On Tue, 2008-12-09 at 15:41 -0600, Terion Miller wrote:
> So I have this login information passing parameters in the URL to the next
> page (this is on an intranet app), which I thought was no big deal until a
> wisecrack graphics guy decided to hack it because he could, by changing the
> ?adminID= until he got one that worked... He didn't do anything except alert
> my boss, so now I have to hide this info. How does one do this? Once again, I
> am not a programmer, just inherited the job... and the code...
> Here is the login page code:
>
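> <?php
> // Read the submitted credentials, defaulting to empty strings.
> if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else
> {$UserName = '';}
> if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else
> {$Password = '';}
>
> $msg = '';
>
> if (!empty($UserName)) {
>
> // Escape the submitted values before they are placed in the SQL string.
> $sql = "SELECT * FROM admin WHERE UserName='" .
> mysql_real_escape_string($UserName) . "' and Password='" .
> mysql_real_escape_string($Password) . "'";
> $result = mysql_query ($sql);
> $row = mysql_fetch_object ($result);
>
> if (mysql_num_rows($result) > 0) {
> $_SESSION['AdminLogin'] = "OK";
> // The AdminID is handed to the next page in the URL.
> header ("Location: Main.php?AdminID=". $row->AdminID);
> exit; // stop here so the login form is not sent along with the redirect
> } else {
> $msg = "Invalid Login";
> }
> }
>
> ?>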
>
> <HTML>
>
> <HEAD>
> <TITLE>Work Order System - Administrative Section</TITLE>
> <LINK REL="STYLESHEET" HREF="inc/style.css">
> <script language="JavaScript">
> <!--
> function leftTrim(sString) {
> while (sString.substring(0,1) == ' ') {
> sString = sString.substring(1, sString.length);
> }
> return sString;
> }
>
> // Client-side check that both fields are filled in before submitting.
> function chkData1(objForm) {
>
> objForm.UserName.value = leftTrim(objForm.UserName.value);
> if (objForm.UserName.value.length == 0) {
> alert("Please enter your User Name.");
> objForm.UserName.focus(); // the form has no Email field
> return false;
> }
>
> objForm.Password.value = leftTrim(objForm.Password.value);
> if (objForm.Password.value.length == 0) {
> alert("Please enter your Password.");
> objForm.Password.focus();
> objForm.Password.select();
> return false;
> }
> return true;
> }
>
> //-->
> </script>
>
> </HEAD>
>
> <BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
> <TABLE WIDTH="780" BORDER="0" CELLSPACING="0" CELLPADDING="0">
>
> <TR>
> <TD> </TD>
> </TR>
> <TR>
> <TD ALIGN="CENTER"><B>Work Order System - Administrative
> Section</B><BR><BR></TD>
> </TR>
> <TR>
> <TD>
> <?php
> If (!empty($msg)){
> echo "<div class=\"cl_Error\">". $msg ."</div>";
> }
> ?>
>
> <form name="form1" method="post" action="Index.php" onSubmit="return
> chkData1(this)">
> <TABLE WIDTH="300" BORDER="0" CELLSPACING="0" CELLPADDING="2" ALIGN="center"
> bgcolor="#CCCCCC">
> <TR>
> <TD HEIGHT="22"><div class="admin_Main">Username:</div></TD>
> <TD HEIGHT="22"> <INPUT TYPE="text" NAME="UserName"></TD>
> </TR>
> <TR>
> <TD><div class="admin_Main">Password:</div></TD>
> <TD><INPUT TYPE="password" NAME="Password"></TD>
> </TR>
> <TR>
> <TD colspan="2" align="center"><INPUT TYPE="submit" VALUE="Login">
> </TD>
> </TR>
> </TABLE>
> </form>
> <BR>
>
> Thanks guys and gals!
You shouldn't be passing info like that over the URL; use sessions
instead.
I saw a shopping cart system once that passed the price of items over
the URL, and when I found out and alerted them, we won the contract for
a rebuild and then got accused of hacking by their previous web guys
(who incidentally built the system!)
Ash
www.ashleysheridan.co.uk
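
The session approach suggested in the reply, sketched as an added example (not code from the thread): after a successful login the AdminID is stored in `$_SESSION`, and admin pages read it from there, so editing `?AdminID=` in the URL has no effect. The `PasswordHash` column, the use of PDO with an in-memory SQLite database, the sample account, and the function names `login` and `currentAdminId` are assumptions made for the demo.

```php
<?php
// Added example: table and column names follow the post, except PasswordHash
// (assumed); login() and currentAdminId() are hypothetical helper names.

function login(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: the submitted values never become part of the SQL text.
    $st = $db->prepare('SELECT AdminID, PasswordHash FROM admin WHERE UserName = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['PasswordHash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['AdminLogin'] = 'OK';
    $_SESSION['AdminID'] = (int) $row['AdminID'];
    return true;
}

// Call at the top of Main.php and every other admin page.
function currentAdminId(): ?int
{
    if (($_SESSION['AdminLogin'] ?? '') !== 'OK') {
        return null;                         // not logged in: send back to Index.php
    }
    return $_SESSION['AdminID'] ?? null;     // $_GET['AdminID'] is never consulted
}

// --- Constructed demo data; run from the command line ---
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (AdminID INTEGER PRIMARY KEY, UserName TEXT, PasswordHash TEXT)');
$ins = $db->prepare('INSERT INTO admin (AdminID, UserName, PasswordHash) VALUES (?, ?, ?)');
$ins->execute([7, 'alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);

$_GET['AdminID'] = '1';                      // a value edited into the URL
$results = [
    'before login'   => currentAdminId(),
    'wrong password' => login($db, 'alice', 'wrong'),
    'right password' => login($db, 'alice', 'constructed-pw'),
    'after login'    => currentAdminId(),
];
var_dump($results);
```

In the real application the redirect becomes `header("Location: Main.php"); exit;` with no query string, and `session_start()` must run on every page before any output.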