just said is right.
If this page is admin.php, it will not secure a page since this page logs someone in. You need a second page which verifies that $_SESSION['username'] is set (and also make $_SESSION['admin']).
I don't know what the first sentence even means.
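Added example, not code from the thread: the flow pollyanna and ManiacDan describe (salted hashes instead of MD5, bound parameters instead of interpolated POST values, and a separate session check for protected pages) in one runnable script. It assumes PHP 5.5+ with the PDO SQLite driver, and uses the built-in password_hash()/password_verify() in place of PHPass's HashPassword()/CheckPassword() so it runs without a download; the names register, login and require_admin are my own.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 5.5+ with PDO SQLite;
// password_hash()/password_verify() stand in for PHPass HashPassword()/CheckPassword().
session_start();

// Constructed in-memory table with the OP's four columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, admin INTEGER)");

// Registration: store only the salted hash, never the cleartext password.
function register(PDO $db, $username, $password, $isAdmin) {
    $stmt = $db->prepare("INSERT INTO admin (username, password, admin) VALUES (?, ?, ?)");
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT), $isAdmin ? 1 : 0));
}

// Login: fetch the row by username through a bound parameter (the value never becomes
// part of the SQL text), then check the submitted password against the stored hash.
function login(PDO $db, $username, $password) {
    $stmt = $db->prepare("SELECT username, password, admin FROM admin WHERE username = ?");
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);     // fresh session id once the user is authenticated
    $_SESSION['username'] = $row['username'];
    $_SESSION['admin'] = (int) $row['admin'];
    return true;
}

// The second page ManiacDan describes: call this before any output on every admin page.
function require_admin() {
    if (empty($_SESSION['username']) || empty($_SESSION['admin'])) {
        header('HTTP/1.1 403 Forbidden');
        exit("Admins only.");
    }
}

register($db, "o'brien", 'correct horse', true);   // the quote in the name is plain data
register($db, 'bob', 'hunter2', false);
$attempts = array(
    login($db, "o'brien", 'wrong'),           // false: wrong password
    login($db, 'bob', 'hunter2'),             // true, but sets the admin flag to 0
    login($db, "o'brien", 'correct horse'),   // true, sets the admin flag to 1
);
require_admin();                               // passes only because o'brien logged in last
var_dump($attempts);                           // bool(false), bool(true), bool(true)
```

Swapping the two last logins would make require_admin() exit with 403, which is exactly the check the login page alone cannot give you.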

December 12th, 2012, 12:43 PM
Registered User
Join Date: Dec 2012
Posts: 16
I meant that I didn't know about the PHPass library and I thought that the safest way to hash a password in the database was to add the md5($_POST['username']) plus the md5($_POST['password']) and then save the result as the password in the database.
Okay, I will check how to set $_SESSION['username'] (and also make $_SESSION['admin']). Thanks!