Thread: Admin login

#1 johnadamos (Registered User, joined Dec 2012)

Admin login


I have 4 fields in my table:
id, username, password, admin
admin is set to 1 when the user has admin rights, but the code doesn't even log in. Can you tell me what is wrong?
PHP Code:

<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//Replace the variable values

$host = "127.0.0.1";
$root = "root";
$pass = "";
$database = "test";

//Connects to Mysql or displays error
$con = mysql_connect($host, $root, $pass) or die(mysql_error());

//"my_db" is the name of the database.
$db = mysql_select_db($database, $con);
if ($_SESSION['username'] = $username) {

    $sql = "SELECT * FROM admin WHERE username='$_POST[username]' AND password='$_POST[password]' ";

    $admin = $sql['admin'];
    $password = $sql['password'];

    if ($admin > 0) {
        $_SESSION['username'] = "$username";
        echo "Hello admin ";
    }
    else {
        die("Sorry wrong information.");
    }
}

?>
#2 Sarcky (Devshed Supreme Being, Pennsylvania, USA)

    Your main problem is "you're not running the query." mysql_query()

    Your other problems:
    1) You're using $_POST data raw in your query without escaping it
    2) Your string concatenation is sloppy
    3) You aren't hashing passwords
    4) You should be using mysqli or PDO
    5) Your table may not be named "admin," though that one is a guess
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
#3 johnadamos (Registered User)

    Originally Posted by ManiacDan
    Your main problem is "you're not running the query." mysql_query()

    Your other problems:
    1) You're using $_POST data raw in your query without escaping it
    2) Your string concatenation is sloppy
    3) You aren't hashing passwords
    4) You should be using mysqli or PDO
    5) Your table may not be named "admin," though that one is a guess
My table is named admin ('I'm not that bad'), the hash I can do, it's ok, but what do you mean I use the query without escaping it?

I know that I have to use mysqli, but first I need to understand some basic things in PHP.
#4 (Devshed Expert, 3500 - 3999 posts, joined Jul 2012)

    Hi,

    Originally Posted by johnadamos
    the hash i can do it its ok
Well, but don't just make it an MD5 hash or something, those can be "cracked" fairly easily. Use the PHPass library to generate serious hashes that will actually withstand brute force attacks.



    Originally Posted by johnadamos
    what do you mean I use query without escaping it?
    You just dump the POST values directly into the query string, allowing users to manipulate the query in any way they want.

    For example, I could bypass the password check and login as a different user, or I could fetch the (cleartext!) passwords from the database etc. All I need to do is change the query through the POST values.



    Originally Posted by johnadamos
I know that I have to use mysqli, but first I need to understand some basic things in PHP.
    Well, not sure if that's a good idea. This "I'll add the security later" never works in my experience. You should make it right from the beginning.

    And mysqli itself won't help you if you continue to build your query strings like that. You either have to use prepared statements (which mysqli offers) or escape every value by hand.

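To make the two options in the reply above concrete, here is the lookup from the first post written three ways with mysqli. This is an added example, not code from the thread or its posters; it assumes an open mysqli connection $con to the "test" database, the admin(id, username, password, admin) table described in post #1, and the mysqlnd driver for get_result().

```php
<?php
// Added example, not part of the thread. Assumes an open mysqli
// connection $con to the "test" database and the table
// admin(id, username, password, admin) from post #1.

// 1. What the original script does: the POST values are pasted into the
//    SQL text, so anything the user types is parsed as part of the query.
function lookup_unsafe(mysqli $con, $username, $password)
{
    $sql = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
    return $con->query($sql);
}

// 2. Escaping every value by hand (the manual option mentioned above).
//    Only safe when every escaped value sits inside quotes in the SQL and
//    you never forget a single one.
function lookup_escaped(mysqli $con, $username, $password)
{
    $u = $con->real_escape_string($username);
    $p = $con->real_escape_string($password);
    $sql = "SELECT * FROM admin WHERE username='$u' AND password='$p'";
    return $con->query($sql);
}

// 3. Prepared statement (what mysqli offers): the SQL text is fixed and
//    the values travel separately, so they can never change its structure.
//    The row is looked up by username only; the password is then checked
//    in PHP against the stored hash (PHPass CheckPassword()), not in SQL,
//    so cleartext passwords never need to be in the table at all.
function lookup_prepared(mysqli $con, $username)
{
    $stmt = $con->prepare("SELECT id, username, password, admin FROM admin WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    // needs mysqlnd; returns null when no such user exists
    return $stmt->get_result()->fetch_assoc();
}
```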
#5 Sarcky (Devshed Supreme Being)

    Did you notice that I said your actual problem in the first sentence? You're not running the query. You also had an assignment in a conditional.

    A better version of your script, using PHPass and PDO:


PHP Code:
<?php
//you need to download phpass for this to work:
require("PasswordHash.php");
$hasher = new PasswordHash(8, false);

session_start();
$username = $_POST['username'];
//the passwords must also be hashed in the database (with $hasher->HashPassword()), obviously
$password = $_POST['password'];

//Replace the variable values
$dsn  = 'mysql:dbname=test;host=127.0.0.1';
$user = "root";
$pass = "";

//Connects to Mysql
$con = new PDO($dsn, $user, $pass);

//Look the account up by username only: PHPass hashes are salted, so a fresh
//hash of the submitted password would never equal the stored one in SQL.
//The password is verified with CheckPassword() below instead.
$sql = "SELECT * FROM admin WHERE username = ?";

$prep = $con->prepare($sql);

$prep->execute( array( $username ) );

$result = $prep->fetch(PDO::FETCH_ASSOC);

if ( $result && $hasher->CheckPassword($password, $result['password']) ) {
  if ( $result['admin'] > 0 ) {
    $_SESSION['username'] = $username;
    echo "Hello Admin";
  } else {
    die("Not an admin account.");
  }
} else {
  die("Incorrect username or password.");
}

#6 johnadamos (Registered User)

Thank you, it works perfectly. I thought the best way to hash a password and save it into the database was if you only add the hash of the username.

So if I want to protect a page, all I have to do is just
PHP Code:
include 'admin.php';
#7 Sarcky (Devshed Supreme Being)

    No, wait. None of what you just said is right.

    If this page is admin.php, it will not secure a page since this page logs someone in. You need a second page which verifies that $_SESSION['username'] is set (and also make $_SESSION['admin']).

    I don't know what the first sentence even means.

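One way to build the "second page" the reply above asks for, as an added example that is not part of the thread: a small guard file that every admin-only page includes before producing output. It assumes the login script stored $_SESSION['username'] and $_SESSION['admin'] as suggested; the file name admin_guard.php and the function require_admin() are made up for this example.

```php
<?php
// Added example, not part of the thread: admin_guard.php, included at the
// top of every admin-only page (before any output). It assumes the login
// script stored $_SESSION['username'] and $_SESSION['admin'] as post #7
// suggests; the file and function names are made up for this example.

function require_admin()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $logged_in = isset($_SESSION['username']) && $_SESSION['username'] !== '';
    $is_admin  = isset($_SESSION['admin']) && (int) $_SESSION['admin'] === 1;

    if (!$logged_in || !$is_admin) {
        // Refuse without saying which check failed, and stop the request
        // here so nothing after the include is ever executed for it.
        http_response_code(403);
        exit('Access denied.');
    }
}

require_admin();

/*
 The login script has to put those values in the session once the prepared
 statement found the account and PHPass CheckPassword() accepted the
 password, for example:

     session_regenerate_id(true);              // new id when privilege changes
     $_SESSION['username'] = $result['username'];
     $_SESSION['admin']    = (int) $result['admin'];

 A protected page then starts with:

     require __DIR__ . '/admin_guard.php';
*/
```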
#8 johnadamos (Registered User)

I meant that I didn't know about the PHPass library and I thought that the safest way to hash a password in the database was to add the md5($_POST['username']) plus the md5($_POST['password']) and then the result would be saved as the password in the database.

Okay, I will check how to set $_SESSION['username'] (and also make $_SESSION['admin']). Thanks!
