On 9 Dec 2008, at 21:41, Terion Miller wrote:
So I have this login information passing parameters in the URL to the next
page (this is on an intranet app), which I thought was no big deal until a
wisecrack graphics guy decided to hack it because he could, by changing the
?adminID= until he got one that worked... he didn't do anything except alert
my boss, so now I have to hide this info. How does one do this? Once again, I
am not a programmer, just inherited the job....and the code...
Here is the login page code:
<?php
session_start(); // must run before $_SESSION is read or written

if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';}
$msg = '';
if (!empty($UserName)) {
    // The form fields are interpolated straight into the SQL text
    $sql = "SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'";
    $result = mysql_query ($sql);
    $row = mysql_fetch_object ($result);
    if (mysql_num_rows($result) > 0) {
        $_SESSION['AdminLogin'] = "OK";
        // The admin's ID is handed to the next page on the query string
        header ("Location: Main.php?AdminID=". $row->AdminID);
        exit; // stop rendering the login page once the redirect is sent
    } else {
        $msg = "Invalid Login";
    }
}
?>
No need to pass AdminID in the URL at all. Store that ID in the
AdminLogin session variable instead of "OK" and you can get it from
there on every subsequent page.
-Stut
--
http://stut.net/
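One way to implement what Stut describes, written here as an added example rather than code from the thread. The table and column names (admin, UserName, Password, AdminID) and the page names (Main.php, login.php) come from the posted code; the mysqli connection values, the function names authenticate() and requireAdmin(), and the use of a prepared statement are assumptions of this example. The prepared statement goes one step past Stut's advice: the posted query splices the form fields directly into the SQL, and binding them as parameters closes that as well.

```php
<?php
// Added example, not the original poster's or Stut's code.
// The AdminID is kept server-side in $_SESSION and never placed on a URL.
// Connection details below are placeholders.

session_start();

/** Look up an admin by credentials; returns the AdminID, or null on failure. */
function authenticate(mysqli $db, $userName, $password)
{
    // Prepared statement: the form values are bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT AdminID FROM admin WHERE UserName = ? AND Password = ?');
    $stmt->bind_param('ss', $userName, $password);
    $stmt->execute();
    $stmt->bind_result($adminId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $adminId : null;
}

/** Call at the top of Main.php and every other protected page. */
function requireAdmin()
{
    if (empty($_SESSION['AdminID'])) {
        header('Location: login.php');
        exit;
    }
    // Trusted: this value is set only by the login handler after a successful check.
    return (int) $_SESSION['AdminID'];
}

// ---- login.php handler ----
$msg = '';
if (isset($_POST['UserName'], $_POST['Password']) && $_POST['UserName'] !== '') {
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'intranet'); // placeholders
    $adminId = authenticate($db, $_POST['UserName'], $_POST['Password']);
    if ($adminId !== null) {
        session_regenerate_id(true);     // fresh session id on login (fixation defence)
        $_SESSION['AdminID'] = $adminId; // replaces $_SESSION['AdminLogin'] = "OK"
        header('Location: Main.php');    // no ?AdminID= on the query string
        exit;
    }
    $msg = 'Invalid Login';
}

// ---- in Main.php (and every other admin page) ----
// $adminId = requireAdmin();
// ... use $adminId wherever $_GET['AdminID'] was used before ...
```

With this in place, editing the URL no longer changes which admin the page acts as: the only way to get an AdminID into the session is to pass the credential check, and requireAdmin() bounces anyone without one back to the login page. The posted schema stores passwords in the clear; if it can be changed, store a hash and compare with password_verify() instead of matching the Password column in SQL.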
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php