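So I have this login information passing parameters in the url to the next page (this is on a intranet app) which I thought was no big deal until a wise crack graphics guy decided to hack it because he could by changing the ?adminID= until he got one that worked...he didn't do anything except alert my boss so now I have to hide this info how does one do this? Once again I am not a programmer just inherited the job....and the code... Here is the login page code:
<?php
// Login handler for the Work Order System admin section.
//
// Reads UserName/Password from the POSTed form, looks the pair up in the
// `admin` table and, on a match, marks the session as logged in and redirects
// to Main.php. On a mismatch it sets $msg, which the page prints above the form.
//
// The identity of the logged-in admin is stored in the session
// ($_SESSION['AdminID']). A value in the URL can be edited by whoever is
// looking at the address bar, so it must never decide which admin is acting;
// a value in $_SESSION lives on the server and cannot be changed by the browser.

// $_SESSION is only persisted when a session is active. No session_start() is
// visible on this page (it may live in an include that is not shown), so start
// one only if none is running yet.
if (session_id() == '') {
    session_start();
}

// Accept plain strings only; anything else (missing field, array input such as
// UserName[]=x) is treated as empty.
$UserName = (isset($_POST['UserName']) && is_string($_POST['UserName'])) ? $_POST['UserName'] : '';
$Password = (isset($_POST['Password']) && is_string($_POST['Password'])) ? $_POST['Password'] : '';

// On old PHP installations with magic_quotes_gpc enabled the input arrives
// already backslash-escaped; undo that so the values are escaped exactly once below.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $UserName = stripslashes($UserName);
    $Password = stripslashes($Password);
}

$msg = '';

if (!empty($UserName)) {
    // Both values come straight from the browser and are placed inside a SQL
    // string, so they are escaped for the current connection first; unescaped,
    // a quote character in either field would change the meaning of the query.
    // The connection itself is opened outside the code shown here.
    // NOTE(review): prepared statements (mysqli or PDO) are the preferred fix
    // once the connection code is migrated off the old mysql_* functions.
    // NOTE(review): the query compares the submitted password with the stored
    // column directly, so passwords appear to be stored unhashed - confirm, and
    // if so move to a salted hash that is verified in PHP instead of in SQL.
    $sql = "SELECT * FROM admin WHERE UserName='" . mysql_real_escape_string($UserName)
         . "' and Password='" . mysql_real_escape_string($Password) . "'";
    $result = mysql_query($sql);

    // mysql_query() returns false on failure; treat that as a failed login
    // instead of passing false on to the fetch/count functions.
    if ($result !== false && mysql_num_rows($result) > 0) {
        $row = mysql_fetch_object($result);

        // Issue a fresh session id at the moment of login so an id that was
        // known before authentication is not the one that becomes privileged.
        session_regenerate_id();

        $_SESSION['AdminLogin'] = "OK";
        $_SESSION['AdminID'] = $row->AdminID;

        // Main.php (not shown) should check $_SESSION['AdminLogin'] on every
        // request and take the admin identity from $_SESSION['AdminID'].
        // The AdminID query parameter is kept only so existing pages keep
        // working until they are switched over; it must not be used to decide
        // who is logged in, and can be dropped from this redirect afterwards.
        header("Location: Main.php?AdminID=" . $row->AdminID);

        // Stop here so the login form is not rendered after the redirect.
        exit;
    } else {
        $msg = "Invalid Login";
    }
}
?>
<html>
<head>
<title>Work Order System - Administrative Section</title>
<link rel="stylesheet" href="inc/style.css">
<script language="JavaScript">
<!--
// These checks only save the user a round trip; the browser can bypass them,
// so the server-side code above must never rely on them.

// Returns sString with leading spaces removed.
function leftTrim(sString) {
  while (sString.substring(0, 1) == ' ') {
    sString = sString.substring(1, sString.length);
  }
  return sString;
}

// onSubmit handler for the login form: trims both fields and blocks the
// submit (returns false) when either one is empty.
function chkData1(objForm) {
  objForm.UserName.value = leftTrim(objForm.UserName.value);
  if (objForm.UserName.value.length == 0) {
    alert("Please enter your User Name.");
    // The form has no "Email" field; focusing it threw an error, which
    // skipped the "return false" and let the empty form submit anyway.
    objForm.UserName.focus();
    return false;
  }

  objForm.Password.value = leftTrim(objForm.Password.value);
  if (objForm.Password.value.length == 0) {
    alert("Please enter a your Password.");
    objForm.Password.focus();
    objForm.Password.select();
    return false;
  }

  return true;
}
//-->
</script>
</head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<table width="780" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td> </td>
  </tr>
  <tr>
    <td align="center"><b>Work Order System - Administrative Section</b><br><br></td>
  </tr>
  <tr>
    <td>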
<?php
// Show the login error, if the handler at the top of the page set one.
// $msg only ever holds a fixed string chosen by this page; if it is ever built
// from user input it must be HTML-escaped before being printed here.
if (!empty($msg)):
?><div class="cl_Error"><?php echo $msg; ?></div><?php
endif;
?>
<!-- Login form: posts UserName and Password back to Index.php. chkData1() is a
     client-side convenience check only; the server validates the values again. -->
<form name="form1" method="post" action="Index.php" onsubmit="return chkData1(this)">
  <table width="300" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="#CCCCCC">
    <tr>
      <td height="22"><div class="admin_Main">Username:</div></td>
      <td height="22"> <input type="text" name="UserName"></td>
    </tr>
    <tr>
      <td><div class="admin_Main">Password:</div></td>
      <td><input type="password" name="Password"></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" value="Login"> </td>
    </tr>
  </table>
</form>
<br>
Thanks guys and gals!