Please keep the discussion on the list, or offer me a contract.
On 10 Dec 2008, at 14:29, Terion Miller wrote:
On Tue, Dec 9, 2008 at 4:03 PM, Stut <stuttle@xxxxxxxxx> wrote:
On 9 Dec 2008, at 21:54, Terion Miller wrote:
On Tue, Dec 9, 2008 at 3:49 PM, Stut <stuttle@xxxxxxxxx> wrote:
On 9 Dec 2008, at 21:41, Terion Miller wrote:
So I have this login information passing parameters in the URL to the next page (this is on an intranet app), which I thought was no big deal until a wisecrack graphics guy decided to hack it, because he could, by changing the ?adminID= until he got one that worked... He didn't do anything except alert my boss, so now I have to hide this info. How does one do this? Once again, I am not a programmer; I just inherited the job... and the code...
Here is the login page code:
<?php
if (isset($_POST['UserName'])) { $UserName = $_POST['UserName']; } else { $UserName = ''; }
if (isset($_POST['Password'])) { $Password = $_POST['Password']; } else { $Password = ''; }
$msg = '';
if (!empty($UserName)) {
    // The submitted credentials are interpolated straight into the query text
    $sql = "SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'";
    $result = mysql_query($sql);
    $row = mysql_fetch_object($result);
    if (mysql_num_rows($result) > 0) {
        $_SESSION['AdminLogin'] = "OK";
        // AdminID is handed to the next page in the query string
        header("Location: Main.php?AdminID=" . $row->AdminID);
    } else {
        $msg = "Invalid Login";
    }
}
?>
No need to pass AdminID in the URL at all. Store that ID in the
AdminLogin session variable instead of "OK" and you can get it from
there on every subsequent page.
-Stut
--
http://stut.net/
How do I do that? I see where... but I'm not getting how:
if (mysql_num_rows($result) > 0) {
    $_SESSION['AdminLogin'] = "AdminID"; // <---- that's where it said "OK" before
    header("Location: Main.php?AdminID=" . $row->AdminID); // <---- not sure what to do here?
} else {
    $msg = "Invalid Login";
}
Nope.
if (mysql_num_rows($result) > 0) {
    $_SESSION['AdminLogin'] = $row->AdminID;
    header("Location: Main.php");
} else {
    $msg = "Invalid Login";
}
But you then need to edit Main.php to change where it gets the
AdminID value from. Chances are it's coming from $_GET['AdminID'],
and simply needs changing to $_SESSION['AdminLogin'], but you need
to make sure session_start() has been called before you try to use it.
Worth noting that securing PHP scripts is not something that should
be approached lightly. If you really don't know what you're doing
you could make it even less secure than it already is, or at the
very least break it so it no longer does what it's supposed to.
Posting snippets of code for us to "fix" as and when you have
problems is not the way to do it and is fairly likely to lead to
more serious problems in the long run. If you need a PHP
developer... hire one!
-Stut
--
http://stut.net/
Ok, here is the main.php page, and from what little I know and can tell, the fact that he (the last coder) is passing the adminID in the URL is not at all needed... right? It seems to be using sessions already...
<?php
include("inc/dbconn_open.php");
// Session check: redirects, but does not exit, so the rest of the page is still sent
if (empty($_SESSION['AdminLogin']) OR $_SESSION['AdminLogin'] <> 'OK') {
    header("Location: LogOut.php");
}
// AdminID is taken from the query string rather than from the session
if (isset($_GET['AdminID']) && !empty($_GET['AdminID'])) {
    $AdminID = $_GET['AdminID'];
} else {
    header("Location: LogOut.php");
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Work Order System - Administrative Section</title>
</head>
<frameset cols="200,*" frameborder="NO" border="0" framespacing="0">
  <frame src="Menu.php?AdminID=<?php echo $AdminID; ?>" name="leftFrame" scrolling="auto" noresize>
  <frame src="Welcome.php?AdminID=<?php echo $AdminID; ?>" name="mainFrame">
</frameset>
<noframes><body>
</body></noframes>
</html>
That script doesn't use it except to pass it through to Menu.php and
Welcome.php.
-Stut
--
http://stut.net/
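One way to carry Stut's change through all three pages, as an added example that is not code from the thread or from the original application: the login page keeps the numeric AdminID in the session, and every admin page (Main.php, Menu.php, Welcome.php) reads it back from there, so nothing identifying the account ever appears in a URL and changing ?AdminID= has nothing to act on. Assumptions beyond what the posts show: PHP 7.1 or later with PDO, a $db PDO handle supplied by inc/dbconn_open.php, and a PasswordHash column holding password_hash() output in place of the cleartext Password column. The posted login builds its SQL by string interpolation and compares the password in cleartext; the example replaces both with a parameterised query and password_verify(). The function names are invented for the example.

```php
<?php
// Added example, not the thread's own code. Assumed: PHP >= 7.1, a PDO handle
// $db from inc/dbconn_open.php, and an admin table with AdminID, UserName and
// a PasswordHash column (password_hash() output). Function names are invented.
declare(strict_types=1);

// ---- shared by login.php, Main.php, Menu.php and Welcome.php ----
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // must run before $_SESSION is touched, on every page
    }
}

// ---- login.php ----
// Returns the AdminID for a valid username/password pair, or null.
function login_admin(PDO $db, string $userName, string $password): ?int
{
    $stmt = $db->prepare('SELECT AdminID, PasswordHash FROM admin WHERE UserName = :u');
    $stmt->execute([':u' => $userName]);   // bound parameter: user input never enters the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['PasswordHash'])) {
        return null;
    }
    return (int) $row['AdminID'];
}

function start_admin_session(int $adminId): void
{
    ensure_session();
    session_regenerate_id(true);        // fresh session ID once the session becomes privileged
    $_SESSION['AdminLogin'] = $adminId; // identity lives server-side; only the cookie reaches the browser
}

// ---- Main.php, Menu.php, Welcome.php ----
// Reads the logged-in AdminID back from the session; null if nobody is logged in.
function current_admin_id(): ?int
{
    ensure_session();
    $id = $_SESSION['AdminLogin'] ?? null;
    return (is_int($id) && $id > 0) ? $id : null;
}

// Redirects to LogOut.php when no admin is logged in. The exit matters: the
// posted Main.php calls header() without it, so the frameset below the
// redirect is still sent to the client.
function require_admin(): int
{
    $id = current_admin_id();
    if ($id === null) {
        header('Location: LogOut.php');
        exit;
    }
    return $id;
}

// ---- how the pages use the functions above ----
// login.php:
//   $msg = '';
//   if (isset($_POST['UserName'], $_POST['Password'])) {
//       $id = login_admin($db, $_POST['UserName'], $_POST['Password']);
//       if ($id !== null) {
//           start_admin_session($id);
//           header('Location: Main.php');   // no AdminID in the URL
//           exit;
//       }
//       $msg = 'Invalid Login';
//   }
//
// Main.php, Menu.php and Welcome.php each start with the same line, and the
// frame src attributes in Main.php drop the "?AdminID=..." query string:
//   $AdminID = require_admin();
```

Menu.php and Welcome.php call require_admin() themselves rather than trusting a value forwarded by Main.php, so each frame page checks the session on its own; that is also what makes the query string redundant, as Stut notes above. Storing the integer directly (not the string "OK") is what lets the check in Main.php move from comparing against 'OK' to reading the ID.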
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php