I need some help reviewing my code and adding more security to it.
Scenario:
Login Page
- enter username
- enter password
Display Page
- if log-in succeeds, display all the records from the MySQL server
Problem:
My script lacks security because I can go directly to the next page ("displayrecords.php") just by typing the address, without going through the Login Page.
Code:
1. Login Page
[PHP]
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr><td colspan="3"><strong>Authorized CMR Approval Login </strong></td></tr>
<tr><td width="78">Username</td><td width="6">:</td><td width="294"><input name="myusername" type="text" id="myusername"></td></tr>
<tr><td>Password</td><td>:</td><td><input name="mypassword" type="password" id="mypassword"></td></tr>
<tr><td> </td><td> </td>
<td><input type="submit" name="Submit" value="Login"></td></tr>
</table>
</td>
</form>
[/PHP]
2. Login Check Page
[PHP]<?php
ob_start();
$host="xxxxx"; // Host name
$username="xxxx"; // Mysql username
$password="xxxxx"; // Mysql password
$db_name="xxxx"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");
// Define $myusername and $mypassword from the login form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect against MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// mysql_num_rows counts the rows the query returned
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to the next page "displayrecords.php"
session_register("myusername");
session_register("mypassword");
header("location:displayrecords.php");
exit; // stop here: header() alone does not end the script
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>[/PHP]
Heya, ddtpmyra.
The problem is with displayrecords.php, not your login script. What's displayrecords.php look like?
Hi Pbmods,
here it is:
[PHP]<?php
# Connect to the database (same placeholder credentials as in checklogin.php)
$dbLink = mysql_connect("xxxxx", "xxxx", "xxxxx") or die("cannot connect");
mysql_select_db("xxxx", $dbLink) or die("cannot select DB");
# Query for a list of all existing files
$result = mysql_query("SELECT FileID, FileName, FileMime, FileSize, Description, created, Author, Requestor, DeadLineFeedback FROM fileStorage WHERE approved = 'N' ORDER BY created", $dbLink);
# Check if it was successful
if($result)
{
    # Make sure there are some files in there
    if(mysql_num_rows($result) == 0) {
        echo "<p>There are no files to approve on CMR database</p>";
    }
    else
    {
        # Print the top of a table
        echo "<table width='100%'><tr>";
        echo "<td><b>Created</b></td>";
        echo "<td><b>File Name</b></td>";
        echo "<td><b>Requestor</b></td>";
        echo "<td><b>Author</b></td>";
        echo "<td><b>Deadline Feedback</b></td>";
        echo "</tr>";
        # Display data; every value is escaped so stored text cannot inject HTML into the page
        while($row = mysql_fetch_assoc($result))
        {
            # Print file info (array keys must match the column names exactly: 'created', not 'Created')
            echo "<tr><td>". htmlspecialchars($row['created']). "</td>";
            echo "<td>". htmlspecialchars($row['FileName']). "</td>";
            echo "<td>". htmlspecialchars($row['Requestor']). "</td>";
            echo "<td>". htmlspecialchars($row['Author']). "</td>";
            echo "<td>". htmlspecialchars($row['DeadLineFeedback']). "</td>";
            echo "</tr>";
        }
        # Close table
        echo "</table>";
    }
}
else
{
    echo "Error! SQL query failed:";
    echo "<pre>". htmlspecialchars(mysql_error($dbLink)) ."</pre>";
}
# Close the mysql connection
mysql_close($dbLink);
?>[/PHP]
Hey there! (Sorry to butt in, Josh but I am le bored!)
First things first: you're using the old way of using sessions. Just use session_start(), session_destroy() and then the $_SESSION array will hold keys and values.
On your displayrecords page you need to check if the session is there, for example:
[PHP]<?php
session_start(); // must run before any output and before $_SESSION is read
if ( isset ( $_SESSION['Logged_In'] ) )
{
// user is logged in
}
?>[/PHP]
Hope this helps.
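The pattern this reply describes (session_start(), a value put into $_SESSION at login, isset() checked on displayrecords.php before anything is output) written out as an added example; this is not code from the thread or from the original poster. It also hardens the login check itself with a PDO prepared statement and password_verify(). Assumptions not stated in the thread: PHP 7.4+ with PDO, a `members` table whose `password` column holds password_hash() output rather than plaintext, and a login form at `login.php` (placeholder name).

```php
<?php
// auth.php: session-based login for the checklogin.php / displayrecords.php pair.
// Added example for this thread, not the original poster's code.
// Assumed: PHP 7.4+, PDO, a `members` table with `username` and `password`
// columns where `password` is a password_hash() value, login form at login.php.
declare(strict_types=1);

const LOGIN_PAGE = 'login.php';   // assumed location of the login form

function db(): PDO
{
    // Same placeholder credentials as in the thread; fill in real values.
    return new PDO('mysql:host=xxxxx;dbname=xxxx;charset=utf8mb4', 'xxxx', 'xxxxx', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,                       // script cannot read the cookie
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),  // send only over TLS when available
        ]);
        session_start();
    }
}

// Check credentials and open a session. The query is parameterised, so no
// escaping is needed; the password is compared with password_verify(); only
// the username, never the password, is stored in $_SESSION.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one hash verification so the response time
        // does not tell an attacker which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    start_session();
    session_regenerate_id(true);        // fresh id on login: defeats session fixation
    $_SESSION['myusername'] = $username;
    return true;
}

// Call at the very top of displayrecords.php, before any output.
function require_login(): void
{
    start_session();
    if (!isset($_SESSION['myusername'])) {
        header('Location: ' . LOGIN_PAGE, true, 303);
        exit;   // header() does not stop the script; without exit the records are still sent
    }
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// checklogin.php becomes:
//   require __DIR__ . '/auth.php';
//   if (login(db(), (string)($_POST['myusername'] ?? ''), (string)($_POST['mypassword'] ?? ''))) {
//       header('Location: displayrecords.php', true, 303);
//       exit;
//   }
//   echo 'Wrong Username or Password';
//
// displayrecords.php starts with:
//   require __DIR__ . '/auth.php';
//   require_login();
```

Two details matter beyond the isset() check itself: the `exit` after `header()`, because a redirect header without it still sends the rest of the page (the records) to the unauthenticated client, and `session_regenerate_id(true)` at login, so a session id an attacker planted before login is not promoted to an authenticated one.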
Thanks for the help, and here's what I did on the #2 Login Check Page: I added this code on top of the script and it works perfectly fine.
[PHP]<?php
session_start();
if(!session_is_registered('myusername')){
    // not logged in: send the visitor back to the login form
    // (the login page's file name is not given in this thread; 'login.php' is a placeholder)
    header("Location: login.php");
    exit;
}
?>[/PHP]
Glad to hear you got it working. Thanks for posting your solution!
Good luck with your project.