Bytes | Software Development & Data Engineering Community

Password and Page Security

ddtpmyra
333 100+
I need some help to review my code and add more security to it.

Scenario:
Login Page
enter username
enter password

Display Page
if login succeeds, display all the records from the MySQL server

Problem
My script lacks security because I can go directly to the next page ("displayrecords.php") just by typing the address, without going through the Login Page.

Code:
1. Login Page

[PHP]
<form name="form1" method="post" action="checklogin.php">
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr><td colspan="3"><strong>Authorized CMR Approval Login </strong></td></tr>
<tr><td width="78">Username</td><td width="6">:</td><td width="294"><input name="myusername" type="text" id="myusername"></td></tr>
<tr><td>Password</td><td>:</td><td><input name="mypassword" type="password" id="mypassword"></td></tr>
<tr><td>&nbsp;</td><td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td></tr>
</table>
</form>
[/PHP]


2. Login Check Page
[PHP]<?php
ob_start();
$host="xxxxx"; // Host name
$username="xxxx"; // Mysql username
$password="xxxxx"; // Mysql password
$db_name="xxxx"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect against MySQL injection: escape the user input before it goes into the query
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// mysql_num_rows counts the rows returned by the query
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername and $mypassword in the session (session_register() starts the session itself)
// and redirect to the next page "displayrecords.php"
session_register("myusername");
session_register("mypassword");
header("location:displayrecords.php");
exit; // stop here so nothing after the redirect is executed
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>[/PHP]
Sep 25 '08 #1
pbmods
5,821 Expert 4TB
Heya, ddtpmyra.

The problem is with displayrecords.php, not your login script. What's displayrecords.php look like?
Sep 25 '08 #2
ddtpmyra
333 100+
Hi Pbmods

here it is....

[PHP]<?php

# Connect to the database
# (the post left this part out; placeholders follow the same pattern as checklogin.php)
$dbLink = mysql_connect("xxxxx", "xxxx", "xxxxx") or die("cannot connect");
mysql_select_db("xxxx", $dbLink) or die("cannot select DB");

# Query for a list of all existing files
$result = mysql_query("SELECT FileID, FileName, FileMime, FileSize, Description, created, Author,Requestor, DeadLineFeedback FROM fileStorage where approved ='N' order by created", $dbLink);

# Check if it was successful
if($result)
{
# Make sure there are some files in there
if(mysql_num_rows($result) == 0) {
echo "<p>There are no files to approve on CMR database</p>";
}
else
{
# Print the top of a table
echo "<table width='100%'><tr>";
echo "<td><b>Created</b></td>";
echo "<td><b>File Name</b></td>";
echo "<td><b>Requestor</b></td>";
echo "<td><b>Author</b></td>";
echo "<td><b>Deadline Feedback</b></td>";
echo "</tr>";

# display data
while($row = mysql_fetch_assoc($result))
{
# Print file info (the key must match the column name as written in the query: 'created')
echo "<tr border=10><td>". $row['created']. "</td>";
echo "<td>". $row['FileName']. "</td>";
echo "<td>". $row['Requestor']. "</td>";
echo "<td>". $row['Author']. "</td>";
echo "<td>". $row['DeadLineFeedback']. "</td>";
echo "</tr>";
}

# Close table
echo "</table>";
}
}
else
{
echo "Error! SQL query failed:";
echo "<pre>". mysql_error($dbLink) ."</pre>";
}

# Close the mysql connection
mysql_close($dbLink);

?>[/PHP]
Sep 25 '08 #3
Markus
6,050 Expert 4TB
Hey there! (Sorry to butt in, Josh but I am le bored!)

First things first: you're using the old way of using sessions. Just use session_start(), session_destroy(), and then the $_SESSION array will hold keys and values.

On your displayrecords page you need to check if the session is there.

[PHP]<?php
/* for example */
session_start(); // must run before $_SESSION is available
if ( isset ( $_SESSION['Logged_In'] ) )
{
    // user is logged in
}
?>[/PHP]
Hope this helps.
Sep 25 '08 #4
ddtpmyra
333 100+
Thanks for the help. Here's what I did: on the #2 Login Check Page I added this code at the top of the script, and it works perfectly fine.

[PHP]<?php
session_start();
// Guard: if checklogin.php has not registered "myusername" in the session,
// send the visitor to the login form instead of showing the records.
// (The session variable name must be quoted; "login.php" is a placeholder
// for whatever page holds the login form, which the post does not name.)
if(!session_is_registered('myusername')){
header("location:login.php");
exit;
}
?>[/PHP]
Sep 26 '08 #5
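As an added example (not code from this thread or from any of the posters), here is how the session guard Markus describes and the login check from checklogin.php look in current PHP: a prepared statement instead of SQL built from strings, a stored password hash checked with password_verify(), and session_regenerate_id() once the login succeeds. The `members` columns `username` and `password_hash`, the page name login.php and the database credentials are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a `members` table with
// columns `username` and `password_hash` (output of password_hash()), and
// that the login form lives in login.php.

// --- auth.php: include at the top of every protected page (displayrecords.php)
function require_login(string $loginPage = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // No authenticated user in the session: redirect and stop rendering.
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// --- checklogin.php: verify the credentials and establish the session
function login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash  = $stmt->fetchColumn();
    $known = ($hash !== false);

    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal which usernames exist.
    $ok = password_verify($password, $known ? $hash : password_hash('x', PASSWORD_DEFAULT));
    if (!$known || !$ok) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id on login (anti-fixation)
    $_SESSION['user'] = $username;
    return true;
}

// Usage in checklogin.php (host, database and credentials are placeholders):
session_start();
$db = new PDO('mysql:host=localhost;dbname=xxxx', 'xxxx', 'xxxx',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (login($db, $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '')) {
    header('Location: displayrecords.php');
    exit;
}
echo 'Wrong Username or Password';
```

displayrecords.php then only needs `require_login();` as its first statement; typing its address without logging in lands on the login form instead of the records.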
pbmods
5,821 Expert 4TB
Glad to hear you got it working. Thanks for posting your solution!

Good luck with your project.
Sep 27 '08 #6
