Please keep the discussion on the list, or offer me a contract.

On 10 Dec 2008, at 14:29, Terion Miller wrote:
On Tue, Dec 9, 2008 at 4:03 PM, Stut <[EMAIL PROTECTED]> wrote:
On 9 Dec 2008, at 21:54, Terion Miller wrote:
On Tue, Dec 9, 2008 at 3:49 PM, Stut <[EMAIL PROTECTED]> wrote:
On 9 Dec 2008, at 21:41, Terion Miller wrote:
So I have this login information passing parameters in the url to the next page (this is on an intranet app), which I thought was no big deal until a wisecrack graphics guy decided to hack it because he could, by changing the ?adminID= until he got one that worked... he didn't do anything except alert my boss, so now I have to hide this info. How does one do this? Once again, I am not a programmer, just inherited the job... and the code...
Here is the login page code:

<?php
if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';}

$msg = '';

if (!empty($UserName)) {

 $sql = "SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'";
 $result = mysql_query ($sql);
 $row = mysql_fetch_object ($result);

 If (mysql_num_rows($result) > 0) {
     $_SESSION['AdminLogin'] = "OK";
     header ("Location: Main.php?AdminID=". $row->AdminID);
 } else {
     $msg = "Invalid Login";
 }
}

?>

No need to pass AdminID in the URL at all. Store that ID in the AdminLogin session variable instead of "OK" and you can get it from there on every subsequent page.

-Stut

--
http://stut.net/


How do I do that....I see where...but not getting how:

If (mysql_num_rows($result) > 0) {
       $_SESSION['AdminLogin'] = "AdminID"; //<---- that's where it said "ok" before
       header ("Location: Main.php?AdminID=". $row->AdminID); //<---- not sure what to do here?
   } else {
       $msg = "Invalid Login";
   }

Nope.


If (mysql_num_rows($result) > 0) {
       $_SESSION['AdminLogin'] = $row->AdminID;
       header ("Location: Main.php");
       exit; // stop the script once the redirect header is set
   } else {
       $msg = "Invalid Login";
   }

But you then need to edit Main.php to change where it gets the AdminID value from. Chances are it's coming from $_GET['AdminID'], and simply needs changing to $_SESSION['AdminLogin'], but you need to make sure session_start() has been called before you try to use it.

Worth noting that securing PHP scripts is not something that should be approached lightly. If you really don't know what you're doing you could make it even less secure than it already is, or at the very least break it so it no longer does what it's supposed to. Posting snippets of code for us to "fix" as and when you have problems is not the way to do it and is fairly likely to lead to more serious problems in the long run. If you need a PHP developer... hire one!

-Stut

--
http://stut.net/

OK, here is the main.php page, and from what little I know and can tell, the fact that he (last coder) is passing the adminID in the url is not at all needed... right? It seems to be using sessions already...

<?php
include("inc/dbconn_open.php");

if (empty($_SESSION['AdminLogin']) OR $_SESSION['AdminLogin'] <> 'OK' ){
    header ("Location: LogOut.php");
    exit; // stop here; header() alone does not end the script
}

if (isset($_GET['AdminID']) && !empty($_GET['AdminID'])){
    $AdminID = $_GET['AdminID'];
} else {
    header ("Location: LogOut.php");
    exit;
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Work Order System - Administrative Section</title>
</head>

<frameset cols="200,*" frameborder="NO" border="0" framespacing="0">
<frame src="Menu.php?AdminID=<?php echo $AdminID; ?>" name="leftFrame" scrolling="auto" noresize>
<frame src="Welcome.php?AdminID=<?php echo $AdminID; ?>" name="mainFrame">
</frameset>
<noframes><body>
</body></noframes>
</html>

That script doesn't use it except to pass it through to Menu.php and Welcome.php.

-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
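
The change Stut describes (AdminID kept in $_SESSION instead of the URL, and read from there on every later page), as an added example that is not part of the thread or the original application. It assumes PDO with an in-memory SQLite table in place of mysql_*, password_hash() values in admin.Password, and the hypothetical helper names login(), current_admin_id() and require_admin(); the demo row is constructed.

```php
<?php
// Added example, not code from the thread. Runs under the PHP CLI with pdo_sqlite.
// Assumptions: PDO replaces mysql_*, admin.Password holds a password_hash() value.

// Login.php: check the credentials, then keep the identity server-side.
function login(PDO $db, string $userName, string $password): bool
{
    $stmt = $db->prepare('SELECT AdminID, Password FROM admin WHERE UserName = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    if ($row === false || !password_verify($password, $row->Password)) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session ID after login
    $_SESSION['AdminLogin'] = (int) $row->AdminID;
    return true;
}

// The identity comes from the session only; ?AdminID= is never read.
function current_admin_id(): ?int
{
    return empty($_SESSION['AdminLogin']) ? null : (int) $_SESSION['AdminLogin'];
}

// First call in Main.php, Menu.php and Welcome.php.
function require_admin(): int
{
    $id = current_admin_id();
    if ($id === null) {
        header('Location: LogOut.php');
        exit;                                    // header() alone does not stop the script
    }
    return $id;
}

// Constructed demo data: one admin row in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (AdminID INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)');
$db->prepare('INSERT INTO admin VALUES (?, ?, ?)')
   ->execute([7, 'alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
$_GET['AdminID'] = '1';                          // tampered URL value, ignored below
$rejected = login($db, 'alice', 'wrong password');
$before   = current_admin_id();                  // still anonymous
$accepted = login($db, 'alice', 'correct horse');
$after    = require_admin();                     // AdminID taken from the session
var_dump($rejected, $before, $accepted, $after);
```

With this guard in place, the frame URLs in Main.php no longer need an AdminID parameter, because Menu.php and Welcome.php call the same guard.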
