
Password and Page Security

ddtpmyra
100+
P: 333
I need some help to review my code and add more security to it.

Scenario:
Login Page
enter username
enter password

Display Page
if log-in succeeds, display all the records from the MySQL server

Problem
My script lacks security because I can go directly to the next page ("displayrecords.php") just by typing the address, without dealing with the Login Page.

Code:
1. Login Page

[PHP]
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr><td colspan="3"><strong>Authorized CMR Approval Login </strong></td></tr>
<tr><td width="78">Username</td><td width="6">:</td><td width="294"><input name="myusername" type="text" id="myusername"></td></tr>
<tr><td>Password</td><td>:</td><td><input name="mypassword" type="password" id="mypassword"></td></tr>
<tr><td>&nbsp;</td><td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td></tr>
</table>
</td>
</form>
[/PHP]


2. Login Check Page
[PHP]<?php
ob_start();
$host="xxxxx"; // Host name
$username="xxxx"; // Mysql username
$password="xxxxx"; // Mysql password
$db_name="xxxx"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file next page "displayrecords.php"
session_register("myusername");
session_register("mypassword");
header("location:displayrecords.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>[/PHP]
Sep 25 '08 #1
5 Replies


pbmods
Expert 5K+
P: 5,821
Heya, ddtpmyra.

The problem is with displayrecords.php, not your login script. What's displayrecords.php look like?
Sep 25 '08 #2

ddtpmyra
100+
P: 333
Hi Pbmods

here it is....

[PHP]<?php

# Connect to the database


# Query for a list of all existing files
$result = mysql_query("SELECT FileID, FileName, FileMime, FileSize, Description, created, Author,Requestor, DeadLineFeedback FROM fileStorage where approved ='N' order by created");

# Check if it was successful
if($result)
{
# Make sure there are some files in there
if(mysql_num_rows($result) == 0) {
echo "<p>There are no files to approve on CMR database</p>";
}
else
{
# Print the top of a table
echo "<table width='100%'><tr>";
echo "<td><b>Created</b></td>";
echo "<td><b>File Name</b></td>";
echo "<td><b>Requestor</b></td>";
echo "<td><b>Author</b></td>";
echo "<td><b>Deadline Feedback</b></td>";
echo "</tr>";

#display data
while($row = mysql_fetch_assoc($result))
{
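# Print file info; escape each value so stored data cannot inject HTML into the page
# (the query selects "created" in lower case, so the array key must match)
echo "<tr border=10><td>". htmlspecialchars($row['created']). "</td>";
echo "<td>". htmlspecialchars($row['FileName']). "</td>";
echo "<td>". htmlspecialchars($row['Requestor']). "</td>";
echo "<td>". htmlspecialchars($row['Author']). "</td>";
echo "<td>". htmlspecialchars($row['DeadLineFeedback']). "</td>";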
echo "</tr>";
}

# Close table
echo "</table>";
}
}
else
{
echo "Error! SQL query failed:";
echo "<pre>". mysql_error($dbLink) ."</pre>";
}

# Close the mysql connection
mysql_close($dbLink);

?>[/PHP]
Sep 25 '08 #3

Markus
Expert 5K+
P: 6,050
Hey there! (Sorry to butt in, Josh but I am le bored!)

First things first: you're using the old way of using sessions. Just use session_start(), session_destroy and then the $_SESSION array will hold keys and values.

On your displayrecords page you need to check if the session is there.

[PHP]<?php
/* for example */
session_start(); // resume the session so $_SESSION is populated
if ( isset ( $_SESSION['Logged_In'] ) )
{
    // user is logged in
}
?>[/PHP]
Hope this helps.
Sep 25 '08 #4
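
Added example (not code from any poster in this thread): one way to apply the session check described in the reply above, written as a small include file. The file name auth_guard.php, the function names and the login page name login.php are assumptions; the Logged_In key is the one used in the reply.

```php
<?php
// auth_guard.php (hypothetical file name). Requires PHP 7.3+ for the
// array form of session_set_cookie_params().

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,   // session cookie not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call from checklogin.php once the username/password row has matched.
function mark_logged_in(string $username): void
{
    start_secure_session();
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['Logged_In']  = true;
    $_SESSION['myusername'] = $username;  // store the name only, never the password
}

// Call as the first statement of displayrecords.php and of every other
// page that must not be reachable by typing its address.
function require_login(string $loginPage): void
{
    start_secure_session();
    if (empty($_SESSION['Logged_In'])) {
        header('Location: ' . $loginPage);
        exit; // without this the rest of the page still runs and is sent
    }
}

// Usage (login.php is an assumed name for the login form page):
//   checklogin.php:      require 'auth_guard.php'; mark_logged_in($myusername);
//   displayrecords.php:  require 'auth_guard.php'; require_login('login.php');
```
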

ddtpmyra
100+
P: 333
Thanks for the help. Here's what I did on the #2 Login Check Page: I added this code at the top of the script and it works perfectly fine.

[PHP]<?php
session_start();
// The name is quoted: a bare myusername is read as an undefined constant
if(!session_is_registered('myusername')){
header("location:displayrecords.php");
}
?>[/PHP]
Sep 26 '08 #5

pbmods
Expert 5K+
P: 5,821
Glad to hear you got it working. Thanks for posting your solution!

Good luck with your project.
Sep 27 '08 #6
